security-misc/etc/default/grub.d/40_cpu_mitigations.cfg

## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Enables known mitigations for CPU vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647

## Check for potential updates directly from AMD and Intel.
##
## https://www.amd.com/en/resources/product-security.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html

## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"

## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
## and Intel branch history injection (BHI) vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"

## Disable Speculative Store Bypass (Spectre Variant 4).
##
## https://www.suse.com/support/kb/doc/?id=000019189
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"

## Enable mitigations for the L1TF vulnerability through disabling SMT
## and L1D flush runtime control.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"

## Enable mitigations for the MDS vulnerability through clearing buffer cache
## and disabling SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"

## Patches the TAA vulnerability by disabling TSX and enables mitigations using
## TSX Async Abort along with disabling SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"

## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"

## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
## Only mitigated through microcode updates from Intel.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://access.redhat.com/solutions/5142691

## Force disable SMT as it has caused numerous CPU vulnerabilities.
## The only full mitigation of cross-HT attacks is to disable SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"

## Enables the prctl interface to prevent leaks from L1D on context switches.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"

## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"

## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
## Return Instructions) vulnerability and disable SMT.
##
## https://www.suse.com/support/kb/doc/?id=000020693
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"

## Control RAS overflow mitigation on AMD Zen CPUs.
## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
## This default will used until provided sufficient evidence to modify.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html

## Mitigates Gather Data Sampling (GDS) vulnerability.
## Note for systems that have not received a suitable microcode update this will
## entirely disable use of the AVX instructions set.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"

## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which 
## encompasses E-cores on hybrid architectures.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
Update Copyright (C) to 2024 2024-05-10 23:18:36 -04:00			`## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`## See the file COPYING for copying conditions.`

Remove a word 2024-05-05 08:52:51 -04:00			`## Enables known mitigations for CPU vulnerabilities.`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`##`
shuffle and rewording 2022-07-18 12:29:46 -04:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html`
Add reference for kernel parameters 2024-01-29 07:57:48 -05:00			`## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647`

Add vendor links 2024-05-05 08:50:39 -04:00			`## Check for potential updates directly from AMD and Intel.`
			`##`
			`## https://www.amd.com/en/resources/product-security.html`
			`## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html`
			`## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html`

Clarify use of `mitigations=auto` 2024-04-30 23:49:34 -04:00			`## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.`
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 07:58:14 -05:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"`

Merge spectre mitigations 2024-04-30 23:47:40 -04:00			`## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)`
			`## and Intel branch history injection (BHI) vulnerabilities.`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html`
Merge spectre mitigations 2024-04-30 23:47:40 -04:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00
Add reference for SSB 2024-04-30 23:48:13 -04:00			`## Disable Speculative Store Bypass (Spectre Variant 4).`
			`##`
			`## https://www.suse.com/support/kb/doc/?id=000019189`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"`

shuffle and rewording 2022-07-18 12:29:46 -04:00			`## Enable mitigations for the L1TF vulnerability through disabling SMT`
			`## and L1D flush runtime control.`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`##`
shuffle and rewording 2022-07-18 12:29:46 -04:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00
shuffle and rewording 2022-07-18 12:29:46 -04:00			`## Enable mitigations for the MDS vulnerability through clearing buffer cache`
			`## and disabling SMT.`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"`

shuffle and rewording 2022-07-18 12:29:46 -04:00			`## Patches the TAA vulnerability by disabling TSX and enables mitigations using`
			`## TSX Async Abort along with disabling SMT.`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`##`
shuffle and rewording 2022-07-18 12:29:46 -04:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00
			`## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.`
			`##`
shuffle and rewording 2022-07-18 12:29:46 -04:00			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html`
Create 40_cpu_mitigations.cfg 2020-02-12 13:42:13 -05:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"`
CPU mitigation - SRBDS 2022-07-18 12:30:49 -04:00
			`## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.`
update SRBDS mitigation 2022-07-18 13:16:08 -04:00			`## Only mitigated through microcode updates from Intel.`
CPU mitigation - SRBDS 2022-07-18 12:30:49 -04:00			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html`
update SRBDS mitigation 2022-07-18 13:16:08 -04:00			`## https://access.redhat.com/solutions/5142691`
CPU mitigation - L1D FLushing 2022-07-18 12:32:41 -04:00
update details around disabling SMT 2022-07-18 13:38:41 -04:00			`## Force disable SMT as it has caused numerous CPU vulnerabilities.`
			`## The only full mitigation of cross-HT attacks is to disable SMT.`
			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html`
			`## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"`

CPU mitigation - L1D FLushing 2022-07-18 12:32:41 -04:00			`## Enables the prctl interface to prevent leaks from L1D on context switches.`
			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"`
CPU mitigation - MMIO Stale Data 2022-07-18 12:33:16 -04:00
			`## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.`
			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"`
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 07:58:51 -05:00
			`## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with`
			`## Return Instructions) vulnerability and disable SMT.`
			`##`
Add reference for RETBleed 2024-04-30 23:49:00 -04:00			`## https://www.suse.com/support/kb/doc/?id=000020693`
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 07:58:51 -05:00			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"`
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 07:59:13 -05:00
			`## Control RAS overflow mitigation on AMD Zen CPUs.`
Remove hardcoded `spec_rstack_overflow` setting 2024-01-29 08:39:40 -05:00			`## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'`
			`## This default will used until provided sufficient evidence to modify.`
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 07:59:13 -05:00			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html`
GDS mitigation for CPUs 2024-04-30 23:50:42 -04:00
			`## Mitigates Gather Data Sampling (GDS) vulnerability.`
			`## Note for systems that have not received a suitable microcode update this will`
			`## entirely disable use of the AVX instructions set.`
			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"`
RFDS mitigation on Intel Atom CPUs (including E-cores) 2024-04-30 23:55:09 -04:00
			`## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which`
			`## encompasses E-cores on hybrid architectures.`
			`##`
			`## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html`
			`GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"`