From 606b573804515d46f4d3b1c0e936e89ff1f85c70 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 12 Dec 2025 11:47:33 +1100 Subject: [PATCH] Update KARGS.md to include AMD SME and SEV options --- content/articles/KARGS.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/articles/KARGS.md b/content/articles/KARGS.md index a6209f3..8564d97 100644 --- a/content/articles/KARGS.md +++ b/content/articles/KARGS.md @@ -41,6 +41,8 @@ installation, and are always applied by the script `ujust set-kargs-hardening`. - `iommu=force` and `intel_iommu=on`: Mitigate DMA attacks by enabling IOMMU. - `iommu.passthrough=0`: Disable IOMMU bypass. - `iommu.strict=1`: Synchronously invalidate IOMMU hardware TLBs. +- `kvm_amd.sev=1`, `kvm_amd.sev_es=1`, `kvm_amd.sev_snp=1`: Enable AMD Secure + Encrypted Virtualization (SEV) and extensions. - `kvm-intel.vmentry_l1d_flush=always`: Enable unconditional flushes, required for complete L1D vulnerability mitigation. - `kvm.mitigate_smt_rsb=1`: Mitigate cross-thread return address predictions @@ -50,6 +52,7 @@ installation, and are always applied by the script `ujust set-kargs-hardening`. vulnerability. - `lockdown=confidentiality`: Enable kernel lockdown in the strictest mode. - `loglevel=0`: Only log level 0 (system is unusable) messages to the console. +- `mem_encrypt=on`: Enable AMD Secure Memory Encryption (SME). - `mitigations=auto,nosmt`: Automatically mitigate all known CPU vulnerabilities, including disabling SMT if necessary. - `module.sig_enforce=1`: Only allow kernel modules that have been signed with a
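Review bot: the first hunk's new bullet (`kvm_amd.sev=1`, `kvm_amd.sev_es=1`, `kvm_amd.sev_snp=1`) lacks the scope caveat that the surrounding list needs, because the intro at line 41 says these arguments "are always applied by the script", yet these are `kvm_amd` module parameters that only take effect on AMD hosts with SEV-capable firmware and only matter when the machine runs KVM guests; on Intel hosts or machines that never launch a VM they are silently ignored. Suggest extending the bullet along the lines of "(no effect unless the host is an AMD system with SEV firmware support and runs KVM guests)" so readers do not take the line as evidence that their own memory is being encrypted. Also worth stating which of the three the script considers the baseline, since `sev_snp` has stricter platform requirements than plain `sev`.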
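Review bot: the second hunk's `mem_encrypt=on` bullet should mention the side effect that distinguishes it from the other entries in this list, namely that when SME is active the kernel routes DMA for devices that cannot address encrypted memory through SWIOTLB bounce buffers, which can cost I/O throughput and has broken some drivers; a reader applying this blindly on an AMD host deserves that hint. Suggest adding a short clause such as "(AMD only; devices without encrypted-DMA support fall back to bounce buffering)" and, as with the SEV bullet above, noting that the argument is ignored on hardware without SME. The alphabetical placement between `loglevel=0` and `mitigations=...` is consistent with the rest of the list.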