Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3241385rwa; Tue, 23 Aug 2022 00:59:17 -0700 (PDT) X-Google-Smtp-Source: AA6agR41LbNuB67L0H9NliW2/WC6x4NT10LU05yRHfikFgApuzbbiXotZT8dlvlAmkmHwSEIgd0F X-Received: by 2002:a17:90b:3008:b0:1fa:be55:d1bc with SMTP id hg8-20020a17090b300800b001fabe55d1bcmr2219642pjb.114.1661241557611; Tue, 23 Aug 2022 00:59:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661241557; cv=none; d=google.com; s=arc-20160816; b=SZX10ajuKHCebg4EyXMzrex8N5tk+WL6hpPcj+OdE0qG7Fh/Rdf3oeRA/8CQEV5rtZ twtpzxXZELFHZFSPhuIryFMyYq330pG92FgSOgbVVSbSqMqvvr2jcDA8mo06ra/dYsBe syPy8Iy7OkS+VsiUswZcQ/ihNtLMh9WBlwaxQfgWc5PaLhSBvzDAjehvufe0LHW0Hd8b dN6zzT4nQ1ZurQfljJE4kbi0bj7RcCJzULn2UhxYYxBOg4Xxg59rJyyOLVD/HCDqt4t7 6g3ItHuBsdnWGH+d/1gnBOyzh4ZqPl/yQE/g9l+fr94YtX37q5aUAu0hCseLBHNQTwY2 T/DA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:cc:to:from:date:dkim-signature:dkim-signature; bh=7rYnIbsTHqMgra5J+MjLdZgHDRmMu3X1VKDoHDywm+8=; b=DK7ZqMwG81qFh3v1C0m9UfyXnIS+4jSP3ItDvPyOSyf4MD30uVsseHmvYiTdtDjPU3 I4S4lUji4chUK11pgvxGNZO0kkaTSKSQ801oa/lMmEgBl9TFJiWDgiO8G9kDZnEBnyPT 24IKfj/trF8VsfmC1j3vJHpVbwViMKgpxc5GLTW2q35Yf6KCr6OV/YLUeb2LjKX8aY0F WXIWB0KczqzrcI93k6WHoDwP/6j7k/AB7JzD8wpAWvqLNiKaukMiEwRsrvXyW82Dafcr ytT1icNPffwqHsHUzWr+7aqn6BeiCHeHgcUameBvJuCkxfyb7teSoSJTf+yhznKgoLLb eHMg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=FnOZlSLS; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z3-20020aa79903000000b0053622c49905si10953319pff.289.2022.08.23.00.59.05; Tue, 23 Aug 2022 00:59:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=FnOZlSLS; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240398AbiHWHMv (ORCPT + 99 others); Tue, 23 Aug 2022 03:12:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240928AbiHWHMn (ORCPT ); Tue, 23 Aug 2022 03:12:43 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0541D61D78 for ; Tue, 23 Aug 2022 00:12:35 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 8558033F07; Tue, 23 Aug 2022 07:12:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1661238754; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type; bh=7rYnIbsTHqMgra5J+MjLdZgHDRmMu3X1VKDoHDywm+8=; b=FnOZlSLSPocaKobjTXbWHYwCCzGIpkek3KxBOW2F4vMHZSPX6ZJmgbUg53l9EOOff59E7g NsCJtQzbx+rumglvxzJ0csSGZs+48kdwCRMLlHThaD9syuq7eu+Gal3kBgtMX8CvziKKkm liFPYya6aEm4+rWx/L5cLMCGnxiTetg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1661238754; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type; bh=7rYnIbsTHqMgra5J+MjLdZgHDRmMu3X1VKDoHDywm+8=; b=jGyRtA4dANNwEYH0Ymriix/GaaBT1S8j/lNL8Y7Os6K5QsOKdtkJQHYD8s6/ldV7ADKswb RBT8zgzHZCu+OfDg== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 6B66E13AB7; Tue, 23 Aug 2022 07:12:34 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id b8MCGuJ9BGPiNgAAMHmgww (envelope-from ); Tue, 23 Aug 2022 07:12:34 +0000 Date: Tue, 23 Aug 2022 09:12:33 +0200 From: Daniel Wagner To: x86@kernel.org Cc: linux-kernel@vger.kernel.org Subject: mitigations=off and failsafe boot options Message-ID: <20220823071233.v5shk3tpu7ssctpc@carbon.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Boris asked me to post my problem. So here we go. On my old lab box (i7-860) the kernel options mitigations=off had no effect. After booting the machine (openSUSE Tumbleweed kernel 5.19.2-1-default and also 6.0-rc2 with the same config) always enabled the mitigations: # cat lscpu-5.19.2-1-default.log Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 36 bits physical, 48 bits virtual Byte Order: Little Endian CPU(s): 4 On-line CPU(s) list: 0-3 Vendor ID: GenuineIntel Model name: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz CPU family: 6 Model: 30 Thread(s) per core: 1 Core(s) per socket: 4 Socket(s): 1 Stepping: 5 BogoMIPS: 5596.26 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid dtherm ida flush_l1d Virtualization: VT-x L1d cache: 128 KiB (4 instances) L1i cache: 128 KiB (4 instances) L2 cache: 1 MiB (4 instances) L3 cache: 8 MiB (1 instance) NUMA node(s): 1 NUMA node0 CPU(s): 0-3 Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled Vulnerability L1tf: Mitigation; PTE Inversion; VMX vulnerable, SMT disabled Vulnerability Mds: Vulnerable; SMT disabled Vulnerability Meltdown: Vulnerable Vulnerability Mmio stale data: Not affected Vulnerability Retbleed: Not affected Vulnerability Spec store bypass: Vulnerable Vulnerability Spectre v1: Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers Vulnerability Spectre v2: Vulnerable, IBPB: disabled, STIBP: disabled, PBRSB-eIBRS: Not affected Vulnerability Srbds: Not affected Vulnerability Tsx async abort: Not affected After few experiments, I was able to identify the source of the problem. When I reinstalled the machine recently, the default settings of the boot medium didn't work so I used the failsafe option which worked. Those got added to /etc/default/grub and hence were enabled all the time. After removing those, the machine booted just fine and most mitigations are off as requested (except the itlb-multihit). # uname -a Linux lf.lan 6.0.0-rc2-1-default+ #4 SMP PREEMPT_DYNAMIC Tue Aug 23 08:29:06 CEST 2022 x86_64 x86_64 x86_64 GNU/Linux # lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Address sizes: 36 bits physical, 48 bits virtual Byte Order: Little Endian CPU(s): 8 On-line CPU(s) list: 0-7 Vendor ID: GenuineIntel Model name: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz CPU family: 6 Model: 30 Thread(s) per core: 2 Core(s) per socket: 4 Socket(s): 1 Stepping: 5 Frequency boost: enabled CPU max MHz: 2926.0000 CPU min MHz: 1197.0000 BogoMIPS: 5595.93 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid dtherm ida flush_l1d Virtualization features: Virtualization: VT-x Caches (sum of all): L1d: 128 KiB (4 instances) L1i: 128 KiB (4 instances) L2: 1 MiB (4 instances) L3: 8 MiB (1 instance) NUMA: NUMA node(s): 1 NUMA node0 CPU(s): 0-7 Vulnerabilities: Itlb multihit: KVM: Mitigation: VMX disabled L1tf: Mitigation; PTE Inversion; VMX vulnerable Mds: Vulnerable; SMT vulnerable Meltdown: Vulnerable Mmio stale data: Not affected Retbleed: Not affected Spec store bypass: Vulnerable Spectre v1: Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers Spectre v2: Vulnerable, IBPB: disabled, STIBP: disabled, PBRSB-eIBRS: Not affected Srbds: Not affected Tsx async abort: Not affected The failsafe options in question are: apm=off acpi=off mce=off barrier=off ide=nodma idewait=50 i8042.nomux psmouse.proto=bare irqpoll pci=nommconf resume=... I am okay to leave at this. Maybe you might find this feedback helpful. Thanks, Daniel