# N.B Hardening command line parameters:
# iommu=force (does it help against DMA attacks?)
#
-# Mitigations of CPU vulnerabilities:
-# Аrch-independent:
-# X86:
-# l1d_flush=on (a part of the l1tf option)
+# The list of disabled mitigations of CPU vulnerabilities:
+# mitigations=off
+# pti=off
+# spectre_v2=off
+# spectre_v2_user=off
+# spec_store_bypass_disable=off
+# l1tf=off
+# mds=off
+# tsx_async_abort=off
+# srbds=off
+# mmio_stale_data=off
+# retbleed=off
+# nopti
+# nokaslr
+# nospectre_v1
+# nospectre_v2
+# nospectre_bhb
+# nospec_store_bypass_disable
+# kpti=0
+# ssbd=force-off
+# nosmt (enabled)
#
# Hardware tag-based KASAN with arm64 Memory Tagging Extension (MTE):
# kasan=on
l += [CmdlineCheck('self_protection', 'defconfig', 'nopti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v1', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_v2', 'is not set')]
+ l += [CmdlineCheck('self_protection', 'defconfig', 'nospectre_bhb', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'nospec_store_bypass_disable', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nobti', 'is not set')]
l += [CmdlineCheck('self_protection', 'defconfig', 'arm64.nopauth', 'is not set')]