Enable or disable SPECULATION_MITIGATIONS in the Linux kernel
-
Updating to the currently latest longterm kernel version 5.15.68 I was asked to enable or disable the new kernel feature Mitigations for speculative execution vulnerabilities.
Usually I just choose the default (in most cases) when updating to a new kernel and being asked for adding/leaving out new features. With this one I am wondering what people think about it. Probably costs some performance and security does not really play much of a role in this case. On the other hand CPU performance is usually not the bottle neck when capturing or deploying an image.
-
@sebastian-roth Well, one would have to think the risks of not turning it on and why we might leave it off.
FOS Linux is a cloned memory only operating system. I would think the risk of vulnerability and compromise are a bit low. FOS Linux does not have persistent storage so it forgets everything between reboots. So if something happens to attack FOS Linux while its executing it will be lost upon reboot. Also the time it is actually running is pretty small, between 2 and 10 minutes with very few to no open services as an attack vector other than ssh. So delivering a risky payload to FOS Linux would be a bit difficult. So I’m not seeing the value in enabling this code.
With that said, FOG should always error on the side of security. So turning these features on since they are kernel defaults should be left in the default state.
I would say to build two kernels one with them on and one with them off and then test to measure the impact on imaging. If there is little to no impact then I would say yes leave the features on for the sake of security. If there is a 30% impact on image deployment then we should discuss.
-
@george1421 said in Enable or disable SPECULATION_MITIGATIONS in the Linux kernel:
I would say to build two kernels one with them on and one with them off and then test to measure the impact on imaging.
Good point.
@testers @moderators Please test those two kernels to compare performance and report here in this topic.
https://github.com/FOGProject/fos/releases/download/testing/bzImage-5.15.68-SM
https://github.com/FOGProject/fos/releases/download/testing/bzImage-5.15.68-no-SM -
Forgot to say that I turned SPECULATION_MITIGATIONS on in the current default kernels some days after my last post because there wasn’t any feedback from people testing those kernels.