From e20263f23da7583154a491cf36fafa2000cede87 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 27 Nov 2022 11:38:54 +0000 Subject: [PATCH] Update content/posts/linux/Desktop-Linux-Hardening.md Co-authored-by: WfKe9vLwSvv7rN <96372288+WfKe9vLwSvv7rN@users.noreply.github.com> Signed-off-by: Raja Grewal --- content/posts/linux/Desktop-Linux-Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md index c5eca6f..6f610f6 100644 --- a/content/posts/linux/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md 
@@ -265,7 +265,7 @@ In this section we succinctly present the parameters used by Kicksecure as those spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full, mds=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt ``` -[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on rpm-ostree based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly. As an aside, one should keep in mind that despite the clear security benefits of disabling SMT, the very popular `linux-hardened` kernel for Arch Linux does not disable it by default given the [large potential performance costs](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365). You should determine your own desired level of risk mitigation and if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from the above parameters. +[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on `rpm-ostree`–based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly. As an aside, one should keep in mind that, despite the clear security benefits of disabling SMT, the very popular `linux-hardened` kernel for Arch Linux does not disable it by default due to the [potentially very large performance penalty](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365). Assess your own risk tolerance, and, if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from the above parameters. - Kernel ```
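Review bot: the rewritten sentence's instruction to "remove all occurrences of `nosmt` and `nosmt=force`" is ambiguous for the comma-joined entries in the parameter block above it (`mds=full,nosmt`, `mmio_stale_data=full,nosmt`): deleting only the token leaves a trailing comma such as `mds=full,`, so the text should state that these become `mds=full` and `mmio_stale_data=full` while the standalone `nosmt=force` is dropped entirely. Since this hunk is already a prose polish, two defects in the unchanged context line are worth fixing in the same PR: `mds=full,nosmt` is listed twice, and `tsx_async_abort=full,` carries a stray trailing comma, most likely meant to be `tsx_async_abort=full,nosmt` to match its neighbours. Finally, "SMT is disabled due to it being the cause of various security vulnerabilities" overstates the role of SMT: it is not the cause of the flaws but what lets a sibling hyperthread observe the shared core, which is why the MDS/L1TF/TAA-style mitigations listed offer a `nosmt` variant; "because several cross-thread side-channel attacks depend on it" would be more accurate.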