On Wed, Jan 10, 2018 at 03:45:06PM +0100, Borislav Petkov wrote: > On Wed, Jan 10, 2018 at 08:25:08AM +0100, Ingo Molnar wrote: > > We could taint the kernel and warn prominently in the syslog when PTI is > > disabled > > globally on the boot line though, if running on affected CPUs. > > > > Something like: > > > > "x86/intel: Page Table Isolation (PTI) is disabled globally. This allows > > unprivileged, untrusted code to exploit the Meltdown CPU bug to read kernel > > data." > > > > I think we should warn in the per-mm disabling case too. Not the same > text but a similar blurb about the trusted process becoming a high-value > target.
Well, we don't warn when /dev/mem is opened read-only, even not when it's opened R/W, and it exposes the contents much better. Tainting is first a support help so that developers don't waste time debugging something that might have been altered. In this case nothing got altered. At best(worst?) things might have been disclosed. That said I'm all for at least tainting when running with pti=off at least to educate users. Willy