[kwlug-disc] Meltdown fix for Linux kernel
Chris Irwin
chris at chrisirwin.ca
Fri Jan 12 10:08:08 EST 2018
On Wed, Jan 10, 2018 at 9:24 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> Wow, the differences are significant ...
>
> For a dedicated server, the fix for Meltdown is not really needed, since
> no one else is accessing RAM by exploiting the speculative execution.
>
> So I am thinking of pinning the kernel to what it is on those machines.
>
Don't pin your kernel to avoid the KPTI patches. All future kernels, likely
forever (considering linux still supports 486 CPUs), will carry this
functionality to be used with affected CPUs. Pinning your kernel will only
serve to prevent you from getting other security-related kernel updates.
If you really, *really* want to disable KPTI, put "nopti" on the kernel
command-line. I obviously don't recommend this. Unless your typical
workload resembles a synthetic benchmark, the performance impact will
likely be negligible.
The security threat posed by Meltdown and Spectre is serious, even if you
don't see an attack vector. Any unrelated remote code execution exploit (in
Apache, etc.) could potentially in turn exploit Meltdown and Spectre.
The performance hit is apparently also somewhat limited on kernels and
hardware that support PCID. IIRC, this is kernel >=4.14, and Intel >
Haswell. I have no idea if Ubuntu ships a sufficiently new kernel. Finally,
Intel is also shipping microcode updates for some of its recent
processors, although I'm not sure what effect those will have on
performance.
Remember, the meltdown patches are not a temporary workaround. All future
kernels, likely forever (considering linux still supports 486 CPUs), will
carry this functionality to be used with affected CPUs.
--
Chris Irwin
<chris at chrisirwin.ca>
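The checks the thread keeps circling around (is the kernel new enough, does the CPU advertise PCID, is KPTI actually on, and has someone put "nopti" on the command line) can be scripted. The following is an added example, not code from the post or from the kernel project. It assumes the x86 interfaces of mainline 4.14/4.15-era kernels: the "pcid" and "pti" entries on the "flags" line of /proc/cpuinfo, the "nopti" / "pti=off" command-line switches in /proc/cmdline, and the /sys/devices/system/cpu/vulnerabilities/meltdown file (absent on kernels that predate that interface). Each check is a function that takes an optional file path so it can be run against saved copies from another host; the function names are this example's own.

```shell
#!/bin/sh
# Meltdown / KPTI readiness report for a Linux host.
# Added example (not from the mailing-list post). Assumes x86 /proc and
# sysfs layout; the "flags" line exists only on x86 (ARM uses "Features").

# kernel_at_least MAJOR MINOR VERSION-STRING
# Succeeds when VERSION-STRING ("4.14.13-300.fc27.x86_64") is >= MAJOR.MINOR.
# PCID-aware PTI arrived in mainline 4.14, so that is the threshold used below.
kernel_at_least() {
    want_major=$1; want_minor=$2; ver=$3
    have_major=$(printf '%s' "$ver" | cut -d. -f1)
    # Strip any "-rc8" or "-generic" suffix from the minor field
    have_minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "${have_minor:-0}" -ge "$want_minor" ]
}

# cpu_has_flag FLAG [CPUINFO-FILE]
# Succeeds when FLAG appears on the first "flags" line. "pcid" is the CPU
# feature that keeps PTI cheap; "pti" is exported by kernels with KPTI active.
cpu_has_flag() {
    flag=$1; file=${2:-/proc/cpuinfo}
    grep -m1 '^flags' "$file" | tr ' ' '\n' | grep -qx "$flag"
}

# cmdline_has_nopti [CMDLINE-FILE]
# Succeeds when KPTI has been disabled at boot via "nopti" or "pti=off".
cmdline_has_nopti() {
    file=${1:-/proc/cmdline}
    tr ' ' '\n' < "$file" | grep -qxE 'nopti|pti=off'
}

# meltdown_status [SYSFS-FILE]
# Prints the kernel's own verdict ("Mitigation: PTI", "Vulnerable",
# "Not affected") or "unknown" when the sysfs file does not exist.
meltdown_status() {
    file=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    if [ -r "$file" ]; then cat "$file"; else printf 'unknown\n'; fi
}

# Human-readable summary for the running host.
report() {
    ver=$(uname -r)
    printf 'kernel %s: ' "$ver"
    if kernel_at_least 4 14 "$ver"; then
        echo "4.14 or newer (PCID-aware PTI available upstream)"
    else
        echo "older than 4.14 (check whether your distro backported PTI)"
    fi
    if cpu_has_flag pcid; then
        echo "CPU advertises pcid: PTI can avoid a full TLB flush per syscall"
    else
        echo "no pcid flag (or not x86): PTI pays a full TLB flush per transition"
    fi
    if cpu_has_flag pti; then
        echo "KPTI is active (pti flag present)"
    fi
    if cmdline_has_nopti; then
        echo "WARNING: nopti/pti=off on the kernel command line; KPTI disabled"
    fi
    echo "sysfs meltdown status: $(meltdown_status)"
}

report
```

Run it as root or an ordinary user; none of the files it reads need privileges. A box that prints "unknown" for the sysfs status and no "pti" flag is running a kernel from before the KPTI work landed, which is exactly the state pinning the kernel would leave you in.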