@jfeilbach
Last active February 8, 2024 10:06
Make Linux fast

In /etc/default/grub, modify:

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off 

Then sudo update-grub

From https://make-linux-fast-again.com/. This domain does not seem to be maintained any longer.
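
A defender's check for the parameters listed above, as an added example that is not part of the gist: it reports which of them appear on a kernel command line and which entries under `/sys/devices/system/cpu/vulnerabilities` the kernel reports as vulnerable. The function names and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Parameters from the list above. All but tsx=on switch a mitigation off;
# tsx=on re-enables TSX, which tsx_async_abort=off then leaves unmitigated.
WEAKENING="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off
nospec_store_bypass_disable no_stf_barrier mds=off tsx=on
tsx_async_abort=off mitigations=off"

# Print each listed parameter found on a kernel command line, one per line.
# $1: command line string (defaults to the running kernel's /proc/cmdline).
# The body runs in a subshell so set -f (no globbing) does not leak out.
flag_cmdline() (
    set -f
    cmdline=${1-$(cat /proc/cmdline)}
    for arg in $cmdline; do
        for bad in $WEAKENING; do
            # Exact match only: mitigations=auto must not be flagged.
            if [ "$arg" = "$bad" ]; then
                printf '%s\n' "$arg"
            fi
        done
    done
)

# Print "name: status" for every issue the kernel reports as vulnerable.
# $1: directory to read (defaults to the kernel's sysfs directory).
vulnerable_entries() (
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            Vulnerable*) printf '%s: %s\n' "${f##*/}" "$status" ;;
        esac
    done
)

# Constructed sample command line (not taken from a real host).
SAMPLE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti mds=off mitigations=off'
flag_cmdline "$SAMPLE"
```

Called without arguments, both functions inspect the running host; empty output from both means none of the listed parameters is set and no issue is reported as vulnerable.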

eugrus commented Mar 21, 2023

Here are some explanations from ChatGPT:

These kernel parameters are related to security and performance mitigations that can be enabled or disabled in the Linux kernel. Here is a brief explanation of each of them:

noibrs: Disables the Indirect Branch Restricted Speculation (IBRS) feature, which is a hardware mitigation for Spectre variant 2 (CVE-2017-5715). Disabling this feature can improve performance, but it can also make the system more vulnerable to Spectre variant 2 attacks.

noibpb: Disables the Indirect Branch Predictor Barrier (IBPB) feature, which is a software mitigation for Spectre variant 2. Disabling this feature can improve performance, but it can also make the system more vulnerable to Spectre variant 2 attacks.

nopti: Disables the Kernel Page Table Isolation (KPTI) feature, which is a software mitigation for Meltdown (CVE-2017-5754). Disabling this feature can improve performance, but it can also make the system more vulnerable to Meltdown attacks.

nospectre_v2: Disables all mitigations for Spectre variant 2, including IBRS and IBPB. This can significantly improve performance, but it can also make the system more vulnerable to Spectre variant 2 attacks.

nospectre_v1: Disables all mitigations for Spectre variant 1 (CVE-2017-5753). This can improve performance, but it can also make the system more vulnerable to Spectre variant 1 attacks.

l1tf=off: Disables the L1 Terminal Fault (L1TF) mitigation, which is a hardware mitigation for L1TF (CVE-2018-3620 and CVE-2018-3646). Disabling this feature can improve performance, but it can also make the system more vulnerable to L1TF attacks.

nospec_store_bypass_disable: Disables the Speculative Store Bypass Disable (SSBD) feature, which is a hardware mitigation for Spectre variant 4 (CVE-2018-3639). Disabling this feature can improve performance, but it can also make the system more vulnerable to Spectre variant 4 attacks.

no_stf_barrier: Disables the Single Thread Indirect Branch Predictors (STIBP) feature, which is a hardware mitigation for Spectre variant 2. Disabling this feature can improve performance, but it can also make the system more vulnerable to Spectre variant 2 attacks.

mds=off: Disables the Microarchitectural Data Sampling (MDS) mitigation, which is a hardware mitigation for MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091). Disabling this feature can improve performance, but it can also make the system more vulnerable to MDS attacks.

tsx=on: Enables Intel Transactional Synchronization Extensions (TSX), which can improve performance for certain workloads that use transactional memory.

tsx_async_abort=off: Disables the TSX Asynchronous Abort (TAA) mitigation, which is a hardware mitigation for TAA (CVE-2019-11135). Disabling this feature can improve performance, but it can also make the system more vulnerable to TAA attacks.

mitigations=off: Disables all security mitigations. This can significantly improve performance, but it can also make the system very vulnerable to security attacks.

It's worth noting that disabling security mitigations can significantly increase the risk of security attacks on the system, so it's important to understand the potential risks before using these kernel parameters.

kkm000 commented Sep 13, 2023

mitigations=off is all you need. The setting turns off all mitigations that can be turned off. Repeating a long and, by the way, very obsolete list of individual vulnerability mitigation options is entirely unnecessary.

The kernel parameters are documented in kernel sources /Documentation/admin-guide/kernel-parameters.txt, and also included as plain text in the kernel documentation page: https://www.kernel.org/doc/html/v6.2/admin-guide/kernel-parameters.html. Search for mitigations=, and read the list of mitigations that are turned off by this option. Replace v6.2 with your kernel version; https://www.kernel.org/doc/html/ lists all available versions. The part /admin-guide/kernel-parameters.html never changes.