Subject:
Issue with Disabling CPU Mitigations According to Wiki Instructions
Overview:
I followed the instructions provided in the CachyOS Wiki to disable CPU mitigations on my system, but the mitigations remain active despite applying the recommended configurations. Below is a detailed account of the steps taken, the outputs observed, and the final results.
Steps Taken:
- Configuration File Editing:
  - Edited the file /etc/sdboot-manage.conf to include the following lines to disable CPU mitigations:
    DISABLE CPU mitigations (see: General System Tweaks | CachyOS)
        retbleed=off
        gather_data_sampling=off
        mitigations=off
    (I also tested each mitigation individually; the mitigations persist as active.)
  - Saved the changes and exited the text editor.
- Bootloader Update:
  - Ran the command to update the bootloader:
        sudo sdboot-manage update
  - Output:
        Skipping “/boot/EFI/systemd/systemd-bootx64.efi”, same boot loader version in place already.
        Skipping “/boot/EFI/BOOT/BOOTX64.EFI”, same boot loader version in place already.
        Skipping “/boot/EFI/BOOT/BOOTX64.EFI”, same boot loader version in place already.
- Reboot the System:
  - After updating, I rebooted the system to apply the changes.
- Verification of Kernel Parameters:
  - Checked the current kernel parameters with:
        cat /proc/cmdline
  - Output:
        initrd=\initramfs-linux-cachyos.img root=PARTUUID=e9f85c3c-3089-45e8-a7f5-750f98848891 rw rootflags=subvol=/@ zswap.enabled=0 nowatchdog splash
  - The expected parameters (mitigations=off, retbleed=off, gather_data_sampling=off) were not present.
- Verification of Mitigations:
  - Checked the status of CPU mitigations:
        grep . /sys/devices/system/cpu/vulnerabilities/*
  - Output included several active mitigations:
        /sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Mitigation: Microcode
        /sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
        /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
        /sys/devices/system/cpu/vulnerabilities/mds:Not affected
        /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
        /sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Mitigation: Clear CPU buffers; SMT vulnerable
        /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
        /sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: Enhanced IBRS
        /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
        /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
        /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
        /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop
        /sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
        /sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Mitigation: TSX disabled
Conclusion:
Despite following the documented instructions to disable CPU mitigations, the mitigations remain active, and the expected kernel parameters do not appear in the output. This indicates that the provided instructions may not be functioning as intended.
Request for Assistance:
I kindly request that the development team review the current documentation related to disabling CPU mitigations and investigate the underlying issues to ensure that users can successfully apply these settings as intended.
Thank you for your attention to this matter. I look forward to your response.
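
An added example, not part of the original post and not CachyOS code: a small POSIX shell audit helper that automates the two verification steps above, reporting which expected parameters are absent from a kernel command line and classifying the sysfs status lines. The function names, the sample command line (with a placeholder PARTUUID) and the `example_off` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, modelled on the post.

# Print each expected parameter that is not an exact token of the command line.
missing_params() (
    cmdline=" $1 "; shift
    for p in "$@"; do
        case "$cmdline" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
)

# Read "path:status" lines (the format `grep . dir/*` prints) on stdin and
# print "<name> <state>" for each one.
classify_vulns() (
    while IFS= read -r line; do
        name=${line%%:*}; name=${name##*/}
        status=${line#*:}
        case "$status" in
            "Not affected"*) state=not_affected ;;
            Vulnerable*)     state=vulnerable ;;
            *Mitigation*)    state=mitigated ;;
            *)               state=unknown ;;
        esac
        printf '%s %s\n' "$name" "$state"
    done
)

# Constructed sample data (placeholder PARTUUID, hypothetical example_off entry).
SAMPLE_CMDLINE='root=PARTUUID=00000000-0000-0000-0000-000000000000 rw zswap.enabled=0 nowatchdog splash'
SAMPLE_VULNS='/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: Enhanced IBRS
/sys/devices/system/cpu/vulnerabilities/example_off:Vulnerable'

echo "Expected parameters missing from the command line:"
missing_params "$SAMPLE_CMDLINE" mitigations=off retbleed=off gather_data_sampling=off
echo "Per-vulnerability state:"
printf '%s\n' "$SAMPLE_VULNS" | classify_vulns

# On a live system:
#   missing_params "$(cat /proc/cmdline)" mitigations=off
#   grep . /sys/devices/system/cpu/vulnerabilities/* | classify_vulns
```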