A Global Switch To Kill Linux's CPU Spectre/Meltdown Workarounds?
Written by Michael Larabel in Security on 25 August 2018 at 06:57 AM EDT. 87 Comments
SECURITY --
Something I have seen asked in our forums and elsewhere -- most recently on the kernel mailing list -- is whether there is a single kernel option that can be used for disabling all of the Spectre/Meltdown workarounds and any other performance-hurting CPU vulnerability workarounds.

With many of the mitigation patches for these speculative execution vulnerabilities hitting many processors these days, there's often a measurable "performance tax" associated with them. Fortunately, for most of the mitigations they can be disabled at run-time via various options.

But unfortunately there isn't one global option for easily disabling all of these mitigations... This was recently asked on the LKML but unfortunately no commentary from the upstream kernel developers if they would accept and mainline such an option, "Disabling is a good option for strictly confined environments where no 3d party untrusted code is ever to be run, e.g. a rendering farm, a supercomputer, or even a home server which runs Samba/SSH server and nothing else." That individual was also hoping for a Kconfig switch to be able to build kernels easily that permanently disable (or don't include) the mitigated work.


For now the closest way to making an unmitigated kernel for not losing out on CPU performance would be booting the kernel with pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier. Of course, that's not recommended unless you really trust the code running on your system and the overall system security. Some fresh kernel mitigation benchmarks will be coming up soon on Phoronix.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Security News
Popular News This Week