Merge spectre mitigations

raja-grewal 2024-05-01 13:47:40 +10:00 committed by GitHub
parent 965c8641fd
commit de4f4be947
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -10,10 +10,11 @@
## Enable known mitigations for CPU vulnerabilities and disable SMT.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Enable mitigations for Spectre variant 2 (indirect branch speculation).
## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
## and Intel branch history injection (BHI) vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
## Disable Speculative Store Bypass.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
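Review bot: the new assignment `spectre_v2=on spectre_bhi=on` puts two kernel parameters on one line, while the neighbouring assignments in this hunk (`mitigations=auto,nosmt`, `spec_store_bypass_disable=on`) each carry a single parameter. That makes it harder to comment out, override or grep for one mitigation without touching the other. Consider keeping two separate `GRUB_CMDLINE_LINUX` assignments under the shared comment block. The rewritten comment also changes "variant 2" to "Variant 2" and labels BHI as Intel-specific; it would help to say in the comment what `spectre_bhi=on` is expected to do on non-Intel hardware, since the setting is applied unconditionally.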
@ -74,8 +75,3 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## This default will used until provided sufficient evidence to modify.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
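Review bot: after this removal the file ends on the SRSO comment block, whose retained line "This default will used until provided sufficient evidence to modify." is missing a "be" and is no longer followed by any setting, so the file now closes with a comment that describes a default without showing one. Since these lines are in the context of this hunk anyway, fix the wording here and state which SRSO default is meant. Also confirm that `spectre_bhi=on` now appears exactly once in the file, given that this block is dropped in favour of the combined line near `spectre_v2=on`.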