This was posted by Nick Chomey
HOW TO DISABLE AN UNNECESSARY SECURITY PATCH FOR AMD CPUS THAT KILLS PERFORMANCE
So it was brought up in a post the other day that a vulnerability was found for essentially all AMD CPUs. They patched it in the Linux kernel, but the patch results in performance degradation for a lot of processes - MariaDB (the database most of us use) in particular.
Here is more about the patch https://docs.kernel.org/admin-guide/hw-vuln/srso.html
In order to exploit vulnerability, an attacker needs to:
- gain local access on the machine
- break kASLR
- find gadgets in the running kernel in order to use them in the exploit
- potentially create and pin an additional workload on the sibling thread, depending on the microarchitecture (not necessary on fam 0x19)
- run the exploit
As you can see, if someone is able to make use of this vulnerability, then the battle was already long-since lost.
Run this command to see if the patch has been applied to your server:
cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
If it says something like “Mitigation: Safe RET”, you’ll probably want to turn it off. The following command works for the Ubuntu 22.04 servers that I checked. YMMV.
echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT spec_rstack_overflow=off"' | sudo tee /etc/default/grub.d/z-srso.cfg && sudo update-grub
Then reboot your server and run this again to see if it took effect:
cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
It should say something like “Vulnerable: No microcode”.
I found it improved various benchmarks by 10% or so.
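The two checks from the post (the sysfs status and the boot parameter), combined into one audit script for inventorying hosts where the SRSO mitigation has been switched off. This is an added example, not part of the original post; the function names and verdict labels are illustrative, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example: report whether the SRSO mitigation is active and whether it
# was switched off on the kernel command line. Names here are illustrative.

# Classify the text of .../vulnerabilities/spec_rstack_overflow by its prefix.
srso_classify() {
    case "$1" in
        "Mitigation:"*)  echo mitigated ;;
        "Not affected"*) echo not_affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print the value given to spec_rstack_overflow= in a kernel command line
# (empty if absent). Assumption: if repeated, the last occurrence is reported.
srso_cmdline_value() {
    val=""
    set -f                      # no globbing while splitting the command line
    for tok in $1; do
        case "$tok" in
            spec_rstack_overflow=*) val=${tok#spec_rstack_overflow=} ;;
        esac
    done
    set +f
    echo "$val"
}

# Verdict from the sysfs status text ($1) and the kernel command line ($2).
srso_verdict() {
    state=$(srso_classify "$1")
    param=$(srso_cmdline_value "$2")
    if [ "$state" = vulnerable ] && [ "$param" = off ]; then
        echo DISABLED_BY_ADMIN  # deliberately turned off at boot
    elif [ "$state" = vulnerable ]; then
        echo UNMITIGATED        # vulnerable for another reason (e.g. microcode)
    elif [ "$state" = unknown ]; then
        echo UNKNOWN            # no sysfs entry or unrecognised text
    else
        echo OK
    fi
}

# Live check on this host; missing files yield empty strings and UNKNOWN.
SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
status=$(cat "$SYSFS" 2>/dev/null || true)
cmdline=$(cat /proc/cmdline 2>/dev/null || true)
echo "$(uname -n): $(srso_verdict "$status" "$cmdline") (${status:-no sysfs entry})"
```

Reading `/proc/cmdline` shows what the running kernel was actually booted with, so a host reports `DISABLED_BY_ADMIN` only after the reboot step has taken effect.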