On 05/03/2016 02:12 PM, Borislav Petkov wrote:
> On Tue, May 03, 2016 at 02:04:40PM -0700, Dave Hansen wrote:
>> My concern was not necessarily with folks booting with 'nosmep', but
>
> Btw, does anything speak for even keeping that 'nosmep' thing?

Generally, I'm not sure we need the no$foo options at all. There's
always "clearcpuid=" which does the same thing. It just requires you to
go look up the X86_FEATURE_* bit first.

>> with processors that have MPX present and SMEP fused off (or made
>> unavailable by a hypervisor) and which are unaffected by this issue.
>
> So we won't init MPX on those...

Yes, and as long as such a processor doesn't exist today and never
exists in the future or the folks that buy such a processor truly don't
care about MPX, that's fine to do. I'm just a bit nervous about the
whole "never exists in the future" part.

>> People would have to be very careful to never create a processor which
>> did not have SMEP but did have MPX, since MPX would effectively be
>> unusable on such a processor.
>
> We can disable that combination in qemu too, right?

What do you mean by disable? Have qemu error out if MPX and SMEP aren't
disabled in concert with each other?