Disabling Spectre/Meltdown/Zombieload mitigations (PLUGIN AVAILABLE)



UPDATE (10/11/2019) PLUGIN updated for 6.8.0 RC1 + @Squid was awesome again in keeping up with the newer kernel update and the now-simplified syntax of "mitigations=off". If you already installed the plugin on a lower release and enabled it, nothing is needed prior to upgrading. Squid thought of and accounted for that, and the plugin will handle it during boot.

 

UPDATE (06/03/2019) PLUGIN AVAILABLE!!! @Squid was awesome enough to take this work and put it into a plugin, as many have asked for. It's a great start, and covers the basics out of the gate for everyone at the moment. Once the kernel starts rolling higher, we can change the current long string to a shorter variation, but I think that will be later in the future, post 6.8.0+.

 

 

Original Post:

 

As many are aware, Intel has had some serious security vulnerabilities released over the past year. "Spectre", "Meltdown", and now one of the strongest dubbed "Zombieload" aka MDS. Intel seems to be having some skeletons coming out of the closet, which saw a CEO resign, and market share loss now to AMD.

 

The mitigations for these vulnerabilities have all individually come with a performance cost, Spectre/Meltdown in the range of ~15%, and now MDS rumored to need Hyperthreading disabled altogether to mitigate, costing upwards of 30%-40% (sources are based on the internet, so take with a grain of salt). So add them all together, and that's a pretty hefty penalty for users who may not even be a target for this kind of attack.

 

Personally, I have nothing that sensitive at my home running in individual dockers or VMs that I would worry enough about if someone from one area could read data from the other. As well, my local users are myself and my wife 🙂, so she could just TAKE the money from the bank in person 🙂 Not a threat to me. I don't care if someone is watching me play games on a VM, or is watching that I am encoding or decrypting a movie, big deal, not much going on at my house anyone would work hard enough to watch... and if someone did make it that far to target me, I've got bigger problems than speculative execution, like checking my firewall rules!!

 

So, with that said, this is ALL AT YOUR OWN RISK; neither I nor the community assumes any responsibility for damage due to the disablement of these mitigations.

 

As of 6.7.0, we have kernel level 4.19.41 which marks the last kernel to NOT mitigate against MDS. To disable Spectre/Meltdown for release 6.7.0, adjust your syslinux.cfg file as follows (and reboot):

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier


 

As of 6.7.1 RC1, we have kernel level 4.19.43 which marks the first kernel TO mitigate against Spectre/Meltdown AND MDS. To disable Spectre/Meltdown/MDS for release 6.7.1 RC1+, adjust your syslinux.cfg as follows (and reboot):

 

pti=off spectre_v2=off l1tf=off mds=off nospec_store_bypass_disable no_stf_barrier


 

You can validate the mitigations on the OS before/after by running:

cat /sys/devices/system/cpu/vulnerabilities/*

BEFORE:

Should look similar to (notice the Mitigations):

Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling


AFTER:

Should look similar to (notice the Vulnerable):

Mitigation: PTE Inversion; VMX: vulnerable
Vulnerable; SMT vulnerable
Vulnerable
Vulnerable
Mitigation: __user pointer sanitization
Vulnerable, IBPB: disabled, STIBP: disabled
Edited by cybrnook
Updated Plugin for 6.8* Series
14 minutes ago, Helmonder said:

Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on... 

Why do you need a plugin?    The above posts give you all the information needed to allow this to be done using the standard Unraid GUI?

7 hours ago, Helmonder said:

Would be a great plugin.. I would love to do a live test to see if it really makes any difference to turn off or leave on... 

 

Would be easier to implement as a set of toggles like acs override.

 

 

-----edit

 

I modified my 6.7.0 syslinux.cfg to include the appropriate text from above. System appears to be normal and the "vulnerable" status is shown in terminal.

 

I didn't benchmark anything because I'm lazy.

Edited by 1812

Seems that we will be getting a newer, simpler flag we can set to disable mitigations, called:

 

mitigations=off

 

Other options would be:

- mitigations=off: Disable all mitigations.

- mitigations=auto: [default] Enable all the default mitigations, but leave SMT enabled, even if it's vulnerable.

- mitigations=auto,nosmt: Enable all the default mitigations, disabling SMT if needed by a mitigation.

 

In the meantime, we can continue to use the options above until I can test the new options out on Unraid with a newer kernel (future releases once Unraid upgrades the kernel). There seems to be validation of it working in the 5.0.16 kernel; however, it seems to be a release intended for kernel 5.2.

https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.43&id=8cb932aca5d6728661a24eaecead9a34329903ff

Edited by cybrnook
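An added example (my own script, not from the thread or from the Unraid plugin) that turns the two checks in this thread into one POSIX shell audit: it scans a kernel command line for the disable switches the posts list (the per-issue flags from the syslinux.cfg lines in the original post and the newer mitigations=off from this post), and it reads a /sys/devices/system/cpu/vulnerabilities-style directory the way the cat command in the original post does, but keeps the file names and counts the entries that report Vulnerable. The file names l1tf, mds, meltdown, spec_store_bypass, spectre_v1 and spectre_v2, the assignment of the AFTER lines to those files, and the sample command line are my assumptions; the --sample mode runs against a constructed copy of that output so it can be tried without touching a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the Unraid plugin): audit whether the
# speculative-execution mitigations discussed in the thread are disabled.
# Two checks, mirroring the posts:
#   1. the kernel command line (what syslinux.cfg ends up as in /proc/cmdline)
#      for the disable switches the thread names, including mitigations=off
#   2. the per-issue status files under /sys/devices/system/cpu/vulnerabilities
# Assumption: each status file holds a single line, as in the outputs quoted above.

# Switches the thread lists that turn a mitigation off. "mitigations=auto" and
# "mitigations=auto,nosmt" are deliberately NOT matched: those keep protection on.
cmdline_disable_flags() {
    found=""
    for tok in $1; do
        case "$tok" in
            mitigations=off|pti=off|spectre_v2=off|nospectre_v1|l1tf=off|mds=off|nospec_store_bypass_disable|no_stf_barrier)
                found="${found:+$found }$tok" ;;
        esac
    done
    echo "$found"
}

# Print "name: status" for every file in a vulnerabilities directory
# (the thread's `cat .../vulnerabilities/*` without losing the file names).
audit_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(head -n 1 "$f")"
    done
}

# Count the entries whose status begins with "Vulnerable". The l1tf line in the
# thread's AFTER output still starts with "Mitigation:" even though its VMX part
# reads "vulnerable", so a prefix match reproduces what the author highlighted.
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(head -n 1 "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample: a temporary directory holding the six files assumed to
# exist on the 4.19.43 kernel in the thread, filled with the quoted AFTER output.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'Mitigation: PTE Inversion; VMX: vulnerable' > "$d/l1tf"
    printf '%s\n' 'Vulnerable; SMT vulnerable'                  > "$d/mds"
    printf '%s\n' 'Vulnerable'                                  > "$d/meltdown"
    printf '%s\n' 'Vulnerable'                                  > "$d/spec_store_bypass"
    printf '%s\n' 'Mitigation: __user pointer sanitization'     > "$d/spectre_v1"
    printf '%s\n' 'Vulnerable, IBPB: disabled, STIBP: disabled' > "$d/spectre_v2"
    echo "$d"
}

# Combined report for a directory plus a command line string.
report() {
    dir=$1
    cmdline=$2
    flags=$(cmdline_disable_flags "$cmdline")
    echo "disable switches on cmdline: ${flags:-none}"
    audit_vulns "$dir"
    echo "entries reporting Vulnerable: $(count_vulnerable "$dir")"
}

# Usage: ./audit_mitigations.sh           -> audit this host
#        ./audit_mitigations.sh --sample  -> run against the constructed sample
if [ "${1:-}" = "--sample" ]; then
    sample=$(make_sample_dir)
    # constructed command line, assumed layout of an Unraid boot line
    report "$sample" "BOOT_IMAGE=/bzimage initrd=/bzroot mds=off pti=off spectre_v2=off"
    rm -rf "$sample"
elif [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report /sys/devices/system/cpu/vulnerabilities "$(cat /proc/cmdline 2>/dev/null)"
fi
```

Run it without arguments on the host after a reboot to confirm the syslinux.cfg change took effect in both places: the flags actually reached the kernel command line, and the status files flipped the way the AFTER listing shows. A box that shows flags on the command line but no Vulnerable entries is the case the thread mentions where the kernel is too old to understand the switch (mitigations=off on 4.19.x), which is worth catching before trusting the result of a benchmark.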

First...

SUPER guide!!! easy to follow and instant result. 👍

 

But as others have mentioned, if this could be turned into a plugin with toggles for each security risk for the user to choose from it would be (in my world) perfect.

 

Unfortunately I lack the knowledge to create such a plugin. I know it is always easier to ask others to do the hard work. Sorry for that.

 

/Alphahelix


I saw a 3% increase in the CPU score with 3DMark Timespy on a Ryzen 2950 (all but 4 cores assigned to the VM) after disabling the protections but several other tests/benchmarks showed no change within a small margin of error on it and a 1950x and an Intel CPU (can't think of the model off hand).

Edited by jbartlett

Whew, okay. I have an Intel i3-3220 CPU and wanted to see how much performance I can get back by disabling the mitigations as noted.

I upgraded to 6.7.1rc1, spun up the Phoronix Test Suite in a docker VM and focused on the CPU test -- https://openbenchmarking.org/suite/pts/cpu

The array was running but no activity was ongoing, and no other dockers were active.

The test suite cycle took about 3 hours per run; each test ran 3 times and the deviation is noted.

Ran the first set as is with the mitigations in place, then rebooted with the syslinux.cfg modification to disable the mitigations (still get some due to the microcode used) and re-ran the same tests to compare.

 

results:

https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92

 

You can see a 2-14% increase on various things.

The ctx-clock micro-benchmark, which looks at context switching overhead, shows the big impact since Spectre/Meltdown.

Which is why you can see it is the most drastic reported, as it targets that specific area: 87% difference!

 

Hope this helps those who are curious.

 

 

Edited by zoggy
correcting url

New Spectre V1 Intel vuln. out (SWAPGS): https://www.phoronix.com/scan.php?page=news_item&px=CVE-2019-1125-SWAPGS

 

Looking at the commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2059825986a1c8143fd6698774fa9d83733bb11

 

We should be okay as far as disablement goes as it's going to be lumped under "nospectre_v1", or "mitigations" (for newer Kernels).

 

"The mitigations may be disabled with "nospectre_v1" or "mitigations=off""

 

As mostly has been the case, AMD seems not affected.

Edited by cybrnook
add " "
5 hours ago, Squid said:

mitigations=off doesn't work with the current Unraid kernel version

Sent from my phone as I'm probably having a beer and enjoying a fire
 

Correct, maybe I worded it wrong, but I wrote:

7 hours ago, cybrnook said:

We should be okay as far as disablement goes as it's going to be lumped under "nospectre_v1", or "mitigations" (for newer Kernels).

Meaning that for now, nospectre_v1 will work to disable this for our current Kernel. Then, in the future, all we will need is mitigations=off for newer Kernels. Sorry if it reads weird.

 

In the end, as long as we are using nospectre_v1, we are good as this will also be disabled with that, since it's a v1 spectre variant.

Edited by cybrnook
add " "