I noticed that when it comes to kernel command line options for CPU vulnerability mitigations there is only the following:
# Mitigates all known CPU vulnerabilities, disabling SMT *if needed*.
mitigations=auto,nosmt
While this is a very convenient and efficient way to enable them, there is an apparent flaw in this approach, which I have discussed here Kicksecure/security-misc#199 (comment) and which I would like to bring to everyone's attention.
In short, this usage is incomplete as the two parameters together do not perform maximum hardening by default.
Using the kernel docs as a guide, we can find several others that can be tightened, as I have noted in the Kicksecure issue.
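One way to see the point of the post on a concrete host is to stop trusting the umbrella parameter and look at two things the kernel actually exposes: the per-vulnerability parameters present (or absent) in the command line, and the status strings under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not code from the original post or from Kicksecure's security-misc. The sample command line and the sysfs status strings it builds are constructed to resemble a host booted with `mitigations=auto,nosmt`, and the classifier that treats "prctl", "seccomp" and "conditional" mitigations as not fully tightened is my heuristic, not a kernel-defined rule.

```shell
#!/bin/sh
# Added example, not from the original post or Kicksecure's security-misc.
# Shows what `mitigations=auto,nosmt` leaves behind: (1) which per-vulnerability
# kernel parameters are still unset on the command line, and (2) which sysfs
# status entries are still vulnerable or only conditionally / opt-in mitigated.
# The command line and status strings below are CONSTRUCTED for illustration.
# On a real host use: audit_vulns /sys/devices/system/cpu/vulnerabilities and
# cmdline_param "$(cat /proc/cmdline)" NAME.

# cmdline_param CMDLINE NAME: print the value of NAME=value, or nothing if unset.
cmdline_param() {
    for tok in $1; do
        case $tok in
            "$2="*) printf '%s\n' "${tok#*=}" ;;
        esac
    done
    return 0
}

# classify_status STATUS: ok | WEAK | UNKNOWN.
# WEAK (heuristic, assumed here): still vulnerable, or mitigated only
# conditionally / per-process (prctl, seccomp) rather than unconditionally,
# i.e. something a dedicated parameter from kernel-parameters.txt can tighten.
classify_status() {
    case $1 in
        "Not affected"*)                      echo ok ;;
        "Vulnerable"*|"KVM: Vulnerable"*)     echo WEAK ;;
        *prctl*|*seccomp*|*conditional*)      echo WEAK ;;
        "Mitigation: "*|"KVM: Mitigation: "*) echo ok ;;
        *)                                    echo UNKNOWN ;;
    esac
}

# audit_vulns DIR: one report line per status file in DIR (name, verdict, status).
audit_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-20s %-8s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# count_weak DIR: number of entries that are not unconditionally mitigated.
count_weak() {
    audit_vulns "$1" | awk '$2 != "ok" { n++ } END { print n + 0 }'
}

# make_sample_sysfs: temp dir of CONSTRUCTED status files mimicking the kernel's
# format for a host booted with mitigations=auto,nosmt; prints the directory.
make_sample_sysfs() {
    d=$(mktemp -d)
    printf '%s\n' 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$d/spectre_v1"
    printf '%s\n' 'Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling' > "$d/spectre_v2"
    printf '%s\n' 'Mitigation: Speculative Store Bypass disabled via prctl' > "$d/spec_store_bypass"
    printf '%s\n' 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled' > "$d/l1tf"
    printf '%s\n' 'Mitigation: Clear CPU buffers; SMT disabled' > "$d/mds"
    printf '%s\n' 'Mitigation: PTI' > "$d/meltdown"
    printf '%s\n' 'Not affected' > "$d/srbds"
    printf '%s\n' 'KVM: Vulnerable' > "$d/itlb_multihit"
    printf '%s\n' 'Vulnerable: Clear CPU buffers attempted, no microcode' > "$d/tsx_async_abort"
    printf '%s\n' "$d"
}

# Constructed sample command line: only the umbrella parameter is present.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet mitigations=auto,nosmt'

main() {
    echo "mitigations=$(cmdline_param "$SAMPLE_CMDLINE" mitigations)"
    # Real per-vulnerability parameters from kernel-parameters.txt; none is set
    # by the umbrella, so each falls back to its own (often conditional) default.
    for p in spectre_v2 spec_store_bypass_disable l1tf mds tsx_async_abort; do
        v=$(cmdline_param "$SAMPLE_CMDLINE" "$p")
        echo "$p=${v:-<not set, kernel default applies>}"
    done
    d=$(make_sample_sysfs)
    audit_vulns "$d"
    echo "entries not unconditionally mitigated: $(count_weak "$d")"
    rm -rf "$d"
}

main
```

Running it against a real host instead of the constructed directory gives the list of entries worth cross-checking against the per-vulnerability options in the kernel's admin guide before deciding that `mitigations=auto,nosmt` is sufficient.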