On 12/27/2017 2:48 AM, Dave Hansen wrote: > On 12/26/2017 09:43 PM, Tom Lendacky wrote: >> --- a/arch/x86/kernel/cpu/common.c >> +++ b/arch/x86/kernel/cpu/common.c >> @@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 >> *c) >> >> setup_force_cpu_cap(X86_FEATURE_ALWAYS); >> >> - /* Assume for now that ALL x86 CPUs are insecure */ >> - setup_force_cpu_bug(X86_BUG_CPU_INSECURE); >> + if (c->x86_vendor != X86_VENDOR_AMD) >> + setup_force_cpu_bug(X86_BUG_CPU_INSECURE); > > Does this disable it in a way that it can be turned back on via the > kernel command-line? >
Yes, specifying pti=on on the command line will turn kernel page table
isolation on regardless of this setting.

Thanks,
Tom

> This is a rather wide class of issues and I would rather not just
> hard-code it in a way that we say one vendor has never and will never be
> affected.
>
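
Review bot: the new `if (c->x86_vendor != X86_VENDOR_AMD)` condition in early_identify_cpu() has no comment, and the hunk removes the only one that explained the setup_force_cpu_bug(X86_BUG_CPU_INSECURE) call, so the code no longer says why the bug bit is skipped for one vendor. Add a comment above the condition giving the reason for the exemption and noting that pti=on on the command line still turns isolation on, as the reply states. Because the test is on the vendor alone, every part from that vendor is exempted by default; the comment should state that assumption so it is visible to anyone revisiting the check.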