blog.headdesk.me

Trade security with performance

Posted on 2018/01/29 (updated 2018/02/23)

The recent CPU flaws (Meltdown and Spectre) caused quite a mess. Most recent Linux kernels have the problems patched, but what if I am willing to trade security for performance? I'll need to compile my own kernel, and here is how to do that on Ubuntu 17.

apt install git build-essential kernel-package fakeroot libncurses5-dev libssl-dev ccache
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.15.tar.xz
tar Jxvf linux-4.15.tar.xz
cd linux-4.15

First, we need to run make oldconfig. This copies the kernel build config from the running Ubuntu kernel and then prompts for each option that is new in 4.15, so you can decide whether it should be enabled.

cp /boot/config-4.13.0-32-generic .config
make oldconfig

Here I answered no to the first option related to Spectre and Meltdown:

RETPOLINE=n

Next, in make menuconfig, disable another option that was already enabled in the 4.13.0-32 config (and therefore did not prompt during oldconfig):

Remove the kernel mapping in user mode (aka CONFIG_PAGE_TABLE_ISOLATION=n)

If, like me, you have no plans to debug kernel issues, disable the kernel debug build, which saves a lot of compile time. Disable it from Kernel hacking > Compile-time checks…

Probably all the staging drivers can be skipped too. Uncheck them from Device Drivers > Staging…

Disabling debug and staging drivers reduces the compilation time by almost 50%. On my machine, that is about 30 minutes.

We are now ready to compile the kernel and create deb packages.

make -j 8 deb-pkg LOCALVERSION=-pos

The above puts the deb packages in the parent directory. All of the above takes about 50 minutes on a c5.2xlarge, which is $0.34 plus storage and network transfer. Kernel compilation is no longer an excuse to upgrade to faster CPUs!

linux-headers-4.15.0-pos_4.15.0-pos-1_amd64.deb
linux-image-4.15.0-pos_4.15.0-pos-1_amd64.deb

I installed the Performance Over Security (pos) kernel on my desktop. The performance gain is noticeable. Do it at your own risk though.

Update

It may be possible to turn off these CPU fixes without compiling your own kernel. Add the following to the kernel boot parameters. Reference: https://www.linux.com/blog/intro-to-linux/2018/1/linux-kernel-415-unusual-release-cycle

spectre_v2=off pti=off

The new kernel comes with an interesting sysfs entry:

# ls -1 /sys/devices/system/cpu/vulnerabilities
meltdown
spectre_v1
spectre_v2
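Each of those files contains a one-line status string, so they are the quickest way to confirm what a custom kernel or a pti=off / spectre_v2=off boot actually left unmitigated. The following POSIX sh helper is an added example, not part of the original post: it lists each entry with its status and counts the ones that report "Vulnerable". The sysfs path is the real one; the directory argument exists only so the functions can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Summarises the
# /sys/devices/system/cpu/vulnerabilities entries so you can see which
# mitigations the running kernel actually has active.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print "<entry>: <status>" for every file in the directory.
# An alternative directory may be passed as $1 (used for testing).
list_cpu_vulns() {
    dir="${1:-$SYSFS_VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no $dir (kernel predates this sysfs interface)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries whose status starts with "Vulnerable", i.e. the kernel
# knows about the issue but has no mitigation enabled for it.
count_unmitigated() {
    dir="${1:-$SYSFS_VULN_DIR}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Succeed (exit 0) only when every listed entry reports a mitigation.
all_mitigated() {
    [ "$(count_unmitigated "$1")" -eq 0 ]
}
```

On a stock Ubuntu kernel `all_mitigated` should succeed; after booting the pos kernel described above, expect meltdown and spectre_v2 to show up in the unmitigated count.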
