On Sun, Nov 18, 2018 at 1:49 PM Jiri Kosina <jikos@xxxxxxxxxx> wrote:
>
> > So why do that STIBP slow-down by default when the people who *really*
> > care already disabled SMT?
>
> BTW for them, there is no impact at all.

Right. People who really care about security and are anal about it do
not see *any* advantage of the patch.

But people who aren't that worried suddenly see potentially huge slowdowns.

In other words, the behavior of the patch is basically essentially
exactly the reverse of what you'd want. You penalize the people who
don't even want it and don't care.

> STIBP is only activated on systems with HT on; plus odds are that people
> who don't care about spectrev2 already have 'nospectre_v2' on their
> command-line, so they are fine as well.

I'm talking about *normal* people. People who simply aren't all that
invested in this all. People who just want to get their work done.

> So, I think it's as theoretical as any other spectrev2 (only with the
> extra "HT" condition added on top).

What? No. It's *way* more theoretical than something like meltdown,
which could be trivially used to get data from another protection
domain.

Have you seen any actual realistic attacks for normal human users?
Things where the *kernel* should actually care? The javascript thing
is for the browser to fix up, not for the kernel to say "now
everything should run up to 50% slower".

Linus