cybrnook Posted May 19, 2019 (edited)

UPDATE (10/11/2019): PLUGIN Updated for 6.8.0 RC1 + @Squid was awesome again in keeping with the newer kernel update, and the more simplified syntax now of "mitigations=off". If you already installed the plugin on a lower release and enabled it, nothing is needed prior to upgrading. Squid thought of and accounted for that and the plugin will handle it during boot.

UPDATE (06/03/2019): PLUGIN AVAILABLE!!! @Squid was awesome enough to take this work and put it into a plugin, as many have asked for. It's a great start, and covers the basics out of the gate for everyone at the moment. Once the kernel starts rolling higher, we can change the current long string to a shorter variation, but I think that will be later in the future, post 6.8.0+.....

Original Post:

As many are aware, Intel has had some serious security vulnerabilities released over the past year: "Spectre", "Meltdown", and now one of the strongest, dubbed "Zombieload" aka MDS. Intel seems to be having some skeletons coming out of the closet, which saw a CEO resign, and market share loss now to AMD. The mitigations to these vulnerabilities have all individually come with a performance cost, Spectre/Meltdown in the range of ~15%, and now MDS rumored to need Hyperthreading disabled altogether to mitigate, costing upwards of 30%-40% (sources are based on the internet, so take with a grain of salt). So add them all together, and that's a pretty hefty penalty for users who may not even be a target for this kind of attack. Personally, I have nothing that sensitive at my home running in individual dockers or VMs that I would worry enough about if someone from one area could read data from the other. As well, my local users are myself and my wife 🙂 , so she could just TAKE the money from the bank in person 🙂 Not a threat to me.
I don't care if someone is watching me play games on a VM, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch....... and if someone did make it that far to target me, I got bigger problems than speculative execution, like checking my firewall rules!!

So, with that said, this is ALL AT YOUR OWN RISK. I or the community do not assume any responsibility for damage due to the disablement of these mitigations.

As of 6.7.0, we have kernel level 4.19.41, which marks the last kernel to NOT mitigate against MDS. To disable Spectre/Meltdown for release 6.7.0, adjust your syslinux.cfg file as follows (and reboot):

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

As of 6.7.1 RC1, we have kernel level 4.19.43, which marks the first kernel TO mitigate against Spectre/Meltdown AND MDS. To disable Spectre/Meltdown/MDS for release 6.7.1 RC1+, adjust your syslinux.cfg as follows (and reboot):

pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier

You can validate the mitigations on the OS before/after by:

cat /sys/devices/system/cpu/vulnerabilities/*

BEFORE: Should look similar to (notice the Mitigations):

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

AFTER: Should look similar to (notice the Vulnerable):

Mitigation: PTE Inversion; VMX: vulnerable
Vulnerable; SMT vulnerable
Vulnerable
Vulnerable
Mitigation: __user pointer sanitization
Vulnerable, IBPB: disabled, STIBP: disabled

Edited October 11, 2019 by cybrnook: Updated Plugin for 6.8* Series
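A small audit script, added here and not part of cybrnook's post or the plugin, that reads the same sysfs files the post tells you to cat, classifies each entry as mitigated or vulnerable, and checks whether a given flag is actually present on the boot command line. The constructed sample directory reproduces the post's AFTER listing; /proc/cmdline as the default source is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the per-vulnerability
# status files the post tells you to cat. Defaults to the real sysfs path; a
# directory argument lets you run it against a saved copy or a sample.

# Classify one status line the way the post's BEFORE/AFTER listings show them.
classify_status() {
    case "$1" in
        Mitigation:*)    echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        "Not affected"*) echo NOT_AFFECTED ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print "<name> <class> <raw text>" for every file in the directory.
audit_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status="$(cat "$f")"
        printf '%-20s %-12s %s\n' "$(basename "$f")" \
            "$(classify_status "$status")" "$status"
    done
}

# Echo how many entries are classified VULNERABLE (0 means all mitigated).
count_vulnerable() {
    audit_vulns "$1" | awk '$2 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# Check whether a kernel parameter such as mds=off is present in the boot
# command line; reads /proc/cmdline unless a cmdline string is supplied.
has_boot_flag() {
    case " ${2:-$(cat /proc/cmdline)} " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample mirroring the post's AFTER listing (mitigations off).
make_sample_dir() {
    d="$(mktemp -d)"
    echo "Mitigation: PTE Inversion; VMX: vulnerable"      > "$d/l1tf"
    echo "Vulnerable; SMT vulnerable"                      > "$d/mds"
    echo "Vulnerable"                                      > "$d/meltdown"
    echo "Vulnerable"                                      > "$d/spec_store_bypass"
    echo "Mitigation: __user pointer sanitization"         > "$d/spectre_v1"
    echo "Vulnerable, IBPB: disabled, STIBP: disabled"     > "$d/spectre_v2"
    echo "$d"
}
```

Run `audit_vulns` with no argument on a live box to get the same table the post's `cat` produces, one labelled line per file.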
cybrnook (Author) Posted May 19, 2019

6 minutes ago, JoeUnraidUser said:
> How do we get to the Syslinux Configuration screen?

On your "Main" tab, click on your "Flash" drive. Then scroll down:
Helmonder Posted May 19, 2019

Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on...
itimpi Posted May 19, 2019

14 minutes ago, Helmonder said:
> Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on...

Why do you need a plugin? The above posts give you all the information needed to allow this to be done using the standard Unraid GUI?
Helmonder Posted May 19, 2019

Don't need it at all... I am already testing with it... It's just that there are a lot of users that do not feel very comfortable with changing files, that's all..
1812 Posted May 19, 2019 (edited)

7 hours ago, Helmonder said:
> Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on...

Would be easier to implement as a set of toggles like acs override.

EDIT: I modified my 6.7.0 syslinux.cfg to include the appropriate text from above. System appears to be normal and the "vulnerable" status is shown in terminal. I didn't benchmark anything because I'm lazy.

Edited May 19, 2019 by 1812
cybrnook (Author) Posted May 20, 2019 (edited)

Figured I would share:

https://www.tomshardware.com/news/intel-amd-mitigations-performance-impact,39381.html
https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=10

Edited May 20, 2019 by cybrnook
cybrnook (Author) Posted May 20, 2019 (edited)

Seems that we will be getting a newer, more simplified flag we can set to disable mitigations, called:

mitigations=off

Other options would be:

- mitigations=off: Disable all mitigations.
- mitigations=auto: [default] Enable all the default mitigations, but leave SMT enabled, even if it's vulnerable.
- mitigations=auto,nosmt: Enable all the default mitigations, disabling SMT if needed by a mitigation.

In the meantime, we can continue to use the options above until I can test the new options out on unraid with a newer kernel (future releases once unraid upgrades kernel). There seems to be validation of it working in the 5.0.16 kernel. However, it seems to be a release intended for kernel 5.2.

https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.43&id=8cb932aca5d6728661a24eaecead9a34329903ff

Edited May 20, 2019 by cybrnook
Alphahelix Posted May 23, 2019

First... SUPER guide!!! Easy to follow and instant result. 👍

But as others have mentioned, if this could be turned into a plugin with toggles for each security risk for the user to choose from, it would be (in my world) perfect. Unfortunately I lack the knowledge to create such a plugin. I know it is always easier to ask others to do the hard work. Sorry for that.

/Alphahelix
jbartlett Posted May 23, 2019 (edited)

I saw a 3% increase in the CPU score with 3DMark Timespy on a Ryzen 2950 (all but 4 cores assigned to the VM) after disabling the protections, but several other tests/benchmarks showed no change within a small margin of error on it and a 1950x and an Intel CPU (can't think of the model off hand).

Edited May 23, 2019 by jbartlett
cybrnook (Author) Posted May 23, 2019 (edited)

AMD I am not so sure we will see any large gains vs the Intel side. But thanks for testing it out 🙂 I will have my TR setup going soon and will disable these on it anyways 🙂

Edited May 23, 2019 by cybrnook
cybrnook (Author) Posted June 3, 2019

New plugin added to the repo via @Squid
zoggy Posted June 4, 2019 (edited)

Whew okay, I have an Intel i3-3220 CPU and wanted to see how much performance I can get back with disabling the mitigations as noted. I upgraded to 6.7.1rc1 and spun up the Phoronix Test Suite in a docker VM and focused on the CPU test: https://openbenchmarking.org/suite/pts/cpu

The array was running but no activity was ongoing, and no other dockers were active. Test suite cycle took about 3 hours in a run, each test ran 3 times and deviations are noted. Ran the first set as is with the mitigations in place, then rebooted with the syslinux cfg modification to disable the mitigations (still get some due to microcode used) and re-ran the same tests to compare.

Results: https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92

You can see a 2-14% increase on various things. The ctx-clock micro-benchmark for looking at the context switching overhead shows the big impact since Spectre/Meltdown, which is why it is the most drastic reported, as it targets that specific area.. 87% difference!

Hope this helps for those curious.

Edited June 4, 2019 by zoggy: correcting url
cybrnook (Author) Posted June 4, 2019

Thanks for sharing @zoggy , great testing
Frank1940 Posted June 4, 2019

7 hours ago, zoggy said:
> results: https://openbenchmarking.org/result/1906033-ZOGG-MERGE6861

I got a No Result File Found message...
Frank1940 Posted June 4, 2019 (edited)

14 minutes ago, zoggy said:
> can you try now, changed the permissions on the tests to be viewable by everyone

Same result. I know this must be frustrating for you...

EDIT: Perhaps the link has changed with the new permission.

Edited June 4, 2019 by Frank1940
zoggy Posted June 4, 2019

13 minutes ago, Frank1940 said:
> Same result. I know this must be frustrating for you... EDIT: Perhaps the link has changed with the new permission.

ok, here we go: https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92
Frank1940 Posted June 4, 2019

12 minutes ago, zoggy said:
> ok, here we go: https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92

👍 That works! Thanks
cybrnook (Author) Posted August 7, 2019 (edited)

New Spectre V1 Intel vuln. out (SWAPGS): https://www.phoronix.com/scan.php?page=news_item&px=CVE-2019-1125-SWAPGS

Looking at the commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2059825986a1c8143fd6698774fa9d83733bb11

We should be okay as far as disablement goes as it's going to be lumped under "nospectre_v1", or "mitigations" (for newer Kernels).

"The mitigations may be disabled with "nospectre_v1" or "mitigations=off""

As mostly has been the case, AMD seems not affected.

Edited August 7, 2019 by cybrnook: add " "
Squid Posted August 7, 2019

mitigations=off doesn't work with the current unraid kernel version

Sent from my phone as I'm probably having a beer and enjoying a fire
cybrnook (Author) Posted August 7, 2019 (edited)

5 hours ago, Squid said:
> mitigations=off doesnt work with the current unraid kernel version
> Sent from my phone as I'm probably having a beer and enjoying a fire

Correct, maybe I worded it wrong, but I wrote:

7 hours ago, cybrnook said:
> We should be okay as far as disablement goes as it's going to be lumped under "nospectre_v1", or "mitigations" (for newer Kernels).

Meaning that for now, nospectre_v1 will work to disable this for our current Kernel. Then, in the future, all we will need is mitigations=off for newer Kernels. Sorry if it reads weird. In the end, as long as we are using nospectre_v1, we are good as this will also be disabled with that, since it's a v1 spectre variant.

Edited August 7, 2019 by cybrnook: add " "
cybrnook (Author) Posted October 10, 2019

Good article from Mike L. from Phoronix. New AMD vs Intel impacts: https://www.phoronix.com/scan.php?page=article&item=3900x-9900k-mitigations&num=1

I believe we will get mds=off in the 6.8rc whenever that comes around.
Squid Posted October 10, 2019

1 minute ago, cybrnook said:
> I believe we will get mds=off in the 6.8rc whenever that comes around.

mitigations=off

Plugin updated a week or so ago to reflect this
cybrnook (Author) Posted October 10, 2019 (edited)

16 hours ago, Squid said:
> mitigations=off
> Plugin updated a week or so ago to reflect this

Now just to get 6.8 RC out 🙂 ™

Edited October 10, 2019 by cybrnook: ™