mitigations=off Kernel parameter

rssfed23

Hey Proxmox team.

Just wondering if the "mitigations=off" parameter (that disables all meltdown-style fix protections) is available in the latest version of PVE?

Security considerations aside, major OS vendors (e.g. suse.com/support/kb/doc/?id=7023836) are starting to include this option, so I am wondering if I can make use of it in PVE as well?

Many thanks in advance,
Rob
 
Just wondering if the "mitigations=off" parameter (that disables all meltdown-style fix protections) is available in the latest version of PVE?

No, currently, in the 4.15 based kernel this "all-in-one" parameter is not available, but the specific ones like "nospectre_v1", "nospectre_v2", "pti=off", "kvm-intel.vmentry_l1d_flush=never", ... are (see our 4.15 based Kernel Documentation - search for "mitigation"). With the upcoming 6.0, a newer kernel will be used as base, which will include this option.
As a disclaimer for others reading this: I do not recommend setting any of these if you are not fully sure what the implications are! Really only enable them if you can trust the VM/CT guests and the software they run, as those knobs have big security implications.
 
Thanks for the reply.

I gave it a try anyway on a test system and it did the job; everything shown as vulnerable when running
Code:
for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "${f##*/} -" $(cat "$f"); done

I also found in that Kernel docs link you sent the option for all (around the 14th appearance of the word "mitigation").

Glad to have those options present.

But yes; to anyone reading this thread: although you may potentially gain big performance improvements / restore previous performance levels (depending on your workload), there are huge security implications that you must understand before disabling the mitigations.
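As an added example (not code from the thread or from Proxmox), a small POSIX shell audit script that prints the same per-vulnerability status as the one-liner above, counts entries the kernel reports as Vulnerable, and checks the boot command line for the knobs named in the reply. It runs here against a constructed sample directory; the function defaults point at the real /sys and /proc paths.

```shell
#!/bin/sh
# Count sysfs entries whose status starts with "Vulnerable" (no active mitigation).
count_vulnerable() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Return 0 if the kernel command line carries one of the knobs from the thread.
cmdline_disables_mitigations() {
    cmdline=$(cat "${1:-/proc/cmdline}")
    for knob in mitigations=off nospectre_v1 nospectre_v2 pti=off kvm-intel.vmentry_l1d_flush=never; do
        case " $cmdline " in
            *" $knob "*) return 0 ;;
        esac
    done
    return 1
}

# Per-entry report (same output as the thread's one-liner) plus a verdict line.
audit_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cmd=${2:-/proc/cmdline}
    for f in "$dir"/*; do
        [ -f "$f" ] && echo "${f##*/} - $(cat "$f")"
    done
    if cmdline_disables_mitigations "$cmd"; then
        echo "WARNING: mitigations disabled on the kernel command line: $(cat "$cmd")"
    fi
    echo "vulnerable entries: $(count_vulnerable "$dir")"
}

# Constructed sample data so the script runs offline; not captured from a real host.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/vuln"
printf 'Vulnerable\n' > "$SAMPLE/vuln/meltdown"
printf 'Vulnerable\n' > "$SAMPLE/vuln/spectre_v2"
printf 'Not affected\n' > "$SAMPLE/vuln/l1tf"
printf 'Mitigation: Clear CPU buffers\n' > "$SAMPLE/vuln/mds"
printf 'BOOT_IMAGE=/boot/vmlinuz root=/dev/mapper/pve-root ro quiet mitigations=off\n' > "$SAMPLE/cmdline"

audit_mitigations "$SAMPLE/vuln" "$SAMPLE/cmdline"
```

Run it without arguments on a PVE host to audit the live system; a non-zero "vulnerable entries" count together with the WARNING line is the signature of a host booted with mitigations disabled.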