On 9/19/24 17:52, Pawan Gupta wrote:
> CPU mitigations are deployed system-wide, but usually not all of the
> userspace is malicious. Yet, they suffer from the performance impact of
> the mitigations. This all-or-nothing approach is due to the lack of a
> way for the kernel to know which userspace can be trusted and which
> cannot. For scenarios where an admin can decide which processes to
> trust, an interface to tell the kernel to possibly skip the mitigation
> would be useful.
>
> In preparation for the kernel to be able to selectively apply
> mitigations per-process, add a separate kernel entry/exit path that
> skips the mitigations.
>
> Originally-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@xxxxxxxxxxxxxxx>
For the current patch, not all x86 CPU vulnerability mitigations can be disabled. Maybe we should list the subset of mitigations that can be disabled.
Cheers, Longman