Update docs on CPU mitigations

raja-grewal 2025-11-05 01:44:36 +00:00 committed by GitHub
parent 4340bf50b7
commit 635c216d4e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 4 additions and 3 deletions

@ -142,9 +142,9 @@ and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto`
kernel boot parameter to perform CPU mitigations like many other distributions
as not only is it's use totally redundant, but it also does not apply all hardening
settings to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859.
kernel boot parameter to perform CPU mitigations like many other distributions. This is
because it's use is both totally redundant and it does not apply all hardening settings
to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859.
Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
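Review bot: In the replacement sentence, `it's use` should be `its use` (possessive), and the clause `both totally redundant and it does not apply all hardening settings` is not parallel; suggest `This is because its use is both totally redundant and insufficient: it does not apply all hardening settings to their strictest possible levels.` The trailing `like many other distributions` now reads as if it modifies `perform CPU mitigations`; `as many other distributions do` would make the intended comparison clearer.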

@ -40,6 +40,7 @@
## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations.
##
## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
##
## KSPP=no
## KSPP sets the kernel parameters.
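Review bot: The added kernel.org link (admin-guide hw-vuln attack_vector_controls) is inserted as a bare URL directly under the issue link, with nothing saying what each reference covers; a one-line description such as `## Upstream documentation of attack vector controls and their relation to mitigations=auto` above the URL would tell readers which link explains the behaviour the comment block discusses.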