On 10/29/24 08:00, Borislav Petkov wrote: > On Tue, Oct 29, 2024 at 07:40:28AM -0700, Daniel Sneddon wrote: >> Sure, I'll split this up as much as possible. > > Actually, thinking about this more and looking at David's rework: > > https://lore.kernel.org/r/20240912190857.235849-1-david.kaplan@xxxxxxx > > his basically is achieving what you're doing - a post-everything routine which > selects the final mitigation strategy once all the mitigation options have > been parsed and evaluated. > > So I'm wondering if we should simply take his directly... > > He removes that md_clear* function: > > https://lore.kernel.org/r/20240912190857.235849-8-david.kaplan@xxxxxxx > > in favor of doing the final selection in the ->apply* functions and keeping > each mitigation functions simple. > > Yours does this in a single function. > > Practically speaking, the end result is the same. > > Hmm... > I really like the attack vector idea David is using. I suspect people really care about "protect my kernel from bad users" or "protect my host vm from guests" more than "protect me from mds and rfds." I was trying to get rid of the need to do a call to any kind of update function where he took the existing function and split it into one for each mitigation that needs it. Like you said, different approach same end result really.
