From 635c216d4e55eb0c6463c543202aea629c572f5e Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 01:44:36 +0000 Subject: [PATCH] Update docs on CPU mitigations --- README.md | 6 +++--- .../grub.d/40_cpu_mitigations.cfg#security-misc-shared | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 872509a..5e06af6 100644 --- a/README.md +++ b/README.md @@ -142,9 +142,9 @@ and simultaneous multithreading (SMT) is disabled. See the `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto` -kernel boot parameter to perform CPU mitigations like many other distributions -as not only is it's use totally redundant, but it also does not apply all hardening -settings to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859. +kernel boot parameter to perform CPU mitigations like many other distributions. This is +because it's use is both totally redundant and it does not apply all hardening settings +to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859. Note, to achieve complete protection for known CPU vulnerabilities, the latest security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 46e5052..e0e19a3 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared 
@@ -40,6 +40,7 @@ ## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations. ## ## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859 +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html ## ## KSPP=no ## KSPP sets the kernel parameters.
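Review bot: The rewritten README sentence in the first hunk still carries the "it's use" typo from the removed lines (possessive "its"), and the "both ... and" construction no longer pairs two parallel claims ("both totally redundant and it does not apply"). Suggest "This is because its use is both totally redundant and insufficient: it does not apply all hardening settings to their strictest possible levels." so the reason for not relying on `mitigations=auto` reads cleanly.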
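Review bot: The new kernel.org link in the `40_cpu_mitigations.cfg` hunk is dropped into the comment block with no text saying what it documents, unlike the issue link above it, which the preceding sentences introduce. The path (`admin-guide/hw-vuln/attack_vector_controls.html`) points at the upstream attack vector controls documentation for the `mitigations=` parameter, so a one-line comment before the URL stating that this is the upstream reference for the `mitigations=` syntax and semantics would make the block self-explanatory to readers auditing this file.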