On Fri, 14 Sep 2018 09:59:25 +0200, David Runge wrote:
> However, I would not advise you to disable mitigations such as page
> table isolation (PTI), unless you know about the implied risks!
Regarding Meltdown, loosely speaking, if the audio workstation is
connected to the Internet, we could boot without disabling PTI. If the
audio workstation is used for audio productions, we could boot with
PTI disabled and without connecting to the Internet. IIRC the
microcode for my CPU is required not only for Spectre mitigation, but
also to make TSC available and perhaps to fix other CPU issues, too, so
there might be no option to boot without the microcode at all.
The '/sys/devices/system/cpu/vulnerabilities/*' "list" is increasing ;).
[rocketmouse@archlinux ~]$ uname -a
Linux archlinux 4.18.7-rt5-1-rt-securityink #1 SMP PREEMPT RT Thu Sep 13 08:01:15 CEST 2018 x86_64 GNU/Linux
[rocketmouse@archlinux ~]$ dmesg | grep micro
[ 0.000000] microcode: microcode updated early to revision 0x25, date = 2018-04-02
[ 0.457030] microcode: sig=0x306c3, pf=0x2, revision=0x25
[ 0.457083] microcode: Microcode Update Driver: v2.2.
[rocketmouse@archlinux ~]$ ls -l /sys/devices/system/cpu/vulnerabilities/*
-r--r--r-- 1 root root 4096 Sep 15 01:12 /sys/devices/system/cpu/vulnerabilities/l1tf
-r--r--r-- 1 root root 4096 Sep 15 01:12 /sys/devices/system/cpu/vulnerabilities/meltdown
-r--r--r-- 1 root root 4096 Sep 15 01:12 /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
-r--r--r-- 1 root root 4096 Sep 15 01:12 /sys/devices/system/cpu/vulnerabilities/spectre_v1
-r--r--r-- 1 root root 4096 Sep 15 01:12 /sys/devices/system/cpu/vulnerabilities/spectre_v2
[rocketmouse@archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB, IBRS_FW
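As an added example (not part of the post above), a small POSIX sh check that reads the vulnerabilities directory the post lists, classifies each entry from the kernel's own status text and fails when any entry reads "Vulnerable", which is what a box booted with PTI switched off reports for meltdown. The directory is a parameter so the same functions run against a constructed copy; the sample directory below is constructed from the values in the post, with meltdown changed to the PTI-off state.

```shell
#!/bin/sh
# Added example, not code from the list post. Summarise the kernel's
# per-vulnerability status files; the directory defaults to the real
# sysfs path but can point at any directory with the same layout.

# Print "name<TAB>state<TAB>raw line" for every file in the directory.
# state is one of: mitigated, vulnerable, unaffected, unknown.
vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips the literal glob on an empty dir
        name=$(basename "$f")
        line=$(cat "$f")
        case "$line" in
            Mitigation:*)    state=mitigated ;;
            Vulnerable*)     state=vulnerable ;;
            "Not affected"*) state=unaffected ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$state" "$line"
    done
}

# Exit 0 when nothing reads "Vulnerable", 1 otherwise; the names of the
# vulnerable entries go to stdout, one per line. Useful as a boot-time
# sanity check on a machine that is expected to keep PTI enabled.
vuln_check() {
    vuln_report "$1" | awk -F'\t' '
        BEGIN { bad = 0 }
        $2 == "vulnerable" { print $1; bad = 1 }
        END { exit bad }'
}

# Constructed sample directory: the mitigation strings from the post,
# except meltdown, which carries the value a pti=off boot reports.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled\n' > "$d/l1tf"
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$d/spec_store_bypass"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB, IBRS_FW\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}
```

Run `vuln_check` with no argument to check the live system; a non-zero exit plus the printed names is the signal that a mitigation is off.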