On 4/15/19 10:49 AM, Dario Faggioli wrote:
On Mon, 2019-04-15 at 09:59 -0700, PGNet Dev wrote:
It's pretty much what we do by default, which might be seen as a good sign, I guess.
*Suse also enables "IBPB" by default. Is that (still) correct?
Which I'd like to NOT take the purported ~20% performance hit for, and believe I've correctly (?) DISabled with adding:
spectre_v2=retpoline,generic
to my grub config's kernel command line
Well, not quite. :-/
In fact, this is from inside a guest. In order for things to be 100% safe, hyperthreading should be disabled at the _host_ level, which is something that the guest can't know.
Actually, the guest can't know for sure whether or not the underlying host it is running on has L1D flush supported and enabled either.
So, I think it is calling it "NOT VULNERABLE" on the ground, e.g., that, as it says, "this system is not running an hypervisor". But that is going to be true for any VM, unless one is using nested virtualization.
If that's the case, the whole 'Foreshadow-NG (VMM)' block appears to be rather bogus... but I really want to speak only after having checked the code. :-)
Understood.
Also, I *did* see a KVM host-side change (namely, an upgrade to a fully patched Host) that switched the reporting of Variant 3a & 4 vulnerabilities from VULNERABLE ==> NOT VULNERABLE, in the guest.
Which I believe is expected.
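The thread's point is that a guest can read its own mitigation status from `/sys/devices/system/cpu/vulnerabilities` and its `spectre_v2=` boot parameter, but cannot see host-side facts such as whether hyperthreading is disabled or L1D flush is enabled on the hypervisor. The following added example (not code from the thread or from any of its participants) audits those guest-visible files and flags the L1TF entry as host-dependent whenever the `hypervisor` CPUID flag is present in `/proc/cpuinfo`. The sysfs contents, command line and cpuinfo embedded below are constructed sample input; the helper names are my own.

```python
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Mitigations whose real effectiveness depends on state only the host can see.
# The thread names two such facts for L1TF: host SMT status and host L1D flush.
HOST_DEPENDENT = {
    "l1tf": "host SMT state and L1D flush are configured on the hypervisor and are not visible in a guest",
}


def parse_vulns(entries):
    """Map each sysfs vulnerability file's text to a coarse state.

    entries: dict of file name -> file contents (e.g. 'spectre_v2' -> 'Mitigation: ...').
    """
    result = {}
    for name, text in entries.items():
        text = text.strip()
        if text.startswith("Not affected"):
            state = "not-affected"
        elif text.startswith("Mitigation:"):
            state = "mitigated"
        elif text.startswith("Vulnerable"):
            state = "vulnerable"
        else:
            state = "unknown"
        result[name] = (state, text)
    return result


def spectre_v2_setting(cmdline):
    """Return the value of spectre_v2= on the kernel command line, or None if absent."""
    m = re.search(r"(?:^|\s)spectre_v2=(\S+)", cmdline)
    return m.group(1) if m else None


def is_guest(cpuinfo):
    """True if the 'hypervisor' CPUID flag appears in /proc/cpuinfo text."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


def audit(entries, cmdline, cpuinfo):
    """Combine the three inputs into one report, annotating host-dependent entries in a guest."""
    guest = is_guest(cpuinfo)
    report = {}
    for name, (state, detail) in parse_vulns(entries).items():
        note = HOST_DEPENDENT.get(name, "") if guest else ""
        report[name] = {"state": state, "detail": detail, "host_dependent_note": note}
    return {
        "guest": guest,
        "spectre_v2": spectre_v2_setting(cmdline),
        "vulnerabilities": report,
    }


def audit_live():
    """Read the real files on this machine (requires Linux with the sysfs directory present)."""
    entries = {}
    for name in os.listdir(VULN_DIR):
        with open(os.path.join(VULN_DIR, name)) as f:
            entries[name] = f.read()
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    return audit(entries, cmdline, cpuinfo)


# Constructed sample input standing in for a guest's sysfs, command line and cpuinfo.
SAMPLE_VULNS = {
    "l1tf": "Mitigation: PTE Inversion\n",
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "spec_store_bypass": "Vulnerable\n",
}
SAMPLE_CMDLINE = "BOOT_IMAGE=/boot/vmlinuz root=/dev/vda2 spectre_v2=retpoline,generic quiet\n"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae sse2 hypervisor lahf_lm\n"

if __name__ == "__main__":
    rep = audit(SAMPLE_VULNS, SAMPLE_CMDLINE, SAMPLE_CPUINFO)
    print("running as guest:", rep["guest"], "| spectre_v2=", rep["spectre_v2"])
    for name, info in sorted(rep["vulnerabilities"].items()):
        flag = "  [" + info["host_dependent_note"] + "]" if info["host_dependent_note"] else ""
        print(f"{name:20s} {info['state']:13s} {info['detail']}{flag}")
```

Run against the sample input, the report marks the guest as virtualized, extracts `retpoline,generic`, and attaches the host-dependency note to `l1tf` only; `audit_live()` does the same against the running kernel.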