1. 6

  2. 5

    I disabled the mitigations only to benchmark them (compiling a Rust library and parallel gzip compression) and it got slower not faster: https://gist.github.com/klingtnet/f7c9e051092715f6fa06710905e62736

    1. 3

      I recently upgraded my daily driver from xubuntu 14.04 to fully patched 18.04 and it’s been noticeably slower. Never occurred to me until just now these mitigations might be the reason.

      1. 2

        Just don’t do this on any computer which ever runs untrusted code.

        Especially don’t do it if you browse the web on such a computer with JavaScript turned on.

        1. 2

          Yes! Forgot to add the satire tag. Added. :-)

          1. 1

            I have computers that don’t ever run JavaScript. I’m bookmarking this. I haven’t heard of most of these arguments… Did the author miss any?

            The idea could be expanded to include gcc flags, right?

            1. 1

              I would suggest not and just trust the kernel maintainers. There may be very specific reasons for why the kernel is optimized the way it is. Sometimes over optimization actually introduces security vulns because compilers get too smart for their own good.

              1. 1

                Oh, let me try again.

                The kernel command line arguments shown in this post appear to deliberately disable important security features in favor of performance. (Are none of these ‘free’ to enable? I don’t know how much work the author put into selecting this specific list.)

                Just for fun, using a computer disconnected from the internet… Can we push this idea further?

                Are the binaries in popular contemporary Linux distros compiled with compiler options that favor security over performance? That is, are there compile-time choices we can make to favor performance over security?

                I’d like to imagine this line of thought could actually be meaningful in some hypothetical situation. Like using old hardware to play HD video (on a machine not connected to the internet) or something.

                1. 1

                  Sure, link everything into the kernel and avoid syscall and context switch overhead.

                  1. 1

                    That sounds good. As I understand it, context switches are very expensive.

                    But, that’s a lot more work than changing some parameters, right? What would a utility like grep even look like after ‘linking everything into the kernel’?

                    tedu, are you talking about putting a bunch of kernel into a grep binary, or putting a bunch of grep application into the kernel?

                    (This line of conversation would rightly be classified as a thought experiment, right?)

                    1. 1

                      (This line of conversation would rightly be classified as a thought experiment, right?)

                      I suspect it would be classified as trolling.

                      But having a unibinary system would be fascinating, offer very little by way of runtime customization (let alone programming any compiled language), and have miserable separation between user accounts (if you maintain a mostly POSIX compatible interface).

                      1. 2

                        Unibinary. Ok, so, we’re talking about putting the functionality of applications into the kernel. Yes, the downsides you describe make sense. Though, customization is still possible through self-modification.

                        …I’m certainly not trying to have any kind of negative impact on anyone. I am, I’ll admit, trying to get something out of folks. I want to know how computers work. Actually, I guess I want to know how compilers work, in practice. I seem to know how compilers work in theory.

                        Moreover, I have believed for some time that my various CPUs spend a lot of time and heat on tasks that are somehow adjacent to whatever task I ask of them. More and more I am biased towards leaner systems that do less.

            2. 1

              That’s computer, right? How much of that command line even applies to my Intel-free devices?

              1. 2

                The spectre mitigations apply to everyone that does branch prediction.
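A quick way to see which of these mitigations a running Linux kernel actually has on or off, regardless of CPU vendor, is the per-issue files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (each reads "Not affected", "Vulnerable" or "Mitigation: ..."). The script below is an added example and is not from any commenter or the linked gist; the sample directory it builds is constructed, not real hardware output.

```shell
#!/bin/sh
# Report the kernel's own view of CPU vulnerability mitigations.
# The directory is a parameter so the same function can run over the live
# sysfs tree or over a constructed copy (used below for a self-check).

# report_mitigations DIR
# Prints one line per entry; returns 1 if any entry reports "Vulnerable", else 0.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-22s %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# count_vulnerable DIR: number of entries whose status starts with "Vulnerable".
count_vulnerable() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample (not real hardware output): a host where the spectre_v2
# mitigation has been switched off on the kernel command line.
make_sample() {
    d=$(mktemp -d)
    echo "Not affected" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: report on the constructed sample and warn if anything is open.
sample=$(make_sample)
report_mitigations "$sample" || echo "WARNING: at least one mitigation is disabled"
rm -rf "$sample"
```

Run `report_mitigations` with no argument to check the live kernel; any "Vulnerable" line on a machine that runs untrusted code, including a browser with JavaScript, is the case the comments above warn about.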