shuffle and rewording

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,11 +1,17 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Enables all mitigations for CPU vulnerabilities.
+## Enables all known mitigations for CPU vulnerabilities.
 ##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
-## Enable all mitigations for Spectre Variant 2.
+## Force disable SMT as it has caused numerous CPU vulnerabilities.
+##
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
@@ -13,30 +19,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 ## Disable Speculative Store Bypass.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 
-## Disable TSX, enable all mitigations for the TSX Async Abort
+## Enable mitigations for the L1TF vulnerability through disabling SMT
-## vulnerability and disable SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
-
-## Enable all mitigations for the MDS vulnerability and disable
-## SMT.
-##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
-
-## Enable all mitigations for the L1TF vulnerability and disable SMT
 ## and L1D flush runtime control.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 
-## Force disable SMT as it has caused numerous CPU vulnerabilities.
+## Enable mitigations for the MDS vulnerability through clearing buffer cache
+## and disabling SMT.
 ##
-## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## Patches the TAA vulnerability by disabling TSX and enables mitigations using
+## TSX Async Abort along with disabling SMT.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
 
 ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"