On 12/02/18 11:51, Adam Carter wrote: |
> $ grep . /sys/devices/system/cpu/vulnerabilities/* |
> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI |
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
|
One other thing that's landed is an option to completely disable the
BPF interpreter in the kernel and force BPF JIT. Apparently, and
contrary to what people (me included) wrote here in the past, BPF JIT is
the secure option, and the interpreter is the insecure one.
|
The option is CONFIG_BPF_JIT_ALWAYS_ON. The prompt for it only becomes
available after enabling CONFIG_BPF_JIT.
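An added example, not part of the original message: a small POSIX sh audit that checks a kernel config file for the two options named above (CONFIG_BPF_JIT and CONFIG_BPF_JIT_ALWAYS_ON) and reports the runtime state from the bpf_jit_enable sysctl. The config path and the sysctl path are parameters; the function names are my own.

```shell
#!/bin/sh
# audit_bpf_jit_config CONFIG_FILE
#   0: CONFIG_BPF_JIT=y and CONFIG_BPF_JIT_ALWAYS_ON=y (interpreter compiled out)
#   1: CONFIG_BPF_JIT=y but ALWAYS_ON unset (interpreter still reachable)
#   2: CONFIG_BPF_JIT not enabled (ALWAYS_ON cannot even be selected)
audit_bpf_jit_config() {
    cfg="$1"
    jit=$(grep -E '^CONFIG_BPF_JIT=' "$cfg" | cut -d= -f2 || true)
    always=$(grep -E '^CONFIG_BPF_JIT_ALWAYS_ON=' "$cfg" | cut -d= -f2 || true)
    if [ "$jit" != "y" ]; then
        echo "CONFIG_BPF_JIT is not set: BPF_JIT_ALWAYS_ON is unavailable"
        return 2
    fi
    if [ "$always" != "y" ]; then
        echo "CONFIG_BPF_JIT=y but CONFIG_BPF_JIT_ALWAYS_ON unset: interpreter present"
        return 1
    fi
    echo "CONFIG_BPF_JIT_ALWAYS_ON=y: interpreter compiled out, JIT forced"
    return 0
}

# bpf_jit_runtime_state [SYSCTL_FILE]
# Prints a label for net.core.bpf_jit_enable (0 off, 1 on, 2 on with debug dump).
# Assumption (not stated in the thread): with BPF_JIT_ALWAYS_ON the kernel
# pins this value to 1, so "0" here means the interpreter is in use.
bpf_jit_runtime_state() {
    f="${1:-/proc/sys/net/core/bpf_jit_enable}"
    [ -r "$f" ] || { echo "unknown"; return 3; }
    case "$(cat "$f")" in
        0) echo "interpreter"; return 1 ;;
        1) echo "jit"; return 0 ;;
        2) echo "jit-debug"; return 0 ;;
        *) echo "unknown"; return 3 ;;
    esac
}

# Typical use on a running system (paths are the usual locations, adjust as needed):
#   audit_bpf_jit_config "/boot/config-$(uname -r)"
#   bpf_jit_runtime_state
```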