From 0dff2cd28fd769955757cdef1b7f9d637a1180c5 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 18 Dec 2024 03:32:35 +0000
Subject: [PATCH] Minor additions

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index b7984c5..fa750b7 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -8,6 +8,7 @@
 ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## Enable known mitigations for CPU vulnerabilities.
+## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
@@ -40,6 +41,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## - Remove "nosmt=force".
 ## - Remove all occurrences of ",nosmt" in this file (note the comma ",").
 ## - Downgrade "l1tf=full,force" protection to "l1tf=flush".
+## - Regenerate the dracut initramfs and then reboot system.
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 
@@ -66,7 +68,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 
 ## L1 Terminal Fault (L1TF):
 ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
-## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations.
+## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
 ## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
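Review bot: The added step in the second hunk, `## - Regenerate the dracut initramfs and then reboot system.`, omits regenerating the GRUB configuration, which is what turns the GRUB_CMDLINE_LINUX edits in this file into the kernel command line; an initramfs rebuild alone does not pick up a changed /etc/default/grub.d entry unless the initramfs carries these parameters here, which the hunk does not show. Suggest `## - Regenerate the GRUB configuration (e.g. update-grub), regenerate the dracut initramfs and then reboot the system.` so a reader who follows the list actually ends up with SMT re-enabled. The list of steps this line belongs to starts before the hunk.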
@@ -75,7 +77,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
 
 ## Microarchitectural Data Sampling (MDS):
-## Mitigate the vulnerability by clearing the buffer cache and disabling SMT.
+## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
 ## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
@@ -101,7 +103,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 
 ## Special Register Buffer Data Sampling (SRBDS):
-## Mitigation of the vulnerability is only possible via microcode updates from Intel.
+## Mitigation of the vulnerability is only possible via microcode update from Intel.
 ## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
@@ -115,8 +117,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 
-## MMIO Stale Data:
-## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT.
+## Processor MMIO Stale Data:
+## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
 ## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
@@ -143,7 +145,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 
 ## Speculative Return Stack Overflow (SRSO):
-## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location.
+## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
 ## Currently affects AMD Zen 1-4 CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html