Refactor CPU mitigations

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -17,7 +17,7 @@
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
 
-## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
+## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
 ##
 ## KSPP=yes
 ## KSPP sets the kernel parameters.
@@ -27,7 +27,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
 ## The only full mitigation of cross-HT attacks is to disable SMT.
 ## Disabling will significantly decrease system performance on multi-threaded tasks.
-## To enable SMT, remove this line and all other occurrences of "nosmt" in this file.
+## Note, this setting will prevent re-enabling SMT via the sysfs interface.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
@@ -36,95 +36,125 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## KSPP=yes
 ## KSPP sets the kernel parameter.
 ##
+## To re-enable SMT:
+## - Remove "nosmt=force".
+## - Remove all occurrences of ",nosmt" in this file (note the comma ",").
+## - Downgrade "l1tf=full,force" protection to "l1tf=flush".
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 
-## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
+## Spectre Side Channels (BTI and BHI):
-## and Intel branch history injection (BHI) vulnerabilities.
+## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection).
+## Enable mitigation for the Intel branch history injection vulnerability.
+## Currently affects both AMD and Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
-## Disable Speculative Store Bypass (Spectre Variant 4).
+## Speculative Store Bypass (SSB):
-## Unconditionally enable mitigation for both kernel and userspace.
+## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
+## Unconditionally enable the mitigation for both kernel and userspace.
+## Currently affects both AMD and Intel CPUs.
 ##
+## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
 ## https://www.suse.com/support/kb/doc/?id=000019189
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 
-## Enable mitigations for the L1TF vulnerability through disabling SMT
+## L1 Terminal Fault (L1TF):
-## and L1D flush runtime control.
+## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 
-## Enable mitigations for the MDS vulnerability through clearing buffer cache
+## Microarchitectural Data Sampling (MDS):
-## and disabling SMT.
+## Mitigate the vulnerability by clearing the buffer cache and disabling SMT.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 
-## Patches the TAA vulnerability by disabling TSX and enables mitigations using
+## TSX Asynchronous Abort (TAA):
-## TSX Async Abort along with disabling SMT.
+## Mitigate the vulnerability by disabling TSX.
+## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
 
-## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
+## iTLB Multihit:
+## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 
-## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions
+## Special Register Buffer Data Sampling (SRBDS):
-## are only possible through microcode updates from Intel.
+## Mitigation of the vulnerability is only possible via microcode updates from Intel.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691
 
-## Enable the prctl() interface to prevent leaks from L1D on context switches.
+## L1D Flushing:
+## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 
-## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT.
+## MMIO Stale Data:
+## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 
-## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
+## Arbitrary Speculative Code Execution with Return Instructions (Retbleed):
-## Return Instructions) vulnerability and disable SMT.
+## Mitigate the vulnerability through CPU-dependent implementation and disable SMT.
+## Currently affects both AMD Zen 1-2 and Intel CPUs.
 ##
+## https://en.wikipedia.org/wiki/Retbleed
+## https://comsec.ethz.ch/research/microarch/retbleed/
 ## https://www.suse.com/support/kb/doc/?id=000020693
+## https://access.redhat.com/solutions/retbleed
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 
-## Control RAS overflow mitigation on AMD Zen CPUs.
+## Speculative Return Stack Overflow (SRSO):
+## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location.
+## Currently affects AMD Zen 1-4 CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
 ##
 ## The default kernel setting will be utilized until provided sufficient evidence to modify.
+## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
 
-## Enable Gather Data Sampling (GDS) mitigation.
+## Gather Data Sampling (GDS):
-## Note for systems that have not received a suitable microcode update this will
+## Mitigate the vulnerability either via microcode update or by disabling AVX.
-## entirely disable use of the AVX instructions set.
+## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
+## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 
-## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
+## Register File Data Sampling (RFDS):
-## encompasses E-cores on hybrid architectures.
+## Mitigate the vulnerability by appropriately clearing the CPU buffer.
+## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##