How to disable Page Table Isolation to regain performance lost due to Intel CPU security hole patch?

Solution 1:

The patch (aka "Page table isolation") will be part of a normal kernel update (which you'll get when you update your system). However, keeping the kernel up to date is highly recommended, as it also gets a lot of other security fixes. So I would not recommend just using an outdated kernel without the fix.

However, you can effectively disable the patch by adding pti=off (kernel patch adding this option, with more info) to your kernel command line (howto). Note that doing this will result in a less secure system.

There's more info and performance tests with PTI enabled and disabled on the PostgreSQL mailing list - TLDR is that it has a performance impact of between 10 and 30% (for PostgreSQL, that is - other things such as games will probably see less of an impact).

Note that this will only affect Intel processors, as AMD is apparently unaffected (reddit), so this will foreseeably be disabled by default on AMD.

Solution 2:

Update: The issue has been given a pair of monikers: Meltdown and Spectre. I've updated the answer with the new information.

It'll be a kernel patch initially. It'll show up as a higher version. It'll be installed because you have linux-image-generic installed. That's what that package is for. So you could remove linux-image-generic. It's a horrible, disastrous idea, that'll expose you to all sorts of nasties but you could do it. There may also be CPU microcode that follows in linux-firmware for an in-CPU fix. That's really on Intel.

The method you follow to un-fix this is irrelevant. You're asking to bypass something where you know neither the true impact of the bug, nor the performance cost of fixing it.

  • The bug is nasty. The reported CVEs are cross process memory reading. Any process being able to read the memory of any other process. Input, passwords, the whole lot. This likely has implications on sandboxes too. It's very early days and I expect people to push this further, both in impact and access.

  • The performance hit likely isn't as big as you're worried about. The numbers people are throwing around focus on the theoretical subsystem performance, or worst case. A poorly cached database is what's going to get hit hardest. Gaming, and day-to-day stuff likely isn't going to measurably change.

Even now we can see what the actual bug is, it's way too early to say what the impact is. While free read access to RAM is bad, there are worse things out there. I'd also test to see how much the fix actually impacts you (with the things you do).

Don't start pre-loading your GRUB config with flags, or removing Kernel meta packages just yet.

Solution 3:

Although I do not recommend this, it is possible to disable PTI with the nopti kernel command-line parameter, according to Phoronix.

To do this, append nopti to the string next to the line that starts with GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and then run

sudo update-grub

followed by a restart.

For more about kernel boot parameters that disable performance-relevant security features, see: Spectre & Meltdown MitigationControls in the Ubuntu Wiki
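
An added example, not part of any of the answers above: a shell audit that reports whether the pti=off or nopti parameters discussed here are present on a kernel command line or in GRUB_CMDLINE_LINUX_DEFAULT, so a machine where the mitigation was switched off can be spotted. The function names, the sample grub content, the mitigations=off check and the sysfs path are assumptions that do not come from the page.

```shell
#!/bin/sh
# Added example (not from the answers): audit whether PTI has been switched off.

# Constructed sample of /etc/default/grub content, used for the demo run.
SAMPLE_GRUB='GRUB_DEFAULT=0
#GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nopti"
GRUB_CMDLINE_LINUX=""'

# pti_state CMDLINE: print "disabled:<param>" if a parameter that turns PTI
# off is present as a whole word, otherwise "default". Presence only; it does
# not model how the kernel resolves conflicting parameters.
# mitigations=off is not mentioned on the page; it is included as an assumption.
pti_state() {
    hit=$(printf '%s\n' "$1" | tr -s ' \t' '\n\n' |
          grep -E -x 'nopti|pti=off|mitigations=off' | head -n 1 || true)
    if [ -n "$hit" ]; then
        printf 'disabled:%s\n' "$hit"
    else
        printf 'default\n'
    fi
}

# grub_default_cmdline: read grub defaults on stdin, print the last
# uncommented GRUB_CMDLINE_LINUX_DEFAULT value with its quotes removed.
grub_default_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT=//p' | tail -n 1 | tr -d "\"'"
}

# audit_pti: inspect the live system (running kernel, next boot, kernel view).
audit_pti() {
    if [ -r /proc/cmdline ]; then
        echo "running kernel: $(pti_state "$(cat /proc/cmdline)")"
    fi
    if [ -r /etc/default/grub ]; then
        echo "next boot:      $(pti_state "$(grub_default_cmdline < /etc/default/grub)")"
    fi
    # sysfs status file (path is an assumption, not from the page)
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then echo "kernel reports: $(cat "$f")"; fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_pti
else
    echo "sample grub: $(pti_state "$(printf '%s\n' "$SAMPLE_GRUB" | grub_default_cmdline)")"
fi
```

Run with --audit to check the live system; without arguments it only evaluates the constructed sample.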