<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Jan 10, 2018 at 9:24 AM, Khalid Baheyeldin <span dir="ltr"><<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Wow, the differences are significant ... <br><br>For a dedicated server, the fix for Meltdown is not really needed, since no one else is accessing RAM by exploiting the speculative execution. <br><br>So I am thinking of pinning the kernel to what it is on those machines.<br></div></div></div></blockquote><div><br></div><div>Don't pin your kernel to avoid the KPTI patches. All future kernels, likely forever (considering linux still supports 486
CPUs), will carry this functionality to be used with affected CPUs. Pinning your kernel will only serve to prevent you from getting other security-related kernel updates.</div><div><br></div><div>If you really, *really* want to disable KPTI, put "nopti" on the kernel command-line. I obviously don't recommend this. Unless your typical workload resembles a synthetic benchmark, the performance impact will likely be negligible.<br></div><div><br></div><div>The security threat posed by meltdown and spectre is serious, even if
you don't see an attack vector. Any unrelated remote code execution
exploit (in apache, etc.) could potentially in turn exploit meltdown and
spectre.</div><div><br></div><div>The performance hit is apparently also somewhat limited on kernels and hardware that support PCID. IIRC, this is kernel >=4.14, and Intel > Haswell. I have no idea if Ubuntu ships a sufficiently new kernel. Finally, Intel is also shipping microcode updates for some of its recent processors, although I'm not sure what effect those will have on performance.<br></div><div><br></div></div></div><div class="gmail_extra">Remember, the meltdown patches are not a temporary workaround. All future kernels, likely forever (considering linux still supports 486 CPUs), will carry this functionality to be used with affected CPUs.<br></div><div class="gmail_extra"><br>-- <br><div class="gmail_signature"><div dir="ltr">Chris Irwin<br><<a href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>></div></div>
</div></div>
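The checks the reply touches on (is KPTI actually active, has "nopti" been put on the command line, does the CPU advertise PCID so the mitigation is cheaper) can be scripted. This is an added example, not part of the thread; it assumes a Linux host whose kernel exposes the sysfs vulnerabilities file, and each function accepts an alternate file path so it can be run against the constructed sample inputs below.

```shell
#!/bin/sh
# Added example: report Meltdown/KPTI state on a Linux host (defender's check).
# Each function reads a real kernel interface by default, but takes an optional
# path argument so it can be exercised against constructed sample files.

# Prints the kernel's own verdict: "Mitigation: PTI", "Vulnerable" or
# "Not affected". Older kernels do not expose this file at all.
meltdown_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "unknown (sysfs file absent; kernel predates vulnerability reporting)"
    fi
}

# Prints 1 if "nopti" was passed on the kernel command line (KPTI disabled), else 0.
nopti_set() {
    f="${1:-/proc/cmdline}"
    if [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx nopti; then
        echo 1
    else
        echo 0
    fi
}

# Prints 1 if the first CPU's flags line advertises PCID, else 0.
pcid_supported() {
    f="${1:-/proc/cpuinfo}"
    if [ -r "$f" ] && grep -m1 '^flags' "$f" | tr ' ' '\n' | grep -qx pcid; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample inputs (not captured from a real machine) so the checks
# can be run offline; drop the arguments to query the running kernel instead.
SAMPLE_DIR=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nopti quiet\n' > "$SAMPLE_DIR/cmdline"
printf 'processor\t: 0\nflags\t\t: fpu vme pcid sse4_2 avx2\n' > "$SAMPLE_DIR/cpuinfo"

echo "meltdown: $(meltdown_status "$SAMPLE_DIR/meltdown")"
echo "nopti on cmdline: $(nopti_set "$SAMPLE_DIR/cmdline")"
echo "pcid supported: $(pcid_supported "$SAMPLE_DIR/cpuinfo")"
```

A host where the sysfs file reads "Mitigation: PTI" and nopti_set prints 0 is running with KPTI on; nopti_set printing 1 means someone has deliberately turned it off.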