Which ones? All recent ones or only the ones mentioned in your last post?
Yes.
mds=full,nosmt
does not make that redundant.
Though, l1tf=full,force
makes it redundant.
l1tf=full,force
https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt says
Implies the ‘nosmt=force’ command line option. (i.e. sysfs control of SMT is disabled.)
mds=full,nosmt
does not say “Implies the ‘nosmt=force’”.
The reason why I am interested in nosmt=force is:
Force disable SMT, cannot be undone via the sysfs control file.
Which seems useful at least for purposes of Untrusted Root - improve Security by Restricting Root.
I see your point. But I am not sure.
As per TAA - TSX Asynchronous Abort — The Linux Kernel documentation here are some possible combinations (these are listed in a table on that page):

| tsx | tsx_async_abort | Effect |
|---|---|---|
| tsx=on | tsx_async_abort=full,nosmt | As above, cross-thread attacks on SMT mitigated. |
| tsx=off | tsx_async_abort=full,nosmt | TSX might be disabled if microcode provides a TSX control MSR. If so, system is not vulnerable. |
What also confuses me:
Default mitigations
The kernel’s default action for vulnerable processors is:
Deploy TSX disable mitigation (tsx_async_abort=full tsx=off).
A combination of tsx=off and tsx_async_abort=full.
Why didn’t they write simpler:
Deploy TSX disable mitigation (tsx=off).
Therefore perhaps better to keep tsx_async_abort=full,nosmt?
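To make the distinction discussed in both posts above concrete (which parameters merely switch SMT off versus which ones lock it off so sysfs cannot re-enable it), here is an added shell example. It is not from the thread or from the kernel project; it classifies a kernel command line using only the semantics quoted from kernel-parameters.txt (nosmt=force and l1tf=full,force lock SMT off; nosmt, mds=full,nosmt and tsx_async_abort=full,nosmt disable it without locking), and then, when run on a real host with `--live`, prints the sysfs SMT control state and the kernel's own vulnerability reports for comparison. The precedence rules and the function names are this script's own simplification, not the kernel's implementation.

```shell
#!/bin/sh
# Added example, not from the thread: classify the SMT policy implied by a
# kernel command line and compare it with what the running kernel reports.
# Assumption: precedence below is a simplification of kernel-parameters.txt;
# the kernel source is authoritative.

# smt_policy CMDLINE -> prints one of:
#   force_disabled  nosmt=force or l1tf=full,force: sysfs cannot re-enable SMT
#   disabled        nosmt, mds=full,nosmt or tsx_async_abort=full,nosmt:
#                   SMT off, but /sys/devices/system/cpu/smt/control can turn it on
#   enabled         none of the above present
smt_policy() {
    cmdline=$1
    policy=enabled
    for tok in $cmdline; do
        case "$tok" in
            nosmt=force|l1tf=full,force)
                policy=force_disabled ;;
            nosmt|mds=full,nosmt|tsx_async_abort=full,nosmt)
                # a locking option seen earlier must not be downgraded
                [ "$policy" = force_disabled ] || policy=disabled ;;
        esac
    done
    printf '%s\n' "$policy"
}

# report_live: show the live host state next to the command-line verdict.
# Prints "unavailable" where sysfs/procfs are not readable (e.g. a container).
report_live() {
    if [ -r /proc/cmdline ] && [ -r /sys/devices/system/cpu/smt/control ]; then
        printf 'cmdline policy:     %s\n' "$(smt_policy "$(cat /proc/cmdline)")"
        printf 'sysfs smt/control:  %s\n' "$(cat /sys/devices/system/cpu/smt/control)"
        # the kernel's own per-bug status, e.g. "Mitigation: Clear CPU buffers; SMT disabled"
        for f in /sys/devices/system/cpu/vulnerabilities/*; do
            [ -r "$f" ] || continue
            printf '%-20s %s\n' "${f##*/}:" "$(cat "$f")"
        done
    else
        printf 'unavailable\n'
    fi
}

# Constructed sample command lines, for offline demonstration.
SAMPLE_MDS_ONLY='quiet mds=full,nosmt'
SAMPLE_L1TF_FORCE='quiet l1tf=full,force mds=full,nosmt'
SAMPLE_TAA='quiet tsx=off tsx_async_abort=full,nosmt'

if [ "${1:-}" = "--live" ]; then
    report_live
else
    printf '%-45s -> %s\n' "$SAMPLE_MDS_ONLY"   "$(smt_policy "$SAMPLE_MDS_ONLY")"
    printf '%-45s -> %s\n' "$SAMPLE_L1TF_FORCE" "$(smt_policy "$SAMPLE_L1TF_FORCE")"
    printf '%-45s -> %s\n' "$SAMPLE_TAA"        "$(smt_policy "$SAMPLE_TAA")"
fi
```

On a booted system, `sh smt-policy.sh --live` lets you check that the sysfs control file reads `forceoff` (rather than just `off`) when a locking option such as l1tf=full,force or nosmt=force is in effect; with only mds=full,nosmt or tsx_async_abort=full,nosmt the file stays writable, which is exactly the gap the first post is concerned about.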