Differences

This shows you the differences between two versions of the page.

--- linux_hardening_guide:boot_parameters [2025/05/31 15:38] – [Kernel self-protection] peter
+++ linux_hardening_guide:boot_parameters [2025/05/31 15:42] (current) – peter
@@ Line 125: / Line 125: @@
 These parameters prevent information leaks during boot and must be used in combination with the **kernel.printk** sysctl documented at [[Linux Hardening Guide:sysctl|sysctl]].
+----
+===== CPU mitigations =====
+<WRAP info>
+**NOTE:**  It is best to enable all CPU mitigations that are applicable to your CPU as to ensure that you are not affected by known vulnerabilities.
+  * This is a list that enables all built-in mitigations:
+</WRAP>
+<code bash>
+spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force
+</code>
+----
+===== Result =====
+If you have followed all of the above recommendations, excluding your specific CPU mitigations, you will have:
+<code bash>
+slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0
+</code>
+<WRAP info>
+**NOTE:**  You need to regenerate your GRUB configuration file to apply these if using GRUB as your bootloader.
+</WRAP>
 ----