On Tue, 4 Sep 2018, Tim Chen wrote: > I think STIBP should be an opt in option as it will have significant > impact on performance. The attack from neighbor thread is pretty > difficult to pull off considering you have to know what the sibling > thread is running and its address allocation.
In many scenarios the attacker can just easily taskset itself to the correct sibling. > We could also use a security module to opt in the STIBP policy. I am a bit afraid that we are offloading to sysadmins decisions that are very hard for them to make, as they require deep understanding of both the technical details of the security issue in the CPU, and the mitigation. I surely understand that Intel is doing what they could to minimize the performance effect, but achieving that by making it a rocket science to configure it properly doesn't feel right. So, after giving it a bit more thought, I still believe "I want spectre V2 protection" vs. "I do not care about spectre V2 on my system (=nospectre_v2)" are the sane options we should provide; so I'll respin v4 of my patchset, including the ptrace check in switch_mm() (statically patched out on !IBPB-capable systems), and we can then later see whether the LSM implementation, once it exists, should be used instead. Thanks, -- Jiri Kosina SUSE Labs
