[PATCH gnupg v11] Disable CPU speculation-related misfeatures
Steffen Nurpmeso
steffen at sdaoden.eu
Wed Jul 9 17:26:19 CEST 2025
Guido Trentalancia via Gnupg-devel wrote in
<1752063768.6141.10.camel at trentalancia.com>:
...
|common: Disable CPU speculative execution security
|vulnerabilities[.]
...
| - Flush L1D Cache on context switch out of the
| task (use the --enable-l1d-cache-flushing
| configure option and "nosmt l1d_flush=on" on the
| boot command line to mitigate the vulnerability)
Hm, i turn off SMT like
# git grep -i smt\/
bin/system.sh: [ -n "${SMTCONTROL}" ] && echo off > /sys/devices/system/cpu/smt/control
bin/zzz.sh: [ -f /sys/devices/system/cpu/smt/control ] && act 'echo off > /sys/devices/system/cpu/smt/control'
and on the Linux git master branch this still seems to work (i am
on 6.1.*, but i think i have used it since 5.10?, or even earlier);
according to
git show origin/master:Documentation/ABI/testing/sysfs-devices-system-cpu
this should still work out? Maybe worth noting; at least the boot
parameters are well documented...
(Off-topic: i used to temporarily turn it on during compile
sessions, but now am left with
[ -x /root/bin/cpupower.sh ] && /root/bin/cpupower.sh +
$time nice -n +19 ${SUPER} -u ports sh -c
...
and cpupower.sh no longer deals with SMT at all. It is off.
But the kernel command line is quite heavy (i leave EFI alone if
i can). Only by updating the kernel series, i think, the build
time increased by yet another ~25 percent over the last months.)
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
|
|During summer's humble, here's David Leonard's grumble
|
|The black bear, The black bear,
|blithely holds his own holds himself at leisure
|beating it, up and down tossing over his ups and downs with pleasure
|
|Farewell, dear collar bear
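An added example, not code from the patch or from the mail above: a small POSIX sh audit of the SMT state that the echo one-liners in the mail set, followed by a re-read so a write that was refused or ignored is noticed, plus a check for the boot parameters the patch description names ("nosmt", "l1d_flush=on"). The sysfs directory and the command-line file are passed as arguments so the same functions can be run against a copied or constructed directory; the value names ("on", "off", "forceoff", "notsupported", "notimplemented", and "active" as 0/1) are those documented in Documentation/ABI/testing/sysfs-devices-system-cpu, and every other path or sample value here is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not part of the patch or the mail. Reads the SMT control
# interface (normally /sys/devices/system/cpu/smt) and the kernel command
# line (normally /proc/cmdline); both locations are passed in so the checks
# can also run against a constructed directory.

# smt_report DIR: print control/active state. Returns 0 when the kernel
# reports SMT disabled or unavailable (control is off, forceoff,
# notsupported or notimplemented), 1 when control is "on", 2 when the
# interface is absent (kernel too old, or no SMT control on this arch).
smt_report() {
    dir=$1
    if [ ! -r "$dir/control" ]; then
        echo "smt: no control file under $dir"
        return 2
    fi
    control=$(cat "$dir/control")
    active=unknown
    if [ -r "$dir/active" ]; then
        active=$(cat "$dir/active")
    fi
    echo "smt: control=$control active=$active"
    case $control in
        on) return 1 ;;
        *)  return 0 ;;
    esac
}

# smt_disable DIR: the runtime equivalent of the echo one-liners in the
# mail, then a re-read so a refused or silently ignored write is noticed.
# Needs root on the real sysfs.
smt_disable() {
    dir=$1
    echo off > "$dir/control" || return 1
    smt_report "$dir"
}

# cmdline_has_param FILE PARAM: true when PARAM ("nosmt", "l1d_flush=on")
# appears as a whole token on the command line stored in FILE. A partial
# match such as "l1d_flush" against "l1d_flush=on" does not count.
cmdline_has_param() {
    file=$1
    want=$2
    for tok in $(cat "$file"); do
        if [ "$tok" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Stand-alone run: audit the live system where the interfaces exist.
if [ -d /sys/devices/system/cpu/smt ]; then
    smt_report /sys/devices/system/cpu/smt || :
fi
if [ -r /proc/cmdline ]; then
    for p in nosmt l1d_flush=on; do
        if cmdline_has_param /proc/cmdline "$p"; then
            echo "cmdline: $p present"
        else
            echo "cmdline: $p absent"
        fi
    done
fi
```

Writing "off" to the control file is the runtime equivalent of the "nosmt" boot parameter, but only the boot parameter keeps the sibling threads from ever coming online; the re-read after the write is there because a write to sysfs can fail or be ignored without the shell noticing when run via a one-liner like the ones in the mail.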