Disable Kernel patches

PLEASE NOTE: The following recipe applies to CentOS machines.

Recent kernels that introduce fixes/patches for the Meltdown/Spectre issues reportedly cause machine slowdowns. There may be cases where this slowdown impacts operations too strongly while the security of the machine is taken care of by other means; in our setup this is the case for our storage servers.

On such machines there is an easy way to stay up to date with kernels while disabling the recent security fixes.

Proceed as follows:

  • Upgrade to most recent kernel:

    $ yum update
    
  • See what kernels are available:

    $ grubby --info=ALL | grep -e kernel -e args
    
  • Pick the kernel for which you want to disable the security fixes, for example: 3.10.0-693.17.1.el7.x86_64:

    $ grubby --args='noibrs noibpb nopti' --update-kernel /boot/vmlinuz-3.10.0-693.17.1.el7.x86_64
    $ grubby --info=ALL | grep -e kernel -e args
    
  • Then, reboot your server.

After the reboot, check that the patches are indeed disabled; each of the following commands should return '0':

$ cat /sys/kernel/debug/x86/pti_enabled
$ cat /sys/kernel/debug/x86/ibpb_enabled
$ cat /sys/kernel/debug/x86/ibrs_enabled
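The post-reboot check above, written as a small POSIX shell script (an added example, not part of the original recipe). It reads the same three debugfs knobs, reports a knob as absent when its file cannot be read (debugfs not mounted at /sys/kernel/debug, or not running as root), and exits non-zero unless all three read 0; the directory argument is an assumption added so the functions can be exercised against a constructed directory instead of the live system.

```shell
#!/bin/sh
# Added example: report the Meltdown/Spectre mitigation state from the
# debugfs knobs the recipe checks (pti_enabled, ibpb_enabled, ibrs_enabled).
# The optional directory argument defaults to the live debugfs location.

# Print "<knob>=<value>" for each knob under $1; print "<knob>=absent" when
# the file is missing or unreadable (debugfs not mounted, kernel without the
# knob, or insufficient privileges), so a missing file is never mistaken
# for a disabled mitigation.
mitigation_state() {
    dir="${1:-/sys/kernel/debug/x86}"
    for knob in pti ibpb ibrs; do
        f="$dir/${knob}_enabled"
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$knob" "$(cat "$f")"
        else
            printf '%s=absent\n' "$knob"
        fi
    done
}

# Return 0 only when every knob under $1 reads exactly 0 (the state the
# recipe expects after reboot); any other value, or an absent knob,
# returns 1 so the caller knows a mitigation may still be active.
all_disabled() {
    mitigation_state "$1" | grep -qv '=0$' && return 1
    return 0
}

# Stand-alone usage: show the state of the running kernel and set the
# exit status accordingly.
mitigation_state
all_disabled
```

A non-zero exit with an `absent` line means the check itself could not run (typically debugfs or root access), not that the mitigation is off.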