• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

Enable or disable SPECULATION_MITIGATIONS in the Linux kernel

Scheduled Pinned Locked Moved
General
2
4
3.5k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    Sebastian Roth Moderator
    last edited by Sep 17, 2022, 11:49 AM

    Updating to the currently latest longterm kernel version 5.15.68 I was asked to enable or disable the new kernel feature Mitigations for speculative execution vulnerabilities.

    Usually I just choose the default (in most cases) when updating to a new kernel and being asked for adding/leaving out new features. With this one I am wondering what people think about it. Probably costs some performance and security does not really play much of a role in this case. On the other hand CPU performance is usually not the bottle neck when capturing or deploying an image.

    Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

    Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

    G 1 Reply Last reply Sep 17, 2022, 1:53 PM Reply Quote 0
    • G
      george1421 Moderator @Sebastian Roth
      last edited by Sep 17, 2022, 1:53 PM

      @sebastian-roth Well, one would have to think the risks of not turning it on and why we might leave it off.

      FOS Linux is a cloned memory only operating system. I would think the risk of vulnerability and compromise are a bit low. FOS Linux does not have persistent storage so it forgets everything between reboots. So if something happens to attack FOS Linux while its executing it will be lost upon reboot. Also the time it is actually running is pretty small, between 2 and 10 minutes with very few to no open services as an attack vector other than ssh. So delivering a risky payload to FOS Linux would be a bit difficult. So I’m not seeing the value in enabling this code.

      With that said, FOG should always error on the side of security. So turning these features on since they are kernel defaults should be left in the default state.

      I would say to build two kernels one with them on and one with them off and then test to measure the impact on imaging. If there is little to no impact then I would say yes leave the features on for the sake of security. If there is a 30% impact on image deployment then we should discuss.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

      1 Reply Last reply Reply Quote 0
      • S
        Sebastian Roth Moderator
        last edited by Sebastian Roth Sep 17, 2022, 9:46 AM Sep 17, 2022, 3:46 PM

        @george1421 said in Enable or disable SPECULATION_MITIGATIONS in the Linux kernel:

        I would say to build two kernels one with them on and one with them off and then test to measure the impact on imaging.

        Good point.

        @testers @moderators Please test those two kernels to compare performance and report here in this topic.

        https://github.com/FOGProject/fos/releases/download/testing/bzImage-5.15.68-SM
        https://github.com/FOGProject/fos/releases/download/testing/bzImage-5.15.68-no-SM

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        1 Reply Last reply Reply Quote 0
        • S
          Sebastian Roth Moderator
          last edited by Oct 6, 2022, 2:49 PM

          Forgot to say that I turned SPECULATION_MITIGATIONS on in the current default kernels some days after my last post because there wasn’t any feedback from people testing those kernels.

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          1 Reply Last reply Reply Quote 0
          • 1 / 1
          • First post
            Last post

          185

          Online

          12.0k

          Users

          17.3k

          Topics

          155.1k

          Posts
          Copyright © 2012-2024 FOG Project