Linux Desktop Kernel Optimisation

Is anyone interested in building good kernel config optimized for desktop systems/notebooks?

Right now, I am configuring a 5.6.x kernel for a Dell XPS 7390 2-in-1 with a 1065G7 Ice Lake CPU, and trying to find complete info on which Spectre/Meltdown mitigations can be safely disabled on a new Intel CPU via kernel config or cmdline. Also I am planning to benchmark my config version with the Phoronix Test Suite to see “objective” results compared with native Clear Linux kernel builds.

The problem is that what you’re doing is potentially insecure: if you use e.g. a browser, you are likely executing untrusted (web) code, and might be vulnerable to unforeseen side-channel attacks.

I would caution against making statements that put “desktop use” in a classification that ignores side-channel attacks. I would definitely write some clear disclaimers that your kernel disables security protections.

There are some valid use cases for something like this, e.g. air-gapped computers. But I would caution against it for any network-connected computer.

Yes, I fully understand your concern about security, but I am searching for kernel flags that can be disabled safely, because servers (where different users can run code) and desktops (where there is one primary user) are so different in their security approach. Most of the side-channel attacks from browsers are already solved, like these: Mitigating Side-Channel Attacks or Speculative execution side-channel attack ("Spectre") — Mozilla

Also, I want to disable security patches that do not affect my CPU (a new CPU).
“Ice Lake with its Sunny Cove microarchitecture – similar to Cascade Lake – is no longer affected by Meltdown, MDS, or L1TF / Foreshadow.”
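One way to settle the question raised in the opening post and in this reply (which mitigations are worth touching on a given CPU) is to ask the running kernel rather than a CPU-generation table. The kernel exports its per-issue verdict under /sys/devices/system/cpu/vulnerabilities, and where it says “Not affected” the corresponding mitigation was never enabled, so the cmdline switch for it buys nothing. The script below is an added example, not code from this thread or from any project named in it; the cmdline switches come from the kernel’s own kernel-parameters.txt, and the sample status lines are constructed to cover all three states rather than measured on any machine.

```shell
#!/bin/sh
# Added example, not from the thread. The kernel decides per CPU which
# Spectre/Meltdown-class mitigations to apply and reports the result in sysfs;
# that report is what a config or cmdline change should be judged against.
# "Not affected" means the kernel never enabled that mitigation, so there is
# nothing to switch off for that issue.
#
# Real source: /sys/devices/system/cpu/vulnerabilities/<issue>, one file each,
# containing "Not affected", "Vulnerable" or "Mitigation: <details>".

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Kernel command-line switch that turns a given mitigation off
# (Documentation/admin-guide/kernel-parameters.txt). Issues without a
# dedicated switch only go away with the global mitigations=off.
knob_for() {
    case "$1" in
        meltdown)          echo "pti=off" ;;
        spectre_v1)        echo "nospectre_v1" ;;
        spectre_v2)        echo "spectre_v2=off" ;;
        spec_store_bypass) echo "spec_store_bypass_disable=off" ;;
        l1tf)              echo "l1tf=off" ;;
        mds)               echo "mds=off" ;;
        tsx_async_abort)   echo "tsx_async_abort=off" ;;
        *)                 echo "(mitigations=off only)" ;;
    esac
}

# classify "<status text>" -> not_affected | vulnerable | mitigated | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        "Mitigation:"*)  echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# report: reads "<issue><TAB><status>" lines on stdin, prints one verdict each:
#   redundant -> the knob changes nothing; the kernel already skipped it
#   tradeoff  -> the knob trades a real, active protection for speed
#   exposed   -> no mitigation is active at all; do not weaken further
report() {
    tab=$(printf '\t')
    while IFS="$tab" read -r issue status; do
        [ -n "$issue" ] || continue
        case "$(classify "$status")" in
            not_affected) printf '%-18s redundant  %s (kernel already skips it)\n' "$issue" "$(knob_for "$issue")" ;;
            mitigated)    printf '%-18s tradeoff   %s would disable: %s\n' "$issue" "$(knob_for "$issue")" "$status" ;;
            vulnerable)   printf '%-18s exposed    no mitigation active: %s\n' "$issue" "$status" ;;
            *)            printf '%-18s unknown    %s\n' "$issue" "$status" ;;
        esac
    done
}

# live_report: same thing against the real sysfs directory, if this host has one.
live_report() {
    [ -d "$VULN_DIR" ] || { echo "no $VULN_DIR on this host" >&2; return 1; }
    for f in "$VULN_DIR"/*; do
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done | report
}

# Constructed sample standing in for the sysfs directory. The strings follow
# the kernel's format but were not read from any machine.
SAMPLE=$(printf '%s\t%s\n' \
    meltdown          "Not affected" \
    l1tf              "Not affected" \
    mds               "Not affected" \
    spectre_v1        "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" \
    spectre_v2        "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling" \
    spec_store_bypass "Mitigation: Speculative Store Bypass disabled via prctl and seccomp" \
    tsx_async_abort   "Vulnerable")

# On a real host call live_report instead of feeding the sample.
printf '%s\n' "$SAMPLE" | report
```

The useful output is the “tradeoff” lines: those are the only switches that actually change anything on the machine, and each one is named next to the protection it removes, which is the disclaimer the earlier reply asked for.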

I don’t think creating your own kernel is insecure … in fact that is the reason we use Linux. If you don’t compile your kernel there is no point in using Linux.
Although it is not an easy task, due to the number of hardware options that appear which it is impossible to know, there are ways to achieve it.
I usually start from the config that the system is using, and from there I begin to remove things that I am sure I do not need, in addition to changing processor options or removing everything that is from AMD, since all that takes away performance from the system.
Regarding security in the kernel options, when you do make menuconfig, the security and Internet protocols are well identified, so if you leave them as they are, you should have no problems.
The point is to go on removing elements one or two at a time if we are not sure, compiling and testing, and so on until we cannot remove anything more.
A few months ago I was trying to compile a Zen kernel starting from the Liquorix config on a Debian distribution … from the original 11 MB that the kernel weighed, it got down to 7 MB and only 21 MB of modules. The result was to start Debian 10 in only 15 seconds and run applications much faster.
Currently, although an advantage is obtained, it is not as noticeable as a few years ago … I remember compiling a 400 KB kernel when I had my Pentium II and playing with the first versions of Wine to run Grand Theft Auto 4.
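The pruning routine described in this post (start from the running config, remove hardware you do not have, leave the security options alone) has one failure mode worth a check: a hardening option dropped by accident alongside a driver. The script below is an added example, not code from this thread; it diffs a baseline .config against the pruned one and refuses the result if any option from a short hardening list went missing. The make targets in the comment are the kernel tree’s own; the hardening list is this example’s own choice rather than a complete checklist, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a hand-pruned kernel .config
# against the baseline it was derived from, so that dropping unneeded
# hardware does not silently drop a hardening option too.
#
# The workflow this sits at the end of (kernel tree's own make targets):
#   cp /boot/config-"$(uname -r)" .config   # start from the running config
#   make olddefconfig                       # answer new options with defaults
#   make localmodconfig                     # drop modules not currently loaded
#   audit_config /boot/config-"$(uname -r)" .config

# Options that mitigate memory corruption or speculation attacks; none of
# them depends on which hardware is in the box. This list is the example's
# own selection, not an exhaustive hardening checklist.
REQUIRED_OPTS="
CONFIG_PAGE_TABLE_ISOLATION
CONFIG_RETPOLINE
CONFIG_STACKPROTECTOR_STRONG
CONFIG_RANDOMIZE_BASE
CONFIG_STRICT_KERNEL_RWX
CONFIG_HARDENED_USERCOPY
CONFIG_SECCOMP
CONFIG_SLAB_FREELIST_RANDOM
"

# enabled_opts FILE: names of options set to y or m, sorted, one per line.
enabled_opts() {
    sed -n 's/^\(CONFIG_[A-Za-z0-9_]*\)=[ym]$/\1/p' "$1" | sort
}

# dropped_opts BASE NEW: options enabled in BASE that are no longer enabled in NEW.
dropped_opts() {
    t="${TMPDIR:-/tmp}/cfgaudit.$$"
    enabled_opts "$1" > "$t.base"
    enabled_opts "$2" > "$t.new"
    comm -23 "$t.base" "$t.new"
    rm -f "$t.base" "$t.new"
}

# missing_hardening FILE: required options that are not =y in FILE
# (covers both "# CONFIG_X is not set" and the line being absent).
missing_hardening() {
    for opt in $REQUIRED_OPTS; do
        grep -q "^$opt=y\$" "$1" || echo "$opt"
    done
}

# audit_config BASE NEW: list what was dropped; return 1 if hardening was lost.
audit_config() {
    echo "options dropped going from $1 to $2:"
    dropped_opts "$1" "$2" | sed 's/^/  /'
    missing=$(missing_hardening "$2")
    if [ -n "$missing" ]; then
        echo "hardening options missing in $2:"
        printf '  %s\n' $missing
        return 1
    fi
    echo "all required hardening options present in $2"
}

# Constructed sample configs (not taken from any real system): a baseline,
# a pruning that only drops the AMD GPU driver, and a pruning that also
# lost PTI along the way.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/base.config" <<'EOF'
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECCOMP=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_DRM_AMDGPU=m
CONFIG_DRM_I915=m
EOF
grep -v '^CONFIG_DRM_AMDGPU=' "$SAMPLE_DIR/base.config" > "$SAMPLE_DIR/pruned_ok.config"
sed 's/^CONFIG_PAGE_TABLE_ISOLATION=y$/# CONFIG_PAGE_TABLE_ISOLATION is not set/' \
    "$SAMPLE_DIR/pruned_ok.config" > "$SAMPLE_DIR/pruned_bad.config"

audit_config "$SAMPLE_DIR/base.config" "$SAMPLE_DIR/pruned_ok.config"
if audit_config "$SAMPLE_DIR/base.config" "$SAMPLE_DIR/pruned_bad.config"; then
    echo "unexpected: pruned_bad.config passed"
else
    echo "pruned_bad.config rejected, as intended"
fi
```

Run audit_config after each remove-compile-test round rather than once at the end, so the round that lost an option is the one you are still looking at.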
