gather_data_sampling=force - Enable Gather Data Sampling (GDS) mitigation - related to CPU AVX instruction; More CPU Mitigations and Additional References

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -1,21 +1,30 @@
 ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-## Enables all known mitigations for CPU vulnerabilities.
+## Enables known mitigations for CPU vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
-## Enable known mitigations for CPU vulnerabilities and disable SMT.
+## Check for potential updates directly from AMD and Intel.
+##
+## https://www.amd.com/en/resources/product-security.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
+
+## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 
-## Enable mitigations for Spectre variant 2 (indirect branch speculation).
+## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
+## and Intel branch history injection (BHI) vulnerabilities.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on"
 
-## Disable Speculative Store Bypass.
+## Disable Speculative Store Bypass (Spectre Variant 4).
+##
+## https://www.suse.com/support/kb/doc/?id=000019189
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
 
 ## Enable mitigations for the L1TF vulnerability through disabling SMT
@@ -67,6 +76,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
 ## Return Instructions) vulnerability and disable SMT.
 ##
+## https://www.suse.com/support/kb/doc/?id=000020693
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 
 ## Control RAS overflow mitigation on AMD Zen CPUs.
@@ -75,8 +85,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
 
-## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs.
+## Mitigates Gather Data Sampling (GDS) vulnerability.
+## Note for systems that have not received a suitable microcode update this will
+## entirely disable use of the AVX instructions set.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
+
+## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which 
+## encompasses E-cores on hybrid architectures.
 ##
-## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925
-## TODO: update the above link with better alternative when possible
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"