OpenSUSE Adds Option To Installer For Toggling Performance-Hitting CPU Mitigations


  • #21
    Originally posted by brad0:
    That's the worst possible place to disable it. But if you want to make a dumpster fire of shitshow even more shitshow go ahead.

    Are you aware of what these vulns actually need to be exploited?

    You need to be running untrusted software, be it javascript in a browser or whatever.

    Most embedded aren't running untrusted software.


    • #22
      I confirm that it is also possible to change this setting post-installation, via YaST - Bootloader.


      • #23
        Originally posted by starshipeleven:
        Are you aware of what these vulns actually need to be exploited?

        You need to be running untrusted software, be it javascript in a browser or whatever.

        Most embedded aren't running untrusted software.

        Maybe he/she was referring to IoT devices. Now, they're a minefield.


        • #24
          Originally posted by useless:
          Maybe he/she was referring to IoT devices. Now, they're a minefield.

          IoT is the modern buzzword for "embedded".

          And no, what I said still applies, IoT isn't (supposed to be) running untrusted software. They have their own firmware, and that's it.

          That said, yes I agree on his statement that IoT is "a dumpster fire of a shitshow".


          • #25
            Originally posted by zxy_thf:
            Those mitigations make little sense if only trusted code will be executed.

            I've seen this argument going around and ppl.. no.. Do you know you're running trusted code? Do you know your web browser is executing trusted code? Anti-virus has existed for ~40 years because people can't solve this problem.

            Enable them.

            Also on the placement of the option on the installer. It's actually not a very prominent option. (but available)


            • #26
              This Intel pollution option was introduced in Tumbleweed installer in March and is/was available in YaST under bootloader. The big question is, does Ryzen 2700U need that on mainline Kernel that gets a live update? Rc1 second patch (mitigation is turned OFF):

              Code:
              cat /proc/cmdline
              BOOT_IMAGE=/boot/vmlinuz-5.2.0-rc1-2.gb225e5a-default root=UUID=b6d59d21-b22b-427e-a648-d3bb42e4ddb1 splash=silent iommu=soft resume=/dev/disk/by-id/ata-SanDisk_SDSSDH3256G_183756420226-part3 quiet mitigations=off
              Code:
              cat /sys/devices/system/cpu/vulnerabilities/mds
              Not affected
              Code:
              cat /sys/devices/system/cpu/vulnerabilities/*
              Not affected
              Not affected
              Not affected
              Vulnerable
              Mitigation: __user pointer sanitization
              Vulnerable, IBPB: disabled, STIBP: disabled

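
An added example, not part of the thread: the `cat /sys/devices/system/cpu/vulnerabilities/*` output in post #26 drops the file names, so this script prints each status beside its name, lists the entries still reporting `Vulnerable`, and checks the kernel command line for `mitigations=off`. The sample directory is constructed from the six lines quoted in that post; pairing them with the file names `l1tf` through `spectre_v2` is an assumption based on the kernel's sysfs entries in glob order, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Directory and file arguments default
# to the real kernel interfaces; they are parameters so the checks can run
# against the constructed sample below.

# Print "name<TAB>status" for each entry in the vulnerabilities directory.
vuln_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print the names of entries whose status begins with "Vulnerable".
vuln_unmitigated() {
    vuln_report "$1" | awk -F '\t' '$2 ~ /^Vulnerable/ { print $1 }'
}

# Succeed only if the command line has mitigations=off as a whole token.
mitigations_off() {
    cmdline=${1:-/proc/cmdline}
    tr ' ' '\n' < "$cmdline" | grep -qx 'mitigations=off'
}

# Constructed sample: the six status lines from post #26, stored under the
# file names they are assumed to belong to (sysfs names in glob order).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/vuln"
    echo 'Not affected' > "$d/vuln/l1tf"
    echo 'Not affected' > "$d/vuln/mds"
    echo 'Not affected' > "$d/vuln/meltdown"
    echo 'Vulnerable' > "$d/vuln/spec_store_bypass"
    echo 'Mitigation: __user pointer sanitization' > "$d/vuln/spectre_v1"
    echo 'Vulnerable, IBPB: disabled, STIBP: disabled' > "$d/vuln/spectre_v2"
    echo 'quiet mitigations=off' > "$d/cmdline"   # constructed command line
    echo "$d"
}

sample=$(make_sample)
vuln_report "$sample/vuln"
if mitigations_off "$sample/cmdline"; then
    echo "mitigations=off set; still vulnerable:" $(vuln_unmitigated "$sample/vuln")
fi
rm -rf "$sample"
```

Calling `vuln_report` and `mitigations_off` with no arguments reads the live host's sysfs directory and `/proc/cmdline` instead of the sample.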