How to disable all CPU exploit mitigations?
-
I have some older units that are running only trusted VMs.
I'm looking to reduce as much as possible all speed impacting mitigations.
I found a stack exchange article with some info on setting kernel cmd line stuff, but I don't know what the correct way would be to apply it to XCP-ng 8.x systems.
https://unix.stackexchange.com/questions/554908/disable-spectre-and-meltdown-mitigations
What do I edit where? What commands to apply?
-
It's not enough to run trusted VMs. With one compromised VM, someone could read the memory of your other VMs and then extend their attacks to your machine. I would suggest that only a fully air-gapped setup could run without mitigations.
Anyway, you have to disable them at the Xen level, not the Linux level. See https://xenbits.xen.org/docs/unstable/misc/xen-command-line.html to find the right parameter.
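Added example, not part of the reply above and not XCP-ng's own tooling: a small POSIX shell helper that reads the active Xen command line from `xl info`, reports whether the documented Xen option `spec-ctrl=no` (which switches off all of Xen's speculative mitigations) is present, and shows what the edited line would look like. It assumes that `/opt/xensource/libexec/xen-cmdline` with `--set-xen` is available on XCP-ng 8.x as it is on XenServer, that Xen needs a reboot to pick the change up, and it uses a constructed `xl info` sample when no Xen host is present. Given the warning in the reply, the step that actually writes the setting is behind an explicit opt-in for an isolated lab host.

```shell
#!/bin/sh
# Added example (not the thread's or XCP-ng's own code).
# Assumption: /opt/xensource/libexec/xen-cmdline exists on XCP-ng 8.x and
# accepts --set-xen, as on XenServer. Xen's documented knob for turning off
# every speculative mitigation is spec-ctrl=no (xen-command-line.html).

XEN_CMDLINE_TOOL=/opt/xensource/libexec/xen-cmdline   # assumed path

# Pull the running Xen command line out of `xl info` output given on stdin.
# Reading stdin lets the same function work on a captured sample offline.
xen_cmdline_from_xl_info() {
    sed -n 's/^xen_commandline *: //p'
}

# Print "disabled" if the command line carries spec-ctrl=no, else "enabled".
# Note that spec-ctrl=no-xen (Xen-only) does not count as fully disabled.
spec_ctrl_state() {
    case " $1 " in
        *" spec-ctrl=no "*) echo disabled ;;
        *)                  echo enabled ;;
    esac
}

# Return the command line with spec-ctrl=no appended (idempotent), so the
# operator can see exactly what would be written before touching the host.
with_spec_ctrl_disabled() {
    if [ "$(spec_ctrl_state "$1")" = disabled ]; then
        printf '%s\n' "$1"
    else
        printf '%s spec-ctrl=no\n' "$1"
    fi
}

# Constructed sample of `xl info` output, used when no Xen host is present.
SAMPLE_XL_INFO='host                   : xcp-lab
xen_version            : 4.13
xen_commandline        : dom0_mem=4096M,max:4096M watchdog dom0_max_vcpus=1-4 console=vga vga=mode-0x0311'

if command -v xl >/dev/null 2>&1; then
    current=$(xl info | xen_cmdline_from_xl_info)
else
    current=$(printf '%s\n' "$SAMPLE_XL_INFO" | xen_cmdline_from_xl_info)
fi

echo "current Xen command line: $current"
echo "speculative mitigations:  $(spec_ctrl_state "$current")"
echo "would become:             $(with_spec_ctrl_disabled "$current")"

# Only apply on an isolated lab host, and only when explicitly asked.
# Xen reports what it actually enabled at boot:
#   xl dmesg | grep -A8 'Speculative mitigation'
if [ "${I_UNDERSTAND_THIS_IS_AIR_GAPPED:-no}" = yes ] && [ -x "$XEN_CMDLINE_TOOL" ]; then
    "$XEN_CMDLINE_TOOL" --set-xen spec-ctrl=no    # assumed xen-cmdline syntax
    echo "spec-ctrl=no written; reboot for Xen to pick it up"
fi
```

Run it as-is to see the current state; set `I_UNDERSTAND_THIS_IS_AIR_GAPPED=yes` only on a host that matches the reply's air-gap condition, then reboot and check `xl dmesg` to confirm what Xen actually disabled.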
-
I second what @olivierlambert says here: you really should NOT disable them. These mitigations are in place for a reason and should be left in place regardless of how trusted or untrusted the environment is.
If this is a production system, I would also note that you really shouldn't disable them; it could be considered negligence in the event of a security incident.