spectre / meltdown mitigation defaults changed

HulaHoop · November 7, 2020, 12:17am

Linux devs decided to change the scope and method of these mitigations by default in upcoming kernel version. Let’s try to make head or tail of how this affects older systems and if we need to keep them toggled on

Patrick · November 7, 2020, 4:32pm

Looks like it’s not done. Quote:

We’ll keep monitoring to see if/when this change is accepted.

Related settings file:

github.com

Kicksecure/security-misc/blob/master/etc/default/grub.d/40_cpu_mitigations.cfg

## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Enables all known mitigations for CPU vulnerabilities.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647

## Enable mitigations for Spectre variant 2 (indirect branch speculation).
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"

## Disable Speculative Store Bypass.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"

## Enable mitigations for the L1TF vulnerability through disabling SMT
## and L1D flush runtime control.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html

This file has been truncated. show original

madaidan · November 9, 2020, 8:12pm

We set the strictest option anyhow - spec_store_bypass_disable=on. The new default that’s being suggested upstream is weaker and only enables this mitigation for processes that explicitly ask for it. It’s still best to enable it system-wide by default for security albeit at a performance loss which I think we can handle.