Disable spectre/meltdown etc. mitigations

On my home PC, when I am not running a web server and just focus on compiling/execution of standalone executables, I would like to disable various latest mitigations (Spectre, Meltdown, etc.). I found that on other distros they can be disabled by adding in the file /etc/sysconfig/grub the line: noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off and re-generating grub’s configuration file with grub2-mkconfig.

But Clear Linux doesn’t have /etc/sysconfig directory. How can I disable those mitigations?

Have a look at this post for passing kernel cmdline boot parameters:

Kernel 5.2 will allow you to do that with just a terminal command.

Great! So, will I be able to switch it “on” and “off” interactively, without rebooting? That would be the best scenario.

Kernel 5.2 is around the corner, right?

Yes. It was officially launched just recently, so Clear Linux should get it pretty soon.

Ok, so now we have 5.2* kernel in 30480 version. What is the exact terminal command to disable/enable mitigations, please?

Check this

Yes, I have read that. The question is - can I do it in some easy way through the terminal command (as Tourette has pointed out), or still create the file, update clr-boot-manager, and then reboot?

Yes

# PARAMETERS and SOMEFILE are placeholders for the kernel parameters and the file name
[ -d /etc/kernel/cmdline.d ] || \
    sudo mkdir -p /etc/kernel/cmdline.d && \
    echo "PARAMETERS" | sudo tee -a /etc/kernel/cmdline.d/SOMEFILE.conf && \
    sudo clr-boot-manager update

It’s just one shell command.

So, basically it is the same old way, just simpler parameter syntax for mitigations handling. Still I need to reboot every time after updates in order to make it effective, correct?

The kernel parameters are written in the config files, and I think after the kernel update, the clr-boot-manager won’t discard/ignore these configurations.

Right - you cannot en/disable after boot. Only as a boot command to the kernel.

Mine looks like this:

cat /etc/kernel/cmdline
mitigations=off rootflags=x-systemd.device-timeout=0

Is it just here that it doesn’t work?

$ cat /etc/kernel/cmdline.d/test_mitigations_disabled.conf 
mitigations=off
$ sudo clr-boot-manager update

After reboot

$ cat /proc/cmdline 
initrd=\EFI\org.clearlinux\freestanding-00-intel-ucode.cpio initrd=\EFI\org.clearlinux\freestanding-i915-firmware.cpio.xz root=PARTUUID=1840b1e8-4527-40b4-bad6-ce5dc5e75db2 quiet console=tty0 console=ttyS0,115200n8 cryptomgr.notests init=/usr/bin/initra-desktop initcall_debug intel_iommu=igfx_off kvm-intel.nested=1 no_timer_check noreplace-smp page_alloc.shuffle=1 rcupdate.rcu_expedited=1 rootfstype=ext4,btrfs,xfs,f2fs tsc=reliable rw
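
An added example, not part of any post in this thread: a shell check of whether mitigation-disabling parameters actually reached the running kernel. It uses the parameter list from the first post and the kernel's status files under /sys/devices/system/cpu/vulnerabilities. The function names are made up for this example.

```shell
#!/bin/sh
# Parameters named in the first post that switch mitigations off.
OFF_PARAMS="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

# Print every mitigation-disabling parameter found in a kernel command line
# (first argument), one per line. Whole tokens only, so an unrelated
# "foo.mitigations=off" is not counted. The subshell body keeps `set -f` local.
find_off_params() (
    set -f    # no glob expansion while word-splitting the command line
    for tok in $1; do
        for p in $OFF_PARAMS; do
            if [ "$tok" = "$p" ]; then printf '%s\n' "$tok"; fi
        done
    done
)

# Count sysfs entries whose status starts with "Vulnerable", i.e. CPU issues
# the running kernel is not mitigating. The directory can be overridden.
count_vulnerable() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Report what the running kernel actually booted with.
audit_running_kernel() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    found=$(find_off_params "$cmdline")
    if [ -n "$found" ]; then
        printf 'mitigation-disabling parameters booted: %s\n' \
            "$(printf '%s' "$found" | tr '\n' ' ')"
    else
        printf 'no mitigation-disabling parameters in /proc/cmdline\n'
    fi
    printf 'sysfs entries reporting Vulnerable: %s\n' "$(count_vulnerable)"
}

audit_running_kernel
```

If the first line of output says no parameters were found, the configuration file was not picked up at boot, regardless of what is in /etc/kernel/cmdline.d.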

Hi doct0rHu,

I used the shell script you wrote, but it didn’t seem to have any effect on numerous performance-intensive benchmarks. I suspect mitigations were not successfully turned off, even though I’d created /etc/kernel/cmdline.d/SOMEFILE.conf that specified they were. Do you have any ideas? Thank you so much!

Cheers!

No idea. I never turned off mitigation.