On Tue, 2018-01-30 at 11:58 +0100, Borislav Petkov wrote:
>
> Does that help?
>
> diff --git a/arch/x86/kernel/cpu/intel.c
> b/arch/x86/kernel/cpu/intel.c
> index 6936d14d4c77..1dd596d0a6c4 100644
> --- a/arch/x86/kernel/cpu/intel.c
> +++ b/arch/x86/kernel/cpu/intel.c
> @@ -182,21 +182,21 @@ static void early_init_intel(struct cpuinfo_x86
> *c)
> * Intel CPUs, for finer-grained selection of what's
> available.
> */
> if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
> - set_cpu_cap(c, X86_FEATURE_IBRS);
> - set_cpu_cap(c, X86_FEATURE_IBPB);
> + setup_force_cpu_cap(X86_FEATURE_IBRS);
> + setup_force_cpu_cap(X86_FEATURE_IBPB);
> }
> if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
> - set_cpu_cap(c, X86_FEATURE_STIBP);
> + setup_force_cpu_cap(X86_FEATURE_STIBP);

I pondered that, but I didn't like it. I didn't want to always *force* those features on, for all CPUs, just because they happened to be discovered at boot time on the first CPU (which *did* have its microcode updated by the crappy BIOS, while the others didn't).

I strongly suspect that's purely an academic concern, and we mostly check boot_cpu_has() and never even *notice* if secondary CPUs don't match. I just didn't want to make that *worse*. It tickled my OCD.
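
Review bot: In early_init_intel(), the three setup_force_cpu_cap() calls are still gated on cpu_has(c, ...) for the CPU being initialised, but setup_force_cpu_cap() takes no per-CPU argument and forces the bit system-wide, so IBRS, IBPB and STIBP end up advertised for every CPU as soon as one CPU reports them. If that is the intent, the comment above the block should say so and state why a mismatch between CPUs (for example microcode updated on only some of them) is acceptable; otherwise keep set_cpu_cap(c, ...) here and handle the secondary-CPU case explicitly.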

