On Wed, Nov 04, 2020 at 04:57:02PM -0500, Andrea Arcangeli wrote:
> Switch the kernel default of SSBD and STIBP to the ones with
> CONFIG_SECCOMP=n (i.e. spec_store_bypass_disable=prctl
> spectre_v2_user=prctl) even if CONFIG_SECCOMP=y.

Agreed. I think this is the right time to flip this switch. I agree with the (very well described) rationales. :)

Fundamentally, likely everyone who is interested in manipulating the mitigations is doing so now, and it doesn't make sense (on many fronts) to tie some to seccomp mode any more (which was intended as a temporary defense to gain coverage while sysadmins absorbed what the best practices should be).

Thanks for sending this!

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

-- 
Kees Cook
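What the "prctl" default discussed above means for a userspace program, as an added example that is not part of the thread or of the kernel patch: with spec_store_bypass_disable=prctl and spectre_v2_user=prctl, SSBD and STIBP are off for every task until the task asks for them through prctl(PR_SET_SPECULATION_CTRL), and a program that no longer runs under seccomp mode gets no automatic opt-in. The program below queries the per-task state, opts in to both mitigations, and decodes the kernel's answer. It is Linux-only; the function names spec_ctrl_describe and spec_ctrl_opt_in are this example's own, and the PR_* values are copied from <linux/prctl.h> so it builds with older headers.

```c
/* Added example (Linux only): opting a task in to SSBD and STIBP when the
 * kernel runs with the "prctl" defaults. Not code from the thread or the
 * kernel tree; function names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values from <linux/prctl.h>, repeated so the example builds with old headers. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_INDIRECT_BRANCH 1
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif

/* Decode a PR_GET_SPECULATION_CTRL result. "Speculation disabled" in the
 * kernel's vocabulary means the mitigation is active for this task. */
const char *spec_ctrl_describe(long v)
{
    if (v < 0)
        return "query failed";
    if (v == PR_SPEC_NOT_AFFECTED)
        return "cpu not affected";
    if (!(v & PR_SPEC_PRCTL))       /* =on / =off boot modes: prctl is ignored */
        return (v & PR_SPEC_DISABLE) ? "always mitigated (boot option)"
                                     : "never mitigated (boot option)";
    if (v & PR_SPEC_FORCE_DISABLE)
        return "mitigated (force, cannot be re-enabled)";
    if (v & PR_SPEC_DISABLE_NOEXEC)
        return "mitigated until execve";
    if (v & PR_SPEC_DISABLE)
        return "mitigated (opted in via prctl)";
    if (v & PR_SPEC_ENABLE)
        return "not mitigated (prctl default, opt-in needed)";
    return "unknown";
}

/* Opt this task in to one mitigation. Returns 1 if it is active (or not
 * needed) afterwards, 0 if the kernel does not let prctl enable it, -1 on
 * error (e.g. EINVAL from a kernel without PR_GET_SPECULATION_CTRL). */
int spec_ctrl_opt_in(int which, const char *name)
{
    long st = prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
    printf("%s before: %s\n", name, spec_ctrl_describe(st));
    if (st < 0)
        return -1;
    if (st == PR_SPEC_NOT_AFFECTED)
        return 1;
    if (!(st & PR_SPEC_PRCTL))
        return (st & PR_SPEC_DISABLE) ? 1 : 0;

    /* PR_SPEC_DISABLE is inherited across fork() and execve(), so a sandbox
     * launcher can set it once before spawning the code it does not trust. */
    if (prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_DISABLE, 0, 0) < 0) {
        perror("PR_SET_SPECULATION_CTRL");
        return -1;
    }
    st = prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
    printf("%s after:  %s\n", name, spec_ctrl_describe(st));
    return (st & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) ? 1 : 0;
}

int main(void)
{
    int ssbd  = spec_ctrl_opt_in(PR_SPEC_STORE_BYPASS, "SSBD");
    int stibp = spec_ctrl_opt_in(PR_SPEC_INDIRECT_BRANCH, "STIBP");
    printf("active: SSBD=%d STIBP=%d\n", ssbd, stibp);
    return (ssbd == 1 && stibp == 1) ? 0 : 1;
}
```

Run it twice, once on a kernel booted with the old seccomp-tied default and once with the prctl default, and the "before" line shows the difference this patch makes: under seccomp mode a sandboxed task would already read "mitigated", while under the prctl default it reads "not mitigated" until the program makes the PR_SET_SPECULATION_CTRL call itself.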