Merge remote-tracking branch 'github-kicksecure/master'

README.md

@@ -178,6 +178,8 @@ CPU mitigations:
 
 - Indirect Target Selection (ITS)
 
+- VMScape
+
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
 configuration file.

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -167,7 +167,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
 ##
 ## The default kernel setting will be utilized until provided sufficient evidence to modify.
-## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.
+## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach.
+## The use of hardware barriers may be more effective while possibly incurring a greater performance loss.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
 
@@ -195,3 +196,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
+
+## VMScape:
+## Mitigate the vulnerability by flushing branch predictors before returning to userspace when exiting guests.
+## Comprehensive protection may also require disabling SMT to limit cross-thread attacks.
+## Currently affects both AMD and Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force"