Squid

[Plugin] Disable Security Mitigations


Look at the status before and after applying them. Any that stay mitigated are being handled via microcode.

Sent via telekinesis


@Squid is right. It's a nice two-fer. Since we are in a world of chips right now that are not immune to these attacks at the HW level, we are getting updates in two channels right now: BIOS-level microcode updates, Windows patch-level updates, Linux kernel-level patches and microcode updates, etc. Okay, so more than two channels 🙂 (It's a mess, is the easy way to put it.)

 

With that, only some vulnerabilities are addressed at the BIOS level with microcode. Others are being handled by patches and updates. To FULLY disable it all would require not only staying on an older unpatched BIOS (for some, they may have no option, as MB vendors and Intel are only retrofitting so far back), but also applying these mitigations. I don't really recommend staying on an old BIOS, as other features come in newer BIOS versions, like AGESA updates and CPU compatibility for newer chips on older chipsets. As noted in the plugin, there are still a good amount of mitigations we can disable at the kernel level, and users are seeing perf gains in the VM space.

 

As new CPUs are patched at the hardware level, this will be even more confusing, since we will have microcode in BIOS updates that applies only to certain CPUs but not others, and then patches at the OS level that will seemingly apply to everyone, since we all pay the price at the OS level.

Edited by cybrnook
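A concrete way to do the before/after check Squid describes, and to see which entries the kernel-level flags cybrnook mentions actually reach: snapshot the kernel's own report of each CPU vulnerability before applying the plugin's flags, snapshot again after the reboot, and line the two up. Entries that flipped to "Vulnerable" were under kernel control; entries that still report a mitigation were not touched by the flags. This is an added example, not code from the plugin or from either poster. It reads the kernel's /sys/devices/system/cpu/vulnerabilities interface, which exists on any reasonably recent Linux kernel; the before/after contents in write_sample_snapshots are constructed samples, not output captured from a real machine, and they assume the l1tf "PTE Inversion" entry stays because the kernel applies that mitigation unconditionally.

```shell
#!/bin/sh
# Record the kernel's own report of each CPU vulnerability as
# "name<TAB>status", one line per file under the sysfs directory.
snapshot_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Names in a snapshot file whose status still begins with "Mitigation".
still_mitigated() {
    awk -F'\t' '$2 ~ /^Mitigation/ { print $1 }' "$1"
}

# Line up a before snapshot ($1) and an after snapshot ($2) by name.
# An entry that now reads "Vulnerable" was kernel-controlled; an entry
# that still reports a mitigation was not reached by the kernel flags.
compare_snapshots() {
    awk -F'\t' '
        NR == FNR { before[$1] = $2; next }
        {
            note = ""
            if ($2 ~ /^Mitigation/)      note = "   <-- still mitigated"
            else if ($2 != before[$1])   note = "   (changed)"
            printf "%-12s %s -> %s%s\n", $1, before[$1], $2, note
        }' "$1" "$2"
}

# Constructed sample snapshots (NOT captured from a real machine): a boot
# with mitigations on ($1) and one after the plugin's flags such as
# mds=off ($2). Three entries flip to Vulnerable; l1tf keeps PTE
# Inversion, which the kernel applies unconditionally.
write_sample_snapshots() {
    printf 'l1tf\tMitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' >  "$1"
    printf 'mds\tMitigation: Clear CPU buffers; SMT vulnerable\n'                            >> "$1"
    printf 'meltdown\tMitigation: PTI\n'                                                     >> "$1"
    printf 'spectre_v2\tMitigation: Full generic retpoline\n'                                >> "$1"
    printf 'l1tf\tMitigation: PTE Inversion; VMX: vulnerable\n'                              >  "$2"
    printf 'mds\tVulnerable; SMT vulnerable\n'                                               >> "$2"
    printf 'meltdown\tVulnerable\n'                                                          >> "$2"
    printf 'spectre_v2\tVulnerable, IBPB: disabled, STIBP: disabled\n'                       >> "$2"
}

# Usage on a real box:
#   snapshot_mitigations > before.txt      (before enabling the plugin)
#   ... apply the flags, reboot ...
#   snapshot_mitigations > after.txt
#   ./mitigation_check.sh before.txt after.txt
# With no arguments, runs against the constructed sample above.
if [ "$#" -eq 2 ]; then
    compare_snapshots "$1" "$2"
else
    tmp=$(mktemp -d)
    write_sample_snapshots "$tmp/before.txt" "$tmp/after.txt"
    compare_snapshots "$tmp/before.txt" "$tmp/after.txt"
    rm -rf "$tmp"
fi
```

Anything flagged "still mitigated" after the reboot is what Squid is pointing at: the kernel flags did not change it, so it is coming from somewhere else (microcode, or a mitigation the kernel does not make optional), and no further kernel parameter in the plugin will remove it.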


Disabling the patches gave me a 2.4% boost (5 tests averaged) on a Threadripper 2990WX using Passmark's CPU benchmark, only testing against a single NUMA node in a Win 10 VM.

Edited by jbartlett

6 hours ago, jbartlett said:

Disabling the patches gave me a 2.4% boost (5 tests averaged) on a Threadripper 2990WX using Passmark's CPU benchmark, only testing against a single NUMA node in a Win 10 VM.

Thanks for the input. So, in your case, for one, you are on an AMD system, not Intel. So your platform isn't as heavily hit as, say, my 2011-v3 based Intel systems, since Intel is really behind the ball on these patches.

 

As well, I don't want to give the impression that disabling these is a magic +30% performance boost across the board on all benchmark suites; that's absolutely not the case. But what we can see, like from @zoggy's EXCELLENT pre/post test case on an Intel-based system, is that he sees perf boosts across the board, and up to 80% improvement in context switching (almost at the bottom of the page): https://openbenchmarking.org/result/1906037-HV-190603PTS41,1906033-HV-190603PTS92

 

So the benefits are real, if your use cases are in alignment and are Intel-based. Not to say, though, that disabling the overhead on an AMD system is not fruitful as well, especially at the OS level. Just don't expect an even +30% across the board, all platforms, etc.

 

With that said, I look forward to maybe bouncing some ideas off you when I get my 2970WX system up and running. It's all here, just no time to actually build it out 🙂 Plus the fact that we have been battling SLES scheduling issues on IBM Power at work, and it's issues that we faced on incorrect affinity scheduling/assignments to non-optimal NUMA nodes... I am taking a little time before hopping right back into that 🙂

Edited by cybrnook

36 minutes ago, cybrnook said:

So the benefits are real, if your use cases are in alignment and are Intel-based. Just don't expect an even +30% across the board, all platforms, etc.

Honestly, getting 2 or 3% on average is already a lot in my book and enough to bother. People overclock and sometimes stress their components a lot for barely more than that. Getting more than that in some specific scenarios is just a nice bonus.


I'm not complaining about my 2-3%. I'm simply stating the results I got when I benchmarked the difference for an AMD system for others to be informed.


Has anyone updated to 6.7.1 or 6.7.2 and can confirm that this still works properly for the new ZombieLoad vulnerability?

I assume everything is fine looking at cybrnook's post.

Edited by dnLL

17 minutes ago, dnLL said:

Has anyone updated to 6.7.1 or 6.7.2 and can confirm that this still works properly for the new ZombieLoad vulnerability?

I assume everything is fine looking at cybrnook's post.

mds=off is for ZombieLoad.


Re: 80% improvement in context switching.

I run Win10 VMs on my Intel 2670 dual-CPU server and they seem more laggy recently. Am I one who will really notice the benefits of this plugin?

Sent from my chisel, carved into granite

2 hours ago, tr0910 said:

Win10 VMs

Not the real expert, but it seems to me that Windows will have its own mitigations installed via updates, which will override these in the VM. You can also disable them via googling.
