Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time
([Linux Security] 5 Hours Ago
CONFIG_DEFAULT_CPU_MITIGATIONS_OFF)
- Reference: 0001370854
- News link: https://www.phoronix.com/news/Linux-Default-Mitigations-Off
- Source link:
A proposed Linux kernel patch would provide a new Kconfig build time option of "CONFIG_DEFAULT_CPU_MITIGATIONS_OFF" to build an insecure kernel if wanting to avoid the growing list of CPU security mitigations within the kernel and their associated performance overhead.
While risking system security, booting the Linux kernel with the " mitigations=off " option has been popular for avoiding the performance costs of Spectre, Meltdown, and the many other CPU security vulnerabilities that have come to light in recent years. Using mitigations=off allows run-time disabling of the various in-kernel security mitigations for these CPU problems.
A patch proposed this week would provide CONFIG_DEFAULT_CPU_MITIGATIONS_OFF as a Kconfig switch that could optionally be enabled to have the same affect as mitigations=off but to be applied at build-time to avoid having to worry about setting the "mitigations=off" flag.
Breno Leitao, a Debian developer and a kernel engineer at Meta, sent out [1]the patch providing this option. Breno explained:
"Right now it is not possible to disable CPU vulnerabilities mitigations at build time. Mitigation needs to be disabled passing kernel parameters, such as 'mitigations=off'.
This patch creates an easy way to disable mitigation during compilation time (CONFIG_DEFAULT_CPU_MITIGATIONS_OFF), so, insecure kernel users don't need to deal with kernel parameters when booting insecure kernels."
For production environments and other areas where security is of any level of importance, it's certainly recommended sticking to the default mitigations. But for those in offline environments, using "throw-away" software environments, or other scenarios where security isn't too important, disabling these mitigations can enhance performance especially for aging Intel (and to a lesser extent, AMD and Arm) processors. Recent benchmarks I did following the Call Depth Tracking improvement on the [2]Core i7 8700K and [3]Xeon E3 v5 do include current "mitigations=off" numbers for those interested in the current overall performance impact.
[1] https://lore.kernel.org/lkml/20230202180858.1539234-1-leitao@debian.org/
[2] https://www.phoronix.com/review/linux62-intel-calldepth
[3] https://www.phoronix.com/review/skylake-retbleed-stuff
While risking system security, booting the Linux kernel with the " mitigations=off " option has been popular for avoiding the performance costs of Spectre, Meltdown, and the many other CPU security vulnerabilities that have come to light in recent years. Using mitigations=off allows run-time disabling of the various in-kernel security mitigations for these CPU problems.
A patch proposed this week would provide CONFIG_DEFAULT_CPU_MITIGATIONS_OFF as a Kconfig switch that could optionally be enabled to have the same affect as mitigations=off but to be applied at build-time to avoid having to worry about setting the "mitigations=off" flag.
Breno Leitao, a Debian developer and a kernel engineer at Meta, sent out [1]the patch providing this option. Breno explained:
"Right now it is not possible to disable CPU vulnerabilities mitigations at build time. Mitigation needs to be disabled passing kernel parameters, such as 'mitigations=off'.
This patch creates an easy way to disable mitigation during compilation time (CONFIG_DEFAULT_CPU_MITIGATIONS_OFF), so, insecure kernel users don't need to deal with kernel parameters when booting insecure kernels."
For production environments and other areas where security is of any level of importance, it's certainly recommended sticking to the default mitigations. But for those in offline environments, using "throw-away" software environments, or other scenarios where security isn't too important, disabling these mitigations can enhance performance especially for aging Intel (and to a lesser extent, AMD and Arm) processors. Recent benchmarks I did following the Call Depth Tracking improvement on the [2]Core i7 8700K and [3]Xeon E3 v5 do include current "mitigations=off" numbers for those interested in the current overall performance impact.
[1] https://lore.kernel.org/lkml/20230202180858.1539234-1-leitao@debian.org/
[2] https://www.phoronix.com/review/linux62-intel-calldepth
[3] https://www.phoronix.com/review/skylake-retbleed-stuff
milkylainen