Linux 6.1 Adding Option To Disable Spectre-BHB On Arm Due To "Great Impact" On Performance


  • #11
    Originally posted by Aryma View Post
    do we really need this mitigation for normal user who only use youtube and steam and maybe some website
    Yes.

    You might as well ask whether we need ASLR, DEP, SELinux... heck, why do we even need sudo? It's not like you have state secrets on your laptop!

    It's incredible that after years of boasting about the superior security of Linux over Windows, the entire community seems to have adopted this anti-security mentality that would accept severe security vulnerabilities in order to preserve performance.

    Just run in ring 0 and we can entirely avoid context switches, I'm sure the performance will be great.

    Windows at this point has gone through significant battle hardening and I would not be surprised to see the next botnets largely made up of Linux hosts because of this common sentiment.



  • #12
    Originally posted by fitzie View Post
    If your system runs untrusted code, then yes, there is a danger. This includes javascript, so it is possible that just visiting a website could expose your system. There is some work being put in to web browsers to address that exposure. That being said, I run with mitigations=off, which disables all of these workarounds. Maybe I'll turn them on when I get a faster box.
    I've got a faster box (5950X). The more reason to do mitigations=off, as the relative impact is actually higher.

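A defender-side status check, added here as an example and not code from the thread or from the kernel: given a directory in the layout of the kernel's /sys/devices/system/cpu/vulnerabilities (one file per flaw, holding "Not affected", "Vulnerable..." or "Mitigation: ...") and a kernel command line, it reports which flaws are still unmitigated and whether the mitigations=off token discussed above is present. The demo runs on constructed sample files and a constructed command line, so it needs neither root nor a real sysfs.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a sysfs-style vulnerability
# directory and a kernel command line for disabled speculation mitigations.

# Print "name: status" for every entry whose status starts with "Vulnerable".
# DIR defaults to the real sysfs path when run on a Linux host.
list_unmitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
}

# Print the number of unmitigated entries in DIR.
count_unmitigated() {
    list_unmitigated "$1" | wc -l | tr -d ' '
}

# Return 0 if CMDLINE (default: /proc/cmdline) contains the whole-word
# token mitigations=off, i.e. all speculation workarounds are disabled.
cmdline_disables_mitigations() {
    cmdline="${1:-$(cat /proc/cmdline 2>/dev/null)}"
    for tok in $cmdline; do
        [ "$tok" = "mitigations=off" ] && return 0
    done
    return 1
}

# Demo on constructed sample data (file contents are illustrative only).
demo() {
    d=$(mktemp -d)
    printf 'Mitigation: CSV2, BHB\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Not affected\n' > "$d/meltdown"
    list_unmitigated "$d"
    cmdline_disables_mitigations "root=/dev/sda1 mitigations=off quiet" \
        && echo "mitigations=off is set on the command line"
    rm -rf "$d"
}

demo
```

On a real host, call list_unmitigated with no argument to read the live sysfs directory and cmdline_disables_mitigations with no argument to read /proc/cmdline.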


  • #13
    Originally posted by Alex/AT View Post
    I've got a faster box (5950X). The more reason to do mitigations=off, as the relative impact is actually higher.
    Another reason faster box = turn off security: the botnet your PC finds itself on will gain significantly more resources.



  • #14
    Originally posted by ll1025 View Post
    Another reason faster box = turn off security: the botnet your PC finds itself on will gain significantly more resources.
    Yeah, go full throttle, install 1 core and a non-speculative CPU. You'll be safe unless the botnet uses holes in software, the probability of which is 10^(large N) times higher.



  • #15
    Originally posted by Alex/AT View Post
    Yeah, go full throttle, install 1 core and non-speculative CPU. You'll be safe unless botnet uses holes in software, probability of which is 10^(large N) times higher.
    This snark only exists in a world where there is a tangible security benefit to going to a single core non-speculative CPU. Turning off SELinux, running as root, and running in pure ring zero would absolutely provide a huge performance boost and would only really make you vulnerable to running untrusted code: mostly, the same things that Spectre-type flaws exploit.

    There are workloads that are sensitive to speculative (hah) exploits that are not known, which do mandate the use of separate CPU cores / sockets / nodes for those tasks because things like Rowhammer and Spectre exist. They still allow multicore / speculation because security is layered and there is a reasonable trade-off to be had here.

    For the 99%, the risk posed by well-demonstrated speculative execution attacks is substantial enough and the penalty small enough that it is worth leaving enabled. Anyone using VMware who will experience this severe performance hit is using a technical solution which rests on the assumption that VM boundaries are hard security boundaries against software exploits, and these attacks blow that assumption out of the water. It is reckless to continue using any sort of virtualization system (outside of a pure, disconnected dev environment) without mitigating these attacks.

    At the other end of the spectrum, the impact of these patches on home users is ultimately negligible, especially when compared with something like antivirus, which is simultaneously more costly for performance and less effective for security.

    We use things like AV, firewalls, IDS systems in order to catch the *unknown* flaws that might leave us open. What you seem to propose is leaving open a known flaw and hoping that no one bothers to exploit it -- foolish, when everyone watching the landscape can see how many sysadmins are advocating turning the protections off. These attacks are going to be a dime a dozen in the coming years because of the high benefit-to-cost that comes with a huge target demographic.
    Last edited by ll1025; 14 September 2022, 09:31 AM.



  • #16
    Originally posted by Aryma View Post
    do we really need this mitigation for normal user who only use youtube and steam and maybe some website
    No. This is only an information-disclosure issue, not an RCE. (The amount of well-intentioned but severely ignorant responses here is pretty disappointing for a technology site, but I guess everyone has to start learning somewhere; and emotional drama clickbait is what drives the ad industry, so "consumer" PC sites have a monetary interest in hyping everything as The End Of The World rather than framing things in a reasonable and proportional way.)

    If you have nothing on that machine that you care about potentially being known (e.g. if it's mostly just an HTPC etc., not your main machine that you do your banking on etc.) - especially when there's no actual exploit for it out in the wild (possibly "yet", but probably not ever) - and especially if you're not planning on installing random garbage from the internet on it like pirated Windows software, then you can ignore this entirely with absolutely no loss of "safety" or security.



  • #17
    Originally posted by Aryma View Post
    do we really need this mitigation for normal user who only use youtube and steam and maybe some website
    Back in the HDD, lower-RAM days, people used to run 2-3 antiviruses. Their PCs were so slow, they were unusable. Unfortunately these security patches target external & internal threats. External I can understand. But internal can only really be justified on mission-critical systems. There are so many mitigations which, if combined, can be quite a hit.

    Remember on Linux we're pretty much all running systems with TPM full disk encryption disabled, some with secure boot disabled. No matter how much security you have, there'll always be a hole somewhere. Even if it's inside a compromised library from a trusted application.
