From b9d65338bcc76552e4d2169106cd04e6276eb320 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2020 05:55:13 -0500 Subject: [PATCH] unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...) this might reduce performance * `spectre_v2=on` * `spec_store_bypass_disable=on` * `tsx=off` * `tsx_async_abort=full,nosmt` Thanks to @madaidan for the suggestion! https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 --- etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e8da9a2..82a2bb8 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -36,6 +36,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" ## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" + +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" + +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" + +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" + ## Enables all mitigations for the MDS vulnerability. ## Disables smt which can be used to exploit the MDS vulnerability. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
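Review bot: the four added `GRUB_CMDLINE_LINUX` lines in this hunk carry no explanatory comment, while every neighbouring setting in 40_kernel_hardening.cfg (`pti=on`, `mds=full,nosmt`) is preceded by a `##` line stating which vulnerability it mitigates and what it costs. Please add the same kind of comment above each new line, including the performance caveat and the SMT impact that the commit message mentions but the file does not, for example `## Unconditionally enables the Spectre v2 mitigation; might reduce performance.` above `spectre_v2=on` and `## Disables TSX and applies the full TSX Async Abort mitigation, which also disables SMT.` above the `tsx=off` / `tsx_async_abort=full,nosmt` pair, so a reader of the config can see why each flag is there without consulting the git log.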