Spectre / Meltdown mitigation defaults changed

Linux devs decided to change the scope and method of these mitigations by default in an upcoming kernel version. Let's try to make head or tail of how this affects older systems and whether we need to keep them toggled on.


Looks like it’s not done. Quote:

We’ll keep monitoring to see if/when this change is accepted.

Related settings file:


We set the strictest option anyhow: spec_store_bypass_disable=on. The new default that's being suggested upstream is weaker and only enables this mitigation for processes that explicitly ask for it. It's still best to enable it system-wide by default for security, albeit at a performance loss, which I think we can handle.
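To make the difference between the two policies concrete, here is an added example (not code from the thread or from the project being discussed) that checks how the Speculative Store Bypass mitigation is applied on a running system. It reads the boot-time policy from /sys/devices/system/cpu/vulnerabilities/spec_store_bypass, then asks the kernel via prctl(PR_GET_SPECULATION_CTRL) what the current task got, and finally does what the proposed upstream default expects every process to do on its own: opt in with PR_SET_SPECULATION_CTRL. The sysfs strings and prctl bit values are the kernel's documented ABI; the enum and helper names (ssb_policy_from_sysfs, ssb_describe_task, ssb_task_is_mitigated) are mine.

```c
/* Added example, not from the thread: audit the SSB mitigation policy.
 *   spec_store_bypass_disable=on    -> sysfs "Mitigation: Speculative Store Bypass disabled"
 *                                      and prctl reports PR_SPEC_DISABLE without PR_SPEC_PRCTL
 *   spec_store_bypass_disable=prctl -> sysfs "... disabled via prctl", each task must opt in
 * The decoding helpers are pure; only main() talks to the kernel. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Kernel ABI values from <linux/prctl.h>, supplied here for older libc headers. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
#define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

enum ssb_policy { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_FORCED, SSB_OPT_IN };

/* Classify one line of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. */
enum ssb_policy ssb_policy_from_sysfs(const char *line)
{
    static const char forced[] = "Mitigation: Speculative Store Bypass disabled";
    static const char optin[]  = "Mitigation: Speculative Store Bypass disabled via prctl";
    char buf[128];
    size_t n = strlen(line);
    if (n >= sizeof buf) return SSB_UNKNOWN;
    memcpy(buf, line, n + 1);
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == ' ')) buf[--n] = '\0';
    if (strcmp(buf, "Not affected") == 0) return SSB_NOT_AFFECTED;
    if (strcmp(buf, "Vulnerable") == 0) return SSB_VULNERABLE;
    if (strcmp(buf, forced) == 0) return SSB_FORCED;            /* =on: system-wide */
    if (strncmp(buf, optin, sizeof optin - 1) == 0) return SSB_OPT_IN; /* =prctl or =seccomp */
    return SSB_UNKNOWN;
}

/* 1 if the PR_GET_SPECULATION_CTRL status means this task is actually mitigated. */
int ssb_task_is_mitigated(long st)
{
    return (st & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC)) != 0;
}

/* Human-readable decoding of the PR_GET_SPECULATION_CTRL status bits. */
const char *ssb_describe_task(long st)
{
    if (st == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (st & PR_SPEC_FORCE_DISABLE) return "mitigated, force-disabled for this task (cannot be undone)";
    if (st & PR_SPEC_DISABLE_NOEXEC) return "mitigated until execve()";
    if (st & PR_SPEC_DISABLE)
        return (st & PR_SPEC_PRCTL) ? "mitigated via prctl (task opted in)"
                                    : "mitigated system-wide (spec_store_bypass_disable=on)";
    if (st & PR_SPEC_ENABLE)
        return (st & PR_SPEC_PRCTL) ? "NOT mitigated (opt-in available, task has not asked)"
                                    : "NOT mitigated and not controllable (spec_store_bypass_disable=off)";
    return "unknown";
}

int main(void)
{
    char line[128] = "";
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    printf("sysfs: %s -> policy %d\n", line[0] ? line : "(unreadable)", ssb_policy_from_sysfs(line));
#ifdef __linux__
    long st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    if (st < 0) { perror("PR_GET_SPECULATION_CTRL"); return 1; }
    printf("this task before opt-in: %s\n", ssb_describe_task(st));
    /* Under the proposed =prctl default, every process has to do this itself. */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) < 0)
        printf("opt-in rejected: %s (ENXIO means the policy is fixed at boot)\n", strerror(errno));
    st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    printf("this task after opt-in:  %s\n", ssb_describe_task(st));
#endif
    return 0;
}
```

On a system booted with spec_store_bypass_disable=on the opt-in call fails with ENXIO because the kernel already applies the mitigation to everyone and offers no per-task control; under the weaker =prctl policy the "before" line shows the task unmitigated, which is exactly the gap that a system-wide setting closes for programs that never call prctl.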