Spectre/Meltdown Mitigations Can Now Be Toggled With Convenient "mitigations=" Option

Beginning with the Linux 5.2 kernel, it will be easier to disable Spectre, Meltdown, and other CPU vulnerability mitigations if you prefer maximum performance out of your system instead.

Queued up for Linux 5.2 is the easier/more convenient switches for these CPU vulnerabilities, principally Spectre/Meltdown at this point.

Up to this point there hasn't been a global switch for toggling the Spectre/Meltdown/L1TF workarounds but that is what's finally materialized thanks to Red Hat's Josh Poimboeuf.

Beginning with Linux 5.2 (though potentially seeing back-ports to current stable series) is the new mitigations= kernel command-line switch.

The mitigations=off switch will disable all optional CPU mitigations in order to improve system performance but potentially putting the hardware at risk. This includes disabling Spectre, Meltdown, and L1TF where relevant for x86, POWER, and s390 architectures.

The default behavior is mitigations=auto for the default mitigations. Or the other option is booting with mitigations=auto,nosmt for the mitigations but disabling SMT / Hyper Threading as needed for having a fully mitigated system albeit slower performance due to losing out on those logical threads.

The mitigations=off is much easier to remember and set than the current Intel equivalent of nopti nospectre_v2 spectre_v2_user=off spec_store_bypass_disable=off l1tf=off. It's too bad (and surprising) that it took a year and a half after Spectre/Meltdown came to light for having such an easy global switch.