MitigationControls

The Meltdown and Spectre vulnerabilities involve a performance-security tradeoff. The following describes the relevant tunables offered for selectively disabling mitigations in contexts where the tradeoffs have been evaluated and justified.

IMPORTANT: Vulnerability mitigations should only be disabled in carefully controlled environments where all of the code being executed is known and trusted. Disabling any of these mitigations in situations where untrusted code can be executed is not recommended.

CVE-2017-5754 (aka Meltdown)

Arch: amd64
Description: Control Kernel Page Table Isolation
Kernel Parameter: pti=[on|off|auto]
Options:
  on - unconditionally enable mitigations
  off - unconditionally disable mitigations
  auto - kernel detects whether your CPU model is vulnerable and enables mitigations if needed
Ubuntu default: pti=auto

Arch: amd64
Description: Disable Kernel Page Table Isolation
Kernel Parameter: nopti
Options: Equivalent to pti=off

Arch: arm64
Description: Control Kernel Page Table Isolation
Kernel Parameter: kpti=[on|off]
Options:
  on - unconditionally enable mitigations
  off - unconditionally disable mitigations
  (unspecified) - kernel detects whether your CPU model is vulnerable and enables mitigations if needed
Ubuntu default: (unspecified)

Arch: ppc64el
Description: Disable mitigations by ignoring L1-D cache flushing on exit from kernel to user mode on powerpc processors
Kernel Parameter: no_rfi_flush

Arch: ppc64el
Description: On powerpc, nopti is just an alias to no_rfi_flush.
Kernel Parameter: nopti

Arch: amd64
Description: Disable the PCID CPU feature.
Kernel Parameter: nopcid
Ubuntu default: PCID is enabled if the CPU supports it.

CVE-2017-5715 (aka Spectre / Variant 2)

Arch: amd64
Description: Disable indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) feature when running in a secure environment, to avoid performance overhead (system may allow data leaks with this option)
Kernel Parameter: noibrs, noibpb
Options: At run time:
  echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS
  echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in kernel
  echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and kernel
Ubuntu default: By default, the system will enable IBRS and IBPB usage if the CPU supports it

Arch: amd64
Description: Mitigation selection
Kernel Parameter: spectre_v2=[on|off|auto|retpoline|retpoline,generic|retpoline,amd]
Options:
  on - unconditionally enable
  off - unconditionally disable
  auto - kernel detects whether your CPU model is vulnerable
  Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.
  Specific mitigations can also be selected manually:
  retpoline - replace indirect branches
  retpoline,generic - Google's original retpoline
  retpoline,amd - AMD-specific minimal thunk
  Not specifying this option is equivalent to spectre_v2=auto.
Ubuntu default: spectre_v2=auto

Arch: amd64
Description: Disable all mitigations (system may allow data leaks with this option)
Kernel Parameter: nospectre_v2
Options: Equivalent to spectre_v2=off

Arch: s390x
Description: Run the kernel with a modified branch predictor
Kernel Parameter: nobp=[0|1]
Options:
  With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available.
  With nobp=0, the kernel will run in the normal branch prediction mode.
Ubuntu default: nobp=1

Arch: s390x
Description: Run the kernel in the normal branch prediction mode
Kernel Parameter: nospec
Options: Equivalent to nobp=0

Arch: s390x
Description: Disable no-spec barriers
Kernel Parameter: nogmb

CVE-2018-3639 (aka Variant 4)

Arch: amd64
Description: Fine-grained mitigations
Kernel Parameter: spec_store_bypass_disable=[prctl|seccomp]
Options:
  prctl - mitigations disabled by default, with opt-in enablement available via prctl()
  seccomp - same as "prctl", plus all applications with a seccomp filter are implicitly opted in to mitigations

Arch: amd64, ppc64el
Description: Global mitigations
Kernel Parameter: spec_store_bypass_disable=[on|off|auto]
Options:
  on - unconditionally enable mitigations
  off - unconditionally disable mitigations
  auto - On x86, same as "seccomp" above. On ppc64el, the kernel and virtual machines are protected.
Ubuntu default: auto

Arch: amd64, ppc64el
Description: Disable all mitigations (system may allow data leaks with this option)
Kernel Parameter: nospec_store_bypass_disable
Options: Equivalent to spec_store_bypass_disable=off
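The equivalences in the tables above (nopti is pti=off, nospectre_v2 is spectre_v2=off, nospec_store_bypass_disable is spec_store_bypass_disable=off, and an unspecified parameter means auto) can be applied to a kernel command line to report the effective setting of each control. The helper below is an added example, not part of this page or of Ubuntu; it treats a bare "no..." alias as taking precedence over an explicit key=value (an assumption made for this example), and the sample command line it parses is constructed.

```shell
#!/bin/sh
# Resolve the effective mitigation settings from a kernel command line,
# applying the equivalences documented on this page:
#   nopti                        -> pti=off
#   nospectre_v2                 -> spectre_v2=off
#   nospec_store_bypass_disable  -> spec_store_bypass_disable=off
# A parameter that is not specified resolves to its default (auto).

# Print the value of "key=value" from a command line string (empty if absent).
cmdline_value() {
    key=$1; cmdline=$2
    for tok in $cmdline; do
        case $tok in
            "$key="*) printf '%s\n' "${tok#"$key="}"; return 0 ;;
        esac
    done
    return 0
}

# Return 0 if a bare flag such as nopti is present on the command line.
cmdline_flag() {
    flag=$1; cmdline=$2
    for tok in $cmdline; do
        [ "$tok" = "$flag" ] && return 0
    done
    return 1
}

# effective_setting KEY OFF_ALIAS DEFAULT CMDLINE
# The bare alias is given precedence over KEY=value (assumption for this example).
effective_setting() {
    key=$1; off_alias=$2; default=$3; cmdline=$4
    if cmdline_flag "$off_alias" "$cmdline"; then
        printf 'off\n'; return 0
    fi
    v=$(cmdline_value "$key" "$cmdline")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$default"; fi
}

# Audit report; with no argument it reads the running kernel's /proc/cmdline.
audit_cmdline() {
    cmdline=${1:-$(cat /proc/cmdline 2>/dev/null)}
    printf 'pti=%s\n' "$(effective_setting pti nopti auto "$cmdline")"
    printf 'spectre_v2=%s\n' "$(effective_setting spectre_v2 nospectre_v2 auto "$cmdline")"
    printf 'spec_store_bypass_disable=%s\n' "$(effective_setting spec_store_bypass_disable nospec_store_bypass_disable auto "$cmdline")"
}

# Constructed sample command line (not captured from a real system).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nopti spectre_v2=retpoline,generic quiet'
```

Running `audit_cmdline "$SAMPLE_CMDLINE"` prints pti=off, spectre_v2=retpoline,generic and spec_store_bypass_disable=auto; calling it with no argument audits the booted kernel.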

SecurityTeam/KnowledgeBase/SpectreAndMeltdown/MitigationControls (last edited 2018-07-11 19:46:22 by tyhicks)