feat: set additional kargs to override suboptimal defaults

files/system/usr/share/ublue-os/just/60-custom.just

@@ -18,7 +18,11 @@ set-kargs-hardening:
       --append-if-missing="iommu.strict=1" \
       --append-if-missing="pti=on" \
       --append-if-missing="module.sig_enforce=1" \
-      --append-if-missing="mitigations=auto,nosmt"
+      --append-if-missing="mitigations=auto,nosmt" \
+      --append-if-missing="spectre_v2=on" \
+      --append-if-missing="spec_store_bypass_disable=on" \
+      --append-if-missing="l1d_flush=on" \
+      --append-if-missing="gather_data_sampling=force"
     echo "Hardening kargs set."
 
 # Add additional (unstable) boot parameters for hardening (requires reboot)
@@ -53,7 +57,11 @@ remove-kargs-hardening:
       --delete-if-present="module.sig_enforce=1" \
       --delete-if-present="mitigations=auto,nosmt" \
       --delete-if-present="efi=disable_early_pci_dma" \
-      --delete-if-present="debugfs=off"
+      --delete-if-present="debugfs=off" \
+      --delete-if-present="spectre_v2=on" \
+      --delete-if-present="spec_store_bypass_disable=on" \
+      --delete-if-present="l1d_flush=on" \
+      --delete-if-present="gather_data_sampling=force"
     echo "Hardening kargs removed."
 
 # Harden flatpaks by preloading hardened_malloc (highest supported hwcap)

files/system/usr/share/ublue-os/just/60-custom.just.readme.md

@@ -71,3 +71,19 @@
 **Disable debugfs to prevent exposure of sensitive kernel information**
 
 `debugfs=off` 
+
+**Turn on spectre_v2 mitigations at boot time for all programs**
+
+`spectre_v2=on` 
+
+**Disable spec store bypass for all programs**
+
+`spec_store_bypass_disable=on`
+
+**Enable the mechanism to flush the L1D cache on context switch.**
+
+`l1d_flush=on`
+
+**Mitigate unprivileged speculative access to data by using the microcode mitigation when available or by disabling AVX on affected systems where the microcode hasn’t been updated to include the mitigation.**
+
+`gather_data_sampling=force`