update details around disabling SMT

2025-01-22 02:17:04 +07:00 · 2022-07-19 03:38:41 +10:00 · 2022-07-19 03:38:41 +10:00 · 1660aaa6dd
commit 1660aaa6dd
parent bfd78a2c06
1 changed files with 7 additions and 5 deletions
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@ -6,11 +6,6 @@
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647

-## Force disable SMT as it has caused numerous CPU vulnerabilities.
-##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
-
 ## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
@ -48,6 +43,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691

+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
 ## Enables the prctl interface to prevent leaks from L1D on context switches.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html