linux安全策略对性能的影响

https://unix.stackexchange.com/questions/554908/disable-spectre-and-meltdown-mitigations

A number of kernel boot parameters are available to disable or fine-tune hardware vulnerability mitigations:

• for Spectre v1 and v2: nospectre_v1 (x86, PowerPC), nospectre_v2 (x86, PowerPC, S/390, ARM64), spectre_v2_user=off (x86)
• for SSB: spec_store_bypass_disable=off (x86, PowerPC), ssbd=force-off (ARM64)
• for L1TF: l1tf=off (x86)
• for MDS: mds=off (x86)
• for TAA: tsx_async_abort=off
• for iTLB multihit: nx_huge_pages=off
• KPTI can be disabled with nopti (x86, PowerPC) or kpti=0 (ARM64)
• TSX async abort: tsx_async_abort=off (x86)
• KVM NX huge pages: kvm.nx_huge_pages=off (x86)

A meta-parameter, mitigations, was introduced in 5.2 and back-ported to 5.1.2, 5.0.16, and 4.19.43 (and perhaps others). It can be used to control all mitigations, on all architectures, as follows:

• mitigations=off will disable all optional CPU mitigations;
• mitigations=auto (the default setting) will mitigate all known CPU vulnerabilities, but leave SMT enabled (if it is already);
• mitigations=auto,nosmt will mitigate all known CPU vulnerabilities and disable SMT if appropriate.

Some of these can be toggled at runtime; see the linked documentation for details.

部分参数：

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx_async_abort=off 

tsx_async_abort=off：对调度影响很大，unixbench的syscall和context1两个case

mitigations=off：总开关，关了后性能会有很大提升！