security-misc/etc/default/grub.d/40_cpu_mitigations.cfg

## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Enables all known mitigations for CPU vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647

## Force disable SMT as it has caused numerous CPU vulnerabilities.
##
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"

## Enable mitigations for Spectre variant 2 (indirect branch speculation).
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"

## Disable Speculative Store Bypass.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"

## Enable mitigations for the L1TF vulnerability through disabling SMT
## and L1D flush runtime control.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"

## Enable mitigations for the MDS vulnerability through clearing buffer cache
## and disabling SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"

## Patches the TAA vulnerability by disabling TSX and enables mitigations using
## TSX Async Abort along with disabling SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"

## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
copyright 2022-05-21 01:46:38 +07:00			`## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`## See the file COPYING for copying conditions.`

shuffle and rewording 2022-07-18 23:29:46 +07:00			`## Enables all known mitigations for CPU vulnerabilities.`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`##`
shuffle and rewording 2022-07-18 23:29:46 +07:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647`

shuffle and rewording 2022-07-18 23:29:46 +07:00			`## Force disable SMT as it has caused numerous CPU vulnerabilities.`
			`##`
			`## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"`

			`## Enable mitigations for Spectre variant 2 (indirect branch speculation).`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"`

			`## Disable Speculative Store Bypass.`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"`

shuffle and rewording 2022-07-18 23:29:46 +07:00			`## Enable mitigations for the L1TF vulnerability through disabling SMT`
			`## and L1D flush runtime control.`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`##`
shuffle and rewording 2022-07-18 23:29:46 +07:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00
shuffle and rewording 2022-07-18 23:29:46 +07:00			`## Enable mitigations for the MDS vulnerability through clearing buffer cache`
			`## and disabling SMT.`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"`

shuffle and rewording 2022-07-18 23:29:46 +07:00			`## Patches the TAA vulnerability by disabling TSX and enables mitigations using`
			`## TSX Async Abort along with disabling SMT.`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`##`
shuffle and rewording 2022-07-18 23:29:46 +07:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00
			`## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.`
			`##`
shuffle and rewording 2022-07-18 23:29:46 +07:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html`
Create 40_cpu_mitigations.cfg 2020-02-13 01:42:13 +07:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"`