[docs] keep up with upstream - 3bfda66
EsseLowNitro authored Dec 24, 2024
1 parent 6876362 commit 17e73b1
Showing 1 changed file with 19 additions and 16 deletions.
35 changes: 19 additions & 16 deletions content/KARGS.md
Expand Up @@ -87,19 +87,31 @@ Stable kargs that are always applied by the `set-kargs-hardening` ujust script.

`l1d_flush=on`

**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasn’t been updated to include the mitigation.**
**Force enables all available mitigations for the L1TF vulnerability.**

`gather_data_sampling=force`
`l1tf=full,force`

**Enables unconditional flushes, required for complete l1d vuln mitigation.**

`kvm-intel.vmentry_l1d_flush=always`

## Optional

Optional kargs that can be inclusively set alongside the stable kargs detailed above. The `set-kargs-hardening` command prompts the user on whether to add these.

### Disable 32-bit processes and syscalls

**32-bit support is needed by some legacy software, such as Steam**

`ia32_emulation=0`

### Force disable simultaneous multithreading

**Disables this hardware feature on user request, regardless of whether it is affected by known vulnerabilities**

`nosmt=force`

## Unstable

Unstable kargs that can be inclusively set alongside the stable kargs detailed above. The `set-kargs-hardening` command prompts the user on whether to add these.
### Unstable kargs: may cause issues on some hardware

**Fill IOMMU protection gap by setting the busmaster bit during early boot**

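Review bot: the intro paragraph of the new `## Optional` section is a verbatim copy of the `## Unstable` intro ("...can be inclusively set alongside the stable kargs detailed above. The `set-kargs-hardening` command prompts the user on whether to add these."), so a reader cannot tell how the two categories differ. State the distinction in the Optional intro, for example that these kargs are believed stable but are opt-in because they remove functionality (32-bit support, SMT), and keep the "may cause issues on some hardware" wording for Unstable only. The bold line under `### Disable 32-bit processes and syscalls` is also the only entry whose bold text is a caveat rather than a description of what the karg does; the removed "Disables support for 32-bit processes, and syscalls" sentence should be kept as the description, with the Steam note following it. Finally, `l1tf=full,force` and `kvm-intel.vmentry_l1d_flush=always` are promoted from Unstable to Stable with no explanation in the file or the commit message; a short note on why they are now considered stable would help the next person auditing this list.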
Expand All @@ -109,15 +121,6 @@ Unstable kargs that can be inclusively set alongside the stable kargs detailed a

`debugfs=off`

**Disables support for 32-bit processes, and syscalls**
This is considered unstable but the user is prompted separately on whether they want this.

`ia32_emulation=0`

**Force enables all available mitigations for the L1TF vulnerability.**

`l1tf=full,force`

**Enables unconditional flushes, required for complete l1d vuln mitigation.**
**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasn’t been updated to include the mitigation.**

`kvm-intel.vmentry_l1d_flush=always`
`gather_data_sampling=force`

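Review bot: `gather_data_sampling=force` is demoted from Stable to Unstable, but its description is carried over unchanged and says nothing about why it may cause issues. The description itself names the likely reason (the fallback disables AVX on affected systems whose microcode lacks the mitigation), so make that explicit under the Unstable heading, e.g. "Unstable because the fallback path disables AVX on systems without updated microcode, which can break AVX-dependent software." That keeps the entry consistent with the section's "may cause issues on some hardware" promise.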