https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work
Control mitigation of the Spectre variant 2 (indirect branch speculation) vulnerability. The default operation protects the kernel from user space attacks.

spectre_v2=
    on   - unconditionally enable, implies spectre_v2_user=on
    off  - unconditionally disable, implies spectre_v2_user=off
    auto - kernel detects whether your CPU model is vulnerable

Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.

Selecting 'on' will also enable the mitigation against user space to user space task attacks.

Selecting 'off' will disable both the kernel and the user space protections.

Specific mitigations can also be selected manually:

    retpoline         - replace indirect branches
    retpoline,generic - google's original retpoline
    retpoline,amd     - AMD-specific minimal thunk

Not specifying this option is equivalent to spectre_v2=auto.
For the best compute performance, e.g. in HPC and controlled environments, where I know that no user (a) is able to carry out this exploit (they have enough trouble just logging in) and (b) would gain anything from it anyway if they could pull off such a feat, should I set this kernel parameter to off? This would be on servers with Intel LGA 3647 Platinum 8xxx series CPUs, and when installing RHEL 7.9 it automatically does this:

GRUB_CMDLINE_LINUX= sceptre_v2=retpoline
Answer 1
Yes, if you are confident in your perimeter controls and are willing to accept the risk versus the performance impact, you can certainly set spectre_v2=off to not enable any Spectre/Meltdown mitigations. To check that they are all off, you can use this quick script:
#!/bin/bash
# Works in RHEL7; does not work in RHEL8 (the debugfs knobs are different there)
items="pti_enabled retp_enabled ibrs_enabled"
DIR=/sys/kernel/debug/x86
echo "These should all be 0:"
for item in $items; do
    printf "%-13s " "$item:"; cat "$DIR/$item"
done
# Flag any knob whose whole content is not exactly "0"
need_to_set=false
for item in $items; do
    grep -qx 0 "$DIR/$item" || { echo "$item is not 0"; need_to_set=true; }
done
$need_to_set && {
    read -p "Found value(s) that are not 0. Enter 'y' if you want to 0 them: " a
    [ "$a" = "y" ] && {
        for item in $items; do
            echo 0 > "$DIR/$item"
        done
        echo Done.
        exit 0
    }
    echo "OK, will not set it to 0."
}
...of course, this only disables the mitigations until the next reboot. As you suggested, changing the kernel command line is the way to make it persist.

By the way, this is from RHEL 7.9. I believe the command line options are the same in 8, but the way to check them is different.
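The answer's script reads RHEL7-only debugfs knobs and only reports the live state. As an added example (not code from the answer above), the script below instead checks two things that survive a reboot and work on newer releases: the spectre_v2= value actually present on the kernel command line, and the status line the kernel exports in /sys/devices/system/cpu/vulnerabilities/spectre_v2 (this sysfs path is upstream; the debugfs path is not). It then reports whether the two agree, so an operator who intended spectre_v2=off, or intended retpoline, can confirm the kernel applied it. The function names and the sample command lines and status strings used in the comments are constructed for this example; the sysfs status wording ("Mitigation: ...", "Vulnerable", "Not affected") follows the kernel's own reporting.

```shell
#!/bin/bash
# Added example: verify that the spectre_v2 setting on the kernel command line
# matches what the kernel reports via sysfs. Not part of the original answer.

SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the value of spectre_v2= found in a kernel command line string, or
# "auto" when the parameter is absent (the documented default). In this
# parser a later occurrence replaces an earlier one.
spectre_v2_setting() {
    value="auto"
    for tok in $1; do
        case "$tok" in
            spectre_v2=*) value="${tok#spectre_v2=}" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Reduce the sysfs status line to one word: mitigated, vulnerable,
# not-affected or unknown. Example inputs (constructed):
#   "Mitigation: Full retpoline, IBPB" -> mitigated
#   "Vulnerable"                       -> vulnerable
spectre_v2_state() {
    case "$1" in
        "Mitigation:"*) printf 'mitigated\n' ;;
        "Vulnerable"*)  printf 'vulnerable\n' ;;
        "Not affected") printf 'not-affected\n' ;;
        *)              printf 'unknown\n' ;;
    esac
}

# Compare what the command line asked for with what the kernel reports.
# Prints a one-line verdict and returns 0 when they are consistent:
# "off" must show as vulnerable, any other setting (auto, on, retpoline...)
# must show as mitigated or not-affected. Returns 1 on a mismatch, e.g. a
# parameter that was misspelled or lost when grub was regenerated.
spectre_v2_consistent() {
    setting=$(spectre_v2_setting "$1")
    state=$(spectre_v2_state "$2")
    case "$setting:$state" in
        off:vulnerable)             verdict=ok ;;
        off:*)                      verdict=MISMATCH ;;
        *:mitigated|*:not-affected) verdict=ok ;;
        *)                          verdict=MISMATCH ;;
    esac
    printf 'spectre_v2=%s sysfs=%s %s\n' "$setting" "$state" "$verdict"
    [ "$verdict" = ok ]
}

# Check the running system when invoked as: ./spectre_v2_check.sh --live
if [ "${1:-}" = "--live" ] && [ -r /proc/cmdline ] && [ -r "$SYSFS_VULN" ]; then
    spectre_v2_consistent "$(cat /proc/cmdline)" "$(cat "$SYSFS_VULN")"
fi
```

Run it with --live on the host after a reboot; a MISMATCH verdict with spectre_v2=auto and a vulnerable state means the command line edit never reached the booted kernel, which is exactly the case the debugfs script cannot distinguish from a deliberate spectre_v2=off.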