The recent CPU flaw caused quite a mess. Most recent linux kernels have the problems patched, but what if I am willing to trade security for performance? I’ll need to compile my own kernel and here is how to do that on Ubuntu 17.

apt install git build-essential kernel-package fakeroot libncurses5-dev libssl-dev ccache
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.15.tar.xz
tar Jxvf linux-4.15.tar.xz
cd linux-4.15

First, we need to make oldconfig. Basically copy the kernel compile config from Ubuntu and decide whether new features should be enabled

cp /boot/config-4.13.0-32-generic .config
make oldconfig

Here I disabled the first feature related to spectre and meltdown

RETPOLINE=n

Next, in menuconfig, disable another feature which was already enabled in 4.13.0-32

Remove the kernel mapping in user mode (aka CONFIG_PAGE_TABLE_ISOLATION=n)

If like me you have no plan to debug kernel issues, disable the kernel debug package which can save a lot of time. Disable it from Kernel hacking > Compile-time checks…

Probably all the staging drivers can be skipped too. Uncheck them from Device Driver > Staging…

Disabling debug and staging drivers reduce the compilation time by almost 50%. On my machine, that is about 30 minutes.

We are now ready to compile the kernel and create deb packages.

make -j 8 deb-pkg LOCALVERSION=-pos

The above will provide deb packages in the parent directory. It takes about 50 minutes for all of the above on a c5.2xlarge. $0.34 plus storage and network transfer price. Kernel compilation is no longer an excuse to upgrade to faster CPUs!

linux-headers-4.15.0-pos_4.15.0-pos-1_amd64.deb
linux-image-4.15.0-pos_4.15.0-pos-1_amd64.deb

I installed the Performance Over Security (pos) kernel on my desktop. The performance gain is noticeable. Do it at your own risk though.

Update

It may be possible to turn off these CPU fixes without compiling your own kernel. Add the followings to kernel boot parameters. Reference https://www.linux.com/blog/intro-to-linux/2018/1/linux-kernel-415-unusual-release-cycle

spectre_v2=off pti=off

The new kernel comes with an interesting sysfs entry:

# ls -1 /sys/devices/system/cpu/vulnerabilities
meltdown
spectre_v1
spectre_v2

Leave a Comment