Disable spectre/meltdown etc. mitigations

On my home PC, when I am not running web server and just focus on compiling/execution of standalone executables, I would like to disable various latest mitigations (Spectre, Meltdown etc. ) I found on other distros it can be disabled by adding in the file /etc/sysconfig/grub the line: noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off and re-generating grub’s configuration file with grub2-mkconfig

But Clear Linux doesn’t have /etc/sysconfig directory. How can I disable those mitigations?

Have a look at this post for passing kernel cmdline boot parameters:

Kernel 5.2 will allow you to do that with just a terminal command.

1 Like

Great! So, will I be able to switch it “on” and “off” interactively, without rebooting? That would be the best scenario.

Kernel 5.2 is around a corner, right?

Yes. It was officially launched just recently, so Clear Linux should get it pretty soon.

Ok, so now we have 5.2* kernel in 30480 version. What is the exact terminal command to disable/enable mitigations, please?

Check this

Yes, I have read that. The question is - can I do it in some easy way through the terminal command (as Tourette has pointed), or still create the file, update clr-boot-manager, and than reboot?

1 Like

Yes

[ -d /etc/kernel/cmdline.d ] || \
    sudo mkdir -p /etc/kernel/cmdline.d && \
    echo "PARAMETERS" | sudo tee -a /etc/kernel/cmdline.d/SOMEFILE.conf && \
    sudo clr-boot-manager update"

It’s just one shell command.

1 Like

So, basically it is the same old way, just simpler parameter syntax for mitigations handling. Still I need to reboot every time after updates in order to make it effective, correct?

The kernel parameters are written in the config files, and I think after the kernel update, the clr-boot-manager won’t discard/ignore these configurations.

Right - you cannot en/disable after boot. Only as a boot command to the kernel.

Mine looks like this:

cat /etc/kernel/cmdline
mitigations=off rootflags=x-systemd.device-timeout=0
1 Like

Is it just here that it doesn’t work?

$ cat /etc/kernel/cmdline.d/test_mitigations_disabled.conf 
mitigations=off
$ sudo clr-boot-manager update

After reboot

$ cat /proc/cmdline 
initrd=\EFI\org.clearlinux\freestanding-00-intel-ucode.cpio initrd=\EFI\org.clearlinux\freestanding-i915-firmware.cpio.xz root=PARTUUID=1840b1e8-4527-40b4-bad6-ce5dc5e75db2 quiet console=tty0 console=ttyS0,115200n8 cryptomgr.notests init=/usr/bin/initra-desktop initcall_debug intel_iommu=igfx_off kvm-intel.nested=1 no_timer_check noreplace-smp page_alloc.shuffle=1 rcupdate.rcu_expedited=1 rootfstype=ext4,btrfs,xfs,f2fs tsc=reliable rw

Hi doct0rHu,

I used the shell script you wrote, but it didn’t seem to have any effect on numerous performance intensive benchmarks. I suspect mitigations were not successfully turned off, even though I’d created /etc/kernel/cmdline.d/SOMEFILE.conf that specified they were. Do you have any ideas? Thank you so much!

Cheers!

No idea. I never turned off mitigation.