Subject: [MODERATED] Re: [patch 07/11] [PATCH v2 07/10] Linux Patch #7
From: Jon Masters
Date: Mon, 23 Apr 2018 20:44:48 -0400
To: speck@linutronix.de
Message-ID: <4cac4cb1-77ba-4d00-2b0e-2793b0b1335f@redhat.com>
In-Reply-To: <20180423223154.GT6694@tassilo.jf.intel.com>
References: <20180422093545.GA32218@pd.tnic> <2c7fa188-cd84-1a10-56cb-358d3f859559@redhat.com> <20180422103456.GC32218@pd.tnic> <3d7880e7-6b67-b35a-a090-2854f7db54ff@redhat.com> <2184fc1b-dcbc-a40c-64da-4965c7c48faa@redhat.com> <20180423175151.GA21779@dhcp-10-159-147-220.vpn.oracle.com> <217e6c7c-29f9-d754-33ec-fcc541792aab@redhat.com> <20180423223154.GT6694@tassilo.jf.intel.com>

On 04/23/2018 06:31 PM, speck for Andi Kleen wrote:
> With tying it to seccomp many (most?) don't need to be patched
> because they already use it. For example all the major Web Browsers
> are already covered.
As I mentioned on our call earlier, seccomp alone won't be sufficient. I know you know that, and it's been repeated by Tim, but just to be clear. We would either need seccomp to change, or a new prctl (e.g. one that controls speculation options for a process).

> Some additional processes will need to be patched (e.g. JVM),
> but to start that process requires defining a kernel API
> first. So it's important that we define a kernel API.

Indeed, that was my ask earlier, that Intel help drive this urgently if you'd like to save MD on by default by May 21. If we only have the big hammer, as I said on the other call with AMD/Microsoft/SuSE/Canonical etc. earlier this pm, we'll have to go with MD off by default in RHEL. We'd like to give you what you want, but we need a way to go and patch things like OpenJDK in the next couple of weeks, and we're out of time.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop
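The per-process prctl Jon asks for above is the interface that later shipped in Linux 4.17 as PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL with the PR_SPEC_STORE_BYPASS misfeature. The following is an added example written for this archive, not code from the mail, the thread, or any of the vendors named in it: it shows how a userspace program such as a JIT runtime would query the kernel's per-task speculation state, decode the returned bitmask, and opt in to the store-bypass mitigation only when the kernel actually offers per-task control. The constant values are given fallback definitions so the file builds with headers older than 4.17; the decoding rules follow the kernel's documented return bits, and ssb_status_name / ssb_can_opt_in / ssb_query / ssb_disable are names chosen here, not kernel API.

```c
/* Added example: per-task Speculative Store Bypass control via prctl(2).
 * Not part of the original mail; uses the PR_{GET,SET}_SPECULATION_CTRL
 * interface that shipped in Linux 4.17.  Function names are this example's. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for pre-4.17 headers; values match linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_PRCTL           (1UL << 0)  /* per-task control available   */
#define PR_SPEC_ENABLE          (1UL << 1)  /* speculation on, mitigation off */
#define PR_SPEC_DISABLE         (1UL << 2)  /* speculation off, mitigation on */
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)  /* as DISABLE, cannot be undone */
#endif

/* Decode the bitmask returned by PR_GET_SPECULATION_CTRL into a label.
 * A value of 0 means the CPU is not affected; without PR_SPEC_PRCTL the
 * ENABLE/DISABLE bit reports a global state the task cannot change. */
const char *ssb_status_name(long status)
{
    if (status < 0)
        return "error";
    if (status == 0)
        return "not affected";
    if (status & PR_SPEC_PRCTL) {
        if (status & PR_SPEC_FORCE_DISABLE)
            return "per-task: force-disabled";
        if (status & PR_SPEC_DISABLE)
            return "per-task: disabled";
        if (status & PR_SPEC_ENABLE)
            return "per-task: enabled";
    } else {
        if (status & PR_SPEC_DISABLE)
            return "global: disabled";
        if (status & PR_SPEC_ENABLE)
            return "global: enabled";
    }
    return "unknown";
}

/* A process should only ask for the mitigation when the kernel offers
 * per-task control and store bypass is currently enabled for this task. */
int ssb_can_opt_in(long status)
{
    return status > 0 && (status & PR_SPEC_PRCTL) && (status & PR_SPEC_ENABLE);
}

/* Query the calling task.  Returns the status mask, or -errno on failure
 * (e.g. -ENODEV on a kernel without speculation control). */
long ssb_query(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Disable speculative store bypass for this task.  The setting is inherited
 * across fork/exec; 'force' makes it irreversible for the task. */
int ssb_disable(int force)
{
    unsigned long mode = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, mode, 0, 0) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    long before = ssb_query();
    printf("SSB before: %s\n", ssb_status_name(before));
    if (ssb_can_opt_in(before)) {
        int rc = ssb_disable(0);
        if (rc)
            printf("disable failed: %s\n", strerror(-rc));
    }
    printf("SSB after:  %s\n", ssb_status_name(ssb_query()));
    return 0;
}
```

Run as-is on a 4.17 or later kernel to see the task's state before and after opting in; on an unaffected CPU or an older kernel the program reports "not affected" or "error" and changes nothing. In the design that eventually shipped, installing a seccomp filter also applies this mitigation to the task by default (unless the filter is loaded with SECCOMP_FILTER_FLAG_SPEC_ALLOW), which is why seccomp alone covers browsers but a JIT that does not use seccomp still needs the explicit prctl call shown here.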