On Mon, Feb 12, 2018 at 10:26 AM, Pavel Machek <pa...@ucw.cz> wrote:
> On Tue 2017-12-26 23:43:54, Tom Lendacky wrote:
>> AMD processors are not subject to the types of attacks that the kernel
>> page table isolation feature protects against. The AMD microarchitecture
>> does not allow memory references, including speculative references, that
>> access higher privileged data when running in a lesser privileged mode
>> when that access would result in a page fault.
>> Disable page table isolation by default on AMD processors by not setting
>> the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
>> is set.
> PTI was originally meant to protect KASLR from memory leaks, before
> Spectre was public. I guess that's still valid use on AMD cpus?
KASLR leaks are a much lower threat than Meltdown. Given that no AMD
processor supports PCID, enabling PTI has a much more significant
performance impact for a much smaller benefit. For the paranoid user
they still have the option to enable PTI at boot, but it should not be
on by default.