From 6f9763f525097b8f8ad5f9864c1694a2642e1bd6 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sat, 19 Jul 2025 05:19:27 +0000
Subject: [PATCH 1/2] Enable `indirect_target_selection=force`
---
 README.md | 2 ++
 etc/default/grub.d/40_cpu_mitigations.cfg | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/README.md b/README.md
index ab0c69a..cf3ea62 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,8 @@ CPU mitigations:
 - Register File Data Sampling (RFDS)
+- Indirect Target Selection (ITS)
+
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file.
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index efc9e5e..d40cb95 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -187,3 +187,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
+
+## Indirect Target Selection (ITS):
+## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
From c1e76aa52cd28f38c1ab6550e0f4de0010a9ea14 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 21 Jul 2025 10:00:25 +0000
Subject: [PATCH 2/2] bumped changelog version
---
 changelog.upstream | 28 ++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 34 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index fb9687f..6a483f4 100644
--- a/changelog.upstream
+++ b/changelog.upstream
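Review bot: In the `40_cpu_mitigations.cfg` hunk, the comment above `indirect_target_selection=force` explains the mitigation but not why `force` is used instead of the kernel default `on`. As I read the linked kernel document, `force` sets the ITS bug flag and deploys the default mitigation even on CPUs the kernel does not list as affected, so unaffected machines also carry the cost. I would add a line after "Currently affects Intel CPUs." such as `## 'force' deploys the mitigation even on CPUs the kernel does not list as affected.` The comment could also say that the parameter does nothing on kernels without ITS support and, if I read the kernel document correctly, when Spectre v2 mitigation is disabled. The effective state can be checked in `/sys/devices/system/cpu/vulnerabilities/indirect_target_selection` after boot.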
@@ -1,3 +1,31 @@
+commit 36114e29a2ce1045b5f5d82372fcf0463efc5ca7
+Merge: e3ce9c3 f851886
+Author: Patrick Schleizer
+Date: Mon Jul 21 06:00:11 2025 -0400
+
+ Merge remote-tracking branch 'github-kicksecure/master'
+
+commit f851886ffd0fc82ba0b0add501964d1c812c6c15
+Merge: e3ce9c3 6f9763f
+Author: Patrick Schleizer
+Date: Mon Jul 21 05:58:44 2025 -0400
+
+ Merge pull request #310 from raja-grewal/its
+
+ Enable `indirect_target_selection=force`
+
+commit 6f9763f525097b8f8ad5f9864c1694a2642e1bd6
+Author: raja-grewal
+Date: Sat Jul 19 05:19:27 2025 +0000
+
+ Enable `indirect_target_selection=force`
+
+commit e3ce9c38c5b241f789945de7229c0ee15fa0a266
+Author: Patrick Schleizer
+Date: Wed Jul 2 20:52:17 2025 +0000
+
+ bumped changelog version
+
 commit b06fb5428051518390439ce95c9d6894e6338951
 Merge: 115b6f6 468cf40
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index 63a49d9..e108966 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:46.4-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Mon, 21 Jul 2025 10:00:25 +0000
+
 security-misc (3:46.3-1) unstable; urgency=medium
 * New upstream version (local package).