
Topic: All kernel vulnerabilities mitigation Disabled, without re-compilation?

nick65go (Hero Member)
I would like to use, under a virtual machine (Qemu), a TinyCore kernel that can ENABLE all vulnerabilities (for +5% extra speed). Which maximum kernel version will allow me this? Can I DISABLE all vulnerability mitigations (Meltdown, Spectre etc.) by using the latest TC kernel, and what kernel boot parameters should I use? Thank you.

FYI: According to "https://security.stackexchange.com/questions/177147/why-and-where-was-meltdown-made-public-before-schedule-for-the-first-time" it seems that it was on 09-JAN-2018.

TC-9.x has kernel 4.14.10, which is before kernel 4.15-rc4, when Meltdown was discovered: https://lwn.net/Articles/741878/

TC-10.1 with kernel 4.19.10 has:
vmlinux (on 2018-12-19 12:00:51)  at https://mirrors.dotsrc.org/tinycorelinux/10.x/x86/release_candidates/distribution_files/
vmlinux (on 2019-01-20 11:32:24) at https://mirrors.dotsrc.org/tinycorelinux/10.x/x86/release/distribution_files/

curaga (Administrator)
Re: All kernel vulnerabilities mitigation Disabled, without re-compilation?
« Reply #1 on: January 03, 2025, 07:10:35 AM »
mitigations=off

nick65go (Hero Member)
Re: All kernel vulnerabilities mitigation Disabled, without re-compilation?
« Reply #2 on: January 03, 2025, 07:44:44 AM »
It seems that this is only from kernel 5.2+... and maybe not for TC-10.1 with kernel=4.19.10
performance - Disable Spectre and Meltdown mitigations - Unix & Linux Stack Exchange

"A number of kernel boot parameters are available to disable or fine-tune hardware vulnerability mitigations:
for Spectre v1 and v2: nospectre_v1 (x86, PowerPC), nospectre_v2 (x86, PowerPC, S/390, ARM64), spectre_v2_user=off (x86)
for SSB: spec_store_bypass_disable=off (x86, PowerPC), ssbd=force-off (ARM64)
for L1TF: l1tf=off (x86)
for MDS: mds=off (x86)
for TAA: tsx_async_abort=off
for iTLB multihit: kvm.nx_huge_pages=off
for SRBDS: srbds=off
for retbleed: retbleed=off
KPTI can be disabled with nopti (x86, PowerPC) or kpti=0 (ARM64)
A meta-parameter, mitigations, was introduced in 5.2 and back-ported to 5.1.2, 5.0.16, and 4.19.43 (and perhaps others).
It can be used to control all mitigations, on all architectures, as follows:

mitigations=off will disable all optional CPU mitigations;
mitigations=auto (the default setting) will mitigate all known CPU vulnerabilities, but leave SMT enabled (if it is already);
mitigations=auto,nosmt will mitigate all known CPU vulnerabilities and disable SMT if appropriate."

So, using only "mitigations=off" will disable ALL the mitigations listed above (nospectre_v1, nospectre_v2, spectre_v2_user=off, spec_store_bypass_disable=off, l1tf=off, mds=off, tsx_async_abort=off, kvm.nx_huge_pages=off, srbds=off, retbleed=off, nopti), without any extra parameters to add? OK, Thank you!
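Two checks a practitioner would run before trusting "mitigations=off" on an older TinyCore kernel, as an added example that is not part of the thread or of TinyCore. First, the kernel does not reject a boot parameter it does not understand, so on a 4.19.10 kernel "mitigations=off" is simply ignored; the script below encodes the version cut-offs quoted from the Stack Exchange answer (mainline 5.2, backported to 4.19.43, 5.0.16, 5.1.2) to tell you whether the parameter is even parsed. Second, whatever you pass, the authoritative answer is what the booted kernel reports under /sys/devices/system/cpu/vulnerabilities/, so the script also summarises that directory. The sample sysfs directory it builds is constructed for the example (typical wording for an affected x86 CPU booted with mitigations=off), not captured from a real machine; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread or TinyCore.
#  1. mitigations_param_supported: does this kernel release parse "mitigations="?
#     Cut-offs are those quoted in the thread: 5.2 mainline, backports 4.19.43,
#     5.0.16, 5.1.2. Anything older silently ignores the parameter.
#  2. report_vulnerabilities / count_unmitigated: read the kernel's own verdict
#     from /sys/devices/system/cpu/vulnerabilities (or a directory laid out like it).

# Usage: mitigations_param_supported "4.19.10"   -> exit 0 = parsed, 1 = ignored
mitigations_param_supported() {
    ver=${1%%-*}                                   # "5.15.0-1-amd64" -> "5.15.0"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs # split on dots into $1 $2 $3
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}     # "10+" -> "10"
    case "$major.$minor" in
        4.19) min_patch=43 ;;                      # stable lines that got the backport
        5.0)  min_patch=16 ;;
        5.1)  min_patch=2 ;;
        *)    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }; then
                  return 0
              fi
              return 1 ;;
    esac
    if [ "$patch" -ge "$min_patch" ]; then return 0; fi
    return 1
}

# Usage: report_vulnerabilities [dir]  -> one "name<TAB>status" line per sysfs entry
report_vulnerabilities() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        IFS= read -r status < "$f"
        printf '%s\t%s\n' "${f##*/}" "$status"
    done
}

# Usage: count_unmitigated [dir]  -> how many entries the kernel still calls "Vulnerable"
# Entries that start with "Mitigation:" (e.g. l1tf PTE inversion, which is not
# switchable) or "Not affected" are not counted.
count_unmitigated() {
    report_vulnerabilities "$1" | awk -F'\t' '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }'
}

# CONSTRUCTED sample directory (not captured from a real host): the wording an
# affected x86 guest typically shows after booting with mitigations=off.
# Prints the directory path so callers can inspect and remove it.
make_sample_sysfs() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers\n' > "$d/spectre_v1"
    printf 'Vulnerable, IBPB: disabled, STIBP: disabled\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Mitigation: PTE Inversion; VMX: vulnerable\n' > "$d/l1tf"   # stays on even with l1tf=off
    printf 'Vulnerable; SMT vulnerable\n' > "$d/mds"
    printf 'Not affected\n' > "$d/tsx_async_abort"
    printf 'Not affected\n' > "$d/itlb_multihit"
    printf 'Not affected\n' > "$d/srbds"
    printf '%s\n' "$d"
}

# Run with --live to check the kernel you are currently booted into.
if [ "${1:-}" = "--live" ]; then
    if mitigations_param_supported "$(uname -r)"; then
        echo "kernel $(uname -r): mitigations= is parsed"
    else
        echo "kernel $(uname -r): mitigations= is NOT parsed; use the per-issue flags instead"
    fi
    report_vulnerabilities
fi
```

For a QEMU guest the parameter goes on the guest kernel command line, e.g. `-append "mitigations=off ..."` next to `-kernel vmlinuz`; after boot, `sh this-script.sh --live` inside the guest shows what actually changed. Two caveats the sysfs output makes visible: some cheap mitigations (l1tf PTE inversion) remain regardless of the flag, and the guest's setting does nothing to the host kernel's own mitigations or to host-side knobs such as kvm.nx_huge_pages, so the speed gain is bounded by what the host still enforces.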