03-07-2020, 12:47 PM
(03-07-2020, 12:00 AM)moonwalkers Wrote:(03-02-2020, 08:41 AM)danielt Wrote: I haven't experimented with removing the maxcpus= workaround yet but I have updated to v2.0 in the latest (2020-03-02) release. See first post for other changes.
After running v2.0 with your 5.5-1 build for a while I can say that without maxcpus= workaround it takes between 10 and 15 seconds for me to see screen come to life after pressing power button. If the price of not having workarounds with nasty security implications is a mere 10 seconds of extra boot time I'm perfectly fine with paying it.
The option turned off in the v5.4 was pretty theoretic; it is designed to prevent a hostile virtualized kernel from learning at what address the host kernel had been mapped (and there would have to be another security hole in the hypervisor for that info to be useful). The security implications certainly weren't all nasty or I wouldn't have turned them off! IMHO browsing the web is a *much* more signficant security risk.
Anyhow when looking at v5.5 I realized there was another errata that I wasn't happy to disable so I force both workaround to deploy even when maxcpus=4. In other words the HARDEN_EL2_VECTORS is reenabled in v5.5 and will deploy in both cases. around the problem in a different way and all the security features are enabled again in v5.5.