On Wed, Sep 02, 2020 at 06:55:01PM +0200, Borislav Petkov wrote:
> On Wed, Sep 02, 2020 at 06:45:38PM +0200, pet...@infradead.org wrote:
> > We really should clear the CPUID bits when the kernel explicitly
> > disables things.
> 
> Actually, you want to *disable* the functionality behind it by clearing
> a bit in CR4 - and yes, not all features have CR4 bits - so that
> luserspace doesn't "probe" the existence of certain instructions.
> 
> Example: you can still try to run RDRAND and succeed even if the
> corresponding CPUID bit is clear.

Well yes, but as you say, we don't have that :/ Clearing it in CPUID is
the best we can do.
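
The point of the quoted RDRAND example, as an added illustration that is not part of the thread: a small C probe that reads the RDRAND feature bit (CPUID leaf 1, ECX bit 30) and, separately, tries the instruction under a SIGILL handler. The function names are made up for this example; it assumes GCC or Clang on Linux and reports "not x86" elsewhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define ON_X86 1
static sigjmp_buf ill_env;
static void on_sigill(int sig) { (void)sig; siglongjmp(ill_env, 1); }
#else
#define ON_X86 0
#endif

/* What CPUID says: 1 if leaf 1 ECX bit 30 (RDRAND) is set, else 0. */
int cpuid_advertises_rdrand(void) {
#if ON_X86
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return (ecx >> 30) & 1;
#endif
    return 0;
}

/* What the CPU does: 1 if RDRAND ran, 0 if it raised #UD, -1 if not x86. */
int rdrand_executes(void) {
    volatile int ran = -1;
#if ON_X86
    struct sigaction sa, old;
    unsigned int val; unsigned char carry;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigaction(SIGILL, &sa, &old);
    ran = 0;
    if (sigsetjmp(ill_env, 1) == 0) {
        /* Carry flag only reports whether entropy was ready; ignored here. */
        __asm__ volatile("rdrand %0; setc %1" : "=r"(val), "=qm"(carry) : : "cc");
        ran = 1;
    }
    sigaction(SIGILL, &old, NULL);
    (void)val; (void)carry;
#endif
    return ran;
}

int main(void) {
    printf("CPUID advertises RDRAND: %d\n", cpuid_advertises_rdrand());
    printf("RDRAND executes:         %d\n", rdrand_executes());
    return 0;
}
```

Output of 0 followed by 1 is the case the thread describes: the CPUID bit is hidden but the instruction still runs, because nothing makes it fault.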
