set kernel boot parameter l1tf=full,force and nosmt=force

https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2024-12-23 01:13:40 +07:00 · 2020-01-30 00:46:48 -05:00 · 2020-01-30 00:46:48 -05:00 · c1a0da60be
commit c1a0da60be
parent efc40da4fb
2 changed files with 8 additions and 0 deletions
--- a/debian/control
+++ b/debian/control
@ -70,6 +70,8 @@ Description: enhances misc security settings
 vulnerabilities.
 .
  * All mitigations for the MDS vulnerability are enabled.
+ .
+  * Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability.
 .
  * A systemd service clears System.map on boot as these contain kernel symbols
 that could be useful to an attacker.
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -40,6 +40,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 ## Disables smt which can be used to exploit the MDS vulnerability.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"

+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
+
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
 ## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"