Announcement

**Peter Fodrek** · 26 February 2018, 12:37 PM

Is it really needed for AMD

Linux 4.15.6-1.g06f0b06-default #1 SMP PREEMPT Sun Feb 25 18:51:57 UTC 2018 (06f0b06) x86_64 x86_64 x86_64 GNU/Linux
more /sys/devices/system/cpu/vulnerabilities/meltdown
Not affected
more /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
more /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full AMD retpoline

?

**davidbepo** · 26 February 2018, 01:30 PM

Originally posted by Peter Fodrek View Post

Is it really needed for AMD

Linux 4.15.6-1.g06f0b06-default #1 SMP PREEMPT Sun Feb 25 18:51:57 UTC 2018 (06f0b06) x86_64 x86_64 x86_64 GNU/Linux
more /sys/devices/system/cpu/vulnerabilities/meltdown
Not affected
more /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
more /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full AMD retpoline

?

spectre v1 yes
spectre v2 no, amd processor aren't affected unless you change the jit parameters, add nospectre_v2 to boot options to get the performance back

**sireangelus** · 26 February 2018, 08:12 PM

what will happen after all these optimization if you turn the security off but keep the patches on? Also, are these required for a server not running any vm with a browser on it?

**boxie** · 26 February 2018, 09:36 PM

Originally posted by sireangelus View Post

what will happen after all these optimization if you turn the security off but keep the patches on? Also, are these required for a server not running any vm with a browser on it?

for meltdown, any process can read kernel memory. if you control all the code running on it, it might be safe to disable.

but, as you said "browser" leave it on, you do not control the code that runs in a browser

**quaz0r** · 26 February 2018, 10:28 PM

the shitshow continues

**michael-vb** · 27 February 2018, 05:46 AM

The fix for meltdown was moving from having all kernel memory mapped into every process to having virtually no kernel memory mapped into user mode page tables. I wonder if there are more parts of kernel memory which could benefit from being mapped globally without leaking sensitive information.

**sireangelus** · 04 March 2018, 04:57 AM

Originally posted by boxie View Post

for meltdown, any process can read kernel memory. if you control all the code running on it, it might be safe to disable.

but, as you said "browser" leave it on, you do not control the code that runs in a browser

what about a wordpress server. Or a firewall(running snort)?

**boxie** · 06 March 2018, 10:43 AM

Originally posted by sireangelus View Post

what about a wordpress server. Or a firewall(running snort)?

even if it is all your own code with no 3rd party plugins but still end user facing, then you would still need these mitigations for when there is an exploit.

if (and only if) it is a server running an internal workload with no outward facing network connections - then you could get away with it.

one example might be a database server that only has internal network connections, not internet facing. but only if you have a write heavy workload and cannot afford the performance hit. and even then that's a weak excuse!

Announcement

Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment