Bug #17386

Consider disabling CPU vulnerabilities mitigation features in our Vagrant build box

Added by intrigeri 2019-12-30 07:35:14. Updated 2020-02-29 22:03:39.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Build system
Target version:
Start date:
Due date:
% Done:
100%

Feature Branch:
feature/17386-vagrant-disable-cpu-vuln-mitigations
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

Given the kind of things we do in our Vagrant build box, it seems very unlikely that vulnerabilities such as Spectre and Meltdown can be exploited in there. So perhaps we can reclaim some of the performance cost of the corresponding mitigation features?

This can be done by adding mitigations=off to the kernel command line.
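The kernel-parameter change described above, as an added example that is not code from the ticket or from the Tails build-box repository: a POSIX shell script that reports each CPU bug's current mitigation state from sysfs, checks whether the running kernel was booted with mitigations=off, and rewrites GRUB_CMDLINE_LINUX_DEFAULT in an /etc/default/grub-style file so that mitigations=off appears exactly once (and is not duplicated on a second run). The GRUB file path and the assumption that the box boots via GRUB are mine; the ticket does not say how the build box's command line is configured.

```shell
#!/bin/sh
# Added example (not Tails' own code). Assumptions: Linux sysfs layout under
# /sys/devices/system/cpu/vulnerabilities (kernel >= 4.15) and a GRUB-booted VM
# whose default kernel arguments live in /etc/default/grub.

# Print the mitigation state of every CPU bug the kernel knows about.
# $1 optionally overrides the sysfs directory (useful for tests).
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no sysfs vulnerability info at $dir" >&2; return 1; }
    for f in "$dir"/*; do
        printf '%-20s %s\n' "$(basename "$f"):" "$(cat "$f")"
    done
}

# Return 0 if the (given or running) kernel command line carries mitigations=off.
mitigations_disabled() {
    cmdline="${1:-$(cat /proc/cmdline)}"
    case " $cmdline " in
        *" mitigations=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print $1 (an /etc/default/grub-style file) with mitigations=off appended to
# GRUB_CMDLINE_LINUX_DEFAULT. Lines already containing it are left untouched,
# so the function is idempotent; other variables are never modified.
add_mitigations_off() {
    awk '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ && !/mitigations=off/ {
            if ($0 ~ /=""$/) sub(/""$/, "\"mitigations=off\"")
            else sub(/"$/, " mitigations=off\"")
        }
        { print }
    ' "$1"
}

# Usage: sh this.sh /etc/default/grub
# Shows the current state and the rewritten file; nothing is written in place.
if [ $# -gt 0 ]; then
    report_mitigations || true
    if mitigations_disabled; then echo "running kernel: mitigations=off"; fi
    add_mitigations_off "$1"
fi
```

After replacing /etc/default/grub with the rewritten output, run update-grub and reboot; the sysfs files will then typically read "Vulnerable" for the affected bugs, which is exactly the trade-off being accepted for a throwaway build VM, and report_mitigations is the check that confirms the change actually took effect.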

Subtasks

Related issues

Related to Tails - Feature #17387: Consider disabling CPU vulnerabilities mitigation features in our CI builder/tester VMs (Confirmed)

History

#1 Updated by intrigeri 2019-12-30 07:36:33

Next steps:

  • measure if it measurably lowers build time on a developer’s system (no nested virt)
  • measure if it measurably lowers build time on our CI builders (nested virt)

#2 Updated by intrigeri 2019-12-30 07:57:19

  • Feature Branch set to feature/17386-vagrant-disable-cpu-vuln-mitigations

#3 Updated by intrigeri 2019-12-30 15:57:57

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)
  • Target version set to Tails_4.2
  • Type of work changed from Test to Code
  • 7% i.e. 2 minutes saved on my laptop (quick SquashFS compression)
  • 2% i.e. 30 seconds saved on my local Jenkins (release-time SquashFS compression; also has mitigations=off both in the l0 virtualization host and in the l1 Jenkins slave VM).
  • 3.5% i.e. 2.5 minutes saved on lizard (all builders & testers busy; release-time SquashFS compression; has mitigations=auto — the default — both in the l0 virtualization host and in the l1 Jenkins slave VM)

That’s not a ton, but it adds up:

  • When one is in a dev frenzy and builds lots of images in a day, it starts to make a significant difference.
  • Every minute saved on a build job on our CI not only shortens the feedback loop for this build, but in heavy load situations, it also frees the builder VM earlier, which in turn shortens the feedback loop for other, queued jobs.

So IMO we should do it. Thoughts?

#4 Updated by CyrilBrulebois 2020-01-07 18:00:45

  • Target version changed from Tails_4.2 to Tails_4.3

#5 Updated by hefee 2020-02-03 14:02:34

  • Assignee set to hefee

#6 Updated by hefee 2020-02-03 14:40:05

  • Assignee deleted (hefee)

The changes seem fine, but I’m not that deep into the CPU attacks so I don’t want to merge it.
As I understood correctly this patch is only for the Tails building VM and not for running the test suite?

#7 Updated by hefee 2020-02-03 14:41:47

  • Status changed from Needs Validation to In Progress
  • Assignee set to intrigeri

#8 Updated by intrigeri 2020-02-03 14:49:40

  • Status changed from In Progress to Needs Validation

> As I understood correctly this patch is only for the Tails building VM and not for running the test suite?

Yes.

#9 Updated by intrigeri 2020-02-03 14:51:33

  • Assignee deleted (intrigeri)

#10 Updated by anonym 2020-02-11 15:26:48

  • Target version changed from Tails_4.3 to Tails_4.4

#11 Updated by intrigeri 2020-02-20 18:01:45

  • related to Feature #17387: Consider disabling CPU vulnerabilities mitigation features in our CI builder/tester VMs added

#12 Updated by intrigeri 2020-02-27 11:02:30

Hi @segfault,

this one is much less urgent than Bug #17477, but it’s been waiting for 2 months and maybe you could batch it with that other review.

#13 Updated by segfault 2020-02-29 22:03:39

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|b969a33a961427ae3201b99b1946639368b93ec7.