Disable Spectre Meltdown Mitigations

[elvisimprsntr]

BACKGROUND

I'm running a homelab. I wanted to test the performance hit of all the mitigations including SMT, but the method I found does not seem to be working

QUESTION

What is the correct method?

VERSION

PVE 7.2-7
5.15.39-1-pve

METHOD USED

1. nano /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT="quiet mitigations=off"
2. update-grub
3. Confirmed kernel option mitigations=off in /etc/grub/grub.cfg

linux   /ROOT/pve-1@/boot/vmlinuz-5.15.39-1-pve root=ZFS=rpool/ROOT/pve-1 ro  root=ZFS=rpool/ROOT/pve-1 boot=zfs quiet mitigations=off

4. reboot
5. lscpu still shows mitigations active.

Model name:                      Intel(R) Celeron(R) CPU  N3150  @ 1.60GHz

Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Mmio stale data:   Not affected
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Retpolines, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected

6. Checked vulnerabilities

for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "${f##*/} -" $(cat "$f"); done
itlb_multihit - Not affected
l1tf - Not affected
mds - Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
meltdown - Mitigation: PTI
mmio_stale_data - Not affected
spec_store_bypass - Not affected
spectre_v1 - Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2 - Mitigation: Retpolines, STIBP: disabled, RSB filling
srbds - Not affected
tsx_async_abort - Not affected

 

[Neobin]

You are probably using systemd-boot and not grub. Check with: [1]
If this is the case, you have to edit another file: [2]
You can check the currently used kernel cmdline with: cat /proc/cmdline

[1] https://pve.proxmox.com/wiki/Host_Bootloader#sysboot_determine_bootloader_used
[2] https://pve.proxmox.com/wiki/Host_Bootloader#sysboot_edit_kernel_cmdline

 

[elvisimprsntr]

Thanks

For the record

1. nano /etc/kernel/cmdfile -> root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
2. proxmox-boot-tool refresh
3. reboot
4. lscpu

Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Vulnerable; SMT vulnerable
Vulnerability Meltdown:          Vulnerable
Vulnerability Mmio stale data:   Not affected
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, STIBP: disabled
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected

 

[JL17]

Thanks

For the record

1. nano /etc/kernel/cmdfile -> root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
2. proxmox-boot-tool refresh
3. reboot
4. lscpu

Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Vulnerable; SMT vulnerable
Vulnerability Meltdown:          Vulnerable
Vulnerability Mmio stale data:   Not affected
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, STIBP: disabled
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected

thanx! This works!

 

[djismgaming]

Thanks

For the record

1. nano /etc/kernel/cmdfile -> root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
2. proxmox-boot-tool refresh
3. reboot
4. lscpu

Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Vulnerable; SMT vulnerable
Vulnerability Meltdown:          Vulnerable
Vulnerability Mmio stale data:   Not affected
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, STIBP: disabled
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected

I had to use a slightly different command for this to work under Proxmox 7.3-4 (as per https://pve.proxmox.com/wiki/Host_Bootloader#sysboot_edit_kernel_cmdline for Systemd-boot)

1. nano /etc/kernel/cmdline -> root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
-- a. alternative to nano command
---- echo root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off > /etc/kernel/cmdline
2. proxmox-boot-tool refresh
3. reboot
4. lscpu

 

[topstarnec]

I just installed the proxmox last night and update the kernel to 6.1 and enable Debian backports sources.
The above method didn't work for me. I got to mount the EFI partition
went to
/loader/entries/proxmox-XXXX-pve.conf
put the mitigations=off at the end