[leaf-devel] Spectre/meltdown fixes

[Andrew <ni...@se...>]

Hi all.

I upgraded one of BRASes to fresh LEAF 6.2 - and I saw that a lot of CPU 
time is wasted by spectre v2 protection:

    PerfTop:   12411 irqs/sec  kernel:97.7%  exact:  0.0% [4000Hz 
cycles],  (all, 4 CPUs)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

      6.63%  [kernel]          [k] __indirect_thunk_start
      3.29%  [kernel]          [k] igb_alloc_rx_buffers
      2.82%  [kernel]          [k] memcpy
      2.69%  [kernel]          [k] ipt_do_table
      2.03%  [kernel]          [k] fib_table_lookup
      1.89%  [kernel]          [k] __netif_receive_skb_core
      1.66%  [kernel]          [k] htb_dequeue
      1.62%  [kernel]          [k] __skb_flow_dissect
      1.56%  [kernel]          [k] igb_xmit_frame_ring
      1.45%  bird              [.] 0x0000000000006a5c
      1.41%  [kernel]          [k] __dev_queue_xmit
      1.39%  [kernel]          [k] fib_table_flush
      1.29%  [kernel]          [k] leaf_walk_rcu
      1.25%  [kernel]          [k] irq_entries_start
      1.22%  [kernel]          [k] tcp_packet

Meltdown/spectre vulnerabilities are 1) exploitable mostly by 
local-running untrusted code, and 2) just can grant read access to some 
protected memory pages (for ex., FS cache which can contain passwords).

I think that this isn't a cases which are suitable for LEAF box (which 
runs only trusted code, and which has no or almost no valuable plaintext 
data).

I disabled it via kernel options, but maybe it'll be good to disable 
these protections in kernel at build time?

Or as option, these protections may be disabled by default in kernel 
command line, with mention in documentation about this.

Any thoughts?