One interesting semi related news item, there's a submission for 6.11 kernel to turn Spectre branch-history-injection mitigation on only for VMs, leaving it off for the host. https://www.phoronix.com/news/Linux-Spectre-BHI-VMEXIT
I'm low key excited to see some new security postures evolve, beyond the fairly maximalist stance we've been running with. If there's no one else on the host - like if everyone's isolated to vm's - maybe don't keep all the costly mitigations going on it!
1 comment
[ 2.2 ms ] story [ 14.0 ms ] threadI'm low key excited to see some new security postures evolve, beyond the fairly maximalist stance we've been running with. If there's no one else on the host - like if everyone's isolated to vm's - maybe don't keep all the costly mitigations going on it!