From: KP K. <ka...@us...> - 2019-01-25 15:12:54
Hi Andrew;

On Do, 2019-01-24 at 17:41 +0200, Andrew wrote:
> Hi all.
>
> I upgraded one of the BRASes to fresh LEAF 6.2 - and I saw that a lot of
> CPU time is wasted by spectre v2 protection:
>
>    PerfTop:   12411 irqs/sec  kernel:97.7%  exact:  0.0% [4000Hz cycles],  (all, 4 CPUs)
> -------------------------------------------------------------------
>
>      6.63%  [kernel]  [k] __indirect_thunk_start
>      3.29%  [kernel]  [k] igb_alloc_rx_buffers
>      2.82%  [kernel]  [k] memcpy
>      2.69%  [kernel]  [k] ipt_do_table
>      2.03%  [kernel]  [k] fib_table_lookup
>      1.89%  [kernel]  [k] __netif_receive_skb_core
>      1.66%  [kernel]  [k] htb_dequeue
>      1.62%  [kernel]  [k] __skb_flow_dissect
>      1.56%  [kernel]  [k] igb_xmit_frame_ring
>      1.45%  bird      [.] 0x0000000000006a5c
>      1.41%  [kernel]  [k] __dev_queue_xmit
>      1.39%  [kernel]  [k] fib_table_flush
>      1.29%  [kernel]  [k] leaf_walk_rcu
>      1.25%  [kernel]  [k] irq_entries_start
>      1.22%  [kernel]  [k] tcp_packet
>
> Meltdown/spectre vulnerabilities are 1) exploitable mostly by
> local-running untrusted code, and 2) just can grant read access to some
> protected memory pages (for ex., FS cache which can contain passwords).
>
> I think that this isn't a case which is suitable for a LEAF box (which
> runs only trusted code, and which has no or almost no valuable plaintext
> data).

You may be right, but better safe than sorry.

> I disabled it via kernel options, but maybe it'll be good to disable
> these protections in kernel at build time?
>
> Or as option, these protections may be disabled by default in kernel
> command line, with mention in documentation about this.
>
> Any thoughts?

Yes, I prefer the last one - "disabled by default on the kernel command line, but included in the kernel, and document how to enable protection by changing the kernel command line".

Eventually the other way round - document how to disable the protection and gain some more CPU time with disabling in kernel command line, as you did?

Either of these would be fine with me. Whatever you choose, let me know what I should add to the wiki et al.

kp
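
Whichever default is chosen, the state of a running box can be checked. The following is an added example, not part of the original thread or of the LEAF project: a small shell audit that scans a kernel command line for the upstream kernel parameters that switch Spectre v2 / Meltdown (PTI) mitigations off, and reads the kernel's sysfs vulnerability report. The function names and the sample command line are constructed for illustration; `mitigations=off` is only recognised by newer kernels.

```shell
#!/bin/sh
# Added example: audit Spectre/Meltdown mitigation state on a Linux box.

# Print one line per token on a kernel command line that disables a
# mitigation. Parameter names are the upstream ones documented in the
# kernel's admin-guide/kernel-parameters.txt.
disabled_by_cmdline() {
    set -f                      # no glob expansion while word-splitting $1
    for tok in $1; do
        case "$tok" in
            nospectre_v2|spectre_v2=off) echo "spectre_v2 ($tok)" ;;
            nopti|pti=off)               echo "meltdown ($tok)" ;;
            mitigations=off)             echo "all ($tok)" ;;
        esac
    done
    set +f
}

# Print "name: status" for every file in a vulnerabilities directory
# (default: the kernel's sysfs report). Returns 1 if any entry starts
# with "Vulnerable", 0 otherwise.
report_sysfs() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        echo "$(basename "$f"): $status"
        case "$status" in Vulnerable*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample command line (not taken from the thread).
SAMPLE_CMDLINE='console=ttyS0,115200 root=/dev/sda1 nospectre_v2 nopti'
disabled_by_cmdline "$SAMPLE_CMDLINE"
```

On a live system, run `disabled_by_cmdline "$(cat /proc/cmdline)"` followed by `report_sysfs`; the sysfs report reflects what the kernel actually applied, so it is the authoritative check after changing the boot options.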