security-misc/etc/default/grub.d/40_cpu_mitigations.cfg
2024-04-12 00:17:06 +10:00

83 lines
3.8 KiB
INI

## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Enables all known mitigations for CPU vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
## Enable known mitigations for CPU vulnerabilities and disable SMT.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
## Enable mitigations for Spectre variant 2 (indirect branch speculation).
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
## Disable Speculative Store Bypass.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
## Enable mitigations for the L1TF vulnerability through disabling SMT
## and L1D flush runtime control.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
## Enable mitigations for the MDS vulnerability through clearing buffer cache
## and disabling SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
## Patches the TAA vulnerability by disabling TSX and enables mitigations using
## TSX Async Abort along with disabling SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt"
## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
## Only mitigated through microcode updates from Intel.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
## https://access.redhat.com/solutions/5142691
## Force disable SMT as it has caused numerous CPU vulnerabilities.
## The only full mitigation of cross-HT attacks is to disable SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
## Enables the prctl interface to prevent leaks from L1D on context switches.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
## Return Instructions) vulnerability and disable SMT.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
## Control RAS overflow mitigation on AMD Zen CPUs.
## The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
## This default will used until provided sufficient evidence to modify.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925
## TODO: update the above link with better alternative when possible
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"