2024-05-11 10:18:36 +07:00
|
|
|
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
2020-02-13 01:42:13 +07:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Enable known mitigations for CPU vulnerabilities.
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
2024-01-29 19:57:48 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
2020-02-13 01:42:13 +07:00
|
|
|
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
|
|
|
|
|
2024-05-05 19:50:39 +07:00
|
|
|
## Check for potential updates directly from AMD and Intel.
|
|
|
|
|
## https://www.amd.com/en/resources/product-security.html
|
|
|
|
|
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
|
|
|
|
|
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
|
|
|
|
|
|
2024-05-01 10:49:34 +07:00
|
|
|
## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-01-29 19:58:14 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
|
|
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
|
|
|
|
|
## The only full mitigation of cross-HT attacks is to disable SMT.
|
2024-07-17 10:32:08 +07:00
|
|
|
## Disabling will significantly decrease system performance on multi-threaded tasks.
|
2024-07-17 22:44:17 +07:00
|
|
|
## To enable SMT, remove this line and all other occurrences of "nosmt" in this file.
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
|
|
|
|
|
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
2024-07-17 10:32:08 +07:00
|
|
|
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
|
|
|
|
|
|
2024-05-01 10:47:40 +07:00
|
|
|
## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
|
|
|
|
|
## and Intel branch history injection (BHI) vulnerabilities.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
2024-05-01 10:48:13 +07:00
|
|
|
## Disable Speculative Store Bypass (Spectre Variant 4).
|
|
|
|
|
##
|
|
|
|
|
## https://www.suse.com/support/kb/doc/?id=000019189
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2020-02-13 01:42:13 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
|
|
|
|
|
|
2022-07-18 23:29:46 +07:00
|
|
|
## Enable mitigations for the L1TF vulnerability through disabling SMT
|
|
|
|
|
## and L1D flush runtime control.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
2022-07-18 23:29:46 +07:00
|
|
|
## Enable mitigations for the MDS vulnerability through clearing buffer cache
|
|
|
|
|
## and disabling SMT.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2020-02-13 01:42:13 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
|
|
|
|
|
|
2024-07-17 22:44:17 +07:00
|
|
|
## Patches the TAA vulnerability by disabling TSX and enables mitigations using
|
2022-07-18 23:29:46 +07:00
|
|
|
## TSX Async Abort along with disabling SMT.
|
2020-02-13 01:42:13 +07:00
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
|
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
|
2020-02-13 01:42:13 +07:00
|
|
|
|
|
|
|
|
## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
|
|
|
|
|
##
|
2022-07-18 23:29:46 +07:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2020-02-13 01:42:13 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
|
2022-07-18 23:30:49 +07:00
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions
|
|
|
|
|
## are only possible through microcode updates from Intel.
|
2022-07-18 23:30:49 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
|
2022-07-19 00:16:08 +07:00
|
|
|
## https://access.redhat.com/solutions/5142691
|
2022-07-18 23:32:41 +07:00
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Enable the prctl() interface to prevent leaks from L1D on context switches.
|
2022-07-18 23:32:41 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2022-07-18 23:32:41 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
|
2022-07-18 23:33:16 +07:00
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT.
|
2022-07-18 23:33:16 +07:00
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2022-07-18 23:33:16 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
|
2024-01-29 19:58:51 +07:00
|
|
|
|
|
|
|
|
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
|
|
|
|
|
## Return Instructions) vulnerability and disable SMT.
|
|
|
|
|
##
|
2024-05-01 10:49:00 +07:00
|
|
|
## https://www.suse.com/support/kb/doc/?id=000020693
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-01-29 19:58:51 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
|
2024-01-29 19:59:13 +07:00
|
|
|
|
|
|
|
|
## Control RAS overflow mitigation on AMD Zen CPUs.
|
|
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-07-17 22:44:17 +07:00
|
|
|
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
|
|
|
|
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
|
2024-05-01 10:50:42 +07:00
|
|
|
|
2024-07-14 22:56:25 +07:00
|
|
|
## Enable Gather Data Sampling (GDS) mitigation.
|
2024-05-01 10:50:42 +07:00
|
|
|
## Note for systems that have not received a suitable microcode update this will
|
|
|
|
|
## entirely disable use of the AVX instructions set.
|
|
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-05-01 10:50:42 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
|
2024-05-01 10:55:09 +07:00
|
|
|
|
2024-07-17 19:39:20 +07:00
|
|
|
## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
|
2024-05-01 10:55:09 +07:00
|
|
|
## encompasses E-cores on hybrid architectures.
|
|
|
|
|
##
|
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
|
2024-07-14 22:56:25 +07:00
|
|
|
##
|
2024-07-17 19:39:20 +07:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
|
