Merge pull request #197 from raja-grewal/mitigations

Additional Explicit CPU Mitigations

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -4,8 +4,12 @@
 ## Enables all known mitigations for CPU vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
+## Enable known mitigations for CPU vulnerabilities and disable SMT.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
+
 ## Enable mitigations for Spectre variant 2 (indirect branch speculation).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
@@ -59,3 +63,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
+
+## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
+## Return Instructions) vulnerability and disable SMT.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
+
+## Control RAS overflow mitigation on AMD Zen CPUs.
+## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
+## This default will used until provided sufficient evidence to modify.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+