From 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Tue, 19 Jul 2022 03:38:41 +1000
Subject: [PATCH] update details around disabling SMT

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 4537871..a54de29 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -6,11 +6,6 @@
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
-##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
-
 ## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
@@ -48,6 +43,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691
 
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
 ## Enables the prctl interface to prevent leaks from L1D on context switches.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html