[kwlug-disc] Meltown fix for Linux kernel
Chris Irwin
chris at chrisirwin.ca
Fri Jan 12 10:11:55 EST 2018
On Fri, Jan 12, 2018 at 10:08 AM, Chris Irwin <chris at chrisirwin.ca> wrote:
> On Wed, Jan 10, 2018 at 9:24 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
>
>> Wow, the differences are significant ...
>>
>> For a dedicated server, the fix for Meltdown is not really needed, since
>> no one else is accessing RAM by exploiting the speculative execution.
>>
>> So I am thinking of pinning the kernel to what it is on those machines.
>>
>
> Don't pin your kernel to avoid the KPTI patches. All future kernels,
> likely forever (considering linux still supports 486 CPUs), will carry this
> functionality to be used with affected CPUs. Pinning your kernel will only
> serve to prevent you from getting other security-related kernel updates.
>
> If you really, *really* want to disable KPTI, put "nopti" on the kernel
> command-line. I obviously don't recommend this. Unless your typical
> workload resembles a synthetic benchmark, the performance impact will
> likely be negligible.
>
> The security threat posted by meltdown and spectre is serious, even if you
> don't see an attack vector. Any unrelated remote code execution exploit (in
> apache, etc) could potentially in turn exploit meltdown and spectre.
>
> The performance hit is apparently also somewhat limited on kernels and
> hardware that support PCID. IIRC, this is kernel >=4.14, and Intel >
> Haswell. I have no idea if Ubuntu ships a sufficiently new kernel. Finally,
> Intel is also shipping microcode updates for some of it's recent
> processors, although I'm not sure what effect those will have on
> performance.
>
> Remember, the meltdown patches are not a temporary workaround. All future
> kernels, likely forever (considering linux still supports 486 CPUs), will
> carry this functionality to be used with affected CPUs.
>
I didn't mean to send that yet. Sorry about the copy-paste duplicated
sentence. I also wanted to note that while I mention "Spectre" as well,
KPTI doesn't fix spectre attacks. From what I gather, that's going to be a
really pain to fix, and likely a long-term problem.
--
Chris Irwin
<chris at chrisirwin.ca>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20180112/a8568c42/attachment.htm>
More information about the kwlug-disc
mailing list