From 4231155efa0970d2456b67cc89c8828b0766cf7f Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 29 Jan 2024 12:57:48 +0000
Subject: [PATCH 1/5] Add reference for kernel parameters

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 1351206..e92d7cc 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -4,6 +4,7 @@
 ## Enables all known mitigations for CPU vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
 ## Enable mitigations for Spectre variant 2 (indirect branch speculation).

From 4509a5fc95204080f2855849d22c7e05393455d9 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 29 Jan 2024 12:58:14 +0000
Subject: [PATCH 2/5] Enable known mitigations for CPU vulnerabilities and disable SMT

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index e92d7cc..8bcf7c2 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -7,6 +7,9 @@
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
+## Enable known mitigations for CPU vulnerabilities and disable SMT.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
+
 ## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
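Review bot: The comment on the added `mitigations=` line overstates what `nosmt` does here: per the kernel-parameters document this file cites, `mitigations=auto,nosmt` disables SMT only when a detected vulnerability's mitigation requires it, so SMT can stay enabled on a host where none of the affected bugs are reported. Turning SMT off unconditionally is a separate parameter (`nosmt`), which the file does not set. I would reword the line to `## Enable all known mitigations for CPU vulnerabilities, disabling SMT only where a mitigation requires it.` so a reader does not assume hyperthreading is off on every machine. The same conditional `,nosmt` semantics apply to the per-vulnerability line added in patch 3/5.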
From 6c54e35027e86ec045102cd1d95f84aa30bc55c9 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 29 Jan 2024 12:58:51 +0000
Subject: [PATCH 3/5] Enable mitigations for RETBleed vulnerability and disable SMT

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 8bcf7c2..e90579c 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -63,3 +63,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
+
+## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
+## Return Instructions) vulnerability and disable SMT.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"

From 139b10a9aad85018f87bdc4bb227e938f7955235 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 29 Jan 2024 12:59:13 +0000
Subject: [PATCH 4/5] Control RAS overflow mitigation on AMD Zen CPUs

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index e90579c..7c55707 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -68,3 +68,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 ## Return Instructions) vulnerability and disable SMT.
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
+
+## Control RAS overflow mitigation on AMD Zen CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"

From b16c99ab62a902b1f61b9d4fe63273cd614e757c Mon Sep 17 00:00:00 2001
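Review bot: The added RETBleed block ends with a bare `##` where every sibling entry in this file follows `##` with a kernel.org reference, so the empty line reads as a missing link rather than a deliberate spacer. As far as I can tell the hw-vuln guide has no dedicated RETBleed page, so the `retbleed=` entry in the kernel-parameters document already cited at the top of the file is the natural reference; either put that URL on the `##` line or drop the line. The `auto,nosmt` value itself matches the documented option, and as with the `mitigations=` line its SMT effect is conditional on the mitigation needing it, which the "disable SMT" wording does not convey.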
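Review bot: `RAS` in the new comment is the kernel-parameters wording for Return Address Stack, but without expansion it is easily read as Reliability/Availability/Serviceability, which is a different kernel subsystem. Since this comment survives into patch 5/5, which removes the explicit setting but keeps the heading, I would spell it out: `## Control Speculative Return Stack Overflow (SRSO) mitigation on AMD Zen CPUs.` The srso.html reference directly below already uses that name, so the comment and its link would then agree.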
From: raja-grewal
Date: Mon, 29 Jan 2024 13:39:40 +0000
Subject: [PATCH 5/5] Remove hardcoded `spec_rstack_overflow` setting

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 7c55707..9bd9fc5 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -70,6 +70,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 
 ## Control RAS overflow mitigation on AMD Zen CPUs.
+## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
+## This default will used until provided sufficient evidence to modify.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
+
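Review bot: The added explanatory line has a grammar slip (`will used`), and the block now documents a parameter that is no longer set anywhere in the file, which the text does not make obvious; suggest `## The kernel default, 'spec_rstack_overflow=safe-ret', is deliberately left in place` followed by `## and will be kept until there is sufficient evidence to change it.` Because the effective SRSO mitigation now depends on the running kernel's default rather than on this file, it is worth saying so in the comment, and noting that `/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow` is where to confirm the active state on a given host. The lone `+` at the end of the hunk also adds a trailing blank line at end of file.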