MitigationControls
The Meltdown and Spectre vulnerabilities involve a performance-security tradeoff. The following describes the relevant tunables offered for selectively disabling mitigations in contexts where the tradeoffs have been evaluated and justified.
CVE-2017-5754 (aka Meltdown)

| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|------|-------------|------------------|---------|----------------|
| amd64 | Control Kernel Page Table Isolation | pti=[on\|off\|auto] | on - unconditionally enable mitigations | pti=auto |
| amd64 | Disable Kernel Page Table Isolation | nopti | Equivalent to pti=off | |
| arm64 | Control Kernel Page Table Isolation | kpti=[on\|off] | on - unconditionally enable mitigations | (unspecified) |
| ppc64el | Disable mitigations by ignoring L1-D cache flushing on exit from kernel to user mode on powerpc processors | no_rfi_flush | | |
| ppc64el | On powerpc, nopti is just an alias to no_rfi_flush. | nopti | | |
| amd64 | Disable the PCID CPU feature. | nopcid | | PCID is enabled if the CPU supports it. |
CVE-2017-5715 (aka Spectre / Variant 2)

| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|------|-------------|------------------|---------|----------------|
| amd64 | Disable indirect branch restricted speculation (IBRS) and/or indirect branch prediction barrier (IBPB) feature when running in a secure environment, to avoid performance overhead (system may allow data leaks with this option) | noibrs | At run time: | By default, the system will enable ibrs and ibpb usage if the CPU supports it |
| amd64 | Mitigation selection | spectre_v2=[on\|off\|auto\|retpoline\|retpoline,generic\|retpoline,amd] | on - unconditionally enable | spectre_v2=auto |
| amd64 | Disable all mitigations (system may allow data leaks with this option) | nospectre_v2 | Equivalent to spectre_v2=off | |
| s390x | Run the kernel with a modified branch predictor | nobp=[0\|1] | With nobp=1, the kernel will switch to a modified branch prediction mode if the firmware interface is available. | nobp=1 |
| s390x | Run the kernel in the normal branch prediction mode | nospec | Equivalent to nobp=0 | |
| s390x | Disable no-spec barriers | nogmb | | |
CVE-2018-3639 (aka Variant 4)

| Arch | Description | Kernel Parameter | Options | Ubuntu default |
|------|-------------|------------------|---------|----------------|
| amd64 | Fine-grained mitigations | spec_store_bypass_disable=[prctl\|seccomp] | prctl - mitigations disabled by default, with opt-in enablement available via prctl() | |
| amd64 | Global mitigations | spec_store_bypass_disable=[on\|off\|auto] | on - unconditionally enable mitigations | auto |
| amd64 | Disable all mitigations (system may allow data leaks with this option) | nospec_store_bypass_disable | Equivalent to spec_store_bypass_disable=off | |
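The three tables above list tunables and a handful of aliases (nopti is pti=off, nospectre_v2 is spectre_v2=off, nospec_store_bypass_disable is spec_store_bypass_disable=off, nospec is nobp=0). The following POSIX sh script is an added example, not part of this wiki page or of Ubuntu's tooling: it takes a kernel command line, resolves each tunable to its effective value using exactly those aliases and the Ubuntu defaults from the tables, and, when run on a live system, also echoes what the kernel reports under /sys/devices/system/cpu/vulnerabilities so the two can be compared. The sample command line at the bottom is constructed for offline use; the rule that an alias such as nopti overrides an explicit pti= value is this script's own simplification, since the page does not describe kernel parsing order.

```shell
#!/bin/sh
# Added example: resolve Meltdown/Spectre boot tunables from a kernel command line.
# Aliases and defaults are taken from the MitigationControls tables; the
# "alias wins over key=value" rule is an assumption made here, not kernel behaviour
# documented on the page.

# has_word CMDLINE WORD -> succeeds if WORD is present as a whole token
has_word() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# value_of CMDLINE KEY -> prints the value of the last KEY=value token (empty if none)
value_of() {
    val=""
    for tok in $1; do
        case "$tok" in
            "$2="*) val="${tok#"$2="}" ;;
        esac
    done
    printf '%s' "$val"
}

# effective_setting CMDLINE KEY -> prints the effective value of KEY
# (alias first, then explicit KEY=value, then the Ubuntu default from the tables)
effective_setting() {
    cmdline=$1
    key=$2
    case "$key" in
        pti)
            has_word "$cmdline" nopti && { printf 'off'; return 0; }
            default=auto ;;
        spectre_v2)
            has_word "$cmdline" nospectre_v2 && { printf 'off'; return 0; }
            default=auto ;;
        spec_store_bypass_disable)
            has_word "$cmdline" nospec_store_bypass_disable && { printf 'off'; return 0; }
            default=auto ;;
        nobp)
            has_word "$cmdline" nospec && { printf '0'; return 0; }
            default=1 ;;
        *)
            printf 'unknown'
            return 1 ;;
    esac
    val=$(value_of "$cmdline" "$key")
    if [ -n "$val" ]; then
        printf '%s' "$val"
    else
        printf '%s' "$default"
    fi
    return 0
}

# report CMDLINE -> one line per tunable, plus any bare disable flags that are present
report() {
    for k in pti spectre_v2 spec_store_bypass_disable nobp; do
        printf '%s=%s\n' "$k" "$(effective_setting "$1" "$k")"
    done
    for flag in nopcid noibrs nogmb no_rfi_flush; do
        if has_word "$1" "$flag"; then
            printf '%s: present (mitigation or CPU feature disabled)\n' "$flag"
        fi
    done
    return 0
}

# sysfs_status -> what the running kernel reports, if the directory exists
sysfs_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -r "$f" ] && printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
    return 0
}

# Constructed sample command line for offline demonstration.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nopti spectre_v2=retpoline quiet'

if [ -r /proc/cmdline ]; then
    echo "== effective settings from /proc/cmdline =="
    report "$(cat /proc/cmdline)"
else
    echo "== effective settings from constructed sample =="
    report "$SAMPLE_CMDLINE"
fi
echo "== kernel-reported status (if available) =="
sysfs_status
```

Run it as a regular user; it only reads /proc and /sys. When a tunable resolves to off while the corresponding sysfs file still reports a mitigation, or vice versa, that is the place to look for a parameter the bootloader dropped or a kernel build that does not honour the option.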