Bug #17386

Consider disabling CPU vulnerabilities mitigation features in our Vagrant build box

Added by intrigeri 3 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Build system
Target version:
Start date:
Due date:
% Done:

100%

Feature Branch:
feature/17386-vagrant-disable-cpu-vuln-mitigations
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

Given the kind of things we do in our Vagrant build box, it seems very unlikely that vulnerabilities such as Spectre and Meltdown can be exploited in there. So perhaps we can reclaim some of the performance cost of the corresponding mitigation features?

This can be done by adding mitigations=off to the kernel command line.
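A small check to run inside the box after the change, added here as an example (not part of the Tails build system): it confirms that mitigations=off made it onto the kernel command line and summarizes what the kernel reports under /sys/devices/system/cpu/vulnerabilities. The sysfs path and the string patterns for each state are assumptions based on the usual sysfs output; the test data is constructed.

```bash
#!/usr/bin/env bash
# Constructed example: verify CPU vulnerability mitigation state on a Linux guest
# after adding mitigations=off to the kernel command line.

# Assumed default locations; both can be overridden for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# Returns 0 when the (booted) kernel command line contains mitigations=off.
cmdline_has_mitigations_off() {
    local f="${1:-$CMDLINE_FILE}"
    grep -qw 'mitigations=off' "$f"
}

# Prints one "<vulnerability> <state>" line per sysfs entry, where state is
# one of: vulnerable, mitigated, not-affected, unknown.
summarize_vulnerabilities() {
    local dir="${1:-$VULN_DIR}" f name state
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$(cat "$f")" in
            "Not affected")  state=not-affected ;;
            Vulnerable*)     state=vulnerable ;;
            Mitigation:*)    state=mitigated ;;
            *)               state=unknown ;;
        esac
        printf '%s %s\n' "$name" "$state"
    done
}

# Number of entries still reported as mitigated. With mitigations=off this is
# expected to be 0, except for mitigations the command line cannot switch off
# (hardware/microcode ones), which is why the summary above is worth reading.
count_mitigated() {
    summarize_vulnerabilities "${1:-$VULN_DIR}" | grep -c ' mitigated$' || true
}

if [ "${1:-}" = "--report" ]; then
    if cmdline_has_mitigations_off; then
        echo "kernel command line: mitigations=off present"
    else
        echo "kernel command line: mitigations=off NOT present"
    fi
    summarize_vulnerabilities
    echo "entries still mitigated: $(count_mitigated)"
fi
```

Run it as `bash check-mitigations.sh --report` inside the Vagrant box; entries reported as vulnerable are the ones whose mitigation the flag actually removed.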


Related issues

Related to Tails - Feature #17387: Consider disabling CPU vulnerabilities mitigation features in our CI builder/tester VMs In Progress

Associated revisions

Revision d4722d41 (diff)
Added by intrigeri 3 months ago

Vagrant build box: disable mitigation features for CPU vulnerabilities (refs: #17386)

Given the kind of things we do in our Vagrant build box, it seems very unlikely
that vulnerabilities such as Spectre and Meltdown can be exploited in there.
Let's reclaim some of the performance cost of the corresponding
mitigation features.

As of Linux 4.9.189, mitigations=off is equivalent to:

nopti nospectre_v1 nospectre_v2 spectre_v2_user=off
spec_store_bypass_disable=off l1tf=off mds=off

As of Linux 5.4.5, these extra options are added to the above list:

kpti=0 nobp=0 ssbd=force-off tsx_async_abort=off kvm.nx_huge_pages=off

Revision b969a33a
Added by segfault about 1 month ago

Merge branch 'feature/17386-vagrant-disable-cpu-vuln-mitigations' into stable (Closes: #17386)

Revision fa64ff39 (diff)
Added by intrigeri about 1 month ago

Vagrant build box: disable mitigation features for CPU vulnerabilities (refs: #17386)

Given the kind of things we do in our Vagrant build box, it seems very unlikely
that vulnerabilities such as Spectre and Meltdown can be exploited in there.
Let's reclaim some of the performance cost of the corresponding
mitigation features.

As of Linux 4.9.189, mitigations=off is equivalent to:

nopti nospectre_v1 nospectre_v2 spectre_v2_user=off
spec_store_bypass_disable=off l1tf=off mds=off

As of Linux 5.4.5, these extra options are added to the above list:

kpti=0 nobp=0 ssbd=force-off tsx_async_abort=off kvm.nx_huge_pages=off

History

#1 Updated by intrigeri 3 months ago

Next steps:

  • measure if it measurably lowers build time on a developer's system (no nested virt)
  • measure if it measurably lowers build time on our CI builders (nested virt)

#2 Updated by intrigeri 3 months ago

  • Feature Branch set to feature/17386-vagrant-disable-cpu-vuln-mitigations

#3 Updated by intrigeri 3 months ago

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)
  • Target version set to Tails_4.2
  • Type of work changed from Test to Code
  • 7% i.e. 2 minutes saved on my laptop (quick SquashFS compression)
  • 2% i.e. 30 seconds saved on my local Jenkins (release-time SquashFS compression; also has mitigations=off both in the l0 virtualization host and in the l1 Jenkins slave VM).
  • 3.5% i.e. 2.5 minutes saved on lizard (all builders & testers busy; release-time SquashFS compression; has mitigations=auto — the default — both in the l0 virtualization host and in the l1 Jenkins slave VM)

That's not a ton, but it adds up:

  • When one is in a dev frenzy and builds lots of images in a day, it starts to make a significant difference.
  • Every minute saved on a build job on our CI not only shortens the feedback loop for this build, but in heavy load situations, it also frees the builder VM earlier, which in turn shortens the feedback loop for other, queued jobs.

So IMO we should do it. Thoughts?

#4 Updated by CyrilBrulebois 3 months ago

  • Target version changed from Tails_4.2 to Tails_4.3

#5 Updated by hefee 2 months ago

  • Assignee set to hefee

#6 Updated by hefee 2 months ago

  • Assignee deleted (hefee)

The changes seem fine, but I'm not that deep into the CPU attacks so I don't want to merge it.
If I understood correctly, this patch is only for the Tails building VM and not for running the test suite?

#7 Updated by hefee 2 months ago

  • Status changed from Needs Validation to In Progress
  • Assignee set to intrigeri

#8 Updated by intrigeri 2 months ago

  • Status changed from In Progress to Needs Validation

If I understood correctly, this patch is only for the Tails building VM and not for running the test suite?

Yes.

#9 Updated by intrigeri 2 months ago

  • Assignee deleted (intrigeri)

#10 Updated by anonym about 2 months ago

  • Target version changed from Tails_4.3 to Tails_4.4

#11 Updated by intrigeri about 1 month ago

  • Related to Feature #17387: Consider disabling CPU vulnerabilities mitigation features in our CI builder/tester VMs added

#12 Updated by intrigeri about 1 month ago

Hi @segfault,

this one is much less urgent than #17477, but it's been waiting for 2 months and maybe you could batch it with that other review.

#13 Updated by segfault about 1 month ago

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100
