From 965c8641fd28e0ee592b50605edb7494fe9c3a28 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:47:02 +1000 Subject: [PATCH 1/9] Update BHI mitigation reference --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 667480e..7940b25 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -77,6 +77,5 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. ## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925 -## TODO: update the above link with better alternative when possible +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" From de4f4be94762c9751ea62f744d7d6ede3ef30e88 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:47:40 +1000 Subject: [PATCH 2/9] Merge spectre mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 7940b25..de9ca82 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -10,10 +10,11 @@ ## Enable known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" -## Enable mitigations for Spectre variant 2 (indirect branch speculation). +## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) +## and Intel branch history injection (BHI) vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" ## Disable Speculative Store Bypass. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" @@ -74,8 +75,3 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html - -## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" From 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:48:13 +1000 Subject: [PATCH 3/9] Add reference for SSB --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index de9ca82..b683200 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
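Review bot: The new line `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"` in the first hunk gives the operator no way to tell whether the BHI half took effect, since `spectre_bhi=` is only understood by kernels that carry the BHI mitigation and an unrecognised parameter is not rejected at boot. The merged comment should say so and name the check, e.g. `## spectre_bhi= needs a kernel with the BHI mitigation; after boot, check that` followed by `## /sys/devices/system/cpu/vulnerabilities/spectre_v2 reports a "BHI:" status.` If I recall correctly, `spectre_v2=on` already selects the BHI mitigation on such kernels, making the explicit `spectre_bhi=on` belt-and-braces; a short note on that would stop a later reader from dropping one of the two as redundant. The second hunk of this patch is the matching deletion of the old BHI block and needs nothing further.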
@@ -16,7 +16,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" -## Disable Speculative Store Bypass. +## Disable Speculative Store Bypass (Spectre Variant 4). +## +## https://www.suse.com/support/kb/doc/?id=000019189 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT From d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:49:00 +1000 Subject: [PATCH 4/9] Add reference for RETBleed --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index b683200..ee6a2df 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -70,6 +70,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## +## https://www.suse.com/support/kb/doc/?id=000020693 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. From c002bd62e8584a19e73b3f42673a3f9bafba6a2c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:49:34 +1000 Subject: [PATCH 5/9] Clarify use of `mitigations=auto` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index ee6a2df..49c200e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -7,7 +7,7 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Enable known mitigations for CPU vulnerabilities and disable SMT. +## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) From 1122b3402c0856a087415d7ba1a313048b7e3eea Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:50:42 +1000 Subject: [PATCH 6/9] GDS mitigation for CPUs --- etc/default/grub.d/40_cpu_mitigations.cfg | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 49c200e..029db6d 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -78,3 +78,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html + +## Mitigates Gather Data Sampling (GDS) vulnerability. +## Note for systems that have not received a suitable microcode update this will +## entirely disable use of the AVX instructions set. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" From 0c031a29d33d13d9106746d61b87f9d98a80b5cd Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:55:09 +1000 Subject: [PATCH 7/9] RFDS mitigation on Intel Atom CPUs (including E-cores) --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 ++++++ 1 file changed, 6 insertions(+) 
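Review bot: The comment above `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"` never says why `force` is chosen over the kernel default, which per the linked kernel document already enables the mitigation and uses the microcode mitigation where present; `force` only differs on CPUs whose microcode lacks it, where it disables AVX instead. Spelling that out would keep a later reader from dropping the line as redundant, e.g. `## The default already uses the microcode mitigation where present; "force" additionally` followed by `## disables AVX on CPUs whose microcode lacks it, so software that requires AVX will fault.` The second comment line also has a typo: `AVX instructions set` should read `AVX instruction set`. The resulting state is reported in `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling`, which is worth mentioning beside the link.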
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 029db6d..aaefdaf 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -85,3 +85,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" + +## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## encompasses E-cores on hybrid architectures. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" From 8f7768ce96e32e3f1ec52118afffc2a44a160976 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 5 May 2024 12:50:39 +0000 Subject: [PATCH 8/9] Add vendor links --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index aaefdaf..20f62c1 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -7,6 +7,12 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 +## Check for potential updates directly from AMD and Intel. +## +## https://www.amd.com/en/resources/product-security.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html + ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" 
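Review bot: The comment introducing `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"` is a noun phrase, whereas every other block in this file opens with an imperative (`## Enable mitigations for ...`, `## Disable ...`). `## Enable the Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs, which` followed by `## encompasses E-cores on hybrid architectures.` would match the rest of the file. As with the GDS block, the linked kernel document describes this parameter as overriding the kernel's compile-time default rather than turning on something that is otherwise off, so a few words saying that the line pins the setting regardless of how the distribution kernel was built would help. The outcome can be checked in `/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling`.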
From 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 5 May 2024 12:52:51 +0000 Subject: [PATCH 9/9] Remove a word --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 20f62c1..fd997e4 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables all known mitigations for CPU vulnerabilities. +## Enables known mitigations for CPU vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html