Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-03-19 18:56:03 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'github-kicksecure/master'

Browse Source
This commit is contained in:
Patrick Schleizer 2024-02-03 12:51:07 -05:00
commit 02090da08c
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
etc/default/grub.d/40_cpu_mitigations.cfg
View File

@ -4,8 +4,12 @@
## Enables all known mitigations for CPU vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
## Enable known mitigations for CPU vulnerabilities and disable SMT.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Enable mitigations for Spectre variant 2 (indirect branch speculation).
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
@ -59,3 +63,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
## Return Instructions) vulnerability and disable SMT.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## Control RAS overflow mitigation on AMD Zen CPUs.
## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
## This default will used until provided sufficient evidence to modify.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html