Closed deathtrip closed 4 years ago
Given that the "default" command line is whatever CONFIG_CMDLINE is set to at build time, that's more of an issue with whatever compiled package you're using, no? Still, sure, currently on Arch the pti option is set to "on" by default, but as long as the kernel isn't built with CONFIG_CMDLINE_OVERRIDE enabled, it should be possible to override that by supplying an additional option to the bootloader, like pti=off.
Checking the output of $ cat /sys/devices/system/cpu/vulnerabilities/meltdown should then tell if the mitigation is enabled or not.
I tried adding nopti to the grub command line, and had both pti=on and nopti in the kernel command line. Then checked PTI status, and it was still enabled.
So you cannot override it because the option compiled into the kernel seems to take precedence.
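The precedence observed above follows from how the x86 kernel assembles and scans its command line. The following is an added example, not code from this thread or from the kernel: a small C model of that logic as I understand it. Without CONFIG_CMDLINE_OVERRIDE the bootloader's string is appended after the built-in CONFIG_CMDLINE string; the option scanner returns the first match for pti=; and pti= is consulted before nopti. The sample command lines and the cpu_has_meltdown_bug flag are constructed inputs, and the helper names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example: a simplified model of the x86 boot-time handling of
 * pti= / nopti. It mirrors kernel behaviour as understood by the author
 * of this example (first match wins, pti= checked before nopti); it is
 * not kernel code. */

#define CMDLINE_SIZE 2048

/* Assemble the effective command line: with CONFIG_CMDLINE_OVERRIDE the
 * built-in string replaces the bootloader's; otherwise the bootloader's
 * string is appended *after* the built-in one. */
static void effective_cmdline(char *out, size_t outsz,
                              const char *builtin, const char *bootloader,
                              int override)
{
    if (override)
        snprintf(out, outsz, "%s", builtin);
    else if (builtin && builtin[0])
        snprintf(out, outsz, "%s %s", builtin, bootloader);
    else
        snprintf(out, outsz, "%s", bootloader);
}

/* Does the word at p equal s exactly (terminated by space or NUL)? */
static int word_is(const char *p, const char *s)
{
    size_t n = strlen(s);
    return strncmp(p, s, n) == 0 && (p[n] == '\0' || isspace((unsigned char)p[n]));
}

/* First whitespace-delimited match wins, like cmdline_find_option*().
 * want_value: look for "opt=value" and return a pointer to value;
 * otherwise look for the bare word opt and return a pointer to it. */
static const char *find_word(const char *cmdline, const char *opt, int want_value)
{
    size_t optlen = strlen(opt);
    const char *p = cmdline;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        size_t wlen = (size_t)(p - start);
        if (want_value) {
            if (wlen > optlen && strncmp(start, opt, optlen) == 0 && start[optlen] == '=')
                return start + optlen + 1;
        } else if (wlen == optlen && strncmp(start, opt, optlen) == 0) {
            return start;
        }
    }
    return NULL;
}

/* Order of checks modelled on pti_check_boottime_disable():
 * pti=off / pti=on / pti=auto first, then nopti, then autoselection,
 * which enables PTI only on CPUs flagged as affected by Meltdown. */
static int pti_enabled(const char *cmdline, int cpu_has_meltdown_bug)
{
    const char *val = find_word(cmdline, "pti", 1);
    if (val) {
        if (word_is(val, "off"))  return 0;
        if (word_is(val, "on"))   return 1;
        if (word_is(val, "auto")) return cpu_has_meltdown_bug;
        /* unrecognised value: fall through to the nopti check */
    }
    if (find_word(cmdline, "nopti", 0))
        return 0;
    return cpu_has_meltdown_bug;
}

/* Convenience: merge built-in and bootloader strings, then decide. */
static int pti_after_merge(const char *builtin, const char *bootloader,
                           int override, int cpu_has_meltdown_bug)
{
    char cmd[CMDLINE_SIZE];
    effective_cmdline(cmd, sizeof cmd, builtin, bootloader, override);
    return pti_enabled(cmd, cpu_has_meltdown_bug);
}

int main(void)
{
    /* Constructed scenarios; "pti=on" stands for a hardened config's
     * CONFIG_CMDLINE, the second string for what GRUB passes. */
    printf("built-in pti=on, GRUB adds nopti   -> PTI %s\n",
           pti_after_merge("pti=on", "root=/dev/sda2 rw nopti", 0, 0) ? "on" : "off");
    printf("built-in pti=on, GRUB adds pti=off -> PTI %s\n",
           pti_after_merge("pti=on", "root=/dev/sda2 rw pti=off", 0, 0) ? "on" : "off");
    printf("no built-in option, AMD-style CPU  -> PTI %s\n",
           pti_after_merge("", "root=/dev/sda2 rw", 0, 0) ? "on" : "off");
    printf("no built-in option, Meltdown CPU   -> PTI %s\n",
           pti_after_merge("", "root=/dev/sda2 rw", 0, 1) ? "on" : "off");
    return 0;
}
```

On a live system /proc/cmdline shows the merged line with the built-in part first, which is why both pti=on and nopti appear together in the report above. Note also that the meltdown entry under /sys/devices/system/cpu/vulnerabilities/ reports the CPU's Meltdown status, so on a CPU the kernel considers unaffected it reads "Not affected" whether or not PTI is active; the pti flag in /proc/cpuinfo reflects whether the feature was actually enabled.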
The git link you gave is for the hardened kernel, not the stock one. On the stock kernel it's disabled, as linux by default excludes AMD users from PTI.
cat /sys/devices/system/cpu/vulnerabilities/meltdown gives me a Not affected, regardless of whether PTI is on or off.
This is a downstream choice in the Kconfig file, please report it to the distro's bug tracker.
PTI isn't just to mitigate meltdown. It also prevents many KASLR bypasses which AMD is affected by.
But the performance impact can be pretty big, so it's better to let the user decide if they want it. Anyway, I'm gonna file an issue in the arch bug tracker.
linux-hardened isn't a performance-oriented kernel. It's focused on security. Plenty of other hardening options linux-hardened enables have large performance impacts too.
Currently the kernel-hardened command line forces pti=on on all users with no way to disable it. As the performance impact can be significant, and the benefit for AMD users is negligible, it would be wise to not enable it by default. AMD users who want it anyway can enable it manually, and for Intel it's on anyway.