MitigationControls

The Meltdown and Spectre vulnerabilities involve a performance-security tradeoff. The following describes the relevant tunables offered for selectively disabling mitigations in contexts where the tradeoffs have been evaluated and justified.

Each entry below gives the five columns of the original table in order: Arch, Description, Kernel Parameter, Options and Ubuntu default (a column is omitted where the table leaves it empty).

Arch: amd64
Description: Control Page Table Isolation of user and kernel address spaces. Disabling this feature removes the CVE-2017-5754 (aka Meltdown) mitigation on affected processors, but improves the performance of system calls and interrupts.
Kernel Parameter: pti=[on|off|auto]
Options:
  on - unconditionally enable
  off - unconditionally disable
  auto - kernel detects whether your CPU model is vulnerable to CVE-2017-5754 (aka Meltdown)
  Not specifying this option is equivalent to pti=auto.
Ubuntu default: pti=auto

Arch: amd64
Description: Disable Kernel Page Table Isolation (KPTI).
Kernel Parameter: nopti
Options: Equivalent to pti=off

Arch: arm64
Description: Disable Kernel Page Table Isolation (KPTI).
Kernel Parameter: kpti=[on|off]
Options:
  on - unconditionally enable
  off - unconditionally disable
  (unspecified) - kernel detects whether your CPU model is vulnerable to CVE-2017-5754 (aka Meltdown)
  Not specifying this option is equivalent to pti=auto.
Ubuntu default: (unspecified)

Arch: ppc64el
Description: Disable the L1-D cache flush on exit from kernel to user mode that is used as protection against CVE-2017-5754 (aka Meltdown) on powerpc processors.
Kernel Parameter: no_rfi_flush

Arch: ppc64el
Description: On powerpc, nopti is just an alias for no_rfi_flush.
Kernel Parameter: nopti

Arch: amd64
Description: Disable the PCID CPU feature.
Kernel Parameter: nopcid
Ubuntu default: PCID is enabled if the CPU supports it.

Arch: amd64
Description: Disable the indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) features when running in a secure environment, to avoid their performance overhead. Disabling these features removes mitigations for CVE-2017-5715 (aka Spectre / Variant 2).
Kernel Parameter: noibrs, noibpb
Options:
  At run time:
  echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS
  echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in the kernel
  echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and the kernel
Ubuntu default: By default, the system will enable IBRS and IBPB usage if the CPU supports it.

Arch: amd64
Description: Control mitigation of CVE-2017-5715 (aka Spectre / Variant 2).
Kernel Parameter: spectre_v2=[on|off|auto|retpoline|retpoline,generic|retpoline,amd]
Options:
  on - unconditionally enable
  off - unconditionally disable
  auto - kernel detects whether your CPU model is vulnerable
  Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.
  Specific mitigations can also be selected manually:
  retpoline - replace indirect branches
  retpoline,generic - Google's original retpoline
  retpoline,amd - AMD-specific minimal thunk
  Not specifying this option is equivalent to spectre_v2=auto.
Ubuntu default: spectre_v2=auto

Arch: amd64
Description: Disable all mitigations for CVE-2017-5715 (aka Spectre / Variant 2). The system may allow data leaks with this option.
Kernel Parameter: nospectre_v2
Options: Equivalent to spectre_v2=off

Arch: s390x
Description: Run the kernel with a modified branch predictor.
Kernel Parameter: nobp=[0|1]
Options:
  With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available.
  With nobp=0, the kernel will run in the normal branch prediction mode.
Ubuntu default: nobp=1

Arch: s390x
Description: Run the kernel in the normal branch prediction mode.
Kernel Parameter: nospec
Options: Equivalent to nobp=0

Arch: s390x
Description: Disable no-spec barriers.
Kernel Parameter: nogmb
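Because several of these parameters are aliases of each other (nopti and pti=off, nospectre_v2 and spectre_v2=off, nospec and nobp=0, nopti and no_rfi_flush on powerpc) and an unspecified parameter silently means auto, auditing a fleet by grepping for one spelling misses the others. The POSIX shell script below is an added example, not code from this wiki page or from Ubuntu: it resolves the effective setting from a command line using the equivalences the table states, lists the CVEs whose mitigation that command line switches off, and reads back the kernel's own verdict from /sys/devices/system/cpu/vulnerabilities (present since Linux 4.15) and the /proc/sys/kernel/ibrs_enabled values described above. The script name is hypothetical; it assumes that a bare alias takes precedence over a conflicting key=value form (the page only says they are equivalent), that `dpkg --print-architecture` yields the same architecture names as the table's Arch column, and it labels the unspecified arm64 and ppc64el cases "auto" because the page gives them no named default.

```shell
#!/bin/sh
# mitigation-audit.sh (hypothetical name; added example, not from the Ubuntu wiki).
# Resolves the effective Meltdown/Spectre settings implied by a kernel command
# line, using the equivalences stated on the page (nopti == pti=off,
# nospectre_v2 == spectre_v2=off, nospec == nobp=0, powerpc nopti == no_rfi_flush),
# then reports what the running kernel says about them. Every function takes its
# input as arguments so it can be run on a constructed command line or directory.

# has_word CMDLINE WORD: true if WORD appears as a whole token of CMDLINE.
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# value_of CMDLINE KEY: print the value of the last KEY=value token, or nothing.
value_of() {
    _s=" $1"
    case "$_s" in
        *" $2="*) _rest=${_s##*" $2="}; printf '%s' "${_rest%% *}" ;;
        *) printf '' ;;
    esac
}

# effective_pti CMDLINE ARCH: on|off|auto; unspecified means auto (the page's
# default). Assumption: a bare alias (nopti, no_rfi_flush) wins over a
# conflicting pti= value; the page only states that the two are equivalent.
effective_pti() {
    case "$2" in
        amd64)
            if has_word "$1" nopti; then printf 'off'; return 0; fi
            _v=$(value_of "$1" pti); printf '%s' "${_v:-auto}" ;;
        arm64)
            _v=$(value_of "$1" kpti); printf '%s' "${_v:-auto}" ;;
        ppc64el)
            if has_word "$1" nopti || has_word "$1" no_rfi_flush; then
                printf 'off'
            else
                printf 'auto'   # the page lists no default; the kernel decides
            fi ;;
        *) printf 'n/a' ;;
    esac
}

# effective_spectre_v2 CMDLINE (amd64): off, auto or the explicit spectre_v2= value.
effective_spectre_v2() {
    if has_word "$1" nospectre_v2; then printf 'off'; return 0; fi
    _v=$(value_of "$1" spectre_v2); printf '%s' "${_v:-auto}"
}

# effective_nobp CMDLINE (s390x): 0 or 1; nospec == nobp=0, Ubuntu default nobp=1.
effective_nobp() {
    if has_word "$1" nospec; then printf '0'; return 0; fi
    _v=$(value_of "$1" nobp); printf '%s' "${_v:-1}"
}

# disabled_cves CMDLINE ARCH: space-separated CVEs whose mitigation the command
# line switches off (the page ties noibrs/noibpb to CVE-2017-5715 as well).
disabled_cves() {
    _out=""
    if [ "$(effective_pti "$1" "$2")" = off ]; then _out="$_out CVE-2017-5754"; fi
    if [ "$2" = amd64 ]; then
        if [ "$(effective_spectre_v2 "$1")" = off ] \
           || has_word "$1" noibrs || has_word "$1" noibpb; then
            _out="$_out CVE-2017-5715"
        fi
    fi
    printf '%s' "${_out# }"
}

# vuln_status DIR NAME: the kernel's own verdict for NAME (meltdown, spectre_v2, ...)
# read from DIR, by default /sys/devices/system/cpu/vulnerabilities (Linux 4.15+).
vuln_status() {
    _f="${1:-/sys/devices/system/cpu/vulnerabilities}/$2"
    if [ -r "$_f" ]; then cat "$_f"; else printf 'unknown'; fi
}

# ibrs_runtime_state FILE: decode /proc/sys/kernel/ibrs_enabled with the
# meanings the page gives for 0, 1 and 2.
ibrs_runtime_state() {
    _f=${1:-/proc/sys/kernel/ibrs_enabled}
    [ -r "$_f" ] || { printf 'not available on this kernel'; return 0; }
    case "$(cat "$_f")" in
        0) printf 'IBRS off' ;;
        1) printf 'IBRS on in kernel' ;;
        2) printf 'IBRS on in userspace and kernel' ;;
        *) printf 'unrecognised value' ;;
    esac
}

# Live report against this machine: sh mitigation-audit.sh --live
# (dpkg names match the page's Arch column; uname -m is only a fallback)
if [ "${1:-}" = "--live" ]; then
    arch=$(dpkg --print-architecture 2>/dev/null || uname -m)
    cmdline=$(cat /proc/cmdline)
    echo "arch: $arch   cmdline: $cmdline"
    echo "effective pti: $(effective_pti "$cmdline" "$arch")"
    echo "disabled by cmdline: $(disabled_cves "$cmdline" "$arch")"
    for n in meltdown spectre_v1 spectre_v2; do
        echo "sysfs $n: $(vuln_status '' "$n")"
    done
    echo "runtime: $(ibrs_runtime_state '')"
fi
```

The two views are deliberately kept separate: the command-line functions tell you what the boot configuration asks for, while vuln_status tells you what the kernel actually did, which can differ legitimately (a CPU reported as "Not affected" needs no PTI regardless of pti=auto). A host where the command line disables a mitigation but sysfs still reports "Mitigation: ..." is worth a second look, as is the reverse.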

SecurityTeam/KnowledgeBase/SpectreAndMeltdown/MitigationControls (last edited 2018-04-03 05:17:01 by dannf)