From 538b312349a97bcecb12e62519d77840afcd6ca3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 9 Jan 2025 15:28:56 +1100 Subject: [PATCH] Add comment about microcode updates --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index d2232b3..795cc72 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -21,6 +21,11 @@ ## Tabular comparison between the utility and functionality of various mitigations. ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 +## For complete protection, users must install the latest relevant security microcode update. +## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. +## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. +## The parameters below only provide (partial) protection at both the kernel and user space level. + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes
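Review bot: the added lines beginning "## BIOS/UEFI updates should only be obtained directly from OEMs" switch from microcode to firmware updates without saying how the two relate, so a reader can conclude that flashing the BIOS/UEFI is the only way to get the microcode that the first added line says users must install. Microcode is also commonly shipped by the distribution and loaded by the kernel at early boot (on Debian-based systems through the intel-microcode and amd64-microcode packages), and that path carries none of the flashing risk the third added line warns about. Suggest naming both delivery paths and keeping the OEM-only sourcing warning attached to the firmware path specifically. The last added line, "The parameters below only provide (partial) protection at both the kernel and user space level", would also read better if it said that the remaining protection depends on the microcode, since that is the reason the commit subject gives for the comment.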