unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...)

this might reduce performance * `spectre_v2=on` * `spec_store_bypass_disable=on` * `tsx=off` * `tsx_async_abort=full,nosmt` Thanks to @madaidan for the suggestion! https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
2025-01-07 14:01:06 +07:00 · 2020-01-30 05:55:13 -05:00 · 2020-01-30 05:55:13 -05:00 · b9d65338bc
commit b9d65338bc
parent 2711d0f7f0
1 changed files with 8 additions and 0 deletions
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -36,6 +36,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
 ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"

+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
+
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
+
 ## Enables all mitigations for the MDS vulnerability.
 ## Disables smt which can be used to exploit the MDS vulnerability.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"