From 7b32e9339e1da769df38ff9afb849a975b1c1668 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 12 Sep 2025 23:10:34 +1000 Subject: [PATCH 1/2] Update SRSO docs --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index d40cb95..90a6f80 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -167,7 +167,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## ## The default kernel setting will be utilized until provided sufficient evidence to modify. -## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. +## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach. +## The use of hardware barriers may be more effective while possibly incurring a greater performance loss. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" From 21c605e27efaf10b3fd182e102c49135843ad21f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 13 Sep 2025 03:41:59 +0000 Subject: [PATCH 2/2] Enable `vmscape=force` --- README.md | 2 ++ etc/default/grub.d/40_cpu_mitigations.cfg | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/README.md b/README.md index 203aa60..92bc163 100644 --- a/README.md +++ b/README.md @@ -178,6 +178,8 @@ CPU mitigations: - Indirect Target Selection (ITS) +- VMScape + Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index d40cb95..5654a6e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -195,3 +195,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
+
+## VMScape:
+## Mitigate the vulnerability by flushing branch predictors before returning to userspace when exiting guests.
+## Comprehensive protection may also require disabling SMT to limit cross-thread attacks.
+## Currently affects both AMD and Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force"
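Review bot: The new VMScape comment block above the added `GRUB_CMDLINE_LINUX` append does not say why `force` is chosen over the kernel's default mode, so an operator cannot tell from this file what the non-default value buys. Per the linked kernel documentation, `ibpb` is the default and is applied only on CPUs the kernel recognises as affected, whereas `force` turns on detection and the IBPB mitigation regardless of that CPU list; a line such as `## Using "force" applies the IBPB mitigation even on CPUs not (yet) listed as affected, at the cost of an IBPB on each VM exit to userspace on such hosts.` would make the trade-off explicit, matching how the file documents its other forced mitigations. It would also be worth noting that the mitigation is only exercised on hosts running guests (KVM), and that only kernels carrying the VMScape fix recognise the parameter — an older kernel ignores it (at most logging an unknown-parameter warning), so protection should be confirmed after reboot by reading `/sys/devices/system/cpu/vulnerabilities/vmscape` rather than assumed from the command line.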