Disable spectre/meltdown etc. mitigations

On my home PC, when I am not running a web server and just focus on compiling/executing standalone executables, I would like to disable the various latest mitigations (Spectre, Meltdown, etc.). I found that on other distros they can be disabled by adding to the file /etc/sysconfig/grub the line: noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off and regenerating grub’s configuration file with grub2-mkconfig.

But Clear Linux doesn’t have /etc/sysconfig directory. How can I disable those mitigations?

Have a look at this post for passing kernel cmdline boot parameters:

Kernel 5.2 will allow you to do that with just a terminal command.

Great! So, will I be able to switch it “on” and “off” interactively, without rebooting? That would be the best scenario.

Kernel 5.2 is around the corner, right?

Yes. It was officially launched just recently, so Clear Linux should get it pretty soon.

Ok, so now we have 5.2* kernel in 30480 version. What is the exact terminal command to disable/enable mitigations, please?

Check this

https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52

Yes, I have read that. The question is - can I do it in some easy way through the terminal command (as Tourette has pointed out), or still create the file, update clr-boot-manager, and then reboot?

Yes

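# Create the drop-in directory if it is missing, append the parameters,
# then regenerate the boot entries.
[ -d /etc/kernel/cmdline.d ] || \
    sudo mkdir -p /etc/kernel/cmdline.d && \
    echo "PARAMETERS" | sudo tee -a /etc/kernel/cmdline.d/SOMEFILE.conf && \
    sudo clr-boot-manager update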

It’s just one shell command.

So, basically it is the same old way, just simpler parameter syntax for mitigations handling. Still I need to reboot every time after updates in order to make it effective, correct?

The kernel parameters are written in the config files, and I think after the kernel update, the clr-boot-manager won’t discard/ignore these configurations.

Right - you cannot en/disable after boot. Only as a boot command to the kernel.

Mine looks like this:

cat /etc/kernel/cmdline
mitigations=off rootflags=x-systemd.device-timeout=0
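
To confirm after a reboot which state the machine is really in, the added example below (not code from any poster in this thread) lists the mitigation-disabling parameters on the running kernel's command line and counts the entries the kernel reports as Vulnerable under /sys/devices/system/cpu/vulnerabilities. The function names and the --report switch are made up for this example; the parameter list is the one quoted in the first post.

```shell
#!/bin/sh
# Added example: audit whether CPU mitigations are disabled on this boot.

# Parameters quoted in the first post of the thread.
MITIGATION_PARAMS="mitigations=off noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off"

# list_disabling_params CMDLINE
# Prints every word of CMDLINE that is one of MITIGATION_PARAMS, one per line.
list_disabling_params() {
    set -f                      # no glob expansion while splitting the string
    for word in $1; do
        for p in $MITIGATION_PARAMS; do
            if [ "$word" = "$p" ]; then printf '%s\n' "$word"; fi
        done
    done
    set +f
    return 0
}

# count_vulnerable [DIR]
# Prints how many status files in DIR start with "Vulnerable".
# DIR defaults to the kernel's sysfs directory; a test can pass a sample one.
count_vulnerable() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f" 2>/dev/null) in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# report: print both views for the running system.
report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    echo "Mitigation-disabling parameters on the running command line:"
    list_disabling_params "$cmdline" | sed 's/^/  /'
    echo "sysfs entries reported as Vulnerable: $(count_vulnerable)"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with --report before and after the reboot; the count changes only once the new command line has actually been booted.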