From 396afbd7a226f39623a5426d405af628f9578365 Mon Sep 17 00:00:00 2001
From: Root <175176948+RKNF404@users.noreply.github.com>
Date: Thu, 31 Oct 2024 00:03:16 -0400
Subject: [PATCH] feat: add karg option to disable SMT on any CPU (#502)
* feat: add option to disable SMT in kargs
* fix: improvements
* fix: context
* fix: wording
* fix: wording
* fix: wording
* fix: var name
---------
Co-authored-by: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
---
 files/system/usr/share/ublue-os/just/70-secureblue.just | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just b/files/system/usr/share/ublue-os/just/70-secureblue.just
index b9cf465..7f43208 100644
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -8,6 +8,13 @@ set-kargs-hardening:
 IAEMU_NO="--append-if-missing=ia32_emulation=0"
 echo "Disabling 32-bit support, for the next boot."
 fi
+ read -p "Do you want to force disable Simultaneous Multithreading (SMT) / Hyperthreading? (This can cause a reduction in the performance of certain tasks in favor of security) (Note that in most hardware SMT will be disabled anyways to mitigate a known vulnerability, this turns it off on all hardware regardless) [y/N]: " YES
+ if [[ "$YES" == [Yy]* ]]; then
+ NOSMT_YES=--append-if-missing=nosmt=force"
+ echo "Force disabling SMT/Hyperthreading."
+ else
+ echo "Not force disabling SMT/Hyperthreading."
+ fi
 read -p "Would you like to set additional (unstable) hardening kargs? (Warning: Setting these kargs may lead to boot issues on some hardware.) [y/N]: " YES
 if [[ "$YES" == [Yy]* ]]; then
 UNSTABLE_YES="--append-if-missing=efi=disable_early_pci_dma \
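Review bot: The added assignment `NOSMT_YES=--append-if-missing=nosmt=force"` has a closing double quote with no opening one, so the shell pairs it with the quote that opens the following `echo` string and every later quote in the recipe is shifted by one. As written the recipe will most likely either stop on an unterminated string or pass `rpm-ostree kargs` a mangled value, which means the hardening arguments the user selected may not reach the boot configuration. The line should read `NOSMT_YES="--append-if-missing=nosmt=force"`. The `set-kargs-hardening` recipe starts before and continues after this hunk, so the exact failure mode depends on lines not shown here.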
@@ -18,7 +25,7 @@ set-kargs-hardening:
 fi
 echo "Applying boot parameters..."
 rpm-ostree kargs \
- ${UNSTABLE_YES:+$UNSTABLE_YES} ${IAEMU_NO:+$IAEMU_NO} \
+ ${UNSTABLE_YES:+$UNSTABLE_YES} ${IAEMU_NO:+$IAEMU_NO} ${NOSMT_YES:+$NOSMT_YES} \
 --append-if-missing=init_on_alloc=1 \
 --append-if-missing=init_on_free=1 \
 --append-if-missing=slab_nomerge \
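Review bot: Declining the new prompt does not undo an earlier choice, because the visible part of this `rpm-ostree kargs` call passes only `--append-if-missing` arguments and `${NOSMT_YES:+$NOSMT_YES}` expands to nothing on a "no" answer. On a re-run, a `nosmt=force` added previously therefore stays on the kernel command line while the recipe prints "Not force disabling SMT/Hyperthreading.". Either reword that message, for example `echo "Leaving the current SMT setting unchanged."`, or have the `else` branch set `NOSMT_YES="--delete-if-present=nosmt=force"` so the answer given is what ends up in the boot configuration. The argument list continues past the end of this hunk, so any removal handled further down is not visible here.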