Nixpkgs: Add config option to disable Meltdown/Spectre patches

Created on 31 Aug 2018 · 15 Comments · Source: NixOS/nixpkgs

Issue description

I see that many Linux devops have downgraded the kernel and disabled microcode updates on performance-critical systems (database servers, computing nodes, etc.), having decided that such deep internal systems have a tiny risk of being exploited.

On non-NixOS it is usually done very straightforwardly: just by installing an OS from 2016 and disabling updates. It has the obvious drawback that other security and bugfix patches, which do not impact performance, are ignored too.

NixOS with its flexible configuration options is able to address the exact problem, by providing an option to disable only those security patches which do degrade performance.

kernel nixos

All 15 comments

Meltdown/Spectre and includes kernel and microcode updates. This would mean providing an alternative kernel which excludes the patches? What other things would need to be changed?

> This would mean providing an alternative kernel which excludes the patches?

I guess that adding an alternative kernel might be avoided if we just pass the config attrset (the config which has `config.allowUnfree`) down to `<nixpkgs/pkgs/os-specific/linux/kernel/common-config.nix>` and `<pkgs/os-specific/linux/microcode/intel.nix>`, so that `config.preferPerformanceOverSecurity` would alter some options.

The config mechanism IMHO is too stateful and implicit. `boot.kernelPackages = pkgs.noMeltdownPatchesFor pkgs.linuxPackages_latest;`?

Currently I am using hot-patching of nixpkgs (because I mostly do IFD of nixpkgs):

```nix
# Bindings the snippet assumes to be in scope (header added for completeness):
# stdenv, fetchurl, fetchFromGitHub and the nixpkgs revision `rev` being pinned.
{ stdenv, fetchurl, fetchFromGitHub, rev }:

let
  # Copy a source tree and apply `patches` / a `postPatch` script to it.
  fix = { src
        , name      ? "${src.name}-fix"
        , patches   ? []
        , postPatch ? ""
        }: stdenv.mkDerivation {
    preferLocalBuild = true;
    allowSubstitutes = false;
    inherit name src patches postPatch;
    installPhase = "mkdir $out ; cp -R .version * $out/";
    dontFixup = true;
    dontStrip = true;
  };

  # Rewrite nixpkgs so the kernel is configured and booted without the
  # Meltdown/Spectre mitigations and the pre-2018 Intel microcode is used.
  fix-no-meltdown = { src
                    , name ? "${src.name}-no-meltdown"
                    }:
    fix {
      inherit src name;
      postPatch = ''
        # disable performance penalty of meltdown/spectre patches
        substituteInPlace pkgs/os-specific/linux/kernel/common-config.nix \
          --replace 'security = {' \
                    'security = { PAGE_TABLE_ISOLATION = option no; RETPOLINE = no; HOTPLUG_SMT = option no;'  # https://lkml.org/lkml/2018/8/16/223
        substituteInPlace pkgs/os-specific/linux/kernel/manual-config.nix \
          --replace "prePatch = '''" \
                    "prePatch = '''substituteInPlace arch/x86/kernel/cpu/common.c --replace 'if (x86_match_cpu(cpu_no_speculation))' '//if (x86_match_cpu(cpu_no_speculation))'"

        substituteInPlace nixos/modules/system/boot/kernel.nix \
          --replace '[ "loglevel=' \
                    '(optionals (pkgs.stdenv.isx86_64 || pkgs.stdenv.isi686) [ "noibrs" "noibpb" "nopti" "noretpoline" "nospectre_v2" ]) ++ [ "loglevel='

        # microcode from 20171117
        cp ${fetchurl { url    = "https://raw.githubusercontent.com/NixOS/nixpkgs/89fab177491af0e94f3edd793621740218161b1f/pkgs/os-specific/linux/microcode/intel.nix";
                        sha256 = "0cwc0qkg3xhsxgyahhbn869wfyp7bmcsfvksyddj6vyzd5m40vm6"; }
            } pkgs/os-specific/linux/microcode/intel.nix
        cp ${fetchurl { url    = "https://raw.githubusercontent.com/NixOS/nixpkgs/89fab177491af0e94f3edd793621740218161b1f/pkgs/os-specific/linux/microcode/intel-microcode2ucode.c";
                        sha256 = "1ph3zq76dkikvxyrbpaxx8d9302bzl3n1d71qzcx790ncfb3m883"; }
            } pkgs/os-specific/linux/microcode/intel-microcode2ucode.c
      '';
    };

  upstream-nixpkgs = fetchFromGitHub {
    owner  = "nixos";
    repo   = "nixpkgs";
    inherit rev;
    sha256 = "168xwh2iv9jrbqwigk54z50mjx30i1d0cv3j078xm3g1mnvz9y83";
  };
  upstream-nixpkgs' = fix-no-meltdown { src = upstream-nixpkgs; };
in
  # Use one of the two trees:
  # (import upstream-nixpkgs {}).blablabla   # <- vanilla nixpkgs
  (import upstream-nixpkgs' {}).blablabla    # <- vanilla nixpkgs without meltdown patches
```

I think this should just be:

```nix
{ ... }:

{
  boot.kernelParams = [ "pti=off" "spectre_v2=off" "l1tf=off" "nospec_store_bypass_disable" ];
}
```

?

This will be fixed soon with the `mitigations=off` kernel parameter. IMHO we don't really need a separate option in NixOS: https://lkml.org/lkml/2019/5/15/389

won't it require Intel microcode from 2017 anyway?

yes, or no microcode

I think it would be reasonable to expect people who want this to bring their own microcode package.

mitigations=off is now available when using latest nixos-unstable

```nix
boot.kernelParams = [ "mitigations=off" ];
```

```
Linux nixos 4.19.43 #1-NixOS SMP Tue May 14 17:18:00 UTC 2019 x86_64 GNU/Linux
19.09.git.9b6accf (Loris)
```

```
$ grep -R . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable, STIBP: disabled
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
```

Can we close this issue now that 20.03 has landed with linux 5.4?
Thanks

> Can we close this issue now that 20.03 has landed with linux 5.4?
> Thanks

:+1:

> Can we close this issue now that 20.03 has landed with linux 5.4?

What is relevant to the issue in 5.4?

> Can we close this issue now that 20.03 has landed with linux 5.4?
>
> What is relevant to the issue in 5.4?

As explained by @gnidorah,

```nix
boot.kernelParams = [ "mitigations=off" ];
```

is enough to disable all mitigations on latest NixOS stable.

> What is relevant to the issue in 5.4?
>
> As explained by @gnidorah,
>
> ```nix
> boot.kernelParams = [ "mitigations=off" ];
> ```
>
> is enough to disable all mitigations on latest NixOS stable.

Even without using older microcode-intel?

> What is relevant to the issue in 5.4?
>
> As explained by @gnidorah,
>
> ```nix
> boot.kernelParams = [ "mitigations=off" ];
> ```
>
> is enough to disable all mitigations on latest NixOS stable.
>
> Even without using older microcode-intel?

Naturally the kernel can't influence mitigations implemented by microcode updates. Disable the microcode to achieve this.

Edit: Note that in these cases you also shouldn't update your motherboard BIOS, since it might contain newer microcode versions. I in no way recommend disabling the microcode updates or mitigations; all parties are doing their best to get the updates to users and mitigate the performance loss in the kernel.
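A defender-side check that ties together the two points made in this thread: the `/sys/devices/system/cpu/vulnerabilities` output posted with kernel 4.19.43 and `mitigations=off`, and the reply above that the kernel flag says nothing about microcode-level mitigations. This is an added example, not code from nixpkgs or from anyone in the thread. It parses the sysfs vulnerability files, the kernel command line and `/proc/cpuinfo`, so a host inventory can flag machines booted with any of the parameters mentioned here or running an older microcode revision than expected. The sysfs sample is the output posted above; the command line and cpuinfo samples, the `min_microcode` threshold, `VULN_DIR` and all function names are my own constructions.

```python
"""Audit the kernel's view of CPU speculative-execution mitigations.

Added example for this thread, not nixpkgs code. Parses text from (or reads)
/sys/devices/system/cpu/vulnerabilities, /proc/cmdline and /proc/cpuinfo so a
host inventory can flag machines booted with mitigations off or running an
older microcode revision than expected.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Sample 1: the `grep -R .` output posted above (kernel 4.19.43, mitigations=off).
SAMPLE_GREP_OUTPUT = """\
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable, STIBP: disabled
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
"""

# Sample 2: a constructed kernel command line in the shape NixOS generates.
SAMPLE_CMDLINE = ("BOOT_IMAGE=/nix/store/EXAMPLE-linux/bzImage "
                  "init=/nix/store/EXAMPLE-system/init mitigations=off loglevel=4")

# Sample 3: constructed /proc/cpuinfo excerpt; CPU 1 reports an older revision.
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x2e\n\n"
                  "processor\t: 1\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x2d\n")

# Command-line tokens mentioned in this thread as ways to switch mitigations off.
MITIGATION_OFF_PARAMS = {
    "mitigations=off", "nopti", "pti=off", "spectre_v2=off", "nospectre_v2",
    "l1tf=off", "nospec_store_bypass_disable", "noibrs", "noibpb", "noretpoline",
}

def parse_vulnerabilities(grep_output: str) -> dict:
    """Map vulnerability name -> status string from `grep -R .` style lines."""
    status = {}
    for line in grep_output.splitlines():
        if line.strip():
            path, _, value = line.partition(":")
            status[os.path.basename(path.strip())] = value.strip()
    return status

def read_vulnerabilities(directory: str = VULN_DIR) -> dict:
    """Read the live sysfs files; {} when the directory is absent (old kernel)."""
    if not os.path.isdir(directory):
        return {}
    status = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            status[name] = fh.read().strip()
    return status

def unmitigated(status: dict) -> list:
    """Entries the kernel reports as 'Vulnerable' (mitigation absent or disabled)."""
    return sorted(n for n, s in status.items() if s.startswith("Vulnerable"))

def partially_mitigated(status: dict) -> list:
    """Mitigated entries that still carry a 'vulnerable' qualifier (l1tf: VMX)."""
    return sorted(n for n, s in status.items()
                  if s.startswith("Mitigation") and "vulnerable" in s.lower())

def disabling_params(cmdline: str) -> list:
    """Tokens from MITIGATION_OFF_PARAMS that are present on the command line."""
    return sorted(t for t in cmdline.split() if t in MITIGATION_OFF_PARAMS)

def microcode_revisions(cpuinfo: str) -> dict:
    """Map logical CPU number -> microcode revision (int) from /proc/cpuinfo."""
    revs, cpu = {}, None
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "microcode" and cpu is not None:
            revs[cpu] = int(value, 16)
    return revs

def audit(status: dict, cmdline: str, cpuinfo: str, min_microcode: int) -> dict:
    """Collect findings; an empty 'findings' list means nothing to flag."""
    findings = []
    if unmitigated(status):
        findings.append("unmitigated: " + ", ".join(unmitigated(status)))
    if partially_mitigated(status):
        findings.append("partial: " + ", ".join(partially_mitigated(status)))
    if disabling_params(cmdline):
        findings.append("cmdline: " + " ".join(disabling_params(cmdline)))
    revs = microcode_revisions(cpuinfo)
    stale = sorted(c for c, r in revs.items() if r < min_microcode)
    if stale:
        findings.append("stale microcode on cpu(s): " + ", ".join(map(str, stale)))
    return {"findings": findings, "microcode": revs}

if __name__ == "__main__":
    # Offline run on the embedded samples; on a live host feed in
    # read_vulnerabilities() and the contents of /proc/cmdline and /proc/cpuinfo.
    for finding in audit(parse_vulnerabilities(SAMPLE_GREP_OUTPUT), SAMPLE_CMDLINE,
                         SAMPLE_CPUINFO, min_microcode=0x2e)["findings"]:
        print("FLAG:", finding)
```

On the posted sample this flags four things: the four entries the kernel reports as `Vulnerable`, the `l1tf` entry whose VMX side is still vulnerable, `mitigations=off` on the command line, and the CPU whose microcode revision is below the threshold. The microcode check is deliberately separate from the sysfs check, because, as the reply above says, the kernel parameter has no bearing on which microcode is loaded.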
