Add link to tabular comparison of CPU mitigations

README.md

@@ -137,7 +137,9 @@ Networking:
 
 Mitigations for known CPU vulnerabilities are enabled in their strictest form
 and simultaneous multithreading (SMT) is disabled. See the
-`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
+`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve
+complete protection for known CPU vulnerabilities, the latest security microcode
+(BIOS/UEFI) updates must also be installed on the system.
 
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -18,6 +18,14 @@
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
 
+## Tabular comparison between the utility and functionality of various mitigations.
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587
+
+## For complete protection, users must install the latest relevant security microcode update.
+## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
+## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
+## The parameters below only provide (partial) protection at both the kernel and user space level.
+
 ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
 ##
 ## KSPP=yes