Disabling AUDIT in the kernel?


Post by bluebell »

On the jack-devel mailing list I posted my switched off spectre mitigations and got a hint:

Code:

>"nohz=off threadirqs noibrs noibpb nopti
>nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable
>no_stf_barrier mds=off mitigations=off quiet splash"

With those spectre mitigations turned off, it still might be of value
to disable audit, see
https://lists.archlinux.org/pipermail/arch-general/2018-September/045580.html

I use the AVLinux RT kernel and found out:

Code:

hm@bubu:~$ zgrep -i audit /boot/config-4.16.12-rt5-avl1
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set

Would it be advisable to disable those features in the kernel?

EDIT:
On https://www.kernel.org/doc/html/v4.14/a ... eters.html I found a kernel command line parameter "audit" that can be set to 0.

Linux – MOTU UltraLite AVB – Qtractor – http://suedwestlicht.saar.de/


Re: Disabling AUDIT in the kernel?

Post by bluebell »

With audit=0 I can go down to a jackd buffer size of 12 without xruns when playing a mixcloud song in Firefox via PulseAudio via jack.

So my /etc/default/grub now contains:

Code:

GRUB_CMDLINE_LINUX_DEFAULT="nohz=off threadirqs audit=0 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off quiet splash"

Linux – MOTU UltraLite AVB – Qtractor – http://suedwestlicht.saar.de/


Re: Disabling AUDIT in the kernel?

Post by 1234 »

Hi,

I'll rewrite my bootloader config soon. Today I discovered that for current kernel releases only 'mitigations=off' is needed to disable mitigations.
Since I don't need audit, I started to build my kernels with audit not set again.
What is the content of your files in /sys/devices/system/cpu/vulnerabilities/ with and without mitigations disabled?

For my machine it's probably not worth the hassle, so I'm not in a hurry to rewrite the bootloader config. For one entry I tested turning off mitigations, but I did not check if it makes a difference related to audio performance.

Code:

[rocketmouse@archlinux ~]$ uname -rm
5.2.19-rt11-1.0 x86_64
[rocketmouse@archlinux ~]$ zgrep -eAPPARMOR -eAUDIT\  /proc/config.gz 
# CONFIG_AUDIT is not set
# CONFIG_SECURITY_APPARMOR is not set
[rocketmouse@archlinux ~]$ grep https /boot/syslinux/syslinux.cfg
#   https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs
[rocketmouse@archlinux ~]$ grep -A3 i^ /boot/syslinux/syslinux.cfg
    MENU LABEL Arch Linux Rt mitigati^ons=off
    LINUX ../vmlinuz-linux-rt
    APPEND root=LABEL=s3.archlinux ro mitigations=off
    INITRD ../intel-ucode.img,../initramfs-linux-rt.img
[rocketmouse@archlinux ~]$ grep . /sys/devices/system/cpu/vulnerabilities/* | cut -d/ -f7
l1tf:Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled
mds:Vulnerable; SMT disabled
meltdown:Vulnerable
spec_store_bypass:Vulnerable
spectre_v1:Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
spectre_v2:Vulnerable, IBPB: disabled, STIBP: disabled
[rocketmouse@archlinux ~]$ sudo shutdown -r now
[sudo] password for rocketmouse:

[rocketmouse@archlinux ~]$ uname -rm
5.2.19-rt11-1.0 x86_64
[rocketmouse@archlinux ~]$ grep -A3 \ ^Rt /boot/syslinux/syslinux.cfg
    MENU LABEL Arch Linux ^Rt
    LINUX ../vmlinuz-linux-rt
    APPEND root=LABEL=s3.archlinux ro
    INITRD ../intel-ucode.img,../initramfs-linux-rt.img
[rocketmouse@archlinux ~]$ grep . /sys/devices/system/cpu/vulnerabilities/* | cut -d/ -f7
l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
mds:Mitigation: Clear CPU buffers; SMT disabled
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: usercopy
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

Regards,
Ralf
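
A check for the two things compared in this thread, as an added example that is not part of any post: it lists the boot parameters that switch off mitigations or audit, and classifies each file under /sys/devices/system/cpu/vulnerabilities/. The function names are hypothetical, and the flag list contains only the parameters quoted in the posts above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print every parameter in the given kernel command line that switches off
# a CPU mitigation or the audit subsystem (only flags quoted in the thread).
weakening_params() (
    set -f    # no globbing while word-splitting the command line
    for p in $1; do
        case "$p" in
            mitigations=off|nopti|noibrs|noibpb|nospectre_v1|nospectre_v2) echo "$p" ;;
            l1tf=off|mds=off|nospec_store_bypass_disable|no_stf_barrier)   echo "$p" ;;
            audit=0) echo "$p" ;;
        esac
    done
)

# Print "name state" for each file in a vulnerabilities directory.
# Default is the sysfs path named in the thread.
mitigation_states() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        read -r line < "$f" || [ -n "$line" ] || continue
        case "$line" in
            "Not affected"*) state=not_affected ;;
            Vulnerable*)     state=unmitigated ;;
            *vulnerable*)    state=partial ;;      # e.g. "Mitigation: ...; VMX: vulnerable"
            Mitigation*)     state=mitigated ;;
            *)               state=unknown ;;
        esac
        echo "${f##*/} $state"
    done
}

# Report on the running system when the Linux interfaces are present.
if [ -r /proc/cmdline ]; then
    echo "weakening boot parameters:"
    weakening_params "$(cat /proc/cmdline)"
    echo "per-vulnerability state:"
    mitigation_states
fi
```

Run against a fleet, any host that reports `audit=0` or an `unmitigated` entry can be compared with its intended role, for example a dedicated audio workstation versus a multi-user or internet-facing machine.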