On Tue, Jan 09, 2018 at 10:29:40PM +0100, Borislav Petkov wrote:
> On Tue, Jan 09, 2018 at 01:26:57PM -0800, Andy Lutomirski wrote:
> > 2. Turning off PTI is, in general, a terrible idea. It totally breaks
> > any semblance of a security model on a Meltdown-affected CPU. So I
> > think we should require CAP_SYS_RAWIO *and* that the system is booted
> > with pti=allow_optout or something like that.
>
> Uhh, I like that.
>
> Maybe also taint the kernel ...
Requiring a reboot just to fix a performance problem you've discovered the hard way is not the most friendly way to help users, I'm afraid. However, definitely +1 on tainting!

Willy

