Re: [PATCH RFC 1/2] x86/entry_64: Add a separate unmitigated entry/exit path

From: Waiman Long
Date: Fri Sep 20 2024 - 02:58:05 EST



On 9/19/24 17:52, Pawan Gupta wrote:
> CPU mitigations are deployed system-wide, but usually not all of the
> userspace is malicious. Yet, they suffer from the performance impact
> of the mitigations. This all-or-nothing approach is due to lack of a
> way for the kernel to know which userspace can be trusted and which cannot.
>
> For scenarios where an admin can decide which processes to trust, an
> interface to tell the kernel to possibly skip the mitigation would be
> useful.
>
> In preparation for the kernel to be able to selectively apply mitigation
> per-process, add a separate kernel entry/exit path that skips the
> mitigations.
>
> Originally-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@xxxxxxxxxxxxxxx>

For the current patch, not all x86 CPU vulnerability mitigations can be disabled. Maybe we should list the subset of mitigations that can be disabled.

Cheers,
Longman