From 5e87c9bea49b5a06c1400cb8b632f344cccb6db6 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 3 Nov 2025 04:30:58 +0000
Subject: [PATCH 1/3] Set `kpti=1`

---
 README.md | 2 ++
 .../40_cpu_mitigations.cfg#security-misc-shared | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/README.md b/README.md
index 302c8ab..35815ac 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,8 @@ CPU mitigations:
 - Spectre Side Channels (BTI and BHI)
+- Meltdown
+
 - Speculative Store Bypass (SSB)
 - L1 Terminal Fault (L1TF)
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
index 8f18ad0..4ee58fc 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
@@ -71,6 +71,20 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
+## Meltdown:
+## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
+## Force enable PTI of user and kernel address spaces on all cores.
+## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
+## Currently affects ARM64 CPUs.
+##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+## KSPP=yes
+## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
+
 ## Speculative Store Bypass (SSB):
 ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
 ## Unconditionally enable the mitigation for both kernel and userspace.
From 322584db3346aaa1e3d1f9782b3d22ca2153c7da Mon Sep 17 00:00:00 2001
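Review bot: The new `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"` line is appended for every architecture, but `kpti=` is parsed only by the arm64 kernel (the x86_64 control is `pti=`, which the comment above it already defers to), so on x86_64 hosts the token is an unknown parameter that the kernel logs at boot and hands through to init rather than applies. The "Currently affects ARM64 CPUs." line reads as a statement about which CPUs are vulnerable, not about which kernel parses the option; I would make that explicit with `## Currently affects ARM64 CPUs; "kpti=" is parsed only by the ARM64 kernel and is reported as an unknown parameter elsewhere.` The mirrored note added to 40_kernel_hardening.cfg in PATCH 2/3 has the same gap for `pti=on` being X86_64-only and can be fixed the same way. Separately, "Force enable PTI ... on all cores" overrides the kernel's default of enabling it only on cores that need the mitigation, which is a deliberate performance-for-hardening trade-off worth naming as such in the comment.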
From: raja-grewal
Date: Mon, 3 Nov 2025 04:31:59 +0000
Subject: [PATCH 2/3] Update docs on `pti=on`

---
 README.md | 4 ++--
 .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 35815ac..87b3742 100644
--- a/README.md
+++ b/README.md
@@ -208,8 +208,8 @@ Kernel space:
 - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process.
-- Enable kernel page table isolation to increase KASLR effectiveness and also
-  mitigate the Meltdown CPU vulnerability.
+- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness
+  and also mitigate the Meltdown CPU vulnerability.
 - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 2eef877..73dca75 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
-## Mitigates the Meltdown CPU vulnerability.
+## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability.
+## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1".
 ##
+## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
 ## KSPP=yes
From 53d90b1128d55e352b3eef8ae680a07a825b1ecf Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 3 Nov 2025 04:32:49 +0000
Subject: [PATCH 3/3] Update docs on `ssbd=force-on`

---
 etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
index 4ee58fc..0bd8665 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
@@ -88,7 +88,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
 ## Speculative Store Bypass (SSB):
 ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
 ## Unconditionally enable the mitigation for both kernel and userspace.
-## Currently affects both AMD and Intel CPUs.
+## Currently affects AMD, ARM64, and Intel CPUs.
 ##
 ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
 ## https://www.suse.com/support/kb/doc/?id=000019189
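Review bot: The reworded line `## Currently affects AMD, ARM64, and Intel CPUs.` conflates which CPUs are vulnerable to SSB with which kernel parses the option, and the `ssbd=` parameter named in the commit subject is an arm64-only option, whereas x86 controls this mitigation through `spec_store_bypass_disable=`. The GRUB_CMDLINE_LINUX line for this block lies outside the hunk, so I cannot tell whether an x86 parameter is also set; if only `ssbd=force-on` is, AMD and Intel hosts get nothing from this block and the comment should say so, mirroring the cross-reference wording the Meltdown block in this same file uses for `pti=on`. A split sentence avoids the ambiguity either way: `## Vulnerable CPUs include AMD, ARM64, and Intel; "ssbd=" is parsed only by the ARM64 kernel.`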