2024-05-11 10:18:36 +07:00
|
|
|
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
2020-02-13 01:42:13 +07:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
2024-08-26 08:34:12 +07:00
|
|
|
## Definitions:
|
|
|
|
|
## KSPP=yes: compliant with recommendations by the KSPP
|
|
|
|
|
## KSPP=partial: partially compliant with recommendations by the KSPP
|
2024-09-26 20:09:21 +07:00
|
|
|
## KSPP=no: not (currently) compliant with recommendations by the KSPP
|
2024-10-14 09:54:30 +07:00
|
|
|
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
|
2024-08-26 08:34:12 +07:00
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Enable known mitigations for CPU vulnerabilities.
|
2024-12-18 10:32:35 +07:00
|
|
|
## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
2024-01-29 19:57:48 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
2020-02-13 01:42:13 +07:00
|
|
|
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
|
|
|
|
|
2024-05-05 19:50:39 +07:00
|
|
|
## Check for potential updates directly from AMD and Intel.
|
|
|
|
|
## https://www.amd.com/en/resources/product-security.html
|
|
|
|
|
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
|
|
|
|
|
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
|
|
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-08-16 22:06:21 +07:00
|
|
|
## KSPP=yes
|
|
|
|
|
## KSPP sets the kernel parameters.
|
|
|
|
|
##
|
2024-01-29 19:58:14 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
|
|
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
|
|
|
|
|
## The only full mitigation of cross-HT attacks is to disable SMT.
|
2024-07-17 10:32:08 +07:00
|
|
|
## Disabling will significantly decrease system performance on multi-threaded tasks.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Note, this setting will prevent re-enabling SMT via the sysfs interface.
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
|
|
|
|
|
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
2024-07-17 10:32:08 +07:00
|
|
|
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-08-16 22:06:21 +07:00
|
|
|
## KSPP=yes
|
|
|
|
|
## KSPP sets the kernel parameter.
|
|
|
|
|
##
|
2024-12-17 18:42:03 +07:00
|
|
|
## To re-enable SMT:
|
|
|
|
|
## - Remove "nosmt=force".
|
|
|
|
|
## - Remove all occurrences of ",nosmt" in this file (note the comma ",").
|
|
|
|
|
## - Downgrade "l1tf=full,force" protection to "l1tf=flush".
|
2024-12-18 10:32:35 +07:00
|
|
|
## - Regenerate the dracut initramfs and then reboot system.
|
2024-12-17 18:42:03 +07:00
|
|
|
##
|
2024-07-14 22:56:25 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
|
|
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Spectre Side Channels (BTI and BHI):
|
|
|
|
|
## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection).
|
|
|
|
|
## Enable mitigation for the Intel branch history injection vulnerability.
|
|
|
|
|
## Currently affects both AMD and Intel CPUs.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Speculative Store Bypass (SSB):
|
|
|
|
|
## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
|
|
|
|
|
## Unconditionally enable the mitigation for both kernel and userspace.
|
|
|
|
|
## Currently affects both AMD and Intel CPUs.
|
2024-05-01 10:48:13 +07:00
|
|
|
##
|
2024-12-17 18:42:03 +07:00
|
|
|
## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
|
2024-05-01 10:48:13 +07:00
|
|
|
## https://www.suse.com/support/kb/doc/?id=000019189
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2020-02-13 01:42:13 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
|
2024-11-08 11:36:04 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## L1 Terminal Fault (L1TF):
|
|
|
|
|
## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
|
2024-12-18 10:32:35 +07:00
|
|
|
## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Currently affects Intel CPUs.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
|
2024-12-17 18:42:52 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Microarchitectural Data Sampling (MDS):
|
2024-12-18 10:32:35 +07:00
|
|
|
## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Currently affects Intel CPUs.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2020-02-13 01:42:13 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
|
|
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## TSX Asynchronous Abort (TAA):
|
|
|
|
|
## Mitigate the vulnerability by disabling TSX.
|
|
|
|
|
## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
|
|
|
|
|
## Currently affects Intel CPUs.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## iTLB Multihit:
|
|
|
|
|
## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
|
|
|
|
|
## Currently affects Intel CPUs.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2020-02-13 01:42:13 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
|
2022-07-18 23:30:49 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Special Register Buffer Data Sampling (SRBDS):
|
2024-12-18 10:32:35 +07:00
|
|
|
## Mitigation of the vulnerability is only possible via microcode update from Intel.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Currently affects Intel CPUs.
|
2022-07-18 23:30:49 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
|
2022-07-19 00:16:08 +07:00
|
|
|
## https://access.redhat.com/solutions/5142691
|
2022-07-18 23:32:41 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## L1D Flushing:
|
|
|
|
|
## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
|
|
|
|
|
## Currently affects Intel CPUs.
|
2022-07-18 23:32:41 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2022-07-18 23:32:41 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
|
2022-07-18 23:33:16 +07:00
|
|
|
|
2024-12-18 10:32:35 +07:00
|
|
|
## Processor MMIO Stale Data:
|
|
|
|
|
## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Currently affects Intel CPUs.
|
2022-07-18 23:33:16 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2022-07-18 23:33:16 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
|
2024-01-29 19:58:51 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Arbitrary Speculative Code Execution with Return Instructions (Retbleed):
|
|
|
|
|
## Mitigate the vulnerability through CPU-dependent implementation and disable SMT.
|
|
|
|
|
## Currently affects both AMD Zen 1-2 and Intel CPUs.
|
2024-01-29 19:58:51 +07:00
|
|
|
##
|
2024-12-17 18:42:03 +07:00
|
|
|
## https://en.wikipedia.org/wiki/Retbleed
|
|
|
|
|
## https://comsec.ethz.ch/research/microarch/retbleed/
|
2024-05-01 10:49:00 +07:00
|
|
|
## https://www.suse.com/support/kb/doc/?id=000020693
|
2024-12-17 18:42:03 +07:00
|
|
|
## https://access.redhat.com/solutions/retbleed
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-01-29 19:58:51 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
|
2024-01-29 19:59:13 +07:00
|
|
|
|
2024-12-17 18:44:11 +07:00
|
|
|
## Cross-Thread Return Address Predictions:
|
|
|
|
|
## Mitigate the vulnerability for certain KVM hypervisor configurations.
|
|
|
|
|
## Currently affects AMD Zen 1-2 CPUs.
|
|
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
|
|
|
|
|
##
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
|
|
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Speculative Return Stack Overflow (SRSO):
|
2024-12-18 10:32:35 +07:00
|
|
|
## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Currently affects AMD Zen 1-4 CPUs.
|
2024-01-29 19:59:13 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-07-17 22:44:17 +07:00
|
|
|
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
2024-12-17 18:42:03 +07:00
|
|
|
## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
|
2024-05-01 10:50:42 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Gather Data Sampling (GDS):
|
|
|
|
|
## Mitigate the vulnerability either via microcode update or by disabling AVX.
|
|
|
|
|
## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
|
|
|
|
|
## Currently affects Intel CPUs.
|
2024-05-01 10:50:42 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-05-01 10:50:42 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
|
2024-05-01 10:55:09 +07:00
|
|
|
|
2024-12-17 18:42:03 +07:00
|
|
|
## Register File Data Sampling (RFDS):
|
|
|
|
|
## Mitigate the vulnerability by appropriately clearing the CPU buffer.
|
|
|
|
|
## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
|
2024-05-01 10:55:09 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-07-17 19:39:20 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
|
