Merge pull request #292 from raja-grewal/cpu_table

Add link to tabular comparison of CPU mitigations
2025-02-13 07:41:27 -05:00 · 2025-01-10 10:30:34 -05:00 · 2025-01-10 10:30:34 -05:00 · e9ef3602dd
commit e9ef3602dd
parent 1b33e83529 cf435a8fa8
2 changed files with 11 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -136,7 +136,9 @@ Networking:
 Mitigations for known CPU vulnerabilities are enabled in their strictest form
 and simultaneous multithreading (SMT) is disabled. See the
-`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
+`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve
 complete protection for known CPU vulnerabilities, the latest security microcode
 (BIOS/UEFI) updates must also be installed on the system.
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@ -18,6 +18,14 @@
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
 ## Tabular comparison between the utility and functionality of various mitigations.
 ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587
 ## For complete protection, users must install the latest relevant security microcode update.
 ## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
 ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
 ## The parameters below only provide (partial) protection at both the kernel and user space level.
 ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
 ##
 ## KSPP=yes