docs: update prod-host-setup with ssbd for arm

In our guide, we recommend enabling the SSBD mitiagtion through the
kernel command line with `spec_store_bypass_disable=seccomp`. However,
this only works for x86_64. Updated the guide with the addition of
the mitigation in the Firecracker through `prctl` and the alternative
through the `ssbd=force-on` kernel command line parameter.

Signed-off-by: George Pisaltu <[email protected]>

Author: georgepisaltu

docs/prod-host-setup.md

@@ -220,14 +220,24 @@ See more details [here](https://www.kernel.org/doc/html/latest/admin-guide/hw-vu
 This will mitigate variants of Spectre side-channel issues such as
 Speculative Store Bypass and SpectreNG.
 
-It can be enabled by adding the following Linux kernel boot parameter:
+On x86_64 systems, it can be enabled by adding the following Linux kernel boot
+parameter:
 
 ```
 spec_store_bypass_disable=seccomp
 ```
 
 which will apply SSB if seccomp is enabled by Firecracker.
 
+On aarch64 systems, it is enabled by Firecracker
+[using the `prctl` interface][3]. However, this is only availabe on host
+kernels Linux >=4.17 and also Amazon Linux 4.14. Alternatively, a global
+mitigation can be enabled by adding the following Linux kernel boot parameter:
+
+```console
+ssbd=force-on
+```
+
 Verification can be done by running:
 
 ```bash
@@ -327,3 +337,4 @@ to trap and control this in the hypervisor.
 
 [1]: https://elixir.free-electrons.com/linux/v4.14.203/source/virt/kvm/arm/hyp/timer-sr.c#L63
 [2]: https://lists.cs.columbia.edu/pipermail/kvmarm/2017-January/023323.html
+[3]: https://elixir.bootlin.com/linux/v4.17/source/include/uapi/linux/prctl.h#L212