On 12/02/18 11:51, Adam Carter wrote:
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

One other thing that's landed is an option to completely disable the BPF interpreter in the kernel and force BPF JIT. Apparently, and contrary to what people (me included) wrote here in the past, BPF JIT is the secure option, and the interpreter is the insecure one.

The option is CONFIG_BPF_JIT_ALWAYS_ON. The prompt for it only becomes available after enabling CONFIG_BPF_JIT.
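As an added illustration (not from the thread), a small POSIX sh audit that checks whether a kernel build has CONFIG_BPF_JIT and CONFIG_BPF_JIT_ALWAYS_ON set, and whether the running kernel's JIT is actually on. It assumes the usual locations: /proc/config.gz or /boot/config-$(uname -r) for the build config, and /proc/sys/net/core/bpf_jit_enable for the runtime switch (0 = interpreter, 1 = JIT, 2 = JIT with debug output).

```shell
#!/bin/sh
# Audit BPF JIT settings: added example, not part of the original thread.
# Assumes standard paths for the kernel config and the bpf_jit_enable sysctl.

# Print the value of one CONFIG_ symbol from a plain-text kernel config.
# Prints "n" when the symbol is absent or listed as "# ... is not set".
config_value() {
    _cfg=$1; _sym=$2
    _v=$(grep -E "^${_sym}=" "$_cfg" | head -n1 | cut -d= -f2-)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'n\n'; fi
}

# Classify the JIT state from a config file plus the runtime sysctl value.
# With CONFIG_BPF_JIT_ALWAYS_ON the interpreter is compiled out, so the
# sysctl cannot switch the JIT off and the state is reported as "jit-forced".
bpf_jit_state() {
    _cfg=$1; _sysctl=$2
    if [ "$(config_value "$_cfg" CONFIG_BPF_JIT)" != "y" ]; then
        echo "no-jit"; return
    fi
    if [ "$(config_value "$_cfg" CONFIG_BPF_JIT_ALWAYS_ON)" = "y" ]; then
        echo "jit-forced"; return
    fi
    case "$_sysctl" in
        1|2) echo "jit-enabled" ;;
        *)   echo "interpreter" ;;
    esac
}

# Locate the running kernel's config; /proc/config.gz is decompressed to a
# temporary file (assumed paths, adjust for distributions that differ).
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "/tmp/kconfig.$$" && printf '%s\n' "/tmp/kconfig.$$"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '%s\n' "/boot/config-$(uname -r)"
    fi
}

# Report the state for the running kernel, e.g. "jit-forced" or "interpreter".
audit_running_kernel() {
    _cfg=$(running_config)
    [ -n "$_cfg" ] || { echo "unknown (no kernel config found)"; return; }
    _sysctl=$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null)
    bpf_jit_state "$_cfg" "${_sysctl:-0}"
}
```

Run `audit_running_kernel` on a box to see which of the four states it is in; anything other than "jit-forced" means the interpreter is still reachable.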

