On Fri, 20 Jul 2018 11:24:57 +0200, David Kastrup wrote:
So the idea to take this into low-latency realms with a view on realtime effects seems a bit optimistic indeed. ;)
On Thu, 19 Jul 2018 22:52:45 -1000, _another_ david wrote:
I first tried it with 4.13.x and decided that items like random kernel panics, system freezes and crashes weren't very good ways to defend against Spectre/Meltdown/DoS. ;)
Actually, freezes and crashes do defend against attacks :D. But you are
right, for Claws and Firefox I'm experiencing serious issues way too often,
and for virtualbox at least an annoyance way too often, for an
unexplained reason.
I at least should test using it with PTI disabled.
The current default on my machine is:
[rocketmouse@archlinux ~]$ ls -hAl /sys/devices/system/cpu/vulnerabilities/; cat /sys/devices/system/cpu/vulnerabilities/*
total 0
-r--r--r-- 1 root root 4.0K Jul 20 10:12 meltdown
-r--r--r-- 1 root root 4.0K Jul 20 10:12 spec_store_bypass
-r--r--r-- 1 root root 4.0K Jul 20 10:12 spectre_v1
-r--r--r-- 1 root root 4.0K Jul 20 10:12 spectre_v2
Mitigation: PTI
Vulnerable
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB, IBRS_FW
'nopti' alone would disable PTI, but keep the Spectre mitigations. While
PTI is part of the kernel, the Spectre mitigations are likely part
of the µcode. However, if I ran my CPU without the µcode, I
perhaps would get rid of the Spectre mitigation, but IIRC I
unfortunately would get rid of TSC, too.
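An added example, not part of the thread: a small Python script that reads the same sysfs directory listed above (/sys/devices/system/cpu/vulnerabilities/), classifies each entry as "Not affected", "Mitigation: ..." or "Vulnerable", and checks /proc/cmdline for the 'nopti' (or its equivalent 'pti=off') boot parameter discussed in the post. The SAMPLE dictionary is constructed from the four values shown in the post so the script can be exercised on a machine without that directory; the kernel parameter names and the three status string formats are taken from the kernel's admin-guide documentation.

```python
"""Summarise the kernel's own CPU-vulnerability reporting.

Added example (not from the mailing-list thread). It reads the sysfs
directory the post lists and reports which entries are still unmitigated,
plus whether page-table isolation was turned off on the boot line.
"""
from __future__ import annotations

from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CMDLINE = Path("/proc/cmdline")

# Constructed sample: the four files and values quoted in the post.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spec_store_bypass": "Vulnerable\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}


def classify(value: str) -> tuple[str, str]:
    """Map one sysfs value to (state, detail).

    The kernel writes one of 'Not affected', 'Vulnerable[: detail]' or
    'Mitigation: detail'.  Anything else is returned as 'unknown' so that a
    new format is noticed rather than silently treated as safe.
    """
    text = value.strip()
    if text == "Not affected":
        return "not_affected", ""
    if text.startswith("Mitigation:"):
        return "mitigated", text[len("Mitigation:"):].strip()
    if text.startswith("Vulnerable"):
        return "vulnerable", text[len("Vulnerable"):].lstrip(": ").strip()
    return "unknown", text


def summarise(entries: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Classify every entry, sorted by name for stable output."""
    return {name: classify(value) for name, value in sorted(entries.items())}


def unmitigated(summary: dict[str, tuple[str, str]]) -> list[str]:
    """Names of entries that are vulnerable or in an unrecognised state."""
    return [name for name, (state, _) in summary.items()
            if state in ("vulnerable", "unknown")]


def read_sysfs(directory: Path = SYSFS_DIR) -> dict[str, str]:
    """Read every file in the vulnerabilities directory (empty if absent)."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def pti_disabled_on_cmdline(cmdline: str) -> bool:
    """True when the boot line turns PTI off via 'nopti' or 'pti=off'."""
    params = cmdline.split()
    return "nopti" in params or "pti=off" in params


if __name__ == "__main__":
    # Fall back to the constructed sample when the real directory is missing.
    entries = read_sysfs() or SAMPLE
    summary = summarise(entries)
    for name, (state, detail) in summary.items():
        print(f"{name:20s} {state:13s} {detail}")
    print("unmitigated:", unmitigated(summary) or "none")
    if CMDLINE.is_file():
        print("PTI disabled on cmdline:", pti_disabled_on_cmdline(CMDLINE.read_text()))
```

Run on the post's own listing, the script flags only spec_store_bypass as unmitigated; after booting with 'nopti' one would expect the meltdown entry to flip to "Vulnerable" while the spectre_v1/spectre_v2 lines stay as they are, which is the quickest way to confirm that the boot parameter did only what was intended.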