Closed ghost closed 5 years ago
We will have to talk about this internally. Personally, I'm in favor of having speculative execution protection enabled but not restricting a user from disabling it on offline machines if they choose to. Their machine == their choice. I'm not opposed to requiring a user to have to reboot if they want to turn it off.
On Trident I checked the state of the IBRS with sysctl hw.ibrs_active. It came back false, meaning speculative execution was NOT restricted. I discovered the ability to disable IBRS was true, that is, the configurable sysctl hw.ibrs_disable was true.
To ensure the IBRS could NOT be disabled I used sudo sysctl hw.ibrs_disable=0
Then, sysctl hw.ibrs_active came back true.
For this to persist across restarts of the PC, however, I edited /etc/sysctl.conf by adding hw.ibrs_disable=0
So, shouldn’t my modification to sysctl.conf be part of the default Trident installation, or at least a choice during installation or updates?
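A small audit script for the check described in the post above, added here as an example and not part of the issue or of Trident: it reports whether IBRS is active and whether /etc/sysctl.conf pins hw.ibrs_disable=0 for the next boot (honouring the last assignment in the file, which is what sysctl -f applies). The sysctl names come from the thread; the status labels and the --check flag are my own.

```sh
#!/bin/sh
# Audit IBRS (Spectre v2 mitigation) state on a FreeBSD-derived system such as
# Trident and whether the setting survives a reboot. Added example, not from the
# original issue. Assumes the sysctl names from the thread (hw.ibrs_active,
# hw.ibrs_disable) and /etc/sysctl.conf as the boot-time configuration file.

# Print the value of hw.ibrs_disable that the given sysctl.conf would apply at
# boot. sysctl -f processes lines in order, so the last assignment wins; comments
# and surrounding whitespace are ignored. Prints "unset" if no assignment exists.
persisted_ibrs_disable() {
    conf="$1"
    [ -r "$conf" ] || { echo unset; return; }
    sed -e 's/#.*//' "$conf" | awk -F= '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == "hw.ibrs_disable" { val = $2 }
        END { if (val == "") print "unset"; else print val }'
}

# Classify the machine from the live sysctl values (0/1) and the persisted value:
#   protected-persistent  IBRS active now and pinned on by sysctl.conf
#   protected-volatile    IBRS active now, but nothing pins it across reboots
#   unsupported           not disabled, yet not active: CPU/microcode exposes no IBRS
#   unprotected           IBRS disabled by policy (hw.ibrs_disable=1)
ibrs_status() {
    active="$1"; disabled="$2"; persisted="$3"
    if [ "$active" = "1" ]; then
        if [ "$persisted" = "0" ]; then echo protected-persistent
        else echo protected-volatile; fi
    elif [ "$disabled" = "0" ]; then
        echo unsupported
    else
        echo unprotected
    fi
}

# Live audit: read the sysctls (falls back to "not active / disabled" off FreeBSD).
main() {
    conf="${1:-/etc/sysctl.conf}"
    active=$(sysctl -n hw.ibrs_active 2>/dev/null || echo 0)
    disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null || echo 1)
    persisted=$(persisted_ibrs_disable "$conf")
    echo "hw.ibrs_active=$active hw.ibrs_disable=$disabled persisted=$persisted"
    ibrs_status "$active" "$disabled" "$persisted"
}

if [ "${1:-}" = "--check" ]; then main "${2:-}"; fi
```

Run it as `sh ibrs_audit.sh --check` (optionally followed by an alternative sysctl.conf path) on the Trident machine; the last output line is the classification.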