No. I guess it is very unlikely that kvm.enable_vmware_backdoor would ever become a default. If we listed all options that are implicit / default anyhow, things could get messy. Maybe we need some exception for this general rule sometimes but here I don’t see it.
If we follow our latest policy from “Should all kernel patches for CPU bugs be unconditionally enabled? Vs Performance vs Applicability”, then yes.
What do they mean by “If the software workaround is enabled for the host,”?
See also L1TF - L1 Terminal Fault — The Linux Kernel documentation
The applicable part of us seems to be:
Mitigation selection guide
- Virtualization with untrusted guests
3.1. SMT not supported or disabled
If SMT is not supported by the processor or disabled in the BIOS or by the kernel, it’s only required to enforce L1D flushing on VMENTER.
Conditional L1D flushing is the default behaviour and can be tuned. See Mitigation control on the kernel command line and Mitigation control for KVM - module parameter.
kvm-intel.vmentry_l1d_flush=always is said to reduce performance. Therefore we shouldn’t enable it if it doesn’t benefit security at all.
Therefore I guess it’s not needed. Unless, does someone make the argument that one should set kvm-intel.vmentry_l1d_flush=always for better security even though we’re already disabling SMT? Can you find any such references?
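As an added example (not from the post or the kernel docs), this parses the host’s l1tf status line and applies the “virtualization with untrusted guests” selection guide quoted above: with SMT disabled, conditional L1D flushing is enough, and only a disabled flush or enabled SMT is flagged. The sample lines are constructed, modelled on the status formats the L1TF documentation lists.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples modelled on the status formats listed in the kernel's
# L1TF documentation; not output captured from a real host.
SAMPLES = {
    "smt_off_cond":   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled",
    "smt_on_cond":    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "smt_off_always": "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "flush_off":      "Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled",
    "ept_off":        "Mitigation: PTE Inversion; VMX: EPT disabled",
    "not_affected":   "Not affected",
}

# VMX flush descriptions as documented -> short internal mode names
FLUSH_MODES = {"vulnerable": "vulnerable", "conditional cache flushes": "conditional",
               "cache flushes": "always", "EPT disabled": "ept-disabled",
               "flush not necessary": "not-needed"}

@dataclass
class L1tfStatus:
    affected: bool
    vmx: str                      # "none" when no VMX section is present
    smt_disabled: Optional[bool]  # None when the line carries no SMT part

def parse_l1tf(status: str) -> L1tfStatus:
    """Parse one line of /sys/devices/system/cpu/vulnerabilities/l1tf."""
    status = status.strip()
    if status == "Not affected":
        return L1tfStatus(False, "none", None)
    if "; VMX: " not in status:  # kvm_intel not loaded: no VMX section at all
        return L1tfStatus(True, "none", None)
    vmx_part = status.split("; VMX: ", 1)[1]
    flush, _, smt = vmx_part.partition(", SMT ")
    smt_disabled = None if not smt else smt == "disabled"
    return L1tfStatus(True, FLUSH_MODES.get(flush, "unknown"), smt_disabled)

def untrusted_guest_ok(status: str) -> Tuple[bool, str]:
    """Apply the doc's 'virtualization with untrusted guests' guide to a status line."""
    s = parse_l1tf(status)
    if not s.affected or s.vmx in ("none", "ept-disabled", "not-needed"):
        return True, "no L1D leak path via VMX on this host"
    if s.vmx in ("vulnerable", "unknown"):
        return False, "L1D flush on VMENTER is off or unrecognised; set kvm-intel.vmentry_l1d_flush=cond (or always)"
    if not s.smt_disabled:
        return False, "SMT is enabled; the guide calls for SMT off with untrusted guests"
    # SMT off plus conditional/always flush: the guide's case 3.1, conditional suffices
    return True, f"SMT disabled, L1D flush mode '{s.vmx}'; conditional flushing suffices"

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:15} -> {untrusted_guest_ok(line)}")
```

On a real host, feed it the contents of /sys/devices/system/cpu/vulnerabilities/l1tf instead of the constructed samples.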