## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## Enable known mitigations for CPU vulnerabilities.
## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647

## Check for potential updates directly from AMD and Intel.
## https://www.amd.com/en/resources/product-security.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html

## Tabular comparison between the utility and functionality of various mitigations.
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587

## For complete protection, users must install the latest relevant security microcode update.
## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
## The parameters below only provide (partial) protection at both the kernel and user space level.

## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
##
## KSPP=yes
## KSPP sets the kernel parameters.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"

## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
## The only full mitigation of cross-HT attacks is to disable SMT.
## Disabling will significantly decrease system performance on multi-threaded tasks.
## Note, this setting will prevent re-enabling SMT via the sysfs interface.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
##
## KSPP=yes
## KSPP sets the kernel parameter.
##
## To re-enable SMT:
## - Remove "nosmt=force".
## - Remove all occurrences of ",nosmt" in this file (note the comma ",").
## - Downgrade "l1tf=full,force" protection to "l1tf=flush".
## - Regenerate the dracut initramfs and then reboot system.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"

## Spectre Side Channels (BTI and BHI):
## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection).
## Enable mitigation for the Intel branch history injection vulnerability.
## Currently affects both AMD and Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"

## Speculative Store Bypass (SSB):
## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
## Unconditionally enable the mitigation for both kernel and userspace.
## Currently affects both AMD and Intel CPUs.
##
## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
## https://www.suse.com/support/kb/doc/?id=000019189
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"

## L1 Terminal Fault (L1TF):
## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"

## Microarchitectural Data Sampling (MDS):
## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"

## TSX Asynchronous Abort (TAA):
## Mitigate the vulnerability by disabling TSX.
## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"

## iTLB Multihit:
## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"

## Special Register Buffer Data Sampling (SRBDS):
## Mitigation of the vulnerability is only possible via microcode update from Intel.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://access.redhat.com/solutions/5142691

## L1D Flushing:
## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"

## Processor MMIO Stale Data:
## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"

## Arbitrary Speculative Code Execution with Return Instructions (Retbleed):
## Mitigate the vulnerability through CPU-dependent implementation and disable SMT.
## Currently affects both AMD Zen 1-2 and Intel CPUs.
##
## https://en.wikipedia.org/wiki/Retbleed
## https://comsec.ethz.ch/research/microarch/retbleed/
## https://www.suse.com/support/kb/doc/?id=000020693
## https://access.redhat.com/solutions/retbleed
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"

## Cross-Thread Return Address Predictions:
## Mitigate the vulnerability for certain KVM hypervisor configurations.
## Currently affects AMD Zen 1-2 CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"

## Speculative Return Stack Overflow (SRSO):
## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
## Currently affects AMD Zen 1-4 CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
##
## The default kernel setting will be utilized until provided sufficient evidence to modify.
## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"

## Gather Data Sampling (GDS):
## Mitigate the vulnerability either via microcode update or by disabling AVX.
## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
## Currently affects Intel CPUs.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"

## Register File Data Sampling (RFDS):
## Mitigate the vulnerability by appropriately clearing the CPU buffer.
## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"