
Alibaba Cloud Linux: Disable mitigations for CPU vulnerabilities in Alibaba Cloud Linux

Last Updated: Apr 03, 2025

By default, mitigations for CPU vulnerabilities are enabled in Alibaba Cloud Linux. Because these mitigations can affect system performance, you can disable them as needed. This topic describes the CPU vulnerabilities that affect Alibaba Cloud Linux, the files that indicate the mitigation status of each vulnerability, and how to disable the mitigations.

Background information

In January 2018, Google Project Zero disclosed a new class of vulnerabilities, known as Spectre and Meltdown, that affect modern processors. Attackers may exploit these vulnerabilities to read privileged data, severely compromising system security. Spectre and Meltdown are present in most mainstream processors, including Intel, AMD, and ARM processors, and have attracted much attention since the initial disclosure. Alibaba Cloud products are inevitably affected. Mainstream operating systems, including Linux, provide software mitigations for these vulnerabilities. Since their first disclosure, Spectre and Meltdown have continued to evolve into new variants and types, and they are expected to linger for a long time.

Important
  • Spectre and Meltdown vulnerabilities exploit the speculative execution and out-of-order execution features on processor hardware that are necessary for processor performance improvement. Mitigations for Spectre and Meltdown vulnerabilities degrade CPU performance.

  • In most cases, software mitigations can only mitigate the vulnerabilities but cannot eliminate them.

Vulnerabilities

The following tables describe the CPU vulnerabilities in Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 and how to disable mitigations for the vulnerabilities in the kernel boot cmdline.

Alibaba Cloud Linux 3

x86

| Vulnerability | Mitigation status file | Default handling | How to disable the mitigation |
| --- | --- | --- | --- |
| Spectre Variant 1 (Bounds Check Bypass) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | Mitigations are enabled by default. | Mitigations are force enabled and cannot be disabled. |
| Spectre Variant 1 (swapgs) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | Mitigations are enabled by default. | Add the nospectre_v1 parameter. |
| Spectre Variant 2 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | Mitigations are enabled by default. | Add the nospectre_v2 parameter. |
| Spectre Variant 4 (Speculative Store Bypass) | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | Mitigations are enabled by the kernel based on hardware features. | Add either the nospec_store_bypass_disable or the spec_store_bypass_disable=off parameter. |
| Meltdown | /sys/devices/system/cpu/vulnerabilities/meltdown | Mitigations are enabled by default. | Add either the pti=off or the nopti parameter. |
| L1TF | /sys/devices/system/cpu/vulnerabilities/l1tf | Mitigations are enabled by default. | Add the l1tf=off parameter. |
| MDS | /sys/devices/system/cpu/vulnerabilities/mds | Mitigations are enabled by default. | Add both the mds=off and the tsx_async_abort=off parameters. |
| SRBDS | /sys/devices/system/cpu/vulnerabilities/srbds | A microcode mitigation is provided by default. | Add the srbds=off parameter. |
| MMIO Stale Data | /sys/devices/system/cpu/vulnerabilities/mmio_stale_data | Mitigations are enabled by default. | Add the mmio_stale_data=off, mds=off, and tsx_async_abort=off parameters. Note: only kernel version 5.10.134-12 and later support mmio_stale_data=off. |
| TAA | /sys/devices/system/cpu/vulnerabilities/tsx_async_abort | Mitigations are enabled by default. | Add both the tsx_async_abort=off and the mds=off parameters. |
| RETBleed | /sys/devices/system/cpu/vulnerabilities/retbleed | Mitigations are enabled by default. | Add the retbleed=off parameter. Note: only kernel version 5.10.134-12 and later support this parameter. |
| N/A | N/A | N/A | Add the mitigations=off parameter to disable all CPU vulnerability mitigations. |

ARM64

| Vulnerability | Mitigation status file | Default handling | How to disable the mitigation |
| --- | --- | --- | --- |
| Spectre Variant 1 (Bounds Check Bypass) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | Mitigations are enabled by default. | Mitigations are force enabled and cannot be disabled. |
| Spectre Variant 2 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | Mitigations are enabled by default. | Add the nospectre_v2 parameter. For more information, see the Disable mitigations for CPU vulnerabilities section of this topic. |
| Spectre Variant 2 (BHB) | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | Mitigations are enabled by default. | Add the nospectre_bhb parameter. Note: only kernel version 5.10.134-12 and later support this parameter. |
| Spectre Variant 4 (Speculative Store Bypass) | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | Mitigations are enabled by default. | Add the ssbd=force-off parameter. |
| Meltdown | /sys/devices/system/cpu/vulnerabilities/meltdown | Mitigations are enabled by default. | Add the kpti=0 parameter. |
| N/A | N/A | N/A | Add the mitigations=off parameter to disable all mitigations for CPU vulnerabilities. |

Alibaba Cloud Linux 2

| Vulnerability | Mitigation status file | Default handling | How to disable the mitigation |
| --- | --- | --- | --- |
| Spectre Variant 1 (Bounds Check Bypass) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | Mitigations are enabled by default. | Mitigations are force enabled and cannot be disabled. |
| Spectre Variant 1 (swapgs) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | Mitigations are enabled by default. | Add the nospectre_v1=off parameter. Note: only kernel version 4.19.57-15.al7 and later support this parameter. |
| Spectre Variant 2 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | Mitigations are enabled by default (spectre_v2=auto). | Add either the nospectre_v2 or the spectre_v2=off parameter. Note: only kernel version 4.19.43-13.al7 and later support these parameters. |
| Spectre Variant 4 (Speculative Store Bypass) | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | If the processor supports the Speculative Store Bypass Disable feature, mitigations are enabled by default; otherwise, all mitigations are disabled by default (spec_store_bypass_disable=auto). | Add either the spec_store_bypass_disable=off or the nospec_store_bypass_disable parameter. Note: only kernel version 4.19.43-13.al7 and later support these parameters. |
| Meltdown | /sys/devices/system/cpu/vulnerabilities/meltdown | Mitigations are enabled by default. | Add either the pti=off or the nopti parameter. Note: only kernel version 4.19.43-13.al7 and later support these parameters. |
| L1TF | /sys/devices/system/cpu/vulnerabilities/l1tf | By default, only the PTE Inversion mitigation is enabled in the guest kernel. | Add the l1tf=off parameter. Note: only kernel version 4.19.43-13.al7 and later support this parameter. |
| MDS | /sys/devices/system/cpu/vulnerabilities/mds | Mitigations are enabled by default. | Add the mds=off parameter. Note: only kernel version 4.19.43-13.al7 and later support this parameter. |
| N/A | N/A | N/A | Add the mitigations=off parameter to disable all CPU vulnerability mitigations. |

Note

Mitigation status files indicate whether the CPUs of an Alibaba Cloud Linux instance are vulnerable and which mitigations are active. Valid values in the files:

  • Not affected: The CPU is not vulnerable.

  • Vulnerable: The CPU is vulnerable, and mitigations are disabled.

  • Mitigation: The CPU is vulnerable, and mitigations are enabled.

Disable mitigations for CPU vulnerabilities

This section describes how to disable mitigations for the Spectre Variant 2 vulnerability in Alibaba Cloud Linux 3.

  1. Run the following command to add the nospectre_v2 parameter to the default kernel boot cmdline to disable mitigations for the Spectre Variant 2 vulnerability:

    sudo grubby --update-kernel=`sudo grubby --default-kernel` --args='nospectre_v2'
  2. Run the following command to restart the instance and apply the configuration:

    Warning

    Restarting an instance temporarily stops the instance, which may cause service interruption and data loss. We recommend that you back up critical data before you restart the instance and restart the instance in off-peak hours.

    sudo reboot
  3. Run the following command to view the mitigation status file for Spectre Variant 2 and check whether mitigations for the Spectre Variant 2 vulnerability are disabled:

    cd /sys/devices/system/cpu/vulnerabilities/
    for i in `ls`;do echo -n $i": ";cat $i;done

    The output lists one line per status file. A line that reads spectre_v2: Vulnerable indicates that mitigations for the Spectre Variant 2 vulnerability are disabled.
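As an added example (not part of the Alibaba Cloud documentation), the following POSIX shell helpers turn the checks in this procedure into a reusable audit: they classify the status-file values described in the Note above, count Vulnerable entries in a dump like the one step 3 prints, and report which of the disabling parameters from the tables are present on a kernel cmdline. The sample dump and cmdline are constructed, and audit_host is a hypothetical name for the live check.

```shell
# Added audit helper (not from the Alibaba Cloud page): classifies the status values
# described in the Note and flags disabling boot parameters listed in the tables above.
DISABLE_PARAMS="mitigations=off nospectre_v1 nospectre_v2 spectre_v2=off
nospectre_bhb nospec_store_bypass_disable spec_store_bypass_disable=off
ssbd=force-off pti=off nopti kpti=0 l1tf=off mds=off tsx_async_abort=off
srbds=off mmio_stale_data=off retbleed=off"
# classify_status "<file>: <value>" -> NOT_AFFECTED | VULNERABLE | MITIGATED | UNKNOWN
classify_status() {
  case "${1#*: }" in
    "Not affected"*) echo NOT_AFFECTED ;;
    Vulnerable*)     echo VULNERABLE ;;
    Mitigation*)     echo MITIGATED ;;
    *)               echo UNKNOWN ;;
  esac
}

# count_vulnerable "<multi-line dump as printed in step 3>" -> number of Vulnerable files
count_vulnerable() {
  n=0
  while IFS= read -r line; do
    [ "$(classify_status "$line")" = VULNERABLE ] && n=$((n + 1)) || :
  done <<EOF
$1
EOF
  echo "$n"
}

# disabled_params "<kernel cmdline>" -> disabling parameters present, in cmdline order
disabled_params() {
  found=""
  for word in $1; do
    case " $(echo $DISABLE_PARAMS) " in *" $word "*) found="$found $word" ;; esac
  done
  echo "${found# }"
}

# audit_host: live check; non-zero if any file is Vulnerable or cmdline disables a mitigation
audit_host() {
  dir=/sys/devices/system/cpu/vulnerabilities
  [ -d "$dir" ] || { echo "$dir not present"; return 2; }
  dump=$(for f in "$dir"/*; do printf '%s: %s\n' "${f##*/}" "$(cat "$f")"; done)
  vuln=$(count_vulnerable "$dump"); off=$(disabled_params "$(cat /proc/cmdline)")
  printf '%s\nvulnerable files: %s, disabling params: %s\n' "$dump" "$vuln" "${off:-none}"
  [ "$vuln" -eq 0 ] && [ -z "$off" ]
}
# Constructed sample data (not real host output) so the helpers can run offline.
SAMPLE_DUMP="meltdown: Mitigation: PTI
spectre_v2: Vulnerable
srbds: Not affected"
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz root=/dev/example ro nospectre_v2 quiet"
```

On a live instance, `audit_host || echo "mitigations reduced"` prints the same dump as step 3 followed by the verdict, so the check can run from cron or a configuration-drift job.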