## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables known mitigations for CPU vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Check for potential updates directly from AMD and Intel. ## ## https://www.amd.com/en/resources/product-security.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) ## and Intel branch history injection (BHI) vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" ## Disable Speculative Store Bypass (Spectre Variant 4). ## ## https://www.suse.com/support/kb/doc/?id=000019189 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## Enable mitigations for the MDS vulnerability through clearing buffer cache ## and disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" ## Patches the TAA vulnerability by disabling TSX and enables mitigations using ## TSX Async Abort along with disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. ## Only mitigated through microcode updates from Intel. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 ## Force disable SMT as it has caused numerous CPU vulnerabilities. ## The only full mitigation of cross-HT attacks is to disable SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" ## Enables the prctl interface to prevent leaks from L1D on context switches. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" ## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## ## https://www.suse.com/support/kb/doc/?id=000020693 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. ## The current default kernel parameter is 'spec_rstack_overflow=safe-ret' ## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## Mitigates Gather Data Sampling (GDS) vulnerability. ## Note for systems that have not received a suitable microcode update this will ## entirely disable use of the AVX instructions set. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" ## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## encompasses E-cores on hybrid architectures. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"