The recent CPU flaw caused quite a mess. Most recent linux kernels have the problems patched, but what if I am willing to trade security for performance? I’ll need to compile my own kernel and here is how to do that on Ubuntu 17.
apt install git build-essential kernel-package fakeroot libncurses5-dev libssl-dev ccache wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.15.tar.xz tar Jxvf linux-4.15.tar.xz cd linux-4.15
First, we need to make oldconfig. Basically copy the kernel compile config from Ubuntu and decide whether new features should be enabled
cp /boot/config-4.13.0-32-generic .config make oldconfig
Here I disabled the first feature related to spectre and meltdown
RETPOLINE=n
Next, in menuconfig, disable another feature which was already enabled in 4.13.0-32
Remove the kernel mapping in user mode (aka CONFIG_PAGE_TABLE_ISOLATION=n)
If like me you have no plan to debug kernel issues, disable the kernel debug package which can save a lot of time. Disable it from Kernel hacking > Compile-time checks…
Probably all the staging drivers can be skipped too. Uncheck them from Device Driver > Staging…
Disabling debug and staging drivers reduce the compilation time by almost 50%. On my machine, that is about 30 minutes.
We are now ready to compile the kernel and create deb packages.
make -j 8 deb-pkg LOCALVERSION=-pos
The above will provide deb packages in the parent directory. It takes about 50 minutes for all of the above on a c5.2xlarge. $0.34 plus storage and network transfer price. Kernel compilation is no longer an excuse to upgrade to faster CPUs!
linux-headers-4.15.0-pos_4.15.0-pos-1_amd64.deb linux-image-4.15.0-pos_4.15.0-pos-1_amd64.deb
I installed the Performance Over Security (pos) kernel on my desktop. The performance gain is noticeable. Do it at your own risk though.
Update
It may be possible to turn off these CPU fixes without compiling your own kernel. Add the followings to kernel boot parameters. Reference https://www.linux.com/blog/intro-to-linux/2018/1/linux-kernel-415-unusual-release-cycle
spectre_v2=off pti=off
The new kernel comes with an interesting sysfs entry:
# ls -1 /sys/devices/system/cpu/vulnerabilities meltdown spectre_v1 spectre_v2
