Disabling Spectre and Meltdown mitigations (speculative execution)

[snake]

Since the speculative execution CPU vulnerabilities have come about, all fixes and mitigations have come at a cost to CPU intensive applications such as Zoneminder. Basically, all PCs became slower in 2018. This is a significant loss for Zoneminder and we should document ways to disable these fixes, should users wish.

This thread can be a place to gather any options to disable the changes (since they can vary), so that the PCs can run at full speed.

[snake]

For starters, I'm going to link to
https://make-linux-fast-again.com
Which currently has:

Code: Select all

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off

These are obviously some options you can pass to the Kernel (such as via bootloader / Grub: https://wiki.ubuntu.com/Kernel/KernelBootParameters). If you want to make kernel config file changes, you will need to investigate, as there doesn't seem to be a simple guide for this yet (see below). This is what I was referring to in the intro post. There are MULTIPLE changes you have to make. And the options are changed with every new vulnerability, so it's not as simple as one flag.

Perhaps the installation guides should touch upon this subject...

Regarding Kernel config options, One possible approach would be to run this script:
https://github.com/speed47/spectre-meltdown-checker
and review what you have been patched against. Then investigate the shell script. I looked briefly, and the script appears to have distinct functions for all CVE / vulnerabilities, so if you are patched for one, look at that function is the script. It includes a lookup for configs, so there are various kernel flags there such as CONFIG_RETPOLINE, CONFIG_PAGE_TABLE_ISOLATION, CONFIG_KAISER, CONFIG_HARDEN_BRANCH_PREDICTOR, etc.

If someone goes through this process it would be helpful to leave a list of what flags you changed.

5/17/19 - Post edited to include details searching for kernel flags

[zd59]

For starters, I'm going to link to
https://make-linux-fast-again.com
Which currently has:

Code: Select all

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off

These are obviously some options you can pass to the Kernel (such as via Grub: https://wiki.ubuntu.com/Kernel/KernelBootParameters or a flag if you are compiling your kernel)

Playing and testing with Linux & ZM on Virtualbox. Slackware-current, updated today. Kernel is clean, unmodified from original source.
I'm currently compiling kernel-5.1.3 to check on Vbox.
Would you be so kind to write me a hint, which options in Kernel config should be set off regarding above you mention in a code. There are not a single option you mentioned above in a kernel .config file. It's only CONFIG_RESET_ATTACK_MITIGATION.

[snake]

Would you be so kind to write me a hint, which options in Kernel config should be set off regarding above you mention in a code.

Thanks for pointing that out. I've updated the post.

[MoOz]

Hi
can someone write a more detail procedure

So far I collected

**Run Spectre & Meltdown Checker
https://github.com/speed47/spectre-meltdown-checker
what do you change without breaking things

*** GRUB
KernelBootParameters
https://wiki.ubuntu.com/Kernel/KernelBootParameters