Date: Tue, 28 Feb 2023 21:45:56 +0100 From: Borislav Petkov <bp@xxxxxxxxx> > So you mean we should stick *all* CPUID leafs in there just because > anything can run in guests? > > What is the hypervisor then for? I'm still a kernel newbie and I don't have a strong opinion for that. I just thought it would be helpful if the KVM_GET_SUPPORTED_CPUID API returns the same security information as the host, as long as it is harmless. I'm inclined to withdraw this patch if it is not worth enough. > Really? Says who? > > $ grep -r . /sys/devices/system/cpu/vulnerabilities/ > > gives you all you need to know. > > And if something's missing, then I'm listening. "De facto standard" was too much. I apologize for my incorrect expression and poor English. What I wanted to say is that the script was introduced as a useful tool by Intel and SLES and it provides some additional information (IBRS always-on in this case). https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/spectre-and-meltdown-checker-script.html https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-spectre.html Best regards, Takahiro Itazuri
