Should all kernel patches for CPU bugs be unconditionally enabled? We currently enable all of the mds vulnerability mitigations.
spectre_v2=on as a boot parameter will force the spectre v2 mitigation to be enabled.
l1tf=full,force will enable all mitigations for the L1TF vulnerability and disable SMT (which is already disabled with the mds mitigations).
spec_store_bypass_disable=on will enable the SSB vulnerability mitigation (spectre v4). ClipOS recommends using
spec_store_bypass_disable=seccomp, which disables the mitigation by default but enables it for programs using seccomp.
This should also partly get rid of the need for microcode updates.
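As an added example (not part of the post above), a small POSIX sh script that checks whether the boot parameters discussed here are present on the kernel command line and classifies the status the kernel exports under /sys/devices/system/cpu/vulnerabilities/. It assumes mds=full,nosmt as the parameter for "all of the mds mitigations" (the kernel's own name for that setting, which the post does not spell out); the sample command lines and status strings in the functions' comments are constructed.

```shell
#!/bin/sh
# Audit helper for the CPU-bug mitigation boot parameters discussed above.
# Usage: sh audit.sh --live   (reads /proc/cmdline and the sysfs status files)
# The functions also take strings, so captured output can be checked offline.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# has_param CMDLINE PARAM -> 0 if PARAM appears as a whole token on CMDLINE
# e.g. has_param 'root=/dev/sda1 spectre_v2=on' spectre_v2=on   (constructed)
has_param() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# classify STATUS -> mitigated | vulnerable | not-affected | unknown
# STATUS is the text of one file under $VULN_DIR, for example
# "Mitigation: Clear CPU buffers; SMT disabled"            (constructed)
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# audit CMDLINE -> prints each expected parameter that is absent and returns
# how many are missing (0 = all present). spec_store_bypass_disable accepts
# either of the two values the post discusses (=seccomp or =on).
# mds=full,nosmt is assumed as the "all MDS mitigations" setting.
audit() {
    missing=0
    for p in spectre_v2=on l1tf=full,force mds=full,nosmt; do
        has_param "$1" "$p" || { echo "missing: $p"; missing=$((missing + 1)); }
    done
    if has_param "$1" spec_store_bypass_disable=seccomp || has_param "$1" spec_store_bypass_disable=on; then :
    else
        echo "missing: spec_store_bypass_disable=seccomp (or =on)"; missing=$((missing + 1))
    fi
    return $missing
}

# live_report -> one line per sysfs vulnerability file with its classification
live_report() {
    for f in "$VULN_DIR"/*; do
        [ -r "$f" ] && printf '%-24s %s\n' "$(basename "$f")" "$(classify "$(cat "$f")")"
    done
}

if [ "${1:-}" = "--live" ]; then
    audit "$(cat /proc/cmdline)"; live_report
fi
```

A parameter that is present but reported as "Vulnerable" by sysfs usually means the CPU lacks the microcode the mitigation needs, so both checks are worth reading together.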