Linux kernel gets new option to disable Spectre solutions

Security researchers found vulnerabilities in processors in early 2018, which were given the name Spectre. Various solutions have now been rolled out for this, but they also appear to result in significantly lower performance in Linux systems. Now an option to disable the solutions has been added, reports ZDNet.

In several benchmarks it became clear that Linux 4.20 suffers a substantial performance loss from the solutions for Spectre. For example, Phoronix’ test results showed that an Intel Core i9-7980XE takes 1.28 times longer in the Rodinia 2.4 heterogeneous compute benchmark suite since the Linux 4.20 kernel. And the DaCapo benchmark shows a drop of almost 50 percent.

Several system and network administrators have asked the Linux project in the past year for options to disable the protections. Many argue that the threat is theoretical and easy to control with good perimeter protections. Even Linus Torvalds asked for a delay in the deployment of some solutions that reduce performance.

Options

The team behind the Linux kernel has responded positively to this and is gradually rolling out options to disable some of the problematic solutions. For example, since Linux Kernel 4.15 it is possible to disable the built-in solutions for Spectre v2 vulnerability with the “nospectre_v2” kernel command line parameter.

However, system administrators also wanted a way to make sure the solutions are not active at all, so three new parameters have been added in recent kernel releases. The most recent of these is the PR_SPEC_DISABLE_NOEXEC control added to the kernel.

This option prevents child processes from starting in a state in which the protections for Spectre v4 are still activated, even though they are deactivated in the parent process. Experts argue that some processes don’t need Spectre solutions and that the impact on performance is more important than the impact on security, especially in closed systems where malicious code cannot be introduced.
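The control described above is set per process through prctl(2). The following is an added example, not code from the article or the kernel project: it assumes a Linux system whose kernel exposes PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL, queries the calling process's Spectre v4 (speculative store bypass) state, requests PR_SPEC_DISABLE_NOEXEC, and decodes the result. The state labels are this example's own wording; the constant values are the kernel's uapi values.

```c
/* Added example (not from the article or the kernel): per-process
 * Spectre v4 control via prctl(2) on Linux 5.1+ kernels. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for older headers; values copied from include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)   /* added in Linux 5.1 */
#endif

/* Translate the bitmask PR_GET_SPECULATION_CTRL returns into a label. */
const char *ssb_state_name(long state) {
    if (state < 0)                       return "query failed";
    if (state == PR_SPEC_NOT_AFFECTED)   return "not affected";
    if (!(state & PR_SPEC_PRCTL))        return "fixed by boot-time policy";
    if (state & PR_SPEC_FORCE_DISABLE)   return "mitigated (cannot be undone)";
    if (state & PR_SPEC_DISABLE_NOEXEC)  return "mitigated until execve()";
    if (state & PR_SPEC_DISABLE)         return "mitigated (inherited by children)";
    if (state & PR_SPEC_ENABLE)          return "unmitigated";
    return "unknown";
}

/* Current SSB state of the calling thread, or -errno on failure. */
long ssb_query(void) {
    long r = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
    return r < 0 ? -errno : r;
}

/* Request a new SSB state: 0 on success, -errno otherwise. -ENXIO means the
 * kernel's spec_store_bypass_disable= policy forbids per-task control. */
int ssb_set(unsigned long ctrl) {
    if (prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, ctrl, 0UL, 0UL) < 0)
        return -errno;
    return 0;
}

int main(void) {
    printf("before: %s\n", ssb_state_name(ssb_query()));
    /* Mitigate this process only; execve() clears the flag, so programs it spawns start with the default state. */
    int rc = ssb_set(PR_SPEC_DISABLE_NOEXEC);
    if (rc) fprintf(stderr, "set failed: %s\n", strerror(-rc));
    printf("after:  %s\n", ssb_state_name(ssb_query()));
    return 0;
}
```

On a kernel booted with a system-wide Spectre v4 policy the set call fails with ENXIO and the query reports the boot-time state, which is the quick way to confirm which of the two mechanisms is actually in force.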

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.