Disabling CPU Mitigations issue

Subject:
Issue with Disabling CPU Mitigations According to Wiki Instructions

Overview:
I followed the instructions provided in the CachyOS Wiki to disable CPU mitigations on my system, but the mitigations remain active despite applying the recommended configurations. Below is a detailed account of the steps taken, the outputs observed, and the final results.

Steps Taken:

  1. Configuration File Editing:

    • Edited the file /etc/sdboot-manage.conf to include the following lines to disable CPU mitigations:

      DISABLE CPU mitigations

      see:General System Tweaks | CachyOS

      retbleed=off
      gather_data_sampling=off
      mitigations=off
      (I also tested each mitigation individually; the mitigations remained active.)

    • Saved the changes and exited the text editor.

  2. Bootloader Update:

    • Ran the command to update the bootloader:

      sudo sdboot-manage update

    • Output:

      Skipping “/boot/EFI/systemd/systemd-bootx64.efi”, same boot loader version in place already.
      Skipping “/boot/EFI/BOOT/BOOTX64.EFI”, same boot loader version in place already.
      Skipping “/boot/EFI/BOOT/BOOTX64.EFI”, same boot loader version in place already.

  3. Reboot the System:

    • After updating, I rebooted the system to apply the changes.
  4. Verification of Kernel Parameters:

    • Checked the current kernel parameters with:

      cat /proc/cmdline

    • Output:

      initrd=\initramfs-linux-cachyos.img root=PARTUUID=e9f85c3c-3089-45e8-a7f5-750f98848891 rw rootflags=subvol=/@ zswap.enabled=0 nowatchdog splash

    • The expected parameters (mitigations=off, retbleed=off, gather_data_sampling=off) were not present.

  5. Verification of Mitigations:

    • Checked the status of CPU mitigations:

      grep . /sys/devices/system/cpu/vulnerabilities/*

    • Output included several active mitigations:

      /sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Mitigation: Microcode
      /sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
      /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
      /sys/devices/system/cpu/vulnerabilities/mds:Not affected
      /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
      /sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Mitigation: Clear CPU buffers; SMT vulnerable
      /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
      /sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: Enhanced IBRS
      /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
      /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
      /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
      /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop
      /sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
      /sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Mitigation: TSX disabled

Conclusion:
Despite following the documented instructions to disable CPU mitigations, the mitigations remain active, and the expected kernel parameters do not appear in the output. This indicates that the provided instructions may not be functioning as intended.

Request for Assistance:
I kindly request that the development team review the current documentation related to disabling CPU mitigations and investigate the underlying issues to ensure that users can successfully apply these settings as intended.

Thank you for your attention to this matter. I look forward to your response.

You need to do sudo sdboot-manage gen and not update.

Hi,
I definitely used sudo elevated privileges and tried gen and also update; no disable result with:
retbleed:Mitigation: Enhanced IBRS
gather_data_sampling:Mitigation: Microcode
srbds:Mitigation: Microcode

mitigations still active, some partially; see result:

❯ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: Enhanced IBRS
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop
/sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Mitigation: TSX disabled

Analysis of CPU Mitigations
Mitigations Still Active:

gather_data_sampling:
  Output: Mitigation: Microcode
  Status: This indicates that microcode updates are still in place to mitigate gather data sampling. This is not disabled.

itlb_multihit:
  Output: KVM: Mitigation: VMX disabled
  Status: It suggests mitigation by disabling VMX (Virtual Machine Extensions). This mitigation is active.

mmio_stale_data:
  Output: Mitigation: Clear CPU buffers; SMT vulnerable
  Status: This indicates that there are mitigations related to MMIO stale data, specifically clearing CPU buffers. SMT (Simultaneous Multithreading) remains vulnerable, but this mitigation is active.

retbleed:
  Output: Mitigation: Enhanced IBRS
  Status: This mitigation is still active with Enhanced IBRS, despite the retbleed=off option in /etc/sdboot-manage.conf.

spec_store_bypass:
  Output: Mitigation: Speculative Store Bypass disabled via prctl
  Status: Speculative Store Bypass mitigation is still enabled via prctl.

spectre_v1 and spectre_v2:
  Output:
    Mitigation: usercopy/swapgs barriers and __user pointer sanitization (for Spectre V1)
    Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop (for Spectre V2)
  Status: Both Spectre vulnerabilities have mitigations active. These include IBRS and conditional IBPB (Indirect Branch Prediction Barrier).

srbds:
  Output: Mitigation: Microcode
  Status: This suggests the SRBDS (Special Register Buffer Data Sampling) mitigation is active via microcode.

tsx_async_abort:
  Output: Mitigation: TSX disabled
  Status: The Transactional Synchronization Extensions (TSX) feature is disabled, which is a mitigation for the TSX Async Abort vulnerability.

Can you show your boot/loader/entries config of the used kernel as well as the contents of:
/etc/sdboot-manage.conf

Edit: Also, please try to use code blocks. It's really hard to read.

You can also show which vulnerabilities you are affected by, and whether they are being mitigated or not, via the lscpu command.

Thanks for the hint, 'boot/loader/entries config';

I did not add mitigations=off there.

current status:

❯ cat /proc/cmdline
initrd=\initramfs-linux-cachyos.img root=PARTUUID=e9f85c3c-3089-45e8-a7f5-750f98848891 rw rootflags=subvol=/@ zswap.enabled=0 nowatchdog splash mitigations=off

Status of mitigations:

gather_data_sampling:Vulnerable

retbleed:Vulnerable

those two, according to Phoronix, degrade performance by between 14 and 39% depending on the CPU.

Thanks all for the hints and tips; now testing an Intel i9-9900KS in an Alienware Area51m R1 without mitigations.

Have a nice and successful working week :smiley:
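A small verification script, added here as an example and not taken from this thread or from CachyOS/sdboot-manage, that does what the replies above had the poster do by hand: it checks whether each requested kernel parameter is actually a whole token of /proc/cmdline (a parameter that is not there was never applied, whatever the config file says), and it classifies every file under /sys/devices/system/cpu/vulnerabilities as not_affected, vulnerable or mitigated. The demo data (the temporary sysfs-style directory and the cmdline strings) is constructed to mirror the outputs quoted in the posts; check_live runs the same two checks against the real kernel and is an assumed helper name, not an sdboot-manage command.

```shell
#!/bin/sh
# Added example for this thread (not code from CachyOS or sdboot-manage):
# after `sdboot-manage gen` and a reboot, confirm that the parameters you put
# in /etc/sdboot-manage.conf really reached the running kernel, then classify
# every entry under /sys/devices/system/cpu/vulnerabilities.

# missing_params CMDLINE PARAM...
# Prints each PARAM (e.g. mitigations=off) that is not a whole token of CMDLINE.
missing_params() {
    cmdline=$1
    shift
    for p in "$@"; do
        case " $cmdline " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# vuln_summary DIR
# Prints NAME:STATE for each file in DIR, where STATE is not_affected,
# vulnerable, mitigated or unknown. "KVM: Mitigation: VMX disabled"
# (itlb_multihit) counts as mitigated; "Vulnerable: ... only" (spectre_v1
# under mitigations=off) counts as vulnerable.
vuln_summary() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        line=$(cat "$f")
        case $line in
            "Not affected"*) state=not_affected ;;
            Vulnerable*)     state=vulnerable ;;
            *Mitigation*)    state=mitigated ;;
            *)               state=unknown ;;
        esac
        printf '%s:%s\n' "$name" "$state"
    done
}

# check_live PARAM...  (assumed helper name, not an sdboot-manage command)
# Runs both checks against the real kernel; exit status 1 if any PARAM is missing.
check_live() {
    m=$(missing_params "$(cat /proc/cmdline)" "$@")
    if [ -n "$m" ]; then
        printf 'not in /proc/cmdline (regenerate the boot entry and reboot):\n%s\n' "$m"
        vuln_summary /sys/devices/system/cpu/vulnerabilities
        return 1
    fi
    printf 'all requested parameters are active\n'
    vuln_summary /sys/devices/system/cpu/vulnerabilities
}

# demo: constructed sysfs-style tree mirroring the poster's state before and
# after mitigations=off landed in the boot entry (data made up for this example).
demo() {
    d=$(mktemp -d)
    printf 'Mitigation: Microcode\n'     > "$d/gather_data_sampling"
    printf 'Mitigation: Enhanced IBRS\n' > "$d/retbleed"
    printf 'Not affected\n'              > "$d/l1tf"
    echo '--- cmdline without mitigations=off ---'
    missing_params "root=PARTUUID=x rw nowatchdog splash" mitigations=off retbleed=off
    vuln_summary "$d"
    printf 'Vulnerable\n' > "$d/gather_data_sampling"
    printf 'Vulnerable\n' > "$d/retbleed"
    echo '--- cmdline with mitigations=off ---'
    missing_params "root=PARTUUID=x rw nowatchdog splash mitigations=off" mitigations=off
    vuln_summary "$d"
    rm -rf "$d"
}

demo
# On a real machine: check_live mitigations=off retbleed=off gather_data_sampling=off
```

Run it as a plain POSIX sh script; it needs no root for the checks themselves. The lscpu output quoted later in the thread is the other side of the same check: once mitigations=off is in the boot entry it switches off everything at once (spec_store_bypass, spectre_v1/v2, mmio_stale_data, srbds included), not only the three parameters named in the wiki, so the summary should be read as a whole rather than for the two entries whose performance cost was the original motivation.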

Yes, you are right, KISS (keep it simple)

This looks better and clearer :smiley:

Vulnerabilities:
Gather data sampling: Vulnerable
Itlb multihit: KVM: Mitigation: VMX disabled
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Vulnerable
Reg file data sampling: Not affected
Retbleed: Vulnerable
Spec rstack overflow: Not affected
Spec store bypass: Vulnerable
Spectre v1: Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Spectre v2: Vulnerable; IBPB: disabled; STIBP: disabled; PBRSB-eIBRS: Vulnerable; BHI: Vulnerable
Srbds: Vulnerable
Tsx async abort: Mitigation; TSX disabled


Well, mitigations are all off now. You are vulnerable. Good luck.

Air-gapped system/network?