May 19, 2019

UPDATE (10/11/2019) PLUGIN Updated for 6.8.0 RC1 + @Squid was awesome again in keeping with the newer kernel update, and the more simplified syntax now of "mitigations=off". If you already installed the plugin on a lower release and enabled it, nothing is needed prior to upgrading. Squid thought of and accounted for that and the plugin will handle it during boot.

UPDATE (06/03/2019) PLUGIN AVAILABLE!!! @Squid was awesome enough to take this work and put it into a plugin, as many have asked for. It's a great start, and covers the basics out of the gate for everyone at the moment. Once the kernel starts rolling higher, we can change the current long string to a shorter variation, but I think that will be later in the future, post 6.8.0+...

Original Post:

As many are aware, Intel has had some serious security vulnerabilities released over the past year. "Spectre", "Meltdown", and now one of the strongest, dubbed "Zombieload" aka MDS. Intel seems to be having some skeletons coming out of the closet, which saw a CEO resign, and market share loss now to AMD. The mitigations to these vulnerabilities have all individually come with a performance cost, Spectre/Meltdown in the range of ~15%, and now MDS rumored to need Hyperthreading disabled altogether to mitigate, costing upwards of 30%-40% (sources are based on the internet, so take with a grain of salt). So add them all together, and that's a pretty hefty penalty for users who may not even be a target for this kind of attack. Personally, I have nothing that sensitive at my home running in individual dockers or VMs that I would worry enough about if someone from one area could read data from the other. As well, my local users are myself and my wife 🙂 , so she could just TAKE the money from the bank in person 🙂 Not a threat to me.

I don't care if someone is watching me play games on a vm, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!! So, with that said, this is ALL AT YOUR OWN RISK; neither I nor the community assume any responsibility for damage due to the disabling of these mitigations.

As of 6.7.0, we have kernel level 4.19.41, which marks the last kernel to NOT mitigate against MDS. To disable Spectre/Meltdown for release 6.7.0, adjust your syslinux.cfg file as follows (and reboot):

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

As of 6.7.1 RC1, we have kernel level 4.19.43, which marks the first kernel TO mitigate against Spectre/Meltdown AND MDS. To disable Spectre/Meltdown/MDS for release 6.7.1 RC1+, adjust your syslinux.cfg as follows (and reboot):

pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier

You can validate the mitigations on the OS before/after by:

cat /sys/devices/system/cpu/vulnerabilities/*

BEFORE: Should look similar to (notice the Mitigations):

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

AFTER: Should look similar to (notice the Vulnerable):

Mitigation: PTE Inversion; VMX: vulnerable
Vulnerable; SMT vulnerable
Vulnerable
Vulnerable
Mitigation: __user pointer sanitization
Vulnerable, IBPB: disabled, STIBP: disabled

Edited October 11, 2019 by cybrnook: Updated Plugin for 6.8* Series
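An added example (not from the original post or the plugin) that turns the before/after check above into one script: it classifies each sysfs entry as mitigated or vulnerable and lists which of the thread's mitigation-disabling kernel parameters are actually on the running command line. The sysfs and /proc/cmdline paths are the standard Linux ones; the sample output is constructed from the post's "AFTER" listing for running off a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the kernel's sysfs report and
# list mitigation-disabling flags on the kernel command line, as a one-shot before/after check.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities   # standard sysfs path used in the post
# classify_status "STATUS" -> NOT_AFFECTED | VULNERABLE | MITIGATED | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        Vulnerable*)     echo VULNERABLE ;;
        Mitigation*)     echo MITIGATED ;;
        *)               echo UNKNOWN ;;
    esac
}
# report_vulns: reads "name: status" lines on stdin, prints one classified line per
# entry and ends with "vulnerable=<n> mitigated=<m>"
report_vulns() {
    vuln=0; mit=0
    while IFS= read -r line; do
        name=${line%%:*}; status=${line#*:}; status=${status# }
        cls=$(classify_status "$status")
        printf '%-18s %-12s %s\n' "$name" "$cls" "$status"
        case $cls in
            VULNERABLE) vuln=$((vuln + 1)) ;;
            MITIGATED)  mit=$((mit + 1)) ;;
        esac
    done
    echo "vulnerable=$vuln mitigated=$mit"
}
# disable_flags_in "CMDLINE": print each mitigation-disabling token named in the thread
disable_flags_in() {
    for tok in $1; do
        case $tok in
            mitigations=off|pti=off|spectre_v2=off|l1tf=off|mds=off|nospectre_v1|\
            nospec_store_bypass_disable|no_stf_barrier) echo "$tok" ;;
        esac
    done
}
# Constructed sample mirroring the post's "AFTER" output, with the sysfs file names added
SAMPLE_AFTER='l1tf: Mitigation: PTE Inversion; VMX: vulnerable
mds: Vulnerable; SMT vulnerable
meltdown: Vulnerable
spec_store_bypass: Vulnerable
spectre_v1: Mitigation: __user pointer sanitization
spectre_v2: Vulnerable, IBPB: disabled, STIBP: disabled'
# On a Linux host read sysfs (file name = vulnerability name); elsewhere use the sample
if [ -d "$VULN_DIR" ]; then
    for f in "$VULN_DIR"/*; do printf '%s: %s\n' "${f##*/}" "$(cat "$f")"; done | report_vulns
else printf '%s\n' "$SAMPLE_AFTER" | report_vulns; fi
echo "mitigation-disabling flags on cmdline:"; disable_flags_in "$(cat /proc/cmdline 2>/dev/null)"
```

Run it before editing syslinux.cfg and again after the reboot; the final count line should move from all entries mitigated to the four "Vulnerable" entries shown in the post, and the flag list confirms the append line actually took effect.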
May 19, 2019 Author
6 minutes ago, JoeUnraidUser said: How do we get to the Syslinux Configuration screen?
On your "Main" tab, click on your "Flash" drive. Then scroll down:
May 19, 2019 Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on...
May 19, 2019
14 minutes ago, Helmonder said: Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on...
Why do you need a plugin? The above posts give you all the information needed to do this using the standard Unraid GUI.
May 19, 2019 Don't need it at all... I am already testing with it... It's just that there are a lot of users that do not feel very comfortable with changing files, that's all..
May 19, 2019
7 hours ago, Helmonder said: Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on...
Would be easier to implement as a set of toggles like acs override.
-----edit I modified my 6.7.0 syslinux.cfg to include the appropriate text from above. System appears to be normal and the "vulnerable" status is shown in the terminal. I didn't benchmark anything because I'm lazy.
Edited May 19, 2019 by 1812
May 20, 2019 Author Figured I would share:
https://www.tomshardware.com/news/intel-amd-mitigations-performance-impact,39381.html
https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=10
Edited May 20, 2019 by cybrnook
May 20, 2019 Author Seems that we will be getting a newer, more simplified flag we can set to disable mitigations, called: mitigations=off
Other options would be:
- mitigations=off: Disable all mitigations.
- mitigations=auto: [default] Enable all the default mitigations, but leave SMT enabled, even if it's vulnerable.
- mitigations=auto,nosmt: Enable all the default mitigations, disabling SMT if needed by a mitigation.
In the meantime, we can continue to use the options above until I can test the new options out on unraid with a newer kernel (future releases once unraid upgrades the kernel). There seems to be validation of it working in the 5.0.16 kernel. However, it seems to be a release intended for kernel 5.2.
https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.43&id=8cb932aca5d6728661a24eaecead9a34329903ff
Edited May 20, 2019 by cybrnook
May 23, 2019 First... SUPER guide!!! Easy to follow and instant result. 👍 But as others have mentioned, if this could be turned into a plugin with toggles for each security risk for the user to choose from, it would be (in my world) perfect. Unfortunately I lack the knowledge to create such a plugin. I know it is always easier to ask others to do the hard work. Sorry for that. /Alphahelix
May 23, 2019 I saw a 3% increase in the CPU score with 3DMark Timespy on a Ryzen 2950 (all but 4 cores assigned to the VM) after disabling the protections, but several other tests/benchmarks showed no change within a small margin of error on it and a 1950x and an Intel CPU (can't think of the model off hand). Edited May 23, 2019 by jbartlett
May 23, 2019 Author AMD I am not so sure we will see any large gains vs the Intel side. But thanks for testing it out 🙂 I will have my TR setup going soon and will disable these on it anyways 🙂 Edited May 23, 2019 by cybrnook
June 4, 2019 whew okay, I have an Intel i3-3220 CPU and wanted to see how much performance I can get back by disabling the mitigations as noted. I upgraded to 6.7.1rc1 and spun up the Phoronix Test Suite in a docker vm and focused on the cpu test -- https://openbenchmarking.org/suite/pts/cpu The array was running but no activity was ongoing, and no other dockers were active. A test suite cycle took about 3 hours per run; each test ran 3 times and deviations are noted. Ran the first set as is with the mitigations in place, then rebooted with the syslinux cfg modification to disable the mitigations (still get some due to the microcode used) and re-ran the same tests to compare.
results: https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92
You can see a 2-14% increase on various things. The ctx-clock micro-benchmark for looking at the context switching overhead shows the big impact since Spectre/Meltdown, which is why you can see it is the most drastic reported, as it targets that specific area.. 87% difference! Hope this helps for those curious. Edited June 4, 2019 by zoggy correcting url
June 4, 2019
7 hours ago, zoggy said: results: https://openbenchmarking.org/result/1906033-ZOGG-MERGE6861
I got a No Result File Found message...
June 4, 2019
14 minutes ago, zoggy said: can you try now, changed the permissions on the tests to be viewable by everyone
Same result. I know this must be frustrating for you... EDIT: Perhaps the link has changed with the new permission. Edited June 4, 2019 by Frank1940
June 4, 2019
13 minutes ago, Frank1940 said: Same result. I know this must be frustrating for you... EDIT: Perhaps the link has changed with the new permission.
ok, here we go: https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92
June 4, 2019
12 minutes ago, zoggy said: ok, here we go: https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92
👍 That works! Thanks
August 7, 2019 Author New Spectre V1 Intel vuln. out (SWAPGS): https://www.phoronix.com/scan.php?page=news_item&px=CVE-2019-1125-SWAPGS
Looking at the commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2059825986a1c8143fd6698774fa9d83733bb11
We should be okay as far as disablement goes, as it's going to be lumped under "nospectre_v1", or "mitigations" (for newer Kernels). "The mitigations may be disabled with "nospectre_v1" or "mitigations=off"" As has mostly been the case, AMD seems not affected. Edited August 7, 2019 by cybrnook add " "
August 7, 2019 mitigations=off doesn't work with the current unraid kernel version
Sent from my phone as I'm probably having a beer and enjoying a fire
August 7, 2019 Author
5 hours ago, Squid said: mitigations=off doesn't work with the current unraid kernel version Sent from my phone as I'm probably having a beer and enjoying a fire
Correct, maybe I worded it wrong, but I wrote:
7 hours ago, cybrnook said: We should be okay as far as disablement goes as it's going to be lumped under "nospectre_v1", or "mitigations" (for newer Kernels).
Meaning that for now, nospectre_v1 will work to disable this for our current Kernel. Then, in the future, all we will need is mitigations=off for newer Kernels. Sorry if it reads weird. In the end, as long as we are using nospectre_v1, we are good, as this will also be disabled with that, since it's a v1 spectre variant. Edited August 7, 2019 by cybrnook add " "
October 10, 2019 Author Good article from Mike L. from Phoronix. New AMD vs Intel impacts: https://www.phoronix.com/scan.php?page=article&item=3900x-9900k-mitigations&num=1
I believe we will get mds=off in the 6.8rc whenever that comes around.
October 10, 2019
1 minute ago, cybrnook said: I believe we will get mds=off in the 6.8rc whenever that comes around.
mitigations=off Plugin updated a week or so ago to reflect this
October 10, 2019 Author
16 hours ago, Squid said: mitigations=off Plugin updated a week or so ago to reflect this
Now just to get 6.8 RC out 🙂 ™ Edited October 10, 2019 by cybrnook ™