Disabling speculative execution mitigations
O'Connor, Daniel
darius at dons.net.au
Sat Dec 7 03:54:22 UTC 2019
> On 7 Dec 2019, at 00:52, Konstantin Belousov <kostikbel at gmail.com> wrote:
>
> On Fri, Dec 06, 2019 at 03:51:04PM +1030, O'Connor, Daniel wrote:
>> Hi,
>> I am trying to track down a performance drop with the ASPEED xorg video driver between FreeBSD 11 and 12 (I'm not expecting miracles from it but it was basically unusable..)
>>
>> I wondered if some of the speculative execution mitigations could be causing the problem so I did some digging and found these..
>>
>> vm.pmap.pti="0" # Disable page table isolation
>> hw.ibrs_disable="1" # Disable Indirect Branch Restricted Speculation
> This line enables IBRS.
Oops, thanks.
>> hw.mds_disable="0" # Disable Microarchitectural Data Sampling flush
>> hw.vmm.vmx="1" # Don't flush RSB on vmexit (presumably only affects bhyve etc)
> I have no idea what this line should configure.
It should have been..
hw.vmm.vmx.no_flush_rsb="1"
Not that it would affect my test system since I'm not use vmm.ko
>> hw.lazy_fpu_switch="1" # Lazily flush FPU
>>
>> Does anyone know of any others?
> Did you read security(7) (on HEAD)?
Nope, I didn't even know it existed.
Basically, I went through the MFCs listed at https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities and looked for tuneables and sysctls.
With respect to the man page, I find it difficult to know what a given value for each sysctl will do, as evidenced by my confusion above about IBRS.
--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
More information about the freebsd-stable
mailing list