Hi!

According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but has a severe performance impact.

FWIW: With EPT disabled (2)), I can *not* confirm any performance degradation for the VirtualBox Windows or Linux VMs that I use. Those VMs are for desktop use, though.

So to me it seems that the performance impact depends on the use case, and in a desktop setting disabling EPT may offer a simple max-protection option with the advantage of still-enabled hyperthreading.

I have tried this with 4.18.1 and 4.14.63.

Rainer Fiebig

***

1) https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html#mitigation-selection-guide

2) kvm-intel.ept=0

> tail /sys/devices/system/cpu/vulnerabilities/*
==> /sys/devices/system/cpu/vulnerabilities/l1tf <==
Mitigation: PTE Inversion; VMX: EPT disabled

==> /sys/devices/system/cpu/vulnerabilities/meltdown <==
Mitigation: PTI

==> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass <==
Mitigation: Speculative Store Bypass disabled via prctl and seccomp

==> /sys/devices/system/cpu/vulnerabilities/spectre_v1 <==
Mitigation: __user pointer sanitization

==> /sys/devices/system/cpu/vulnerabilities/spectre_v2 <==
Mitigation: Full generic retpoline, IBPB, IBRS_FW
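As an added example (not part of the post above), the following Python parses the sysfs vulnerability status shown in the post, classifies the VMX part of the l1tf line (EPT disabled versus SMT disabled versus SMT still vulnerable), and lists any entry the kernel reports as unmitigated. The sample `tail` output is constructed to match the post's host; the status strings it recognises are the ones documented in the kernel's l1tf admin guide.

```python
import re
from pathlib import Path

# Constructed sample of `tail /sys/devices/system/cpu/vulnerabilities/*` output,
# modelled on the host state in the post; not captured from a real machine.
SAMPLE_TAIL = """\
==> /sys/devices/system/cpu/vulnerabilities/l1tf <==
Mitigation: PTE Inversion; VMX: EPT disabled

==> /sys/devices/system/cpu/vulnerabilities/meltdown <==
Mitigation: PTI
"""

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def parse_tail(text):
    """Map each vulnerability file name to its one-line status from `tail` output."""
    status, current = {}, None
    for line in text.splitlines():
        header = re.match(r"==> (\S+) <==", line)
        if header:
            current = header.group(1).rsplit("/", 1)[-1]
        elif current and line.strip():
            status[current] = line.strip()
    return status


def read_sysfs(directory=SYSFS_DIR):
    """Read the live sysfs files on a Linux host; same shape as parse_tail()."""
    return {p.name: p.read_text().strip() for p in sorted(directory.glob("*")) if p.is_file()}


def l1tf_vmx_state(status):
    """Classify the VMX/KVM part of an l1tf status line.

    Results: 'not-affected', 'vulnerable', 'no-vmx' (PTE inversion only, e.g.
    kvm-intel not loaded), 'ept-disabled', 'smt-disabled' or 'smt-vulnerable'.
    """
    if status.startswith("Not affected"):
        return "not-affected"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    _, sep, vmx = status.partition("VMX:")
    if not sep:
        return "no-vmx"
    if "EPT disabled" in vmx:
        return "ept-disabled"
    if "SMT disabled" in vmx:
        return "smt-disabled"
    return "smt-vulnerable"


def unmitigated(status_map):
    """Names of all vulnerabilities whose status line starts with 'Vulnerable'."""
    return sorted(name for name, line in status_map.items() if line.startswith("Vulnerable"))
```

On a live host, `unmitigated(read_sysfs())` gives the same report for the real sysfs directory.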