Stumbled upon a cool kernel/hardware command

drunkenvicar · August 23, 2023, 1:10am

the command is $ grep -r . /sys/devices/system/cpu/vulnerabilities/

this is my result:

grep -r . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Unknown: No mitigations
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/retbleed:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
/sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

if you use this source (https://docs.kernel.org/admin-guide/hw-vuln/) to interpret your output you will eventually come to the conclusion—well I can only speak for myself----I came to the conclusion I was well-protected on this end. I interpret my own output as everything is being done that can be done, and I have an older Intel quad core.

It was about 20 minutes of learning for me, thought it was cool. this post is just FYI. edit/added word

mihalycsaba · August 23, 2023, 11:53am

lscpu same thing

YOLO

  Gather data sampling:  Not affected
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Not affected
  Spec rstack overflow:  Vulnerable, no microcode
  Spec store bypass:     Vulnerable
  Spectre v1:            Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
  Spectre v2:            Vulnerable, IBPB: disabled, STIBP: disabled, PBRSB-eIBRS: Not affected
  Srbds:                 Not affected
  Tsx async abort:       Not affected

Come to the mitigations=off side padawan.

vazicebon · August 23, 2023, 12:40pm

For more verbosity and colors you have this script :

https://github.com/speed47/spectre-meltdown-checker/blob/master/spectre-meltdown-checker.sh

chromian · August 23, 2023, 2:02pm

Where should I enable this?

milkytwix · August 23, 2023, 2:38pm

You shouldn’t.

BS86 · August 23, 2023, 4:52pm

If you have to ask you clearly shouldn’t. Security mechanisms are default on for a reason.

drunkenvicar · August 23, 2023, 9:42pm

Not as verbose but more to the point. Filed that command, thanks.

drunkenvicar · August 23, 2023, 9:43pm

it can’t be --verbose enough for me , I’m at the link now, graci.

mihalycsaba · August 24, 2023, 12:06am

Yeah maybe you shouldn’t, but I didn’t hear any widespread exploitation of these vulnerabilities and I’ve been turning off these mitigations for years now, even on windows.

If you don’t do anything too sensitive on your pc, like you only game and visit trusted sites, you’re probably safe. Just don’t visit sketchy sites and run random programs with mitigations turned off. Personally I’d rather turn off javascript first, only enable it for trustworthy sites, than kneecap my cpu.

If you want to try it out, start here https://wiki.archlinux.org/title/improving_performance#Turn_off_CPU_exploit_mitigations and search here in the forum. Looks like you have an older cpu, you might notice a difference.

drunkenvicar · August 24, 2023, 12:54am

thank you, not looking for a performance boost, I’m content and don’t game beyond quadrapassel anymore. or that weird game where rabbits stab each other to death and do jujitsu I forget the name.

The salmon banner with 2 linked articles (I read them both) saying how dangerous mitigation=off is enough to dissuade me. Even Arch says my old Intel would gain only “up to” a 5% boost.
I don’t always trust the people/orgs who tell me what ‘untrustworthy’ and ‘sketchy’ is more than I do my own instincts at this point. Weird times!

chromian · September 20, 2023, 6:48am

I finally gotten around running benchmarks with and without these CPU exploit mitigations.

Intel Core 2 Duo E7400
Intel i3 7100

In both the cases Geekbench (CPU) shows minimal, as in 1-2%, difference in overall performance.

Left the mitigations turned on.

chromian · September 20, 2023, 6:51am

That seems like “security through obscurity”. Learning why something should be done in a particular way could be more rewarding.

When I finally learned how to turn off those CPU exploit mitigations it helped me run benchmarks to see if there is a performance cost which there isn’t.

mihalycsaba · September 20, 2023, 9:34am

interesting, I thought the performance hit would be worse on an older cpu

freebird54 · September 20, 2023, 12:14pm

I wonder if the older CPU doesn’t have the vulnerability (yet) - as most of the mitigations are for backdoors in ‘speculative execution’ workflows. Did a Core 2 even indulge in speculation? (if so - why were they so slow? )

chromian · September 22, 2023, 12:37pm

Surprising indeed. When I ran lscpu on Intel Core 2 Duo E7400 it did show a bunch of vulnerabilities. But I didn’t really mind those vulnerabilities.

@freebird54