Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-08 21:48:32 -05:00
Code Issues Packages Projects Releases Wiki Activity

update details around disabling SMT

Browse Source
This commit is contained in:
Raja Grewal 2022-07-19 03:38:41 +10:00
parent bfd78a2c06
commit 1660aaa6dd
No known key found for this signature in database
GPG Key ID: E34A5801947020A5
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
etc/default/grub.d/40_cpu_mitigations.cfg
View File

@ -6,11 +6,6 @@
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
## Force disable SMT as it has caused numerous CPU vulnerabilities.
##
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## Enable mitigations for Spectre variant 2 (indirect branch speculation).
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
@ -48,6 +43,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://access.redhat.com/solutions/5142691 ## https://access.redhat.com/solutions/5142691
## Force disable SMT as it has caused numerous CPU vulnerabilities.
## The only full mitigation of cross-HT attacks is to disable SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
## Enables the prctl interface to prevent leaks from L1D on context switches. ## Enables the prctl interface to prevent leaks from L1D on context switches.
## ##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html