From b9deefed61b40127bbb7aaad8dd83f256b68f896 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 25 Sep 2025 15:34:54 +1000 Subject: [PATCH 1/4] Incompleteness of `mitigations=auto,nosmt` --- .../40_cpu_mitigations.cfg#security-misc-shared | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 8f18ad0..ea8c915 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -34,12 +34,17 @@ ## https://uefi.org/revocationlistfile ## https://github.com/fwupd/fwupd -## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. +## Enable a subset of known default mitigations for some CPU vulnerabilities and disable SMT. +## Note that this redundant parameter simply applies each mitigation at the already applied default settings. +## The default values are not always the strictest and so we reapply each below to their highest setting. +## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations. ## -## KSPP=yes +## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859 +## +## KSPP=no ## KSPP sets the kernel parameters. ## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. From 78492e0e5656990ecec7ad2641d5f7e46a264aab Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 25 Sep 2025 15:35:34 +1000 Subject: [PATCH 2/4] README: Do not rely on `mitigations=auto` --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index f784bbf..872509a 100644 --- a/README.md +++ b/README.md 
@@ -141,6 +141,11 @@ Mitigations for known CPU vulnerabilities are enabled in their strictest form and simultaneous multithreading (SMT) is disabled. See the `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. +Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto` +kernel boot parameter to perform CPU mitigations like many other distributions +as not only is it's use totally redundant, but it also does not apply all hardening +settings to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859. + Note, to achieve complete protection for known CPU vulnerabilities, the latest security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept From 4340bf50b7bf9112703d78fae4e8ca4f5e458ab6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Sep 2025 15:46:06 +1000 Subject: [PATCH 3/4] Warnings about using `mitigations=auto,nosmt` --- etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index ea8c915..46e5052 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -44,6 +44,9 @@ ## KSPP=no ## KSPP sets the kernel parameters. ## +## WARNING: Do not enable this parameter, it is presented here only for educational purposes. +## WARNING: Parameters are applied consecutively and so do not ever move this setting down. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. From 635c216d4e55eb0c6463c543202aea629c572f5e Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Wed, 5 Nov 2025 01:44:36 +0000 Subject: [PATCH 4/4] Update docs on CPU mitigations --- README.md | 6 +++--- .../grub.d/40_cpu_mitigations.cfg#security-misc-shared | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 872509a..5e06af6 100644 --- a/README.md +++ b/README.md @@ -142,9 +142,9 @@ and simultaneous multithreading (SMT) is disabled. See the `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Importantly, we do not rely on the use of the already enabled-by-default `mitigations=auto` -kernel boot parameter to perform CPU mitigations like many other distributions -as not only is it's use totally redundant, but it also does not apply all hardening -settings to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859. +kernel boot parameter to perform CPU mitigations like many other distributions. This is +because it's use is both totally redundant and it does not apply all hardening settings +to their strictest possible levels. See issue: https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859. Note, to achieve complete protection for known CPU vulnerabilities, the latest security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 46e5052..e0e19a3 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared 
@@ -40,6 +40,7 @@ ## We retain it here for completeness as many other distributions heavily rely on this for many CPU mitigations. ## ## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859 +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html ## ## KSPP=no ## KSPP sets the kernel parameters.
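Review bot: In the patch 1/4 hunk for `40_cpu_mitigations.cfg` (`@@ -34,12 +34,17 @@`), the new comment calls the parameter "redundant" because it "simply applies each mitigation at the already applied default settings", but `mitigations=auto,nosmt` is not the kernel default: the `,nosmt` suffix is what forced SMT off on affected CPUs, so only the `auto` half is redundant. Once this line is commented out, SMT disabling depends entirely on the separate SMT setting introduced by the "## Disable SMT as it has been the cause of..." block that follows, and the comment should say so explicitly so a later edit to that block cannot silently leave SMT enabled. In the same hunk, flipping `## KSPP=yes` to `## KSPP=no` directly above the unchanged "## KSPP sets the kernel parameters." line reads as a contradiction; if the annotation records that KSPP recommends this parameter it should stay `yes`, and if it records whether this file applies it, the following line needs rewording to match.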
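Review bot: In the patch 2/4 README hunk (`@@ -141,6 +141,11 @@`), "as not only is it's use totally redundant" should read "its use" (possessive, not the contraction). The sentence is also hard to parse; "not only is ... but it also does not apply" reads better as "its use is redundant and it does not apply all hardening settings to their strictest possible levels."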
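Review bot: In the patch 3/4 hunk for `40_cpu_mitigations.cfg` (`@@ -44,6 +44,9 @@`), the second WARNING ("Parameters are applied consecutively and so do not ever move this setting down") gives no rationale, and since the `GRUB_CMDLINE_LINUX` line it guards is commented out, its position currently has no effect on the generated command line. Suggest stating the condition and the reason in the comment, e.g. "If this line is ever uncommented, keep it above the individual mitigation settings below so that they are appended after it", and naming which later settings it would interact with, so the warning is actionable rather than a bare prohibition. The first WARNING's "only for educational purposes" would also be clearer as "kept commented out only to document what other distributions rely on", which is what the earlier comment block already says.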
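Review bot: In the patch 4/4 README hunk (`@@ -142,9 +142,9 @@`), the rewritten sentence still carries the "it's use" typo and is now ungrammatical: "its use is both totally redundant and it does not apply" pairs "both" with a clause rather than a second adjective. Suggest "This is because its use is totally redundant and it does not apply all hardening settings to their strictest possible levels." (or "both redundant and incomplete").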
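Review bot: In the patch 4/4 hunk for `40_cpu_mitigations.cfg` (`@@ -40,6 +40,7 @@`), the kernel attack_vector_controls URL is appended to the reference list with no hint of why it belongs next to the `mitigations=auto,nosmt` discussion. A one-line comment saying what the reader should take from it (that it is the upstream documentation for the `mitigations=` parameter and how its selections relate to the individual per-vulnerability settings this file applies) would make the reference useful rather than a bare link, and would keep the config comments consistent with the README paragraph that cites the same issue.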