Update kargs

Signed-off-by: Tommy <contact@tommytran.io>
2025-11-04 11:08:35 +01:00 · 2024-05-27 13:23:30 -07:00
parent e5f5980e0c
commit 4906ea33d8
5 changed files with 13 additions and 1 deletions
--- a/UTM-Chrony.ign
+++ b/UTM-Chrony.ign
@@ -6,12 +6,15 @@
    "shouldExist": [
      "mitigations=auto,nosmt",
      "spectre_v2=on",
+      "spectre_bhi=on",
      "spec_store_bypass_disable=on",
      "tsx=off",
      "kvm.nx_huge_pages=force",
      "nosmt=force",
      "l1d_flush=on",
      "spec_rstack_overflow=safe-ret",
+      "gather_data_sampling=force",
+      "reg_file_data_sampling=on",
      "random.trust_bootloader=off",
      "random.trust_cpu=off",
      "intel_iommu=on",
--- a/UTM-Chrony.yml
+++ b/UTM-Chrony.yml
@@ -190,12 +190,15 @@ kernel_arguments:
  should_exist:
    - mitigations=auto,nosmt
    - spectre_v2=on
+    - spectre_bhi=on
    - spec_store_bypass_disable=on
    - tsx=off
    - kvm.nx_huge_pages=force
    - nosmt=force
    - l1d_flush=on
    - spec_rstack_overflow=safe-ret
+    - gather_data_sampling=force 
+    - reg_file_data_sampling=on
    - random.trust_bootloader=off
    - random.trust_cpu=off
    - intel_iommu=on
--- a/2
+++ b/2
@@ -14,4 +14,4 @@

 # This file is just incase you want to quickly copy-paste the kernel arguments into `rpm-ostree kargs`

-mitigations=auto,nosmt spectre_v2=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=isolation_force efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off
+mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@@ -6,12 +6,15 @@
    "shouldExist": [
      "mitigations=auto,nosmt",
      "spectre_v2=on",
+      "spectre_bhi=on",
      "spec_store_bypass_disable=on",
      "tsx=off",
      "kvm.nx_huge_pages=force",
      "nosmt=force",
      "l1d_flush=on",
      "spec_rstack_overflow=safe-ret",
+      "gather_data_sampling=force",
+      "reg_file_data_sampling=on",
      "random.trust_bootloader=off",
      "random.trust_cpu=off",
      "intel_iommu=on",
--- a/x86-QEMU-Docker.yml
+++ b/x86-QEMU-Docker.yml
@@ -270,12 +270,15 @@ kernel_arguments:
  should_exist:
    - mitigations=auto,nosmt
    - spectre_v2=on
+    - spectre_bhi=on
    - spec_store_bypass_disable=on
    - tsx=off
    - kvm.nx_huge_pages=force
    - nosmt=force
    - l1d_flush=on
    - spec_rstack_overflow=safe-ret
+    - gather_data_sampling=force 
+    - reg_file_data_sampling=on
    - random.trust_bootloader=off
    - random.trust_cpu=off
    - intel_iommu=on