Spectre and Meltdown Mitigations

[elvisimprsntr]

BACKGROUND

I run both CORE and SCALE behind pfSense and don't expose either directly to the internet. Obviously, Spectre and Meltdown come with performance hits. I was hoping that there was an easy way to disable mitigations to assess the performance impact. On Linux, there is a mitigations=off kernel option that will disable all mitigations rather than having to specify all of them individually.

Disable Spectre Meltdown Mitigations

BACKGROUND I'm running a homelab. I wanted to test the performance hit of all the mitigations including SMT, but the method I found does not seem to be working QUESTION What is the correct method? VERSION PVE 7.2-7 5.15.39-1-pve METHOD USED 1. nano /etc/default/grub to...

forum.proxmox.com

QUESTIONS

1. Is there an equivalent for CORE (FreeBSD) and where to configure it to persist on updates?
2. Since SCALE is based on Debian, I assume it supports the mitigations=off kernel option, but where can it be configured to persist on updates?

 

[Samuel Tai]

For Core, you could try tunables from https://forums.freebsd.org/threads/...down-or-any-cache-side-channel-attacks.72437/. There's 2 loader tunables and 1 sysctl tunable:

1. LOADER: vm.pmap.pti=0
2. LOADER: hw.ibrs_disable=1
3. SYSCTL: hw.mds_disable=0

 

[elvisimprsntr]

Thanks.

If I check the current values.

Code:

root@NAS-1[~]# sysctl vm.pmap.pti
vm.pmap.pti: 1
root@NAS-1[~]# sysctl hw.ibrs_disable
hw.ibrs_disable: 1
root@NAS-1[~]# sysctl hw.mds_disable
hw.mds_disable: 0

I am trying to figure what the default states mean and what to change. There is no lscpu command in CORE (exists in FreeBSD) to display all the vulnerabilities and mitigation status. https://ixsystems.atlassian.net/browse/NAS-117291

BTW, I tried to perform a sysctl -a to display all the variables, but it resulted in a kernel panic and hard reboot. New bug reporting does not allow one to mark debug logs as private. https://ixsystems.atlassian.net/browse/NAS-117290

Also the hyperlinks do not parse the bug report title. It just parses the log in page.

Log in with Atlassian account

Log in to Jira, Confluence, and all other Atlassian Cloud products here. Not an Atlassian user? Sign up for free.

ixsystems.atlassian.net

 

[HoneyBadger]

Interested to see your benchmarks, but from my experience on non-FreeBSD servers the mitigations have only really shown an impact on heavily CPU loaded systems - it basically moves the inflection point on the latency curve to a lower CPU load value (you start observing impact at 70-75% CPU vs 80-85%)

I know these mitigations allegedly impact workloads with heavy I/O more. Curious to see the results from the King.

 

[elvisimprsntr]

For the record, on SCALE the command to disable all the mitigations

Code:

midclt call system.advanced.update '{"kernel_extra_options": "mitigations=off"}'

Not sure if persists on update.

Code:

lscpu                                                                       
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Vulnerable; SMT vulnerable
Vulnerability Meltdown:          Vulnerable
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, IBPB: disabled, STIBP: disabled
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected

Sadly, it appears FreeBSD does not support the mitigations=off kernel boot option