From 73f1e233327cc0edec83eac322b7f03bcb7fba22 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Tue, 19 Jul 2022 02:29:46 +1000
Subject: [PATCH] shuffle and rewording

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 39 ++++++++++++-----------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 7d6eb65..1977eeb 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -1,11 +1,17 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Enables all mitigations for CPU vulnerabilities.
+## Enables all known mitigations for CPU vulnerabilities.
 ##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
-## Enable all mitigations for Spectre Variant 2.
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+##
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
@@ -13,30 +19,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 ## Disable Speculative Store Bypass.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 
-## Disable TSX, enable all mitigations for the TSX Async Abort
-## vulnerability and disable SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
-
-## Enable all mitigations for the MDS vulnerability and disable
-## SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
-
-## Enable all mitigations for the L1TF vulnerability and disable SMT
+## Enable mitigations for the L1TF vulnerability through disabling SMT
 ## and L1D flush runtime control.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## Enable mitigations for the MDS vulnerability through clearing buffer cache
+## and disabling SMT.
 ##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Patches the TAA vulnerability by disabling TSX and enables mitigations using
+## TSX Async Abort along with disabling SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
 
 ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"