From 6f9763f525097b8f8ad5f9864c1694a2642e1bd6 Mon Sep 17 00:00:00 2001
From: raja-grewal <rg_public@proton.me>
Date: Sat, 19 Jul 2025 05:19:27 +0000
Subject: [PATCH] Enable `indirect_target_selection=force`

---
 README.md                                 | 2 ++
 etc/default/grub.d/40_cpu_mitigations.cfg | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index ab0c69a..cf3ea62 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,8 @@ CPU mitigations:
 
 - Register File Data Sampling (RFDS)
 
+- Indirect Target Selection (ITS)
+
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
 configuration file.
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index efc9e5e..d40cb95 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -187,3 +187,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
+
+## Indirect Target Selection (ITS):
+## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"