## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables all mitigations for CPU vulnerabilities. ## ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Enable all mitigations for Spectre Variant 2. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" ## Disable Speculative Store Bypass. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Disable TSX, enable all mitigations for the TSX Async Abort ## vulnerability and disable SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" ## Enable all mitigations for the MDS vulnerability and disable ## SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" ## Enable all mitigations for the L1TF vulnerability and disable SMT ## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## Force disable SMT as it has caused numerous CPU vulnerabilities. ## ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html#mitigation-control-on-the-kernel-command-line-and-kvm-module-parameter GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"