Boot parameters (side channel mitigations)

[mmisono]

Linux has several side channel mitigations (KPTI, spectre, L1F, ...). We should enable appropriate ones.

• https://docs.kernel.org/admin-guide/hw-vuln/index.html
• https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html#bounds-check-bypass-spectre-v1

TODO

• List available mitigation
• Check Linux's default configuration
• Determine which one should be enabled for evaluation

[mmisono]

I think the default behavior is

• https://docs.kernel.org/admin-guide/kernel-parameters.html

 mitigations=
[...]
                        auto (default)
                                Mitigate all CPU vulnerabilities, but leave SMT
                                enabled, even if it's vulnerable.  This is for
                                users who don't want to be surprised by SMT
                                getting disabled across kernel upgrades, or who
                                have other ways of avoiding SMT-based attacks.
                                Equivalent to: (default behavior)

And we disable hyperthreading in the BIOS, so the default parameter should be fine.