On 10/10/24 07:57, Borislav Petkov wrote:
> On Wed, Oct 09, 2024 at 09:52:19PM -0700, Josh Poimboeuf wrote:
>> Is this a realistic use case? Are people really going to want to
>> enable/disable VERW mitigations as a group?

They have to. The way you do it today is by setting four different options.
If you miss one and your system has the bug you missed, too bad, you're
getting the mitigation enabled. Since we have four bugs but only one
mitigation, I thought it made more sense to just have 1 knob to control it
rather than 4. However, since we'd need to keep those old knobs around anyway,
it turns out we'd just have 5. :(

<insert XKCD comic here>

> +1.
>
> David's per-attack-vector stuff will simplify the user side of this
> considerably, so I'm trying real hard to find the point for a new option.
>
> IOW, the reason I requested this cleanup is to have proper sync between the
> different mitigations all using VERW behind the scenes. But there's no need to
> change the user interface, is there?

The reason I did the patches this way wasn't so much "need" as it just seemed
a simpler way to do it. Why have 4 knobs when there is really only 1
mitigation under the hood?

My question for you then is what you mean by "proper sync"? I'm guessing you
mean that if any one of those 4 mitigations is set to off, then assume all are
off? No one should want to set, say, MMIO to =off but RFDS to =on, so the only
real issue is if I set some to =off but leave others unset: the unspecified
options will default to on, which means all are on. If the desire is to
reverse that, so that any one of the 4 being disabled is enough to disable all
VERW mitigations, I can make that change. I just want to make sure I know what
the desired path is.

Thanks,
Dan

> Thx.
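The two ways of combining the knobs that Dan contrasts above (today's "an unset knob defaults to on" versus "any one of the four set to off disables the shared VERW mitigation"), modelled as an added example that is not code from the kernel or from this patch series. The message does not name the four options; the example assumes they are the kernel parameters mds=, tsx_async_abort=, mmio_stale_data= and reg_file_data_sampling=, and it treats any value other than off as enabling a knob, which is a simplification of the real parameter parsing. The bug mask is a stand-in for the CPU's vulnerability bits.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumption: the "four different options" in the message are these four
 * command-line parameters, all of which select the same VERW-based
 * mitigation. Bit i of a bug mask below means "the CPU has bug i".
 */
static const char *const verw_knobs[] = {
	"mds",				/* bit 0 */
	"tsx_async_abort",		/* bit 1 */
	"mmio_stale_data",		/* bit 2 */
	"reg_file_data_sampling",	/* bit 3 */
};
#define NR_VERW_KNOBS 4

enum knob_state { KNOB_UNSET, KNOB_ON, KNOB_OFF };

/*
 * Find "name=value" as a whole token in cmdline. "=off" is KNOB_OFF, any
 * other value counts as KNOB_ON (simplification: the real knobs accept more
 * values than on/off), and a knob that is not present at all is KNOB_UNSET.
 */
static enum knob_state knob_state(const char *cmdline, const char *name)
{
	size_t nlen = strlen(name);
	const char *p = cmdline;

	while ((p = strstr(p, name)) != NULL) {
		bool token_start = (p == cmdline || p[-1] == ' ');

		if (token_start && p[nlen] == '=') {
			const char *v = p + nlen + 1;

			if (strncmp(v, "off", 3) == 0 &&
			    (v[3] == '\0' || v[3] == ' '))
				return KNOB_OFF;
			return KNOB_ON;
		}
		p += nlen;
	}
	return KNOB_UNSET;
}

/*
 * Today's behaviour as the message describes it: each knob is independent
 * and an unset knob defaults to on, so VERW is used as soon as one bug the
 * CPU actually has was not explicitly switched off.
 */
static bool verw_enabled_today(const char *cmdline, unsigned int bug_mask)
{
	for (int i = 0; i < NR_VERW_KNOBS; i++) {
		if (!(bug_mask & (1u << i)))
			continue;	/* CPU is not vulnerable to this bug */
		if (knob_state(cmdline, verw_knobs[i]) != KNOB_OFF)
			return true;
	}
	return false;
}

/*
 * The alternative Dan offers to implement: any one of the four set to off
 * disables the shared VERW mitigation for all of them; otherwise it stays
 * on whenever the CPU has at least one of the bugs.
 */
static bool verw_enabled_any_off(const char *cmdline, unsigned int bug_mask)
{
	for (int i = 0; i < NR_VERW_KNOBS; i++)
		if (knob_state(cmdline, verw_knobs[i]) == KNOB_OFF)
			return false;
	return bug_mask != 0;
}

int main(void)
{
	/* Constructed sample command lines; 0xf = CPU has all four bugs. */
	const char *samples[] = {
		"",
		"mds=off",
		"mds=off tsx_async_abort=off mmio_stale_data=off reg_file_data_sampling=off",
		"quiet mmio_stale_data=off",
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-78s today=%d any_off=%d\n",
		       samples[i][0] ? samples[i] : "(empty)",
		       verw_enabled_today(samples[i], 0xf),
		       verw_enabled_any_off(samples[i], 0xf));
	return 0;
}
```

The interesting row is "mds=off" on a CPU with all four bugs: under today's rule the three unset knobs default to on, so the VERW mitigation is still enabled and the user's =off did nothing; under the any-off rule the single =off turns it off for all four.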