On 12/02/18 11:51, Adam Carter wrote:
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
One other thing that's landed is an option to completely disable the
BPF interpreter in the kernel and force BPF JIT. Apparently, and
contrary to what people (me included) wrote here in the past, BPF JIT is
the secure option, and the interpreter is the insecure one.
The option is CONFIG_BPF_JIT_ALWAYS_ON. The prompt for it only becomes
available after enabling CONFIG_BPF_JIT.
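As an added example (not from the thread or from either poster), here is a small POSIX shell script that does the two checks discussed above in one place: it reads every file under the sysfs vulnerabilities directory and flags any that still reports "Vulnerable", and it inspects a kernel config file for CONFIG_BPF_JIT and CONFIG_BPF_JIT_ALWAYS_ON. The directory and config file paths are parameters so the functions can be run against constructed copies; the default config location /boot/config-$(uname -r) is an assumption (on a kernel built with CONFIG_IKCONFIG_PROC, `zcat /proc/config.gz` into a temporary file works too).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Summarise CPU vulnerability mitigations and the BPF JIT kernel options.

# Print "<name>: <status>" for every file in DIR (default: the live sysfs
# directory) and return 1 if any entry reports "Vulnerable", else 0.
check_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status="$(cat "$f")"
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Inspect a plain-text kernel config (e.g. /boot/config-$(uname -r), or the
# output of `zcat /proc/config.gz`) for the BPF JIT options.
# Returns 0 only when CONFIG_BPF_JIT_ALWAYS_ON=y (interpreter compiled out),
# 1 when the JIT is built but the interpreter is still present, and
# 2 when CONFIG_BPF_JIT is not enabled at all.
check_bpf_jit() {
    config="$1"
    if ! grep -qx 'CONFIG_BPF_JIT=y' "$config"; then
        echo "bpf: JIT not built (CONFIG_BPF_JIT unset); interpreter in use"
        return 2
    fi
    if grep -qx 'CONFIG_BPF_JIT_ALWAYS_ON=y' "$config"; then
        echo "bpf: JIT forced on, interpreter compiled out"
        return 0
    fi
    echo "bpf: JIT available, but interpreter still present (CONFIG_BPF_JIT_ALWAYS_ON unset)"
    return 1
}

# Run against the live system only when invoked as: sh check.sh --live [config]
# (the config path default below is an assumption about the distribution layout).
case "${1:-}" in
    --live)
        check_vulnerabilities || echo "WARNING: at least one CPU issue is unmitigated"
        check_bpf_jit "${2:-/boot/config-$(uname -r)}" || true
        ;;
esac
```

Invoke it with `--live` on the machine being checked; without arguments it only defines the functions, which makes it easy to source and test against copied sysfs and config files.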