Overriding Spectre/Meltdown mitigations?


arthur....@gmail.com

Aug 11, 2019, 5:17:54 PM
to qubes-users
My use case for Qubes is less security-focused and more separation/compartmentalization of systems-focused. If XenClient was still a thing, I'd be using it. I even tried to hack at ESXi to get X11 running and maybe use it as a client hypervisor, but no luck.

That said, while I take security seriously, I also weigh it against things like risk and performance. I recently upgraded my BIOS to take care of an issue I had with my fans going at 100% after resuming from suspend:
https://groups.google.com/forum/#!topic/qubes-users/hkj5BkR8Z8E

Here is the BIOS I flashed:
https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=MJ0KC&oscode=W732&productcode=precision-m6800-workstation
However, the new BIOS appears to allow kernel modules that address the Spectre/Meltdown vulnerabilities to run... and WOW, did my system get slow. Running updates on one of my templates resulted in the VM crashing repeatedly and never successfully updating. VMs are regularly taking up a large percentage of CPU. I added the nospectre_v1, nospectre_v2, and nospec_store_bypass_disable kernel parameters, and that seemed to help somewhat, but I have two questions:
  • In GRUB, do I add those kernel params to the multiboot /xen-XXXX line, the module /vmlinuz-XXXX line, or somewhere else?
  • Are there other modules that I could disable to improve performance?
Obviously, I completely understand that this is not recommended and goes against the purpose of Qubes as an OS, but from a risk perspective, I'm willing to take the trade-off for a bit of extra performance.

Thanks!

awokd

Aug 12, 2019, 10:24:34 AM
to qubes...@googlegroups.com
arthur....@gmail.com:
> My use case for Qubes is less security-focused and more
> separation/compartmentalization of systems-focused. If XenClient was still
> a thing, I'd be using it. I even tried to hack at ESXi to get X11 running
> and maybe use it as a client hypervisor, but no luck.
>
> That said, while I take security seriously, I also weigh it against things
> like risk and performance. I recently upgraded my BIOS to take care of an
> issue I had with my fans going at 100% after resuming from suspend:
> https://groups.google.com/forum/#!topic/qubes-users/hkj5BkR8Z8E
>
> Here is the BIOS I flashed:
> https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=MJ0KC&oscode=W732&productcode=precision-m6800-workstation
>
> However, the new BIOS appears to allow kernel modules that address the
> Spectre/Meltdown vulnerabilities to run . . . and WOW, did my system get
> slow. Running updates on one of my templates resulted in the VM crashing
> repeatedly and never successfully updating. VMs are regularly taking up a
> large percentage of CPU. I added the nospectre_v1, nospectre_v2, and
> nospec_store_bypass_disable kernel parameters, and that seemed to help
> somewhat, but I have two questions:
>
> - In GRUB, do I add those kernel params to the multiboot /xen-XXXX line,
> the module /vmlinuz-XXXX line, or somewhere else?
> - Are there other modules that I could disable to improve performance?
>
> Obviously, I completely understand that this is not recommended and goes
> against the purpose of Qubes as an OS, but from a risk perspective, I'm
> willing to take the trade-off for a bit of extra performance.
>
> Thanks!
>
Since those sound like kernel params, you'd add them to the vmlinuz
line. However, if you want them system-wide instead of just dom0, you
might want to look up the Xen equivalents and add to the Xen line
instead. See
https://github.com/Qubes-Community/Contents/blob/master/docs/misc/iaq.adoc#how-can-i-disable-xen-meltdown-mitigations
for example.
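To make the distinction in the reply above concrete (Linux switches on the vmlinuz line reach only dom0; Xen's own switches on the xen line reach every domain), here is an added shell example. It is not code from this thread or from the Qubes project. It assumes a Qubes 4.x-style grub.cfg whose menuentry boots Xen with a `multiboot2 /xen-*.gz ...` line and dom0 with a `module2 /vmlinuz-* ...` line (older GRUB spells these `multiboot`/`module`); the sample menuentry is constructed, not copied from a machine, and the Xen parameter names it knows about (`spec-ctrl=`, `xpti=`, `pv-l1tf=`, `smt=`) are Xen command-line options whose availability depends on the Xen version you run, so treat that mapping as a starting point to check against your own Xen.

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project.
# Assumptions: grub.cfg boots Xen via "multiboot2 /xen-*.gz ..." (hypervisor
# command line) and dom0 via "module2 /vmlinuz-* ..." (dom0 kernel command
# line). The Xen option names below are assumed to exist on the Xen in use.

# Constructed sample menuentry (not copied from a real machine).
SAMPLE_GRUB_CFG='menuentry "Qubes, with Xen hypervisor" {
    multiboot2 /xen-4.8.5.gz placeholder console=none dom0_mem=min:1024M dom0_max_vcpus=4
    module2 /vmlinuz-4.19.43-1.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-EXAMPLE rhgb quiet
    module2 --nounzip /initramfs-4.19.43-1.pvops.qubes.x86_64.img
}'

# Print the line that carries the command line for TARGET: "xen" (hypervisor,
# affects every domain) or "dom0" (the dom0 Linux kernel only).
grub_line_for() {
    case $1 in
        xen)  printf '%s\n' "$SAMPLE_GRUB_CFG" | grep -E '^[[:space:]]*multiboot2?[[:space:]]+/xen-' ;;
        dom0) printf '%s\n' "$SAMPLE_GRUB_CFG" | grep -E '^[[:space:]]*module2?[[:space:]]+/vmlinuz-' ;;
        *)    echo "unknown target: $1" >&2; return 1 ;;
    esac
}

# Decide which line a parameter belongs on. Linux switches only reach the
# kernel that parses them, so on the dom0 line they change dom0 alone; Xen's
# own switches belong on the hypervisor line. Anything else is reported as
# unknown rather than guessed.
param_target() {
    case $1 in
        nospectre_v1|nospectre_v2|nospec_store_bypass_disable|nopti|mitigations=*) echo dom0 ;;
        spec-ctrl=*|xpti=*|pv-l1tf=*|smt=*) echo xen ;;
        *) echo unknown ;;
    esac
}

# Read a grub.cfg on stdin, append PARAM to the matching line (once, even if
# called repeatedly), and write the result to stdout.
add_param() {
    param=$1
    target=$(param_target "$param")
    if [ "$target" = unknown ]; then
        echo "refusing to place unknown parameter: $param" >&2
        return 1
    fi
    awk -v p="$param" -v t="$target" '
        {
            line = $0
            is_xen  = (line ~ /^[[:space:]]*multiboot2?[[:space:]]+\/xen-/)
            is_dom0 = (line ~ /^[[:space:]]*module2?[[:space:]]+\/vmlinuz-/)
            if ((t == "xen" && is_xen) || (t == "dom0" && is_dom0)) {
                n = split(line, w, /[[:space:]]+/)
                present = 0
                for (i = 1; i <= n; i++) if (w[i] == p) present = 1
                if (!present) line = line " " p
            }
            print line
        }'
}

# What the running kernel reports for each known issue. Inside dom0 this is
# dom0's own view; it says nothing about Xen or about other qubes.
mitigation_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "kernel exposes no $dir (needs Linux 4.15 or later)"
        return 0
    fi
    for f in "$dir"/*; do
        printf '%-24s %s\n' "${f##*/}" "$(cat "$f" 2>/dev/null || echo unreadable)"
    done
}

# Usage: show the two lines, then place one Linux and one Xen parameter.
echo "--- hypervisor line ---"; grub_line_for xen
echo "--- dom0 kernel line ---"; grub_line_for dom0
echo "--- after adding nospectre_v2 (dom0) and spec-ctrl=no (Xen) ---"
printf '%s\n' "$SAMPLE_GRUB_CFG" | add_param nospectre_v2 | add_param spec-ctrl=no
echo "--- running kernel's mitigation view ---"
mitigation_status
```

Two practical notes on the assumptions. First, editing grub.cfg by hand is lost at the next kernel update; the durable place on a Fedora-based dom0 is /etc/default/grub, where GRUB_CMDLINE_LINUX feeds the vmlinuz line and GRUB_CMDLINE_XEN_DEFAULT feeds the xen line, followed by `grub2-mkconfig -o /boot/grub2/grub.cfg`. Second, the VMs' kernels do not read dom0's GRUB at all; their command line comes from the per-qube `kernelopts` property (`qvm-prefs <vm> kernelopts`), so Linux switches placed in dom0's GRUB change dom0 only. Xen-side switches such as `spec-ctrl=no` are the ones that change every domain, and they also remove the hypervisor's defence against one qube reading another's memory, which is exactly the isolation Qubes exists to provide.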
