cybrnook

Members
  • Content Count: 355
  • Joined
  • Last visited
  • Days Won: 1

cybrnook last won the day on May 19

cybrnook had the most liked content!

Community Reputation: 30 Good

About cybrnook
  • Rank: Advanced Member
  • Gender: Male
  • Location: United States


  1. AMD I am not so sure we will see any large gains vs the Intel side. But thanks for testing it out 🙂 I will have my TR setup going soon and will disable these on it anyways 🙂
  2. I think he means the parity protected array portion?
  3. Real long names are now being truncated to avoid overlapping. It's in the change log:
     webgui: Dashboard: fixed wrapping of long lines
     webgui: Dashboard: wrap long descriptions
  4. You going to add to your Alpha runbook? 🙂
  5. Seems that we will be getting a newer, more simplified flag we can set to disable mitigations, called: mitigations=off

     Other options would be:
     - mitigations=off: Disable all mitigations.
     - mitigations=auto: [default] Enable all the default mitigations, but leave SMT enabled, even if it's vulnerable.
     - mitigations=auto,nosmt: Enable all the default mitigations, disabling SMT if needed by a mitigation.

     In the meantime, we can continue to use the options above until I can test the new options out on unraid with a newer kernel (future releases once unraid upgrades kernel). There seems to be validation of it working in the 5.0.16 kernel. However, it seems to be a release intended for kernel 5.2.
     https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52
     https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.43&id=8cb932aca5d6728661a24eaecead9a34329903ff
  6. Figured I would share: https://www.tomshardware.com/news/intel-amd-mitigations-performance-impact,39381.html https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=10
  7. On your "Main" tab, click on your "Flash" drive. Then scroll down:
  8. As many are aware, Intel has had some serious security vulnerabilities released over the past year: "Spectre", "Meltdown", and now one of the strongest, dubbed "Zombieload" aka MDS. Intel seems to be having some skeletons coming out of the closet, which saw a CEO resign, and market share loss now to AMD. The mitigations to these vulnerabilities have all individually come with a performance cost, Spectre/Meltdown in the range of ~15%, and now MDS rumored to need Hyperthreading disabled altogether to mitigate, costing upwards of 30%-40% (sources are based on the internet, so take with a grain of salt). So add them all together, and that's a pretty hefty penalty for users who may not even be a target for this kind of attack.

     Personally, I have nothing that sensitive at my home running in individual dockers or VMs that I would worry enough about if someone from one area could read data from the other. As well, my local users are myself and my wife 🙂, so she could just TAKE the money from the bank in person 🙂 Not a threat to me. I don't care if someone is watching me play games on a VM, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!!

     So, with that said, this is ALL AT YOUR OWN RISK; I or the community do not assume any responsibility for damage due to the disablement of these mitigations.

     As of 6.7.0, we have kernel level 4.19.41, which marks the last kernel to NOT mitigate against MDS. To disable Spectre/Meltdown for release 6.7.0, adjust your syslinux.cfg file as follows (and reboot):

         pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

     As of 6.7.1 RC1, we have kernel level 4.19.43, which marks the first kernel TO mitigate against Spectre/Meltdown AND MDS. To disable Spectre/Meltdown/MDS for release 6.7.1 RC1+, adjust your syslinux.cfg as follows (and reboot):

         pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier

     You can validate the mitigations on the OS before/after by:

         cat /sys/devices/system/cpu/vulnerabilities/*

     BEFORE: Should look similar to (notice the Mitigations):

         Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
         Mitigation: Clear CPU buffers; SMT vulnerable
         Mitigation: PTI
         Mitigation: Speculative Store Bypass disabled via prctl and seccomp
         Mitigation: __user pointer sanitization
         Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

     AFTER: Should look similar to (notice the Vulnerable):

         Mitigation: PTE Inversion; VMX: vulnerable
         Vulnerable; SMT vulnerable
         Vulnerable
         Vulnerable
         Mitigation: __user pointer sanitization
         Vulnerable, IBPB: disabled, STIBP: disabled
  9. Will do, thanks! I will work on working it up a bit nicer and then post once it's super clear.
  10. Updated my post @BRiT and @glennv , got it working
  11. @limetech Okay, so I did a bit of googling, and to build up, this is what I found based on kernel level and availability (leaving Zombieload off the table for now since the latest release does not yet mitigate it, that will be next):

      Kernel 4.15
        Spectre v2 (CVE-2017-5715) - "nospectre_v2"
      Kernel 4.17
        Spectre v4 (CVE-2018-3639) - "nospec_store_bypass_disable"
      Kernel 4.19
        PR_SPEC_DISABLE_NOEXEC - During compilation
        Spectre v1 (CVE-2017-5753) - "nospectre_v1"
        Spectre v2 (CVE-2017-5715) - "nospectre_v2"
        Spectre v4 (CVE-2018-3639) - "nospec_store_bypass_disable"

      So checking uname on the latest 6.7.0 (non RC1), I can see we are at 4.19.41, so all three should be available: nospectre_v1, v2, and store_bypass_disable. Of course it seems there is a flag that can be set during compile, but that's not even worth getting into since that will never happen, understandably. Then I found a phoronix forum thread that went back and forth, and I ultimately came out with this:

          pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

      Where would be the best place to do this in Unraid during boot? Would it simply be an append in the syslinux file?

          append pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

      EDIT: Seems Zombieload (aka MDS) will be mds=off

      EDIT2: I am testing adding this to my unraid backup server's syslinux.cfg file's boot section, like this:

          default menu.c32
          menu title Lime Technology, Inc.
          prompt 0
          timeout 50
          label Unraid OS
            menu default
            kernel /bzimage
            append initrd=/bzroot pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
          label Unraid OS GUI Mode
            kernel /bzimage
            append initrd=/bzroot,/bzroot-gui
          label Unraid OS Safe Mode (no plugins, no GUI)
            kernel /bzimage
            append initrd=/bzroot unraidsafemode
          label Unraid OS GUI Safe Mode (no plugins)
            kernel /bzimage
            append initrd=/bzroot,/bzroot-gui unraidsafemode
          label Memtest86+
            kernel /memtest

      So far I have rebooted with the change, and boot was successful. I am working now to validate these are actually disabled.

      EDIT3: Okay, it worked. Here is my before and after:

      BEFORE:
          cat /sys/devices/system/cpu/vulnerabilities/*
          Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
          Mitigation: PTI
          Mitigation: Speculative Store Bypass disabled via prctl and seccomp
          Mitigation: __user pointer sanitization
          Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

      AFTER:
          cat /sys/devices/system/cpu/vulnerabilities/*
          Mitigation: PTE Inversion; VMX: vulnerable
          Vulnerable
          Vulnerable
          Mitigation: __user pointer sanitization
          Vulnerable, IBPB: disabled, STIBP: disabled

      You will notice "conditional cache flushes", "SMT vulnerable", "PTI", "Speculative Store Bypass disabled via prctl and seccomp", "Full generic retpoline"* are all disabled now. 😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁😁

      I don't know about you, but I don't care if someone is watching me play games on a VM, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!! I will post this in another thread for better visibility if you all agree?
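The BEFORE/AFTER checks in posts 8 and 11 (and the mitigations=off switch in post 5) read raw status lines by eye. The script below, an added example that is not from the posts or from Unraid, gives each entry under /sys/devices/system/cpu/vulnerabilities a verdict, treats a "Mitigation:" line that still says "SMT vulnerable" or "VMX: vulnerable" as only PARTIAL, and lists which of the disabling parameters from the posts are present on a kernel command line. The sample directory is constructed from post 8's AFTER listing; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the posts above or from Unraid.
# Audits the kernel's own status files and a boot command line.

# Verdict for one status line. "Mitigation:" lines that still name a
# vulnerable part ("SMT vulnerable", "VMX: vulnerable") are PARTIAL.
classify() {
    case "$1" in
        Vulnerable*)     echo VULNERABLE ;;
        "Not affected"*) echo "NOT AFFECTED" ;;
        Mitigation:*)    case "$1" in
                             *vulnerable*) echo PARTIAL ;;
                             *)            echo MITIGATED ;;
                         esac ;;
        *)               echo UNKNOWN ;;
    esac
}

# One line per status file: "<name>: <verdict> (<raw status>)".
# Defaults to the live sysfs directory; pass another directory to test.
vuln_report() {
    for f in "${1:-/sys/devices/system/cpu/vulnerabilities}"/*; do
        [ -f "$f" ] || continue
        s=$(cat "$f")
        printf '%s: %s (%s)\n' "$(basename "$f")" "$(classify "$s")" "$s"
    done
}

# Number of entries the kernel reports as outright Vulnerable.
vuln_count() {
    vuln_report "$1" | grep -c ': VULNERABLE ' || true
}

# Which mitigation-disabling parameters named in the posts appear in a
# kernel command line (pass the contents of /proc/cmdline).
disabled_flags() {
    found=""
    for p in $1; do
        case "$p" in
            mitigations=off|pti=off|spectre_v2=off|l1tf=off|mds=off|nospectre_v1|nospectre_v2|nospec_store_bypass_disable|no_stf_barrier) found="$found $p" ;;
        esac
    done
    echo "${found# }"
}

# Constructed sample: post 8's 4.19.43 AFTER listing, written into a temp
# directory laid out like the sysfs one. The caller removes it.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTE Inversion; VMX: vulnerable\n' > "$d/l1tf"
    printf 'Vulnerable; SMT vulnerable\n' > "$d/mds"
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable, IBPB: disabled, STIBP: disabled\n' > "$d/spectre_v2"
    echo "$d"
}
```

On a live host, `vuln_report` with no argument and `disabled_flags "$(cat /proc/cmdline)"` together show both what the kernel reports and why.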
  12. I would also love to disable these as well. I got bigger fish to fry than cloud hosted VM vulnerabilities for my little home servers 🙂 Much more important is my vm with pass through performance, Plex, and handbrake type conversions.
  13. Thanks, I read that earlier in the thread, but from the last few posts it appeared to me that a user flashed SM IT mode firmware on it. Just wanted to check, moving on now..... 🙂
  14. Just to clarify, can you flash this with Supermicro IT firmware and use it on other motherboards?