mitigations=off and failsafe boot options
From: Daniel Wagner
Date: Tue Aug 23 2022 - 03:12:54 EST
Hi,

Boris asked me to post my problem. So here we go.

On my old lab box (i7-860) the kernel option mitigations=off had no
effect. After booting, the machine (openSUSE Tumbleweed kernel
5.19.2-1-default and also 6.0-rc2 with the same config) always enabled
the mitigations:

# cat lscpu-5.19.2-1-default.log
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 36 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Vendor ID: GenuineIntel
Model name: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz
CPU family: 6
Model: 30
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: 5
BogoMIPS: 5596.26
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid dtherm ida flush_l1d
Virtualization: VT-x
L1d cache: 128 KiB (4 instances)
L1i cache: 128 KiB (4 instances)
L2 cache: 1 MiB (4 instances)
L3 cache: 8 MiB (1 instance)
NUMA node(s): 1
NUMA node0 CPU(s): 0-3
Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled
Vulnerability L1tf: Mitigation; PTE Inversion; VMX vulnerable, SMT disabled
Vulnerability Mds: Vulnerable; SMT disabled
Vulnerability Meltdown: Vulnerable
Vulnerability Mmio stale data: Not affected
Vulnerability Retbleed: Not affected
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1: Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2: Vulnerable, IBPB: disabled, STIBP: disabled, PBRSB-eIBRS: Not affected
Vulnerability Srbds: Not affected
Vulnerability Tsx async abort: Not affected

After a few experiments, I was able to identify the source of the
problem. When I reinstalled the machine recently, the default settings
of the boot medium didn't work so I used the failsafe option which
worked. Those got added to /etc/default/grub and hence were enabled
all the time.

After removing those, the machine booted just fine and most mitigations
are off as requested (except the itlb-multihit).

# uname -a
Linux lf.lan 6.0.0-rc2-1-default+ #4 SMP PREEMPT_DYNAMIC Tue Aug 23 08:29:06 CEST 2022 x86_64 x86_64 x86_64 GNU/Linux
# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 36 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: GenuineIntel
Model name: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz
CPU family: 6
Model: 30
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 1
Stepping: 5
Frequency boost: enabled
CPU max MHz: 2926.0000
CPU min MHz: 1197.0000
BogoMIPS: 5595.93
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid dtherm ida flush_l1d
Virtualization features:
Virtualization: VT-x
Caches (sum of all):
L1d: 128 KiB (4 instances)
L1i: 128 KiB (4 instances)
L2: 1 MiB (4 instances)
L3: 8 MiB (1 instance)
NUMA:
NUMA node(s): 1
NUMA node0 CPU(s): 0-7
Vulnerabilities:
Itlb multihit: KVM: Mitigation: VMX disabled
L1tf: Mitigation; PTE Inversion; VMX vulnerable
Mds: Vulnerable; SMT vulnerable
Meltdown: Vulnerable
Mmio stale data: Not affected
Retbleed: Not affected
Spec store bypass: Vulnerable
Spectre v1: Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Spectre v2: Vulnerable, IBPB: disabled, STIBP: disabled, PBRSB-eIBRS: Not affected
Srbds: Not affected
Tsx async abort: Not affected

The failsafe options in question are:

apm=off acpi=off mce=off barrier=off ide=nodma idewait=50 i8042.nomux
psmouse.proto=bare irqpoll pci=nommconf resume=...

I am okay to leave it at this. Maybe you might find this feedback helpful.

Thanks,
Daniel
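
Added example, not part of the original message: a POSIX shell check that reports which of the failsafe options listed above are still on a kernel command line, what mitigations= is set to, and how each CPU vulnerability status reads. The function names and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Failsafe options from the message (resume=... omitted: its value is elided there).
FAILSAFE_OPTS="apm=off acpi=off mce=off barrier=off ide=nodma idewait=50 i8042.nomux psmouse.proto=bare irqpoll pci=nommconf"
# Constructed sample command line (assumption, for illustration only).
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 apm=off acpi=off irqpoll mitigations=off quiet"

# Print each listed failsafe option that appears as a whole word in $1.
find_failsafe() (
    set -f                      # no globbing while word-splitting $1
    for opt in $FAILSAFE_OPTS; do
        for word in $1; do
            if [ "$word" = "$opt" ]; then printf '%s\n' "$opt"; fi
        done
    done
)

# Print the value of the last mitigations= parameter in $1, or "unset".
mitigations_setting() (
    set -f
    val=unset
    for word in $1; do
        case $word in mitigations=*) val=${word#mitigations=} ;; esac
    done
    printf '%s\n' "$val"
)

# Map one status string (sysfs or lscpu wording) to a coarse class.
classify() {
    case $1 in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        *Mitigation*)    echo mitigated ;;   # also matches "KVM: Mitigation: ..."
        *)               echo unknown ;;
    esac
}

# Report on a command line ($1) and a directory of status files ($2).
audit() {
    echo "mitigations=$(mitigations_setting "$1")"
    for o in $(find_failsafe "$1"); do echo "failsafe option present: $o"; done
    for f in "$2"/*; do
        [ -r "$f" ] || continue
        printf '%-24s %s\n' "${f##*/}" "$(classify "$(cat "$f")")"
    done
}

# Use the running kernel's command line when readable, else the sample.
CMDLINE=$SAMPLE_CMDLINE
if [ -r /proc/cmdline ]; then CMDLINE=$(cat /proc/cmdline); fi
audit "$CMDLINE" /sys/devices/system/cpu/vulnerabilities
```

The same functions can be given the GRUB_CMDLINE_LINUX_DEFAULT value from /etc/default/grub to see what will be applied on the next boot.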