Today we see how to disable the patches produced by Intel with a simple change to the Grub configuration file.
These patches are going to have a huge impact on the original performance of Intel CPUs. Regardless of your risk appetite, I highly recommend that you follow this guide only if you are fully comfortable working with the operating system. Do you use your PC just for gaming and don't want to give up performance? This is a typical case where the patches can be waived at the cost of being exposed to these vulnerabilities.
As a first step, we need to find out which version of the Linux kernel we are using. To do this, just type in the terminal:
cat /proc/version
Now the procedure differs depending on the kernel version our distribution ships. If we are using version 5.1.13 or later, and we are on Debian or a derivative, we need to edit the Grub configuration file, which we will find at the following path:
sudo nano /etc/default/grub
If instead we are on CentOS or RedHat, we will have to use the path /etc/sysconfig/grub. We then modify this line, adding the parameter to any values already present, and save:
GRUB_CMDLINE_LINUX="mitigations=off"
If, after checking the kernel version in use, we find that we are running a version of Linux prior to 5.1.13, we have to modify the Grub configuration as follows:
GRUB_CMDLINE_LINUX="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
Next, to actually restore the performance of Intel processors, we regenerate the Grub configuration and restart the system with the following commands:
sudo update-grub # on Debian and derivatives
sudo grub2-mkconfig -o /boot/grub2/grub.cfg # on RedHat and derivatives; without -o the result is only printed, not written
sudo reboot
Let's check if the patches for Meltdown and Spectre are disabled
To be sure that the change was successful, once the system has restarted, we use a tool that performs this check for us. On Debian-based distros, we install it with the following command:
sudo apt install spectre-meltdown-checker
On RedHat and derivatives instead:
sudo yum install epel-release
sudo yum install spectre-meltdown-checker
sudo dnf install spectre-meltdown-checker # specific to Fedora
Then we call the command with administrator privileges from the terminal. If the output is like the following, we will have successfully made the change, and then restored the performance of our Intel processor:
[...]
> STATUS: VULNERABLE (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)
[...]
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
[...]
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
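As a cross-check that is an added example and not part of the original article, the kernel reports the same state itself under /sys/devices/system/cpu/vulnerabilities/, and the parameters of the current boot are in /proc/cmdline. The function names and the sample directory below are made up for this sketch, and the status strings in the sample are constructed.

```shell
#!/bin/sh
# Added example, not the article's code: report which mitigations are off.
# Kernel parameters this article puts in GRUB_CMDLINE_LINUX.
PARAMS="mitigations=off noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off"

# Print each of those parameters that appears in the command line given as $1.
cmdline_disablers() {
    set -f                                  # no globbing while splitting $1
    for word in $1; do
        case " $PARAMS " in
            *" $word "*) printf '%s\n' "$word" ;;
        esac
    done
    set +f
}

# Print "name: status" for every entry in directory $1 whose status starts
# with "Vulnerable"; "Mitigation: ..." and "Not affected" are skipped.
vulnerable_entries() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=; read -r status < "$f" || true   # tolerate a missing final newline
        case $status in
            Vulnerable*) printf '%s: %s\n' "${f##*/}" "$status" ;;
        esac
    done
}

# Constructed sample directory, so the script also runs where sysfs is absent.
make_sample() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers\n' > "$d/spectre_v1"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    printf 'Not affected\n' > "$d/tsx_async_abort"
    printf '%s\n' "$d"
}

SYSFS=/sys/devices/system/cpu/vulnerabilities
if [ -d "$SYSFS" ] && [ -r /proc/cmdline ]; then
    echo "Parameters from the article on this boot:"
    cmdline_disablers "$(cat /proc/cmdline)"
    echo "Entries reporting Vulnerable:"
    vulnerable_entries "$SYSFS"
else
    sample=$(make_sample)
    echo "No sysfs interface here; constructed sample:"
    vulnerable_entries "$sample"
    rm -rf "$sample"
fi
```

The same script is useful in the other direction: an empty "Entries reporting Vulnerable" list after removing the parameters and rebooting confirms the mitigations are active again.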