3

https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work

https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html?highlight=kernel%20parameters

Control mitigation of Spectre variant 2 (indirect branch speculation) vulnerability; the default operation protects the kernel from user space attacks.

    spectre_v2=
        on   - unconditionally enable, implies spectre_v2_user=on
        off  - unconditionally disable, implies spectre_v2_user=off
        auto - kernel detects whether your CPU model is vulnerable

    Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.

    Selecting 'on' will also enable the mitigation against user space to user space task attacks.

    Selecting 'off' will disable both the kernel and the user space protections.

    Specific mitigations can also be selected manually:
        retpoline         - replace indirect branches
        retpoline,generic - google's original retpoline
        retpoline,amd     - AMD-specific minimal thunk

    Not specifying this option is equivalent to spectre_v2=auto.

For best computing performance, such as in HPC and a controlled environment where I know no user is (a) able to do this exploit (they have enough trouble logging in) and (b) would gain nothing anyway if they were able to perform such a feat, should I be setting this kernel parameter to off? This would be on a server having an Intel LGA 3647 Platinum 8xxx series CPU, and when installing RHEL 7.9 it automatically did GRUB_CMDLINE_LINUX= spectre_v2=retpoline.

1 Answer

1

Yes, if you're confident in your border controls and are willing to accept the risk vs. performance impact, you can certainly set spectre_v2=off to not enable any Spectre/Meltdown mitigations. To ensure their unmitigated-ness, you can use this quick-n-dirty script:

    #!/bin/bash
    # Works in RHEL7; does not work in RHEL8
    # Needs root and a mounted debugfs (/sys/kernel/debug) to read and write these knobs.
    items="pti_enabled retp_enabled ibrs_enabled"
    DIR=/sys/kernel/debug/x86

    echo "These should all be 0:"
    for item in $items; do
        printf "%-13s " $item: ; cat $DIR/$item
    done

    # Flag any knob that is not already 0.
    need_to_set=false
    for item in $items; do
        grep -q 0 $DIR/$item || { echo "$item is not 0"; need_to_set=true; }
    done

    # Offer to zero them; this only lasts until the next reboot.
    $need_to_set && {
        read -p "Found value(s) that are not 0. Enter 'y' if you want 0 them: " a
        [ "$a" = "y" ] && {
            for item in $items; do
                echo 0 > $DIR/$item
            done
            echo Done.
            exit 0
        }
        echo "OK, will not set it to 0."
    }

...of course, that will only disable the mitigations until a reboot. Modifying the kernel command line, as you suggest, is the way to make it stick.

This is as of RHEL 7.9, btw. I believe the command line option is the same in 8 but the check is different somehow.
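An added check, not part of the answer above, that works the same way on RHEL 7 and 8: it reads the spectre_v2= value from the kernel command line and compares it with the state the kernel itself reports, so an ignored or mistyped option shows up as a mismatch rather than being silently trusted. It assumes /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/spectre_v2 exist, which they do on RHEL 7 and 8 kernels with the mitigation code backported.

```shell
#!/bin/sh
# Added example (not from the original answer): compare the requested
# spectre_v2= setting with the live state the kernel reports. Assumed
# interfaces: /proc/cmdline and the sysfs vulnerabilities file below.
VULN_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the spectre_v2= value from a kernel command line string;
# "auto" when the option is absent (the documented default).
spectre_v2_setting() {
    value=auto
    for word in $1; do            # unquoted on purpose: split on spaces
        case "$word" in
            spectre_v2=*) value="${word#spectre_v2=}" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Map the sysfs status text to: mitigated, unmitigated, not_affected, unknown.
classify_status() {
    case "$1" in
        "Not affected") echo not_affected ;;
        Vulnerable*)    echo unmitigated ;;
        Mitigation:*)   echo mitigated ;;
        *)              echo unknown ;;
    esac
}

# Return 0 when command-line intent and live state agree, 1 otherwise
# (e.g. spectre_v2=off requested but a mitigation is still active, or
# auto/retpoline requested but the kernel still reports Vulnerable).
check_consistency() {
    state=$(classify_status "$2")
    case "$1:$state" in
        off:unmitigated|off:not_affected) return 0 ;;
        off:*)                            return 1 ;;
        *:mitigated|*:not_affected)       return 0 ;;
        *)                                return 1 ;;
    esac
}

# Live report for the running host; run as: sh spectre_check.sh --live
if [ "${1:-}" = "--live" ]; then
    setting=$(spectre_v2_setting "$(cat /proc/cmdline)")
    status=$(cat "$VULN_FILE" 2>/dev/null || echo unknown)
    printf 'cmdline: spectre_v2=%s\nlive:    %s\n' "$setting" "$status"
    check_consistency "$setting" "$status" && echo consistent || { echo MISMATCH; exit 1; }
fi
```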
