On 7/14/20 2:04 PM, Pawan Gupta wrote:
>> I see three inputs and four possible states (sorry for the ugly table,
>> it was this or a spreadsheet :):
>>
>> X86_FEATURE_VMX  CONFIG_KVM_*  hpage split  Result        Reason
>> N                x             x            Not Affected  No VMX
>> Y                N             x            Not affected  No KVM
>> Y                Y             Y            Mitigated     hpage split
>> Y                Y             N            Vulnerable
> Thank you.
>
> Just a note... for the last 2 cases kernel won't know about "hpage split"
> mitigation until KVM is loaded. So for these cases reporting at boot
> will be "Vulnerable" and would change to "Mitigated" once KVM is loaded
> and deploys the mitigation. This is the current behavior.

That's OK with me, because it's actually pretty closely tied to reality.
You are literally "vulnerable" until you've committed to a mitigation and
that doesn't happen until KVM is loaded.

When are we going to force kvm to be built in, again? ;)