Can I disable Spectre and Meltdown mitigation features in Ubuntu 18.04LTS?
I want to test how much more performance I gain when I disable these two features in Linux, and if the performance is big, to make it permanently.
Asked
Active
Viewed 5.6k times
53
-
maybe you have to recompile kernel – 炸鱼薯条德里克 Nov 30 '19 at 08:52
-
1[ArchWiki](https://wiki.archlinux.org/title/Security#Simultaneous_multithreading_(hyper-threading)) provides information about how to secure your system too – somenxavier May 01 '22 at 13:28
-
1How much performance did you gain? – RogerS Aug 20 '22 at 22:11
3 Answers
58
A number of kernel boot parameters are available to disable or fine-tune hardware vulnerability mitigations:
- for Spectre v1 and v2:
nospectre_v1(x86, PowerPC),nospectre_v2(x86, PowerPC, S/390, ARM64),spectre_v2_user=off(x86) - for SSB:
spec_store_bypass_disable=off(x86, PowerPC),ssbd=force-off(ARM64) - for L1TF:
l1tf=off(x86) - for MDS:
mds=off(x86) - for TAA:
tsx_async_abort=off - for iTLB multihit:
kvm.nx_huge_pages=off - for SRBDS:
srbds=off - for retbleed:
retbleed=off - KPTI can be disabled with
nopti(x86, PowerPC) orkpti=0(ARM64)
A meta-parameter, mitigations, was introduced in 5.2 and back-ported to 5.1.2, 5.0.16, and 4.19.43 (and perhaps others). It can be used to control all mitigations, on all architectures, as follows:
mitigations=offwill disable all optional CPU mitigations;mitigations=auto(the default setting) will mitigate all known CPU vulnerabilities, but leave SMT enabled (if it is already);mitigations=auto,nosmtwill mitigate all known CPU vulnerabilities and disable SMT if appropriate.
Some of these can be toggled at runtime; see the linked documentation for details.
Stephen Kitt
- 411,918
- 54
- 1,065
- 1,164
-
Does specifying mitigations=auto,nosmt make linux more secure on CPU without hyperthreading? – Vladimir Kunschikov Feb 09 '23 at 18:24
-
1@VladimirKunschikov no, if there’s no SMT to start with then `nosmt` doesn’t change anything. – Stephen Kitt Feb 09 '23 at 22:18
23
With a kernel 5.1.13 or newer :
On boot parameter you can use
mitigations=off
With a kernel older than 5.1.13 :
noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off
Add either mitigations=off or that long one-liner to your /etc/sysconfig/grub and re-generate grub's configuration file with
grub2-mkconfig
(your distributions procedure will vary).
Debian/Ubuntu derived distributions:
Edit the file /etc/default/grub then run
update-grub
Stephen Kitt
- 411,918
- 54
- 1,065
- 1,164
Tu4n3r
- 331
- 2
- 2
-
I notice you have `mitigations=off` in that long one-liner. Is that going to do anything on older kernels? – Mike S Feb 17 '22 at 21:45
-
-
In CentOS 7 and probably all Red Hat distros, you should use `sudo grub2-mkconfig -o /boot/grub2/grub.cfg` to properly update and apply these grub changes properly. – OwN Apr 23 '23 at 01:34
2
On Fedora 37, with a sufficiently new kernel, mitigations status can be displayed by printing the content of files under /sys/devices/system/cpu/vulnerabilities/.
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: Enhanced IBRS
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence
/sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
To disable the mitigations in one swoop, do
sudo grubby --update-kernel=ALL --args="mitigations=off"
and behold how the printout changed after a reboot
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Vulnerable
/sys/devices/system/cpu/vulnerabilities/retbleed:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable, IBPB: disabled, STIBP: disabled, PBRSB-eIBRS: Vulnerable
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
Beware: Spectre proof-of-concept exploits can run in browser JavaScript
As the leaky.page proof-of-concept demonstrates, this vulnerability can be exploited from browser JavaScript code. Therefore, as long as you use a web browser, there is value in keeping the mitigations on.
user7610
- 1,878
- 2
- 18
- 22