set kernel boot parameter l1tf=full,force and nosmt=force

https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17

debian/control

@@ -70,6 +70,8 @@ Description: enhances misc security settings
  vulnerabilities.
  .
   * All mitigations for the MDS vulnerability are enabled.
+ .
+  * Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability.
  .
   * A systemd service clears System.map on boot as these contain kernel symbols
  that could be useful to an attacker.