Are CPU Security Mitigations turned up to 11 good for everyone or is it too much?

I have been doing some thinking, soul searching, whatever, and have decided I need to revisit some of my security decisions. I am all about making sure that I keep my systems safe but I am starting to question the numbers of tinfoil hats I have been wearing. I recently watched this video on YouTube by Red Robbo:

Looked at the documentation concerning this on SUSE.com

https://www.suse.com/support/kb/doc/?id=7023836

ACTUALLY read through the CVEs and decided that I would turn the mitigations off on my laptop, NOT my server. If you look at the wording of the reports, it is littered with “Local attacker”, “In theory”, “…a possible approach”, “could be made to leak”.

I have decided to write a bit about it here.

What do you think? I have historically been a security nut but maybe I have a few too many deadbolts on my doors and I have ripped a few off. I could be very wrong and I really want to hear what the community thinks of this.

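Before deciding either way, it helps to look at what the kernel itself reports. Linux exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/, and the boot parameter in effect is visible in /proc/cmdline. The script below is an added example (not from this thread or from the SUSE article): it lists those status files, counts the ones reporting "Vulnerable", and extracts the `mitigations=` value from a command line. The sample directory and the sample command line it builds are constructed for offline use; on a real system call `list_cpu_vulns` with no argument and pass `"$(cat /proc/cmdline)"` to `mitigations_setting`.

```shell
#!/bin/sh
# Added example: summarize the kernel's per-vulnerability status files so a
# change such as mitigations=off can be verified after reboot. The sysfs path
# and the "Not affected" / "Vulnerable" / "Mitigation: ..." wording are the
# kernel's own; everything else here is constructed for the demo.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "name<TAB>status" for each status file in the directory.
list_cpu_vulns() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries whose status starts with "Vulnerable" (no mitigation active).
count_unmitigated() {
    list_cpu_vulns "$1" | awk -F'\t' '$2 ~ /^Vulnerable/ {n++} END {print n+0}'
}

# Return the value of mitigations= from a kernel command line string.
# The kernel treats an absent parameter as "auto".
mitigations_setting() {
    for tok in $1; do
        case "$tok" in
            mitigations=*) printf '%s\n' "${tok#mitigations=}"; return 0 ;;
        esac
    done
    printf 'auto\n'
}

# Build a constructed directory that mimics the sysfs layout (demo data only).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/l1tf"
    printf 'Vulnerable: __user pointer sanitization only\n' > "$d/spectre_v1"
    printf '%s\n' "$d"
}

# Stand-alone run: report on the constructed sample, then on the live system
# if the sysfs directory exists.
SAMPLE=$(make_sample_dir)
echo "Sample directory ($SAMPLE):"
list_cpu_vulns "$SAMPLE"
echo "Unmitigated in sample: $(count_unmitigated "$SAMPLE")"
echo "Sample cmdline setting: $(mitigations_setting 'BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 mitigations=off quiet')"
if [ -d "$VULN_DIR" ]; then
    echo "Live system:"
    list_cpu_vulns
    echo "Unmitigated live: $(count_unmitigated)"
    echo "Live cmdline setting: $(mitigations_setting "$(cat /proc/cmdline)")"
fi
```

Run it once with the stock settings and once after changing the boot parameter; the difference in the "Vulnerable" count is the concrete thing you are trading for the performance gain, and a laptop that only ever runs trusted local software reads that list very differently from a virtualization host.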

Interesting, as I found this option weeks ago and decided to turn Mitigations off. I do not feel unprotected at all,

and like you I am not sure of the benefit. But then my CPU is AMD and I do believe it was less affected than Intel.

Regards Zeb…
Be Kind Whenever Possible… It is Always Possible - Dalai Lama

Linux User #565092
x64 Desktop - AMD Threadripper 2950X - 64Gb RAM - NVIDIA RTX2080Ti 11Gb - 2 x 27" 4k 3840x2160 - 1 x 34" 5120x2160
x64 Laptop - i7-7700HQ @ 2.80GHz - 8Gb RAM - Nvidia GTX1050 4Gb - 15.6" HD 1920x1080


I tend to leave the mitigations as they come with my distro. Haven’t noticed performance issues since they went into the kernel.


I need to see about doing some stress testing to see the differences. I think for the most part, these mitigations are meant for server and virtualization loads but that is the speculation of someone that does very little of each.

Maybe someone like @jdu might know - I know Jon is heavily into Server type stuff :)

Regards Zeb…


For desktops at home that have zero chance of people actually attacking them, I would say you are perfectly safe in the choice you have made.

For servers sitting in a data center, one has to make the choice based on the server role.


Thank you and that’s good to know. I am not a data center / server type but I now appreciate SUSE allowing me to tune my security mitigations. Even more so now that you have given your assessment. Do you know if this is an option in other distributions by default?

I have never seen it, or if it’s there, so easily found, in ANY other distribution.

Regards Zeb…


Most of the CPU security issues require a local attacker, which, as I always say, means that if the attacker is local, that CPU security issue is the least of your problems.