Turning on DOITM at last
From: Demi Marie Obenour
Date: Sat Jul 18 2026 - 13:01:56 EST
Is it time to go ahead and turn on DOITM?
Here's my reasoning:
- If it doesn't do anything, it's a harmless no-op.
- If it does something, then that something needed to be done to
protect code that handles secrets, such as crypto code.
- The overhead of switching it on and off is too high, so it's best
to just leave it on all the time.
- Even people who don't care about speculative execution
vulnerabilities, because they only run trusted code on a particular
server, still likely need secure cryptography.
Xen already turned it on in the past.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature