The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS

  • #21
    Nice, I didn't realize mitigations=off made it into kernel 5.1 (confirmed on my end using 5.1.3, and it appears to have been introduced in 5.1.2 after checking changelog)

    Code:
    mitigations=
            [X86,PPC,S390] Control optional mitigations for CPU
            vulnerabilities.  This is a set of curated,
            arch-independent options, each of which is an
            aggregation of existing arch-specific options.
    
            off
                Disable all optional CPU mitigations.  This
                improves system performance, but it may also
                expose users to several CPU vulnerabilities.
                Equivalent to:
                           nopti [X86,PPC]
                           nospectre_v1 [PPC]
                           nobp=0 [S390]
                           nospectre_v2 [X86,PPC,S390]
                           spectre_v2_user=off [X86]
                           spec_store_bypass_disable=off [X86,PPC]
                           l1tf=off [X86]
                           mds=off [X86]
    
            auto (default)
                Mitigate all CPU vulnerabilities, but leave SMT
                enabled, even if it's vulnerable.  This is for
                users who don't want to be surprised by SMT
                getting disabled across kernel upgrades, or who
                have other ways of avoiding SMT-based attacks.
                Equivalent to: (default behavior)
    
            auto,nosmt
                Mitigate all CPU vulnerabilities, disabling SMT
                if needed.  This is for users who always want to
                be fully mitigated, even if it means losing SMT.
                Equivalent to:
                           l1tf=flush,nosmt [X86]
                           mds=full,nosmt [X86]
    After updating GRUB, I can confirm that mitigations=off is the exact same as the long list we've been using (I used spectre_meltdown_checker.sh to double check).

    Comment


    • #22
      Originally posted by xfcemint

      Nice. Will it be backported to older LTS kernels? I hope so. Some or all?
      I just double checked some changelogs and they were all backported!

      5.1.2 and newer have it
      5.0.16 and newer have it
      4.19.43 and newer have it
      4.14.119 and newer have it
      4.9.176 and newer have it
      4.4.180 and newer have it

      Comment
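
The backport list in post #22 turned into a check, as an added example that is not part of the thread: `supports_mitigations` compares a kernel release against the minimum stable release for its series, and `effective_setting` reports what a given command line then yields. The function names are illustrative, and treating every series after 5.1 as supported is an assumption.

```sh
#!/bin/sh
# Added example: does this kernel release recognise mitigations=, per post #22?

# Minimum patch level per stable series, copied from the list in post #22.
min_patch_for_series() {
    case "$1" in
        5.1)  echo 2 ;;
        5.0)  echo 16 ;;
        4.19) echo 43 ;;
        4.14) echo 119 ;;
        4.9)  echo 176 ;;
        4.4)  echo 180 ;;
    esac
}

# supports_mitigations RELEASE -> exit 0 if the release is at or past the
# backport for its series. Series missing from the list count as unsupported;
# distro kernels with their own numbering (e.g. 4.15.0-50) need a separate check.
supports_mitigations() {
    _rel=${1%%-*}                          # 4.19.43-amd64 -> 4.19.43
    _major=${_rel%%.*}
    _rest=${_rel#*.}
    _minor=${_rest%%.*}
    _patch=${_rest#*.}
    [ "$_patch" = "$_rest" ] && _patch=0   # "5.2" has no patch component
    _patch=${_patch%%[!0-9]*}
    case "$_major$_minor${_patch:=0}" in *[!0-9]*|'') return 1 ;; esac
    # Assumption: every series after 5.1 carries the option (mainline 5.2 onward).
    if [ "$_major" -gt 5 ] || { [ "$_major" -eq 5 ] && [ "$_minor" -ge 2 ]; }; then
        return 0
    fi
    _min=$(min_patch_for_series "$_major.$_minor")
    [ -n "$_min" ] && [ "$_patch" -ge "$_min" ]
}

# effective_setting RELEASE CMDLINE -> "unrecognised" on a kernel without the
# option, "auto" (the documented default) when it is not given, otherwise the
# last value on the command line.
effective_setting() (
    set -f                                 # no globbing while word-splitting
    supports_mitigations "$1" || { echo unrecognised; exit 0; }
    val=auto
    for tok in $2; do
        case "$tok" in mitigations=*) val=${tok#mitigations=} ;; esac
    done
    echo "$val"
)

echo "$(uname -r): mitigations=$(effective_setting "$(uname -r)" "$(cat /proc/cmdline 2>/dev/null)")"
```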


      • #23
        Originally posted by Bsdisbetter
        Likewise storing passwords in a browser is just plain dumb. Storing passwords anywhere other than a wallet not on the system in question is dumb. You can't mitigate stupidity, it seems.
        Indeed you can't, it seems. You may store them anywhere, you still enter them into the system, and they can be stolen exactly this very moment. After entering them, you get session keys that may be stored and reused as well. Etc.

        Comment


        • #24
          Originally posted by perpetually high
          After updating GRUB, I can confirm that mitigations=off is the exact same as the long list we've been using (I used spectre_meltdown_checker.sh to double check).
          So instead of
          Code:
          pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
          I just insert
          Code:
          mitigations=off
          ?

          Comment


          • #25
            Originally posted by mrazster

            So instead of
            Code:
            pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
            I just insert
            Code:
            mitigations=off
            Yup

            Comment


            • #26
              Originally posted by perpetually high

              Yup
              FAANTASTIC....thnx, much appreciated.
              Thought I would have to wait for 5.2 to be released, for that switch to work.

              Comment


              • #27
                https://make-linux-fast-again.com/

                Code:
                noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off

                Comment
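
An added example (not from any poster) for auditing the result: `disabled_flags` picks the mitigation-disabling tokens quoted in posts #21, #24 and #27 out of a boot command line, and `vulnerable_entries` lists what the kernel itself reports as vulnerable under `/sys/devices/system/cpu/vulnerabilities`. The function names and the sample command line are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a boot command line and the kernel's own sysfs report.

# Mitigation-disabling tokens, taken from the lists quoted in this thread.
OFF_FLAGS="mitigations=off nopti pti=off nospectre_v1 nospectre_v2
spectre_v2=off spectre_v2_user=off spec_store_bypass_disable=off
nospec_store_bypass_disable no_stf_barrier l1tf=off mds=off nobp=0
noibrs noibpb"

# disabled_flags CMDLINE -> space-separated tokens that switch a mitigation off.
disabled_flags() (
    set -f                                  # no globbing while word-splitting
    found=
    for tok in $1; do
        for flag in $OFF_FLAGS; do
            [ "$tok" = "$flag" ] && found="${found:+$found }$tok"
        done
    done
    echo "$found"
)

# vulnerable_entries [DIR] -> names of sysfs entries that read "Vulnerable...".
vulnerable_entries() {
    _dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    _out=
    for _f in "$_dir"/*; do
        [ -r "$_f" ] || continue
        case "$(cat "$_f")" in
            Vulnerable*) _out="${_out:+$_out }${_f##*/}" ;;
        esac
    done
    echo "$_out"
}

# Constructed sample command line using flags from post #24 plus mds=off.
SAMPLE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet pti=off spectre_v2=off l1tf=off mds=off"
echo "sample command line disables: $(disabled_flags "$SAMPLE")"
if [ -r /proc/cmdline ]; then
    echo "this host disables: $(disabled_flags "$(cat /proc/cmdline)")"
fi
echo "this host reports vulnerable: $(vulnerable_entries)"
```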


                • #28
                  Originally posted by xfcemint

                  Good thing that I got that transcendental meditation typeless keyboard for entering passwords and credit card numbers. I just imagine the number in my head, and the meditation keyboard transmits it to any web shop transcendentally.

                  If you type the number on the keyboard, it can be stolen. If you copy-paste it, same thing. There can be no workaround, except for transcendental meditation keyboard.



                  To do: move my Phoronix forum password from browser store to the wallet. Because if I lose it, my life becomes worthless.



                  Um... so I have to decide, an old 386 or mitigations. Let me think, I'm not quite sure...

                  I would mostly prefer if the greedy bastards at Intel & friends did their job properly on the processor that I paid. Why can't they replace my CPU with a properly working model? I mean, it didn't say "full of holes" on the box I bought. Why am I not entitled to a CPU replacement? What a scam.
                  I'll leave you with this thought:
                  You hand your credit card information to ANYBODY whether personally or via entry, you are giving them your information. If you think this potential/now mitigated via microcode exploit leaves you more vulnerable than before, then more fool you.
                  You have more chance of having your information hacked from a third-party storage center than your own machine. But, hey, place that tin foil hat on real firm now.

                  Oh, and your apparently non-working cpu works just fine, has done and will continue to do. You want a refund because of a bug? LOL, that's hilarious.
                  Last edited by Bsdisbetter; 19 May 2019, 06:37 AM.

                  Comment


                  • #29
                    Originally posted by xfcemint

                    Nice. Will it be backported to older LTS kernels? I hope so. Some or all?
                    Run... Run to the hills, mitigation is off!!!!!

                    Comment


                    • #30
                      So, is there any good proof-of-concept webpage that I can visit that would instantly rip all my passwords and install some rootkit on my Ubuntu machine? Just so I can test the awfulness of using "mitigations=off" vs. default.. using regular browser with all ads disabled.

                      Cos having an exploit that requires A and B and C to run, while version X of program D is used.. ONLY if E is aligned with Jupiter, and it's the 29th of February is kinda vague even for those in the tin-foil-hat department

                      It's kind of a moot point to have 20 locks on your front door and spending 20 minutes locking yourself in and out of your house... if your back porch door is open - ie. Actually logging on to things like Facebook/phoronix/twitter++ from your main computer... which kind of is rather plausible if you ditched the tin-foil-hat a while back. There will probably be a multitude of ppl rambling about that "You should not use the internet from your main computer anyway", but the reality is that 99.9% of ALL internet users, they actually do. Learning to NOT click on every "You need to update your contact details on your bank by clicking this link that points to http:/iwill.steal.yourdetails.cn/" would be better advice in the long run, and having all the mitigations in the world won't save you from being stupid.

                      Some questions then remain: How many use "mitigations=off" (or equivalent) + surf the web in a "normal" way? Is it only weird ppl that actually care for reaching 144+ fps (for that 144Hz monitor), and NOT settling for 121fps, when you KNOW your hardware is good for it? Are those ppl total whack-jobs? Is it THOSE ppl that ruin the interweb for the rest of the world?

                      Will it just boil down to every religion's statement of "Well.. you have free will, so if you WANT to experience eternal damnation, be my guest!"

                      Comment
