Do you disable the Spectre/Meltdown Security Mitigations?

Discussion in 'polls' started by Spartan, Apr 9, 2022.


Do you disable the Spectre/Meltdown Security Mitigations?

  1. I keep them enabled, I am very concerned about security

    76.2%
  2. I disable them, I want the max performance

    23.8%
  1. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    As the title says, do you keep the default setting in Windows or disable the mitigations for more performance?
     
  2. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    350
    Location:
    Finland
    On my main Windows PC, CPU mitigations are enabled.
    On my old and slow Linux laptop (openSUSE) those mitigations are disabled. I also tested with mitigations on (Linux), but did not see any noticeable performance impact. Maybe if you use something like Blender or games in Linux you might see some boost in performance. Like faster rendering time in Blender etc.
    But in production environments you should enable them, I think.
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    They are enabled for me.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Me too.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Disabled, though not sure if it matters, since it is enabled by BIOS anyway. I have never found an example, how this vulnerability is supposed to work IRL, but I assume, you still have to get infected first for it to be exploited?
     
  7. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    I want to know these things too.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    There were examples (PoC) in JavaScript. You visit a malicious website and credentials from the browser's built-in password manager may be stolen. There is tuning needed for the particular hardware and software configuration, so it is not an easy way to use it.
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    https://www.kaspersky.com/blog/spectre-meltdown-in-practice/43525/
     
  10. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    Which is why I have it disabled. It needs a very specific scenario in which some site/hacker on this planet waits for you, knowing that you have this vulnerability, to attack you. I just rely on my antivirus / Windows updates / adblocker and I want nothing touching the performance of my laptop.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Hi,
    could you insert an image of InSpectre.exe?
    TH.
     
  12. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    image? sure

    2022-04-10_185111.png

    Basically, you disable the protection, then reboot, then run it again, and you will see the same image as above.
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
  14. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    What is your CPU? The performance cannot be good if it was an Intel CPU and the Meltdown/Spectre patches are on unless you have an AMD CPU.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    :thumb:
    Correct, the CPU is AMD.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    How can you control performance in a Linux OS?
     
  17. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    mitigations= kernel command-line switch
     
  18. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    In Debian-based distros, edit "/etc/default/grub", find the line with:

    GRUB_CMDLINE_LINUX=""

    Change that to:

    GRUB_CMDLINE_LINUX="mitigations=off"

    If you change this file, run 'sudo update-grub' afterwards to update.

    That's what I did (I have an old Haswell processor...).

    Chances that someone hacks my system this way are practically zero.
    Besides, browsers have protection against this as well.

    https://winaero.com/secure-chrome-meltdown-spectre-vulnerabilities/
    https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
    https://blog.mozilla.org/security/2021/05/18/introducing-site-isolation-in-firefox/
     
    Last edited: Apr 10, 2022
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Thanks guys :thumb:, what you have written I can do.
    I asked how it is possible to measure, in the easiest way possible (but not empirically), the difference in performance before/after.
    Like you can do with InSpectre.exe in Windows.
     
  20. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Hmm...
    Not that I know of. :(

    Here is a checker tool, but I have no idea how good it is:
    https://github.com/speed47/spectre-meltdown-checker

    Here is a test by Phoronix from January 2018, but it was with older kernels, so things might have improved now:
    https://www.phoronix.com/scan.php?page=article&item=linux-317-415&num=1
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I have all mitigations enabled.

    I used Spectre-meltdown-checker. It is a comprehensive tool that checks for a lot of side channel vulnerabilities, unlike InSpectre, which checks only Meltdown and Spectre (though Spectre-meltdown-checker hasn't been updated for some time for the latest side channel vulnerabilities). It doesn't check performance though. But neither does InSpectre afaik. InSpectre only checks which CPU you have and if it is known to have a bigger performance hit. Afaik for Intel CPUs below 6th/7th gen (or somewhere around that, don't know for sure) the performance hit was bigger than for newer generations. That is what InSpectre displays. It doesn't do a performance test.
    I also think this was based on the initial Spectre mitigation called IBRS, which was the most performance heavy mitigation. For both Windows and Linux this has been replaced with less performance heavy Retpolines, so I'm not sure which gen CPU you have still makes a difference on how much the performance impact is. (Apart from the most recent gens which some of them are already fixed in hardware.)

    Also note that while the side channel vulnerabilities may be hard and take a long time to exploit, there have been a whole lot of newer variants that are relatively easier to exploit or make the original ones easier to exploit. And since the abuse of these hardware vulnerabilities can't be detected after the fact, it is hard to get a reliable view of how much this is being used in real attacks.

    The BIOS/microcode makes the mitigations available to the OS. If the OS doesn't enable them then it is not enabled.
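
Added example, not part of any post in this thread: a shell function that reads the status the Linux kernel itself reports under /sys/devices/system/cpu/vulnerabilities, plus the mitigations= switch from /proc/cmdline, to confirm what the OS actually enabled. The function names, the overridable path arguments and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Summarise the kernel's own view of CPU side-channel mitigations.
# Arguments default to the real Linux paths; they are overridable (an assumption
# of this example) so the function can be run against constructed sample data.
mitigation_report() {
    vuln_dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cmdline=${2:-/proc/cmdline}
    vulnerable=0

    # Show the mitigations= switch if one was passed at boot.
    switch=$(tr ' ' '\n' < "$cmdline" | grep '^mitigations=' | tail -n 1)
    echo "cmdline: ${switch:-no mitigations= switch (kernel default is auto)}"

    for f in "$vuln_dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        status=${raw#KVM: }          # some entries carry a "KVM: " prefix
        case $status in
            "Not affected"*)         state=OK ;;
            Mitigation*Vulnerable*)  state=PARTIAL ;;    # a sub-component is still exposed
            Mitigation*)             state=MITIGATED ;;
            Vulnerable*)             state=VULNERABLE; vulnerable=$((vulnerable + 1)) ;;
            *)                       state=UNKNOWN ;;
        esac
        printf '%-10s %-18s %s\n' "$state" "$(basename "$f")" "$raw"
    done

    echo "vulnerable: $vulnerable"
    [ "$vulnerable" -eq 0 ]          # non-zero exit if anything is unmitigated
}

# Constructed sample data (not captured from a real machine): a system booted
# with mitigations=off, written into the directory given as $1.
make_sample_off() {
    mkdir -p "$1/vulns"
    echo "Vulnerable"      > "$1/vulns/meltdown"
    echo "Vulnerable"      > "$1/vulns/spectre_v2"
    echo "KVM: Vulnerable" > "$1/vulns/itlb_multihit"
    echo "Not affected"    > "$1/vulns/mds"
    echo "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro mitigations=off" > "$1/cmdline"
}
```

Called with no arguments, `mitigation_report` reads the live system; its exit status is non-zero when any entry is reported as vulnerable, so it can gate a configuration check.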
     