"Until a modified cache block has updated memory, a CBO.INVAL instruction may expose stale data values in memory if the CSRs are programmed to perform an invalidate operation. This behavior may result in a security hole if lower privileged level software performs an invalidate operation and accesses sensitive information in memory." But also do we actually _want_ to enable cmo always ... Greg was talking about backwards compatiblity in his response as well.
