    How to disable all CPU exploit mitigations?

      michael-newsrx

      I have some older units that are running only trusted VMs.

      I'm looking to reduce as much as possible all speed-impacting mitigations.

      I found a Stack Exchange article with some info on setting kernel cmd line stuff, but I don't know what the correct way would be to apply it to XCP-ng 8.x systems.

      https://unix.stackexchange.com/questions/554908/disable-spectre-and-meltdown-mitigations

      What do I edit where? What commands to apply?

        olivierlambert Vates 🪐 Co-Founder CEO

        It's not enough to run trusted VMs. With one compromised VM, someone could read the memory of your other VMs and then extend their attacks on your machine. I would suggest that only a fully air-gapped setup could use no mitigations.

        Anyway, you have to disable them at the Xen level, not the Linux level. See https://xenbits.xen.org/docs/unstable/misc/xen-command-line.html to find the right parameter.

          planedrop Top contributor

          I second what @olivierlambert says here: you really should NOT disable them. These mitigations are in place for a reason and should be left in place regardless of how trusted or untrusted an environment it is.

          If this is a production system I would also note that you really shouldn't disable them; it could be considered negligence in the event of a security incident.
