<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jan 12, 2018 at 10:08 AM, Chris Irwin <span dir="ltr"><<a href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Wed, Jan 10, 2018 at 9:24 AM, Khalid Baheyeldin <span dir="ltr"><<a href="mailto:kb@2bits.com" target="_blank">kb@2bits.com</a>></span> wrote:<br></span><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Wow, the differences are significant ... <br><br>For a dedicated server, the fix for Meltdown is not really needed, since no one else is accessing RAM by exploiting the speculative execution. <br><br>So I am thinking of pinning the kernel to what it is on those machines.<br></div></div></div></blockquote><div><br></div></span><div>Don't pin your kernel to avoid the KPTI patches. All future kernels, likely forever (considering linux still supports 486
CPUs), will carry this functionality to be used with affected CPUs. Pinning your kernel will only serve to prevent you from getting other security-related kernel updates.</div><div><br></div><div>If you really, *really* want to disable KPTI, put "nopti" on the kernel command-line. I obviously don't recommend this. Unless your typical workload resembles a synthetic benchmark, the performance impact will likely be negligible.<br></div><div><br></div><div>The security threat posted by meltdown and spectre is serious, even if
you don't see an attack vector. Any unrelated remote code execution
exploit (in apache, etc) could potentially in turn exploit meltdown and
spectre.</div><div><br></div><div>The performance hit is apparently also somewhat limited on kernels and hardware that support PCID. IIRC, this is kernel >=4.14, and Intel > Haswell. I have no idea if Ubuntu ships a sufficiently new kernel. Finally, Intel is also shipping microcode updates for some of it's recent processors, although I'm not sure what effect those will have on performance.<br></div><div><br></div></div></div><div class="gmail_extra">Remember, the meltdown patches are not a temporary workaround. All future kernels, likely forever (considering linux still supports 486 CPUs), will carry this functionality to be used with affected CPUs.<span class="HOEnZb"><font color="#888888"><br></font></span></div></div></blockquote><div><br></div><div>I didn't mean to send that yet. Sorry about the copy-paste duplicated sentence. I also wanted to note that while I mention "Spectre" as well, KPTI doesn't fix spectre attacks. From what I gather, that's going to be a really pain to fix, and likely a long-term problem.<br></div></div><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Chris Irwin<br><<a href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>></div></div>
</div></div>