From 6f9763f525097b8f8ad5f9864c1694a2642e1bd6 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sat, 19 Jul 2025 05:19:27 +0000
Subject: [PATCH] Enable `indirect_target_selection=force`
---
 README.md | 2 ++
 etc/default/grub.d/40_cpu_mitigations.cfg | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/README.md b/README.md
index ab0c69a..cf3ea62 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,8 @@ CPU mitigations:
 - Register File Data Sampling (RFDS)
+- Indirect Target Selection (ITS)
+
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file.
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index efc9e5e..d40cb95 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -187,3 +187,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
+
+## Indirect Target Selection (ITS):
+## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
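Review bot: The new comment block in `40_cpu_mitigations.cfg` describes the ITS mitigation but does not say why `force` is chosen over the kernel's default `on`. As I read the linked kernel documentation, `force` marks the CPU as affected and deploys the default mitigation even where the CPU is not enumerated as vulnerable, so the cost is also paid on hardware the kernel would otherwise skip; a line such as `## 'force' applies the mitigation even on CPUs the kernel does not enumerate as affected.` would record that trade-off. As far as I recall from the kernel source, the ITS mitigation is also switched off when Spectre v2 mitigation is disabled or when the kernel lacks retpoline/rethunk support, so it is worth confirming that the `spectre_v2=` setting elsewhere in this file (outside this hunk) keeps it active. After deployment, `/sys/devices/system/cpu/vulnerabilities/indirect_target_selection` shows whether the parameter took effect.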