Improve protection against Spectre v4 with spec_store_bypass_disable=on
Add to the kernel boot parameters: `spec_store_bypass_disable=on`. This parameter will enable global mitigations for Spectre v4 (SSB). It is disabled by default for performance because some specific workloads with lots of context switches may be slowed down. Performance impact on Tails is negligible (on testing a variety of workloads with and without this mitigation, I have seen no detectable performance impact).

The default is to only provide mitigations for processes that opt in explicitly via `prctl()` and processes under an active seccomp policy. This change would enable the mitigation for all processes.

We already use `mds=full,nosmt`, which has a much higher performance impact than this option.
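As an added example (not part of this ticket or of Tails' own code), the script below reads the SSB state the kernel exposes in sysfs, tells opt-in mode (the default described above) apart from the global mode that `spec_store_bypass_disable=on` requests, and flags a mismatch between the two. It assumes the status strings that the x86 kernel writes to `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass`; the sample inputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: classify the kernel's reported Spectre v4 / SSB mitigation
# state and check it against the boot command line.

# ssb_status SYSFS_FILE
# Prints: not-affected | vulnerable | opt-in | global | unknown
ssb_status() {
    case "$(cat "$1")" in
        "Not affected")                                             echo not-affected ;;
        Vulnerable*)                                                echo vulnerable ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*) echo opt-in ;;
        "Mitigation: Speculative Store Bypass disabled")            echo global ;;
        *)                                                          echo unknown ;;
    esac
}

# ssb_check SYSFS_FILE CMDLINE_FILE
# Returns 0 when every process is covered (what the ticket asks for), 1 otherwise.
ssb_check() {
    status=$(ssb_status "$1")
    if grep -Eq '(^|[[:space:]])spec_store_bypass_disable=on([[:space:]]|$)' "$2"; then
        requested=yes
    else
        requested=no
    fi
    case "$status:$requested" in
        global:*)       echo "ok: SSB mitigation applies to all processes"; return 0 ;;
        not-affected:*) echo "ok: CPU not affected by SSB"; return 0 ;;
        opt-in:yes)     echo "warn: parameter present but kernel still in opt-in mode (wrong kernel booted?)"; return 1 ;;
        opt-in:no)      echo "warn: only prctl()/seccomp opt-in processes are protected"; return 1 ;;
        vulnerable:*)   echo "fail: no SSB mitigation active"; return 1 ;;
        *)              echo "unknown sysfs status"; return 1 ;;
    esac
}

# Constructed sample inputs (not from a real system); mkfile returns a temp path.
mkfile() { f=$(mktemp); printf '%s\n' "$1" > "$f"; echo "$f"; }
SYSFS_DEFAULT=$(mkfile "Mitigation: Speculative Store Bypass disabled via prctl and seccomp")
SYSFS_GLOBAL=$(mkfile "Mitigation: Speculative Store Bypass disabled")
CMD_DEFAULT=$(mkfile "BOOT_IMAGE=/live/vmlinuz boot=live mds=full,nosmt")
CMD_HARDENED=$(mkfile "BOOT_IMAGE=/live/vmlinuz boot=live mds=full,nosmt spec_store_bypass_disable=on")

ssb_check "$SYSFS_DEFAULT" "$CMD_DEFAULT" || :   # default kernel: opt-in only
ssb_check "$SYSFS_GLOBAL"  "$CMD_HARDENED"       # with the parameter: global
```

On a live system, run `ssb_check /sys/devices/system/cpu/vulnerabilities/spec_store_bypass /proc/cmdline` to verify that the parameter took effect after a reboot.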