2022-05-20 14:46:38 -04:00
|
|
|
## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
2020-02-12 13:42:13 -05:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
2022-07-18 12:29:46 -04:00
|
|
|
## Enables all known mitigations for CPU vulnerabilities.
|
2020-02-12 13:42:13 -05:00
|
|
|
##
|
2022-07-18 12:29:46 -04:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
2020-02-12 13:42:13 -05:00
|
|
|
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
|
|
|
|
2022-07-18 12:29:46 -04:00
|
|
|
## Force disable SMT as it has caused numerous CPU vulnerabilities.
|
|
|
|
##
|
|
|
|
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
|
|
|
|
|
|
|
|
## Enable mitigations for Spectre variant 2 (indirect branch speculation).
|
2020-02-12 13:42:13 -05:00
|
|
|
##
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
|
|
|
|
|
|
|
|
## Disable Speculative Store Bypass.
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
|
|
|
|
|
2022-07-18 12:29:46 -04:00
|
|
|
## Enable mitigations for the L1TF vulnerability through disabling SMT
|
|
|
|
## and L1D flush runtime control.
|
2020-02-12 13:42:13 -05:00
|
|
|
##
|
2022-07-18 12:29:46 -04:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
|
2020-02-12 13:42:13 -05:00
|
|
|
|
2022-07-18 12:29:46 -04:00
|
|
|
## Enable mitigations for the MDS vulnerability through clearing buffer cache
|
|
|
|
## and disabling SMT.
|
2020-02-12 13:42:13 -05:00
|
|
|
##
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
|
|
|
|
|
2022-07-18 12:29:46 -04:00
|
|
|
## Patches the TAA vulnerability by disabling TSX and enables mitigations using
|
|
|
|
## TSX Async Abort along with disabling SMT.
|
2020-02-12 13:42:13 -05:00
|
|
|
##
|
2022-07-18 12:29:46 -04:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
|
2020-02-12 13:42:13 -05:00
|
|
|
|
|
|
|
## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
|
|
|
|
##
|
2022-07-18 12:29:46 -04:00
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
|
2020-02-12 13:42:13 -05:00
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
|
2022-07-18 12:30:49 -04:00
|
|
|
|
|
|
|
## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
|
|
|
|
##
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX srbds=on"
|
2022-07-18 12:32:41 -04:00
|
|
|
|
|
|
|
## Enables the prctl interface to prevent leaks from L1D on context switches.
|
|
|
|
##
|
|
|
|
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
|
|
|
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
|