Disabling Spectre and Meltdown mitigations (speculative execution)

snake
Posts: 337
Joined: Sat May 21, 2016 2:20 am

Disabling Spectre and Meltdown mitigations (speculative execution)

Post by snake »

Since the speculative execution CPU vulnerabilities have come about, all fixes and mitigations have come at a cost to CPU-intensive applications such as ZoneMinder. Basically, all PCs became slower in 2018. This is a significant loss for ZoneMinder and we should document ways to disable these fixes, should users wish.

This thread can be a place to gather any options to disable the changes (since they can vary), so that the PCs can run at full speed.
snake
Posts: 337
Joined: Sat May 21, 2016 2:20 am

Re: Disabling Spectre and Meltdown mitigations (speculative execution)

Post by snake »

For starters, I'm going to link to
https://make-linux-fast-again.com
Which currently has:

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off
These are obviously some options you can pass to the Kernel (such as via bootloader / Grub: https://wiki.ubuntu.com/Kernel/KernelBootParameters). If you want to make kernel config file changes, you will need to investigate, as there doesn't seem to be a simple guide for this yet (see below). This is what I was referring to in the intro post. There are MULTIPLE changes you have to make. And the options are changed with every new vulnerability, so it's not as simple as one flag.

Perhaps the installation guides should touch upon this subject...

Regarding kernel config options, one possible approach would be to run this script:
https://github.com/speed47/spectre-meltdown-checker
and review what you have been patched against. Then investigate the shell script. I looked briefly, and the script appears to have distinct functions for all CVEs / vulnerabilities, so if you are patched for one, look at that function in the script. It includes a lookup for configs, so there are various kernel flags there such as CONFIG_RETPOLINE, CONFIG_PAGE_TABLE_ISOLATION, CONFIG_KAISER, CONFIG_HARDEN_BRANCH_PREDICTOR, etc.

If someone goes through this process it would be helpful to leave a list of what flags you changed.

5/17/19 - Post edited to include details searching for kernel flags
Last edited by snake on Fri May 17, 2019 5:06 pm, edited 2 times in total.
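
Added example (not part of any post in this thread, and not code from spectre-meltdown-checker): a small shell audit that lists which of the boot parameters quoted above are present on a kernel command line and prints the status the kernel reports under /sys/devices/system/cpu/vulnerabilities. The function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit mitigation state. Function names are hypothetical.

# The boot parameters quoted in the post above.
MITIGATION_OFF_PARAMS="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off \
nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

# Print the listed parameters that appear as whole words in a kernel command
# line (argument 1; defaults to the running kernel's /proc/cmdline).
find_disabled_params() {
    cmdline="${1-$(cat /proc/cmdline)}"
    found=""
    for p in $MITIGATION_OFF_PARAMS; do
        case " $cmdline " in
            *" $p "*) found="$found${found:+ }$p" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Print the kernel's own status line for each known issue (sysfs directory in
# argument 1). Returns 1 if any status starts with "Vulnerable", 2 if the
# directory is missing.
report_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state=$(cat "$f")
        printf '%-20s %s\n' "$(basename "$f"):" "$state"
        case "$state" in Vulnerable*) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample input so the example runs offline; call both functions
# without arguments to audit the running system instead.
sample=$(mktemp -d)
echo "Mitigation: PTI" > "$sample/meltdown"
echo "Vulnerable" > "$sample/mds"
echo "disabled on cmdline: $(find_disabled_params 'BOOT_IMAGE=/vmlinuz ro quiet nopti mds=off')"
report_vulnerabilities "$sample" || echo "kernel reports at least one issue as Vulnerable"
rm -rf "$sample"
```

Running it before and after a bootloader change records exactly which protections were switched off on that host.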
zd59
Posts: 102
Joined: Wed Jan 18, 2017 1:39 pm
Location: EU - Slovenia

Re: Disabling Spectre and Meltdown mitigations (speculative execution)

Post by zd59 »

snake wrote: Thu May 16, 2019 1:39 pm For starters, I'm going to link to
https://make-linux-fast-again.com
Which currently has:

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off
These are obviously some options you can pass to the Kernel (such as via Grub: https://wiki.ubuntu.com/Kernel/KernelBootParameters or a flag if you are compiling your kernel)
Playing and testing with Linux & ZM on Virtualbox. Slackware-current, updated today. Kernel is clean, unmodified from original source.
I'm currently compiling kernel-5.1.3 to check on Vbox.
Would you be so kind as to give me a hint as to which options in the kernel config should be set off, regarding what you mention above in the code? There is not a single option you mentioned above in the kernel .config file. There is only CONFIG_RESET_ATTACK_MITIGATION.
snake
Posts: 337
Joined: Sat May 21, 2016 2:20 am

Re: Disabling Spectre and Meltdown mitigations (speculative execution)

Post by snake »

zd59 wrote: Fri May 17, 2019 8:32 am Would you be so kind as to give me a hint as to which options in the kernel config should be set off, regarding what you mention above in the code?
Thanks for pointing that out. I've updated the post.
MoOz
Posts: 31
Joined: Tue Jan 17, 2017 9:49 pm

Re: Disabling Spectre and Meltdown mitigations (speculative execution)

Post by MoOz »

Hi,
Can someone write a more detailed procedure?

So far I collected

**Run Spectre & Meltdown Checker
https://github.com/speed47/spectre-meltdown-checker
What do you change without breaking things?

*** GRUB
KernelBootParameters
https://wiki.ubuntu.com/Kernel/KernelBootParameters