MitigationControls
The Meltdown and Spectre vulnerabilities involve a performance-security tradeoff. The tables below list, per architecture, the kernel command-line tunables available for selectively disabling the mitigations in contexts where that tradeoff has been evaluated and justified.
IMPORTANT: Vulnerability mitigations should only be disabled in carefully controlled environments where all of the code being executed is known and trusted. Disabling any of these mitigations in situations where untrusted code can be executed is not recommended.
CVE-2017-5754 (aka Meltdown)
| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|---|---|---|---|---|
| amd64 | Control Kernel Page Table Isolation | pti=[on\|off\|auto] | on - unconditionally enable mitigations | pti=auto |
| amd64 | Disable Kernel Page Table Isolation | nopti | Equivalent to pti=off | |
| arm64 | Control Kernel Page Table Isolation | kpti=[on\|off] | on - unconditionally enable mitigations | (unspecified) |
| ppc64el | Disable mitigations by ignoring L1-D cache flushing on exit from kernel to user mode on powerpc processors | no_rfi_flush | | |
| ppc64el | On powerpc, nopti is just an alias to no_rfi_flush. | nopti | | |
| amd64 | Disable the PCID CPU feature. | nopcid | | PCID is enabled if the CPU supports it. |
CVE-2017-5715 (aka Spectre / Variant 2)
| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|---|---|---|---|---|
| amd64 | Disable the indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) feature when running in a secure environment, to avoid performance overhead (system may allow data leaks with this option) | noibrs | At run time: | By default, the system will enable ibrs and ibpb usage if the CPU supports it |
| amd64 | Mitigation selection | spectre_v2=[on\|off\|auto\|retpoline\|retpoline,generic\|retpoline,amd] | on - unconditionally enable | spectre_v2=auto |
| amd64 | Disable all mitigations (system may allow data leaks with this option) | nospectre_v2 | Equivalent to spectre_v2=off | |
| s390x | Run the kernel with a modified branch predictor | nobp=[0\|1] | With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available. | nobp=1 |
| s390x | Run the kernel in the normal branch prediction mode | nospec | Equivalent to nobp=0 | |
| s390x | Disable no-spec barriers | nogmb | | |
CVE-2018-3639 (aka Variant 4)
| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|---|---|---|---|---|
| amd64 | Fine-grained mitigations | spec_store_bypass_disable=[prctl\|seccomp] | prctl - mitigations disabled by default, with opt-in enablement available via prctl() | |
| amd64 | Global mitigations | spec_store_bypass_disable=[on\|off\|auto] | on - unconditionally enable mitigations | auto |
| amd64 | Disable all mitigations (system may allow data leaks with this option) | nospec_store_bypass_disable | Equivalent to spec_store_bypass_disable=off | |
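As an added example (not from the Ubuntu wiki, the kernel or GRUB), the POSIX shell script below recognises the tunables from the three tables above on a kernel command line, flags the ones that switch a mitigation off, and appends or replaces a parameter in a GRUB_CMDLINE_LINUX_DEFAULT line without duplicating it. The audit is exercised on a constructed command line; on a live host it also reads /proc/cmdline and the kernel's own per-CVE reports under /sys/devices/system/cpu/vulnerabilities/. The verdict labels ("disables", "opt-in", "sets") and the grub_set_param helper are this example's own conventions, not kernel or GRUB interfaces.

```shell
#!/bin/sh
# Added example: audit a kernel command line for the Meltdown/Spectre
# mitigation controls listed in the tables on this page.

# spectre_audit CMDLINE
# Prints one line per recognised tunable, "<CVE> <token> <verdict>", where
# verdict is "disables" (a mitigation is switched off), "opt-in" (off by
# default, enabled per process) or "sets" (explicit value that keeps the
# mitigation). Returns 1 if any token disables a mitigation, else 0.
spectre_audit() {
    found_disable=0
    for tok in $1; do
        case "$tok" in
            # CVE-2017-5754 (Meltdown); on ppc64el nopti aliases no_rfi_flush.
            # nopcid only disables the PCID feature, not the isolation itself.
            pti=off|nopti|kpti=off|no_rfi_flush)
                echo "CVE-2017-5754 $tok disables"; found_disable=1 ;;
            pti=*|kpti=*|nopcid)
                echo "CVE-2017-5754 $tok sets" ;;
            # CVE-2017-5715 (Spectre v2); nobp=0, nospec and nogmb are s390x
            spectre_v2=off|nospectre_v2|noibrs|nobp=0|nospec|nogmb)
                echo "CVE-2017-5715 $tok disables"; found_disable=1 ;;
            spectre_v2=*|nobp=*)
                echo "CVE-2017-5715 $tok sets" ;;
            # CVE-2018-3639 (Variant 4)
            spec_store_bypass_disable=off|nospec_store_bypass_disable)
                echo "CVE-2018-3639 $tok disables"; found_disable=1 ;;
            spec_store_bypass_disable=prctl|spec_store_bypass_disable=seccomp)
                echo "CVE-2018-3639 $tok opt-in" ;;
            spec_store_bypass_disable=*)
                echo "CVE-2018-3639 $tok sets" ;;
        esac
    done
    return $found_disable
}

# grub_set_param LINE PARAM
# LINE is a GRUB_CMDLINE_LINUX_DEFAULT="..." line from /etc/default/grub.
# Prints the line with PARAM added; an existing parameter of the same name
# (the part before "=") is replaced so the command line never carries two.
grub_set_param() {
    line=$1; new=$2
    name=${new%%=*}
    cur=${line#*=\"}; cur=${cur%\"}    # the value between the quotes
    out=""
    for tok in $cur; do
        case "$tok" in
            "$name"|"$name"=*) ;;       # drop the old instance
            *) out="$out $tok" ;;
        esac
    done
    out="$out $new"; out=${out# }
    echo "GRUB_CMDLINE_LINUX_DEFAULT=\"$out\""
}

# Constructed command line (not captured from a real host) for demonstration.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet pti=auto nospectre_v2 spec_store_bypass_disable=prctl"
echo "--- sample command line ---"
spectre_audit "$SAMPLE_CMDLINE" || echo "WARNING: a mitigation is disabled"
echo "--- proposed grub edit ---"
grub_set_param 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' 'spectre_v2=auto'

# On a live host, audit the running kernel and show what it reports itself.
if [ -r /proc/cmdline ]; then
    echo "--- this host ---"
    spectre_audit "$(cat /proc/cmdline)" || echo "WARNING: a mitigation is disabled on this host"
    for v in meltdown spectre_v2 spec_store_bypass; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        [ -r "$f" ] && printf '%s: %s\n' "$v" "$(cat "$f")"
    done
fi
```

After changing GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, run update-grub and reboot; the sysfs files above are the authoritative check that the running kernel applied what was requested.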
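The prctl mode in the Variant 4 table leaves Speculative Store Bypass unmitigated for every task until that task opts in through prctl(PR_SET_SPECULATION_CTRL), so an operator who chose that mode needs a way to see which processes actually did. The kernel publishes each task's state as the Speculation_Store_Bypass line of /proc/<pid>/status. The script below, an added example that is not part of the Ubuntu wiki, parses that line from a constructed status excerpt and, on a live host, lists the processes that have not opted in. The ssb_state, ssb_verdict and ssb_scan names are this example's own.

```shell
#!/bin/sh
# Added example: check per-task Speculative Store Bypass state, which is what
# matters once the kernel is booted with spec_store_bypass_disable=prctl.

# ssb_state STATUS_TEXT
# Prints the value of the Speculation_Store_Bypass line of a
# /proc/<pid>/status document (empty if the kernel does not report it).
ssb_state() {
    printf '%s\n' "$1" | sed -n 's/^Speculation_Store_Bypass:[[:space:]]*//p'
}

# ssb_verdict STATE
# Collapses the kernel's wording into "mitigated", "unmitigated" or "n/a"
# (the last covers "not vulnerable", "unknown" and anything unexpected).
ssb_verdict() {
    case "$1" in
        "thread mitigated"|"thread force mitigated"|"globally mitigated") echo mitigated ;;
        "thread vulnerable"|"vulnerable") echo unmitigated ;;
        *) echo n/a ;;
    esac
}

# ssb_scan
# Lists "<pid> <name> <state>" for every live process whose task has not
# opted in. Only meaningful on a host booted with the prctl mode; elsewhere
# every task is either globally mitigated or globally vulnerable.
ssb_scan() {
    for f in /proc/[0-9]*/status; do
        [ -r "$f" ] || continue
        st=$(ssb_state "$(cat "$f")")
        [ "$(ssb_verdict "$st")" = unmitigated ] || continue
        pid=${f#/proc/}; pid=${pid%/status}
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$f")
        printf '%s %s %s\n' "$pid" "$name" "$st"
    done
}

# Constructed /proc/<pid>/status excerpt (not captured from a real host):
# a task that never called prctl() under the prctl mode.
SAMPLE_STATUS=$(printf 'Name:\tsshd\nPid:\t1234\nSpeculation_Store_Bypass:\tthread vulnerable\n')

st=$(ssb_state "$SAMPLE_STATUS")
echo "sample task: '$st' -> $(ssb_verdict "$st")"
[ -d /proc/self ] && ssb_scan
```

A process that opted in shows "thread mitigated" (or "thread force mitigated" if it also asked for the setting to be locked), and on a kernel running with spec_store_bypass_disable=on every task shows "globally mitigated".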
SecurityTeam/KnowledgeBase/SpectreAndMeltdown/MitigationControls (last edited 2018-07-11 19:46:22 by tyhicks)