Turning on DOITM at last

From: Demi Marie Obenour

Date: Sat Jul 18 2026 - 13:01:56 EST


Is it time to go ahead and turn on DOITM?

Here's my reasoning:

- If it doesn't do anything, it's a harmless no-op.

- If it does something, then that something needed to be done to
protect code that handles secrets, such as crypto code.

- The overhead of switching it on and off is too high, so it's best
to just leave it on all the time.

- Even people who don't care about speculative execution
vulnerabilities, because they only run trusted code on a particular
server, still likely need secure cryptography.

Xen already turned it on in the past.
--
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature