4 comments

[ 0.18 ms ] story [ 22.1 ms ] thread
Could anybody explain? They look like bootloader options and I see how Spectre mitigations slow down systems. But what about the rest?
Yep. It is turning off Spectre/Meltdown mitigations. I also see the new MDS mitigations turned off.
nopti is same as pti=off

  Control Page Table Isolation of user and
  kernel address spaces.  Disabling this feature
  removes hardening, but improves performance of
  system calls and interrupts.
nospectre_v2

  Disable all mitigations for the Spectre variant 2
  (indirect branch prediction) vulnerability. System may
  allow data leaks with this option, which is equivalent
  to spectre_v2=off.
 
nospectre_v1

  Disable mitigations for Spectre Variant 1 (bounds
  check bypass). With this option data leaks are possible
  in the system.
l1tf=off

  Control mitigation of the L1TF vulnerability on
  affected CPUs
  
  The kernel PTE inversion protection is unconditionally
  enabled and cannot be disabled.

  Disables hypervisor mitigations and doesn't
  emit any warnings.
  It also drops the swap size and available
  RAM limit restriction on both hypervisor and
  bare metal.
nospec_store_bypass_disable

  Disable all mitigations for the Speculative Store Bypass vulnerability
mds=off

  Control mitigation for the Micro-architectural Data
  Sampling (MDS) vulnerability.
  
  Certain CPUs are vulnerable to an exploit against CPU
  internal buffers which can forward information to a
  disclosure gadget under certain conditions.
  
  In vulnerable processors, the speculatively
  forwarded data can be used in a cache side channel
  attack, to access data to which the attacker does
  not have direct access.

  This parameter controls the MDS mitigation.
mitigations=off

  Disable all optional CPU mitigations.  This
  improves system performance, but it may also
  expose users to several CPU vulnerabilities.
  Equivalent to:
    nopti [X86,PPC]
    kpti=0 [ARM64]
    nospectre_v1 [PPC]
    nobp=0 [S390]
    nospectre_v2 [X86,PPC,S390,ARM64]
    spectre_v2_user=off [X86]
    spec_store_bypass_disable=off [X86,PPC]
    ssbd=force-off [ARM64]
    l1tf=off [X86]
    mds=off [X86]
Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux...

These seem to be undocumented or deprecated.

noibrs

  Disable Indirect Branch Restricted Speculation in the microcode.
noibpb

  Disable Indirect Branch Prediction Barriers.
no_stf_barrier

  Disable Store-forwarding barrier (PPC only).
Source:

https://access.redhat.com/articles/3311301

https://elixir.bootlin.com/linux/latest/source/arch/powerpc/...

Short, and to the point!

I salute you.