
Make Linux Fast Again (2019) - laurentdc
https://make-linux-fast-again.com/
======
miles
The GRUB parameters that appear on Make-Linux-Fast-Again.com apparently
disable Spectre/Meltdown mitigations:

[https://gist.github.com/rizalp/ff74fd9ededb076e6102fc0b636bd52b](https://gist.github.com/rizalp/ff74fd9ededb076e6102fc0b636bd52b)

[https://securitronlinux.com/bejiitaswrath/how-to-get-a-nice-speed-boost-for-ubuntu-this-really-does-work-well/](https://securitronlinux.com/bejiitaswrath/how-to-get-a-nice-speed-boost-for-ubuntu-this-really-does-work-well/)

[https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52](https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52)

~~~
jcelerier
Yes, that's the point of this site - if your workflow is hurt by the perf
impact of mitigations and SPECTRE & friends are not a credible attack, for
instance because you disable JS by default, then you can just curl and pipe
this to your kernel parameters

~~~
danShumway
To be clear, SPECTRE leaks privileged memory at the OS level -- up to, in some
cases, allowing arbitrary virtual memory reads.

While Javascript is the most likely attack vector for most people, you should
not use this command on a system that's running untrusted code from anywhere
in any context, and you should consider moving sensitive information like
passwords off of the computer.

I use uMatrix to disable Javascript by default on every site I visit, and I
still would not feel safe running this command on anything other than a
single-purpose device.

That's not to say that there would _never_ be a good reason to run it. A very
imprecise, easy test I would propose is, "is your Linux system vetted enough
or just unimportant enough that you would feel comfortable getting rid of
users and running all of your software as root?" In which case, SPECTRE &
friends is probably not a credible threat to you on that machine.

~~~
pantalaimon
Don't browsers fudge the accuracy of the available clocks already to mitigate
SPECTRE?

~~~
danShumway
I would appreciate someone else who knows more than me about the current state
of these attacks and more than me about Linux security in general answering
this question. Take what I'm about to say with a grain of salt.

My understanding is that Firefox still reduces timer accuracy, Chrome _did_,
but increased timer accuracy again after adding other protections. I'm not
sure if Chrome's protections rely on Meltdown vulnerabilities being patched on
the OS level or not. It's been a while since I checked back on what the status
was there, so I might be wrong.

There are also some concerns about shared memory buffers, which is why I think
some of the features around them haven't been enabled in WASM yet. I haven't
checked the status on that stuff in a while either.

In any case, for a vulnerability of this scale I bias towards saying people
should practice defense in depth. Sometimes browsers have bugs in them, and
this would be a particularly bad one. And again, there are userland native
apps and systems and package managers that people need to worry about that go
beyond browsers.

------
foobarian
The thing I would really like to figure out is how to prevent a Linux system
from essentially livelocking when it comes close to running out of memory. We've
all seen it. Try to ssh in, connections get established but do not proceed. If
you're lucky to have a console shell open from before, it shows gigantic load.
Wish there was a way to put a few system critical processes into a container
to guarantee them some resources.

~~~
O_H_E
Try a userspace OOM killer. EarlyOOM has been a life saver for me, but there are
a few others. AFAIK Fedora and Clear Linux have begun shipping EarlyOOM by default.

nohang's README has a gist about other projects.

[https://github.com/hakavlad/nohang](https://github.com/hakavlad/nohang)

~~~
TD-Linux
Fedora even enabled it by default:
[https://fedoraproject.org/wiki/Changes/EnableEarlyoom](https://fedoraproject.org/wiki/Changes/EnableEarlyoom)

------
jwr
I did my own testing a while back, because I wanted to _measure_ if these
actually make a performance impact for my use case.

Net result: they do not. For my use case (Clojure/JVM and ClojureScript
compilation), compile times did not get shorter. There seemed to be a slight
improvement, but it was below the level of measuring noise (which was around
8%).

My conclusion was that while the system might indeed be faster by several
percent, it is not measurable in my case, so I should not even bother, given
the possible risks.

~~~
walki
> Net result: they do not. For my use case (Clojure/JVM and ClojureScript
> compilation), compile times did not get shorter. There seemed to be a slight
> improvement, but it was below the level of measuring noise (which was around
> 8%).

I think the level of measuring noise is 0.5%, at least that is what low level
system programmers generally consider as noise...

~~~
abainbridge
I don't think anyone else gets to say how much noise the GP saw in their test.

------
CodeArtisan
only mitigations=off is enough now. more information at

[https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html)

search for mitigations=

~~~
sneak
To clarify parent comment: if you understand the security risks and wish to
turn off these mitigations, on modern kernels the entirety of the linked
website's kernel args can be shortened to:

    
    
        mitigations=off
    

All of the rest is now redundant.

TIL: the default `mitigations` value, `auto`, leaves SMT enabled—even if it's
vulnerable(!!!)—to avoid surprising sysadmins who upgrade to find SMT
disabled. The full protection, non-default option is:

    mitigations=auto,nosmt

Thanks for the doc link!

~~~
joombaga
> the default `mitigations` value, `auto`, leaves SMT enabled—even if it's
> vulnerable(!!!)

Is SMT always vulnerable? Is there a way to only disable SMT if it's
vulnerable on the target system?

~~~
petronio
To my knowledge it's always vulnerable on Intel processors, but not on AMD
ones due to architectural differences. The nosmt option, when added to the
mitigations option, should only disable SMT on vulnerable processors according
to the Linux admin guide.
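Whichever setting is chosen, the kernel reports the outcome itself. As an added example (not code from the site or from anyone in this thread), a small POSIX sh audit script that reads the per-issue status files under /sys/devices/system/cpu/vulnerabilities, the SMT control knob and the boot command line, so the mitigations= value discussed above and the "is SMT still on?" question can both be checked on a running box; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the site or the thread: audit what the kernel
# itself reports about speculative-execution issues. It reads the per-issue
# status files under /sys/devices/system/cpu/vulnerabilities, the SMT control
# knob, and the boot command line, so it answers "did mitigations=off take
# effect, and what is now reported as Vulnerable?" Function names are mine.

# Value of mitigations= from a kernel command line file ("off", "auto",
# "auto,nosmt" ...); prints "unset" when absent. Last occurrence wins.
mitigations_mode() {
    mode=unset
    for arg in $(cat "$1"); do
        case "$arg" in
            mitigations=*) mode="${arg#mitigations=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Count status files whose text starts with "Vulnerable" (the other forms are
# "Not affected" and "Mitigation: ..."). Non-zero with mitigations=off is the
# deliberate exposure; non-zero with the default setting is worth a closer look.
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# SMT state from the smt/control file: "on", "off", "forceoff", "notsupported"
# or "notimplemented"; "unknown" when the file is missing (older kernels).
smt_control() {
    if [ -f "$1" ]; then cat "$1"; else echo unknown; fi
}

# One line per issue plus a summary, for a given sysfs dir, smt file and cmdline.
report() {
    echo "mitigations=$(mitigations_mode "$3")   smt=$(smt_control "$2")"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%-24s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
    echo "reported Vulnerable: $(count_vulnerable "$1")"
}

# Run against the live system when the sysfs directory exists.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report /sys/devices/system/cpu/vulnerabilities \
           /sys/devices/system/cpu/smt/control /proc/cmdline
fi
```

Run it once with the default boot line and once after changing it; the per-issue lines show exactly which protections the new command line removed.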

------
aruggirello
That's insane. If you actually care about Linux performance so much, instead
of poking security holes in your system, you might consider switching to
Intel's Clear Linux (on AMD too) or (better yet) a performance-tuned kernel
like XanMod:

[https://www.phoronix.com/vr.php?view=28805](https://www.phoronix.com/vr.php?view=28805)

~~~
sample2448
How is it insane? Dropping a few lines in the grub cfg is much easier than
installing a whole new kernel.

~~~
jbjohns
And dropping those lines of config is opening vulnerabilities on your system.
In 2020, that's insane.

------
superasn
Doing a little research I came across this article (1) which explains what the
flags are for:

(1) [https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs](https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_\(again\)_on_Intel_CPUs)

------
Pedrit0
Promoting disabling the spectre mitigation should at least come with an
explanation and a warning...

~~~
jsjddbbwj
You're supposed to investigate those before you use them.

~~~
Pedrit0
More broadly I am just wondering if this submitted link to 'Make Linux Fast
Again' is just relevant. Let me explain:

- For tech savvy people, the boot options disabling the spectre mitigation
are very poor information, as it takes 2 secs to find them with Google. 'Rich'
information would also consider the expected gains in terms of performance and
the risks in terms of security, which might be the only matters for people who
wonder if they should do it, assuming that making the change by itself is an
easy and fast operation.

- For non tech savvy people, the boot options mean nothing at all, so they
will not be able to benefit from the information, as nothing is explained.

So if this submitted link is useless for both tech-savvy and non tech-savvy
people, who is it intended for? If it is intended for and useful to no one, is
it relevant?

------
basementcat
Windows version is here: (scroll down to where it says "Manage mitigations for
CVE-2017-5715")

[https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities](https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities)

~~~
papermachete
Here, run as admin and click disable, restart.
[https://www.grc.com/inspectre.htm](https://www.grc.com/inspectre.htm)

~~~
badsectoracula
The irony here is that these mitigations were meant to save from potential
threats that most desktop users will never be subject to, yet people who want
to get back the performance of the computers they paid for are going to
attempt doing that by running programs when they have no idea what those
programs are actually doing, which is a more likely way of getting their
systems infected than anything these mitigations would protect against.

After all it is much easier to tell someone "here, click this as an admin to
make your computer fast" and directly extract any data you want, than try and
take advantage of all the issues the mitigations fix and the gamble that all
the assumptions you are making will be correct.

~~~
papermachete
A lot of people wouldn't read the source code anyway.

------
m0xte
I thought this was going to be a replacement for all the free desktop crap for
a minute. Now I’m disappointed.

------
superkuh
The problem with this is that linux is no longer the OS. The browser is. And
"modern" "browsers" do one thing, they automatically run arbitrary code from
random places in a virtual machine. The very thing all these mitigations
protect.

~~~
testrun
Yeah right, databases, app servers, network systems etc all run in a browser.

------
jankotek
Serious question: In old Sandy Bridge days it was recommended to disable
hyperthreading. That would decrease heat produced by CPU and allow better
overclocking (2600k versus 2500k debate).

Are there some features in the CPU (such as hyperthreading) I can disable, so I
can run the system without those workarounds? I think a faster Linux kernel
could offset slightly lower CPU performance. Also there is lower energy
consumption on a laptop...

~~~
petronio
On Intel: For some mitigations disabling hyperthreading will disable them as
some vulnerabilities are only present with it enabled. That being said, the
overall performance impact will be greater from disabling hyperthreading than
by enabling the mitigations (though some vulnerabilities remain so long as you
don't disable hyperthreading).

I wouldn't expect lower energy consumption from disabling hyperthreading:
completing tasks faster allows the CPUs to reduce frequency sooner.

------
dang
Small previous threads:

[https://news.ycombinator.com/item?id=19928110](https://news.ycombinator.com/item?id=19928110)

[https://news.ycombinator.com/item?id=19936386](https://news.ycombinator.com/item?id=19936386)

------
throwaway888abc
There should be some disclosure that it will make it fast but very insecure

~~~
taneliv
Well, if you have an idea what to do with the undocumented string returned by
the site, maybe you also have an idea of what effects it might have, beyond
making linux fast again?

~~~
thaumasiotes
As mentioned in another comment:
[https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs](https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_\(again\)_on_Intel_CPUs)

~~~
ainar-g
Important quotes:

> You are (probably) an adult. You can and should wisely decide just how much
> risk you are willing to take. Do or don't try this at home. You do not want
> to try this at work.

> As the above charts show: The effect of default parameters vs
> mitigations=off is measurable but not hugely impressive. (…)

~~~
nullc
> You can and should wisely decide just how much risk you are willing to take

That requires informed consent. But we can see that people are not well
informed: many don't realize that a web browser or an attacker-accessible
network stack are attack vectors.

I've been using these options for a while (well, mitigations=off is new to
me)... on dedicated rendering computers that are on a port isolated network
inaccessible to the internet and without the ability to make outgoing
connections at all.

That's probably (I hope?) a reasonable use case for these settings... but not
exactly a super common one.

------
ThePhysicist
Does anyone know a benchmarking utility that can quantify the impact of these
mitigations? I mean I don't do much CPU bound work like heavy compiling on my
machine, but I would nevertheless be interested in seeing what the effect is.

~~~
boudin
I guess you can use the Phoronix Test Suite: [https://www.phoronix-test-suite.com](https://www.phoronix-test-suite.com)

Those mitigations are benchmarked quite frequently on phoronix.com, for
example:
[https://www.phoronix.com/scan.php?page=article&item=3900x-9900k-mitigations&num=1](https://www.phoronix.com/scan.php?page=article&item=3900x-9900k-mitigations&num=1)

------
emadmokhtar
Is this needed for AMD-based machines?

~~~
chronogram
You can run the Phoronix test suite before and after enabling them. There's
not a lot of data on the various recent AMD platforms, presumably because of
the smaller market share especially until recently. I imagine there's a large
difference between mitigations=on and mitigations=off on the pre-Zen AMD
platforms and a smaller difference between the two on the most recent AMD
generation.

------
grandinj
Excellent, thanks! I have a box where literally the only thing I care about is
CPU speed (build cluster) and nothing on that box is worth anything at all.

~~~
nevi-me
I'm saying this lightly, but in some cases malware starts with boxes where
nothing in them is worth anything at all, where CPU speed and an Internet
connection are tools for botnets.

~~~
tsimionescu
Fortunately, neither Spectre nor Meltdown allow write access of any kind.

~~~
pixl97
At least until it reads credentials out of memory.

------
sgt
For what it's worth, I tried this on my home server and load average remains
at 0.00 0.00 0.00 when the machine is doing nothing. That is perhaps
understandable, but before I enabled mitigations=off, it was always at some
kind of a load, e.g. 0.07 or so.

------
dgrant
How much of a difference will these make? Trying to decide if it's worth my
time.

~~~
softwarejosh
First, do you use JS?

~~~
dvfjsdhgfv
You make it sound as if JS was the only attack surface, whereas it's just the
most common one.

~~~
saagarjha
I did not get that impression at all from that comment, FWIW.

------
craftoman
Make Linux Vulnerable Again.

------
dsign
Are there any javascript exploits, on desktop, of these?

~~~
saagarjha
Spectre v2, possibly?

------
nialv7
a.k.a Make Linux Unsafe Again.

------
smabie
Is there any public PoC that can exploit an Intel or AMD system with
mitigations=off? And if so, what kind of access is needed?

------
Legogris
Would be good with some context on motivation and impact. Some of these are
specific to x86, for example.

------
tomcooks
I suggest adding a quick paragraph explanation, at first I thought that the
server had been hugged to death

Thanks for this

------
smabie
What kind of performance gains would an AMD Zen2 system receive from disabling
all of these mitigations?

------
tasubotadas
If I disable these fixes, how likely (how much effort?) it is that somebody
would make use of these vulnerabilities?

AFAIK, I (my personal workstation) would only be exposed via browser JS so if
I do not spend too much time on shady sites, I should be good?

~~~
kstenerud
Basically: If you're fine with every program running on the system (including
web browser in your case) having full, unfettered access to everything else on
the system, then it's fine to disable the fixes.

In other words: Only do this on systems where you actually trust each running
program not to be compromised in its day-to-day operations and turn against
you. Anything that runs arbitrary code from an outside source (for example JS)
is not safe.

~~~
tasubotadas
I trust all of my programs as I use either only open-source or "big-player"
packages. The only problem would seem to be JS from shady websites.

I guess now the question is, how much time do I have to spend on that site
before it can get my private ssh keys?

~~~
spockz
The JavaScript of shady adverts that sometimes pop through can also occur on
non-shady websites. So you are not entirely safe by only browsing safe sites.

~~~
CamperBob2
That doesn't answer the question, of course; it's just a sales pitch for the
proverbial tiger-proof rock. To reiterate: how long does s/he have to spend on
a shady site before a successful SPECTRE exploit takes place?

If this were actually _happening_ in the real world, maybe we'd know.

But it's not, so we don't, and life goes on.

Albeit slowly.

------
ipunchghosts
    noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off

------
justaj
mds=off

Does this mitigate MDS attacks?

[https://mdsattacks.com/](https://mdsattacks.com/)

------
sneak
Is there anything like this for macOS (for systems that do not run any
untrusted code/scripts or are not internet connected, of course)?

~~~
astrange
There might be some under 'sysctl -a'.

------
pluc
because you can doesn't mean you should

------
40four
Amazing that a 'website' like this can make the top page. Just a plain un-
styled string of, presumably, some sort of configuration. No explanation on
how to use it, or what it does.

I see 'specter' in there so there's a clue. I mean, after reading comments/
googling/ etc. I understand now, but at first I thought the site was broken.

Wouldn't it have been better to post an actual write up that explains what
this is? We are setting the bar really low here :)

~~~
pluc
I see it as a sort of expertise threshold. It's not for you if you don't get
it, but if you do there's lots to discuss. It's what relevance used to be
without marketing.

~~~
40four
Haha, I suppose that is what they were going for. I'll admit it's not for me.
I definitely don't go poking around in my GRUB config very often, _but_,
after reading the write ups others have posted, I did learn some new things,
so there's that.

From other commenters:

[https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs](https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_\(again\)_on_Intel_CPUs)

[https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html)

------
29athrowaway
This is the same mindset that led the MAGA people to shut down the pandemics
response team.

~~~
dang
Please don't post political flamebait to HN. It leads nowhere good.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
dvfjsdhgfv
Or, you can use AMD.

~~~
saagarjha
AMD has speculative side channels as well…

------
nkkollaw
Linux 2020! :-D

------
jankotek
Or use AMD....

~~~
Arnavion
Spectre mitigations are applied for both Intel and AMD.

~~~
jankotek
Only partly

> Based on external and internal analysis, AMD believes it is not vulnerable
> to the SWAPGS variant attacks because AMD products are designed not to
> speculate on the new GS value following a speculative SWAPGS. For the attack
> that is not a SWAPGS variant, the mitigation is to implement our existing
> recommendations for Spectre variant 1.

[https://www.amd.com/en/corporate/product-security](https://www.amd.com/en/corporate/product-security)

~~~
saagarjha
Most of the Spectre variants _do_ affect AMD as well, however.

------
chris_wot
Needs a domain: [http://make-linux-insecure-again.com](http://make-linux-insecure-again.com)

------
RIMR
This has some serious "I disabled my password to make logging in easier, but
I'm still safe because the hacker would have to guess my username" vibes to
it.

------
axegon_
Unless you're doing it on a computer completely off any network that doesn't
have any form of communication with the outside world, that's a very bad idea.

Edit: Ok, plenty of people already said things in that context already
apparently...

------
irthomasthomas
I did this on my laptop a few months ago. It was like getting a new computer.
I haven't benchmarked it, but boot time halved and it felt much faster to use.

