feat: add karg option to disable SMT on any CPU (#502)

* feat: add option to disable SMT in kargs * fix: improvements * fix: context * fix: wording * fix: wording * fix: wording * fix: var name --------- Co-authored-by: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
2025-11-02 11:28:06 +00:00 · 2024-10-31 00:03:16 -04:00
parent 60a5bb4a99
commit 396afbd7a2
1 changed files with 8 additions and 1 deletions
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -8,6 +8,13 @@ set-kargs-hardening:
        IAEMU_NO="--append-if-missing=ia32_emulation=0"
        echo "Disabling 32-bit support, for the next boot."
    fi
+    read -p "Do you want to force disable Simultaneous Multithreading (SMT) / Hyperthreading? (This can cause a reduction in the performance of certain tasks in favor of security) (Note that in most hardware SMT will be disabled anyways to mitigate a known vulnerability, this turns it off on all hardware regardless) [y/N]: " YES
+    if [[ "$YES" == [Yy]* ]]; then
+        NOSMT_YES=--append-if-missing=nosmt=force"
+        echo "Force disabling SMT/Hyperthreading."
+    else
+        echo "Not force disabling SMT/Hyperthreading."
+    fi
    read -p "Would you like to set additional (unstable) hardening kargs? (Warning: Setting these kargs may lead to boot issues on some hardware.) [y/N]: " YES
    if [[ "$YES" == [Yy]* ]]; then
    UNSTABLE_YES="--append-if-missing=efi=disable_early_pci_dma \
@@ -18,7 +25,7 @@ set-kargs-hardening:
    fi
    echo "Applying boot parameters..."
    rpm-ostree kargs \
-      ${UNSTABLE_YES:+$UNSTABLE_YES} ${IAEMU_NO:+$IAEMU_NO} \
+      ${UNSTABLE_YES:+$UNSTABLE_YES} ${IAEMU_NO:+$IAEMU_NO} ${NOSMT_YES:+$NOSMT_YES} \
      --append-if-missing=init_on_alloc=1 \
      --append-if-missing=init_on_free=1 \
      --append-if-missing=slab_nomerge \