Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 17:36:19 -05:00
Code Issues Projects Releases Packages Wiki Activity

README: Do not rely on mitigations=auto

Browse source
This commit is contained in:
raja-grewal 2025-09-25 15:35:34 +10:00 committed by GitHub
parent b9deefed61
commit 78492e0e56
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -141,6 +141,11 @@ Mitigations for known CPU vulnerabilities are enabled in their strictest form
and simultaneous multithreading (SMT) is disabled. See the
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto`
kernel boot parameter to perform CPU mitigations like many other distributions
as not only is it's use totally redundant, but it also does not apply all hardening
settings to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859.
Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept