Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time

Written by Michael Larabel in Linux Security on 3 February 2023 at 07:30 AM EST. 16 Comments
A proposed Linux kernel patch would provide a new Kconfig build-time option, "CONFIG_DEFAULT_CPU_MITIGATIONS_OFF", for building an intentionally insecure kernel for those wanting to avoid the growing list of CPU security mitigations within the kernel and their associated performance overhead.

While risking system security, booting the Linux kernel with the "mitigations=off" option has been popular for avoiding the performance costs of Spectre, Meltdown, and the many other CPU security vulnerabilities that have come to light in recent years. Using mitigations=off allows run-time disabling of the various in-kernel security mitigations for these CPU problems.

A patch proposed this week would provide CONFIG_DEFAULT_CPU_MITIGATIONS_OFF as a Kconfig switch that could optionally be enabled to have the same effect as mitigations=off, but applied at build time so that the "mitigations=off" flag does not need to be set at boot.

Breno Leitao, a Debian developer and a kernel engineer at Meta, sent out the patch providing this option. Breno explained:
"Right now it is not possible to disable CPU vulnerability mitigations at build time. Mitigations need to be disabled by passing kernel parameters, such as 'mitigations=off'.

This patch creates an easy way to disable mitigations during compilation time (CONFIG_DEFAULT_CPU_MITIGATIONS_OFF), so insecure kernel users don't need to deal with kernel parameters when booting insecure kernels."

For production environments and other areas where security is of any level of importance, sticking to the default mitigations is certainly recommended. But for those in offline environments, using "throw-away" software environments, or other scenarios where security isn't too important, disabling these mitigations can enhance performance, especially on aging Intel (and, to a lesser extent, AMD and Arm) processors. Recent benchmarks I did following the Call Depth Tracking improvement on the Core i7 8700K and Xeon E3 v5 do include current "mitigations=off" numbers for those interested in the current overall performance impact.
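One practical consequence for anyone auditing such machines: a kernel built with the proposed default leaves nothing in /proc/cmdline, so the per-vulnerability status files under sysfs are the reliable signal. The following POSIX shell audit script is an added example, not code from the patch or from Phoronix; the sample sysfs tree it builds is constructed for offline demonstration, and the config check assumes the option name exactly as stated in the patch.

```shell
#!/bin/sh
# Audit a running kernel for disabled CPU vulnerability mitigations.
# A build-time default such as the proposed CONFIG_DEFAULT_CPU_MITIGATIONS_OFF
# leaves no trace in /proc/cmdline, so the reliable signal is the per-issue
# status the kernel exports under /sys/devices/system/cpu/vulnerabilities/.

# Print "name: status" for every entry whose status begins with "Vulnerable".
# $1: vulnerabilities directory (defaults to the real sysfs path).
list_unmitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status="$(cat "$f")"
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
}

# Number of unmitigated entries (0 when the directory is missing or clean).
count_unmitigated() {
    list_unmitigated "$1" | wc -l | tr -d ' '
}

# True if "mitigations=off" was passed on the boot command line.
# $1: cmdline file (defaults to /proc/cmdline).
cmdline_has_mitigations_off() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'mitigations=off'
}

# True if the kernel config (gzipped /proc/config.gz or a plain .config)
# was built with the proposed option enabled (option name from the patch).
config_default_off() {
    f="${1:-/proc/config.gz}"
    [ -r "$f" ] || return 2
    case "$f" in *.gz) zcat "$f" ;; *) cat "$f" ;; esac |
        grep -qx 'CONFIG_DEFAULT_CPU_MITIGATIONS_OFF=y'
}

# Constructed sample sysfs tree for offline demonstration (not real data).
make_sample_tree() {
    d="$(mktemp -d)"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode\n' > "$d/mds"
    printf 'Not affected\n' > "$d/l1tf"
    echo "$d"
}
```

On a live system, call `list_unmitigated` and `cmdline_has_mitigations_off` with no arguments to read the real sysfs tree and /proc/cmdline; a non-zero count with no cmdline flag points at a build-time default rather than a boot parameter.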
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.