The performance benefits of Not protecting against Zombieload, Spectre, Meltdown.


With the news about MDS (Zombieload) I've seen a few paranoid posts and sensational headlines about Intel CPUs with HT. Looking at you, Wired.

From the reading I've done about these exploits they all share a few traits – they are all pretty difficult to pull off, they are all patched, and all of the patches reduce performance by some percentage.

For a critical system these things should of course be patched i.e., my ESXi server that runs my network with pfSense gets all security patches.

However, for a home user running Linux as a desktop for work or play – I have a feeling that patching these things is pretty pointless in terms of security. Security is always a compromise with practicality, and most home users (even [probably most] advanced users) do use known insecure things (that Android phone) and mitigate (maybe) those known vulnerabilities with network segregation or something along those lines.

And let's be real, people do this for good reason – it's practical and you are almost certainly not a focused target. There are no governments trying to Stuxnet the WD Raptors in your home Plex server.

So my thought is, the fixes for these vulnerabilities might even be an actively bad idea for your average home user. Each one reduces performance by a little bit and protects you from an attack that isn't coming.

Not applying these updates is pretty easy – just don't update the BIOS, or modify the BIOS so that these microcode updates aren't applied.

Then on the OS level you either disable or roll back your version of Linux's microcode update package, such as intel-microcode.

The same process could re-enable TSX-NI on some CPUs – which doesn't work in some specific cases, but some users might have a use for it and be able to accept its instabilities.

So my question is – how much performance could be re-gained by not protecting against these threats that almost certainly aren't worth thinking about to a home user?

submitted by /u/californiaCabotage
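
An added example, not part of the original post: before measuring any performance difference it helps to know which mitigations a host is actually running, which Linux reports under `/sys/devices/system/cpu/vulnerabilities`. This sketch classifies those status lines and flags entries left vulnerable, including the case where microcode is missing; the function names and sample values are constructed for illustration.

```python
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Constructed sample values, in the status format the kernel writes to sysfs.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Not affected",
}

def classify(status):
    """Map one sysfs status line to (state, notes)."""
    head, _, tail = status.strip().partition(";")
    notes = [n.strip() for n in tail.split(";") if n.strip()]
    if head.startswith("Not affected"):
        state = "not_affected"
    elif head.startswith("Mitigation"):
        state = "mitigated"
    elif head.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    # Reported when the kernel mitigation ran without the updated microcode.
    if "no microcode" in head:
        notes.append("microcode missing")
    return state, notes

def read_status(path=SYSFS_DIR):
    """Read every vulnerability file; empty dict if the directory is absent."""
    if not os.path.isdir(path):
        return {}
    out = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            out[name] = fh.read().strip()
    return out

def exposed(statuses):
    """Names that are vulnerable or still exposed across SMT siblings."""
    flagged = {n: classify(s) for n, s in statuses.items()}
    return sorted(n for n, (state, notes) in flagged.items()
                  if state == "vulnerable" or "SMT vulnerable" in notes)

if __name__ == "__main__":
    statuses = read_status() or SAMPLE  # fall back to the constructed sample
    for name in sorted(statuses):
        print(name, *classify(statuses[name]))
    print("needs attention:", exposed(statuses))
```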