
Disabling Intel and AMD CPU Vulnerability Mitigations in Debian and Ubuntu

Or, becoming the target of opportunity for that sweet sweet speculation

Over the past few years, vulnerabilities like Spectre, Meltdown and others have been found in the most common CPUs in use today, in Intel parts more so than AMD. Further, these aren’t run-of-the-mill vulnerabilities. They are architectural flaws that cannot be truly fixed in the CPU itself. In short, the CPUs were born to act in a way that we now know is flawed. They were made this way.

The best hope we have for mitigation in this case is software. Essentially, operating system patches that tell the CPU “no, don’t behave in the way you were built.” The upside to this is that we can feel confident running our systems again while knowing that, ultimately, the flaw still lives on. The downside is one of performance. Of course, the performance hits vary widely with the task, but speed reductions of 1% to 20% were possible in things like database usage, rendering, storage access, and office productivity software.

So let’s fix it!

Let me stop you right there. Fixing the “issue” here is nothing short of making your system vulnerable to these flaws again! If this is a desktop machine, or one that doesn’t leave the house often (and when it does, your firewall is solid), you may want to consider bringing these shields down to get that old performance back. So, proceed at your own risk.

To start, let’s check the current kernel version. In a terminal, run:

uname -r

My output was 5.4.0-53-generic. Then, let’s run lscpu to verify that the CPU has mitigations enabled.

leo@maya:~$ lscpu
Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
...
Vendor ID:                       GenuineIntel
...
Model name:                      Intel(R) Core(TM) i5-5300U ...
Vulnerability Itlb multihit:     KVM: Mitigation: Split huge pages
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds:             Mitigation; Microcode
Vulnerability Tsx async abort:   Mitigation; Clear CPU buffers; SMT vulnerable
...

Notice the lines that begin with Vulnerability. This is the list of vulnerabilities that your system knows about. Further to the right, there is “Mitigation,” how that mitigation is applied and additional information. This system is as patched against known vulnerability variants as possible without fully disabling Simultaneous Multithreading (Hyper-Threading). At this point we can proceed to turning off these mitigations.

To do this, edit the file /etc/default/grub using nano:

sudo nano /etc/default/grub

Once in nano, arrow down to the GRUB_CMDLINE_LINUX_DEFAULT line. Mine looks like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

Then, if your kernel version above was 5.2 or higher, add mitigations=off to the end of the list like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mitigations=off"

If your kernel version was below 5.2, the line will need to be more specific.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"

Save the file with CTRL+S, and exit the editor with CTRL+X. Finally, let’s update GRUB to make the changes permanent. In the command line, run:

sudo update-grub

That’s it! Reboot and the mitigations should be disabled. Run lscpu again to verify.
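Two pieces of the procedure above are worth scripting: picking the right kernel parameters for your kernel version (the 5.2 cut-off), and checking afterwards which flaws the running kernel now reports as unmitigated. The script below is an added example, not part of the original post; it reads the same per-vulnerability state that lscpu shows from /sys/devices/system/cpu/vulnerabilities, and accepts a directory argument so it can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers: choose the GRUB
# parameters the post uses for a given `uname -r` string, and audit the
# mitigation state the kernel exposes in sysfs (the data behind lscpu's
# "Vulnerability ..." lines). The directory argument is an assumption added
# so the audit can be run against a constructed directory.

# Print the kernel parameters for a kernel version string: a single
# "mitigations=off" on 5.2 or newer, the explicit per-flaw list on older kernels.
grub_params_for_kernel() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }; then
        echo "mitigations=off"
    else
        echo "noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
    fi
}

# Print "name<TAB>state" for every vulnerability file in the given directory
# (default: the real sysfs path). States look like "Mitigation: PTI",
# "Not affected" or "Vulnerable", matching what lscpu reports.
audit_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries whose state starts with "Vulnerable", i.e. flaws the kernel
# knows about but is no longer mitigating. Prints 0 when everything is covered.
count_unmitigated() {
    audit_mitigations "$1" | awk -F'\t' '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }'
}

# Typical use after a reboot on a real machine:
#   audit_mitigations; echo "unmitigated: $(count_unmitigated)"
```

On a machine booted with mitigations=off the audit lists each flaw as "Vulnerable", so a non-zero count is the expected result of following this post, and a zero count means the change did not take effect.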
