Re: [Patch v3 12/13] x86/speculation: Protect non-dumpable processes against Spectre v2 attack

From: Thomas Gleixner
Date: Thu Oct 18 2018 - 11:17:47 EST


On Wed, 17 Oct 2018, Tim Chen wrote:
> +void arch_set_dumpable(struct task_struct *tsk, unsigned int value)
> +{
> + bool update;
> +
> + if (!static_branch_unlikely(&spectre_v2_app_lite))
> + return;
> + if (!static_cpu_has(X86_FEATURE_STIBP))
> + return;
> + if (spectre_v2_app2app_enabled == SPECTRE_V2_APP2APP_NONE)
> + return;

Can spectre_v2_app_lite be enabled when the cpu does not support STIBP or
spectre_v2_app2app_enabled is not set to SPECTRE_V2_APP2APP_CMD_LITE?

No, it cannot. So checking the static key is sufficient.

Thanks,

tglx