From: Andrew <ni...@se...> - 2019-01-24 16:15:11
Hi all. I upgraded one of the BRASes to fresh LEAF 6.2, and I saw that a lot of CPU time is wasted by Spectre v2 protection:

   PerfTop:   12411 irqs/sec  kernel:97.7%  exact:  0.0% [4000Hz cycles],  (all, 4 CPUs)
   ---------------------------------------------------------------------------------------

        6.63%  [kernel]  [k] __indirect_thunk_start
        3.29%  [kernel]  [k] igb_alloc_rx_buffers
        2.82%  [kernel]  [k] memcpy
        2.69%  [kernel]  [k] ipt_do_table
        2.03%  [kernel]  [k] fib_table_lookup
        1.89%  [kernel]  [k] __netif_receive_skb_core
        1.66%  [kernel]  [k] htb_dequeue
        1.62%  [kernel]  [k] __skb_flow_dissect
        1.56%  [kernel]  [k] igb_xmit_frame_ring
        1.45%  bird      [.] 0x0000000000006a5c
        1.41%  [kernel]  [k] __dev_queue_xmit
        1.39%  [kernel]  [k] fib_table_flush
        1.29%  [kernel]  [k] leaf_walk_rcu
        1.25%  [kernel]  [k] irq_entries_start
        1.22%  [kernel]  [k] tcp_packet

Meltdown/Spectre vulnerabilities are 1) exploitable mostly by locally running untrusted code, and 2) can just grant read access to some protected memory pages (for example, the FS cache, which can contain passwords). I think these aren't cases which are suitable for a LEAF box (which runs only trusted code, and which has no or almost no valuable plaintext data).

I disabled it via kernel options, but maybe it would be good to disable these protections in the kernel at build time? Or, as an option, these protections could be disabled by default on the kernel command line, with a mention of this in the documentation.

Any thoughts?
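Before deciding whether a box should run with these mitigations off, it helps to see exactly which ones the running kernel applies. The following is an added example, not part of Andrew's post or the LEAF project: a small POSIX shell audit that reads the mainline kernel's sysfs interface under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, containing "Not affected", "Mitigation: ...", or "Vulnerable..."), classifies each entry, and checks whether the kernel command line carries one of the real parameters that turn the mitigations off (nospectre_v2, spectre_v2=off, mitigations=off). The SAMPLE_STATUS text is a constructed stand-in for that directory so the script also runs on a machine where sysfs is absent.

```shell
#!/bin/sh
# Added example (not from the original post): audit which CPU vulnerability
# mitigations a kernel currently applies and whether boot options disabled them.

# Constructed sample of /sys/devices/system/cpu/vulnerabilities/* contents,
# formatted as "name: status" lines, so the functions can be exercised offline.
SAMPLE_STATUS='meltdown: Mitigation: PTI
spectre_v1: Mitigation: __user pointer sanitization
spectre_v2: Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
spec_store_bypass: Vulnerable
l1tf: Mitigation: PTE Inversion'

# Emit "name: status" lines from the live sysfs directory (empty if absent).
read_live_status() {
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Read "name: status" lines on stdin and emit "name=<state>" lines, where
# state is mitigated, vulnerable, not_affected or unknown.
classify_status() {
    while IFS= read -r line; do
        name=${line%%:*}        # text before the first colon
        rest=${line#*: }        # text after the first ": "
        case "$rest" in
            "Not affected"*) state=not_affected ;;
            Mitigation:*)    state=mitigated ;;
            Vulnerable*)     state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s=%s\n' "$name" "$state"
    done
}

# Count classified entries on stdin whose state is "vulnerable".
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
count_vulnerable() {
    grep -c '=vulnerable$' || true
}

# Return 0 if the kernel command line given as $1 contains a parameter that
# switches off Spectre v2 or all mitigations; 1 otherwise.
cmdline_disables_mitigations() {
    case " $1 " in
        *" nospectre_v2 "*|*" spectre_v2=off "*|*" mitigations=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Convenience wrapper over the constructed sample; returns the count on stdout.
sample_vulnerable_count() {
    printf '%s\n' "$SAMPLE_STATUS" | classify_status | count_vulnerable
}

# Stand-alone run: prefer live data, fall back to the constructed sample.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    read_live_status | classify_status
else
    printf '%s\n' "$SAMPLE_STATUS" | classify_status
fi
if [ -r /proc/cmdline ] && cmdline_disables_mitigations "$(cat /proc/cmdline)"; then
    echo "note: kernel command line disables Spectre/Meltdown mitigations"
fi
```

On the sample data the script reports spectre_v2 as mitigated (this is the retpoline path whose __indirect_thunk_start symbol shows up in the perf output above) and spec_store_bypass as vulnerable; on a real box the live sysfs files replace the sample, so the same functions give an inventory that can be recorded before and after changing kernel options.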