Update docs on pti=on

README.md

@@ -208,8 +208,8 @@ Kernel space:
 - Enable the kernel page allocator to randomize free lists to limit some data
   exfiltration and ROP attacks, especially during the early boot process.
 
-- Enable kernel page table isolation to increase KASLR effectiveness and also
-  mitigate the Meltdown CPU vulnerability.
+- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness
+  and also mitigate the Meltdown CPU vulnerability.
 
 - Enable randomization of the kernel stack offset on syscall entries to harden
   against memory corruption attacks.

etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared

@@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
 ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
-## Mitigates the Meltdown CPU vulnerability.
+## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
+## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
 ##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
 ## KSPP=yes