Fedora 36 Retbleed mitigations on off check
Retbleed is all over the Linux news sites and this blog post is about checking mitigations are on or off.
Here at Fedorum, most computers run on Fedora and some of them have processors that are affected by Retbleed. Namely, the SkyLake series, which are from the 6000 to 8000 series.
The Dell Inspiron 5680 is used for graphics design and has an Intel 8700 12-core CPU, which is definitely affected. The newer Dell Precision 3440 workstation has a 10th generation processor which is not affected by Redbleed. Since this PC is the one that connects to the internet, I don’t need to pay too much attention. Then again, who knows? The next exploit might just be around the corner.
How to see which mitigations are implemented
The beauty of Linux is in the power of the command line.
Typing lscpu into the terminal generates all the information I need to know.
Fedora was quick to implement the Retbleed mitigation
Fedora, although not a rolling Linux distribution, still receives several system updates per week. Because of that, we can breathe a bit easier knowing that our vulnerable systems are protected for now. Since not all of the computers here at the Fedorum studio are online, I will turn mitigations off. Please understand that this is risky at best.
When to change the mitigation default setting
A few years back, CPU chip makers AMD and Intel got hit with Spectre V1, V2 and Meltdown. This means that all computers that use those processors need patching. The patch which protects INTEL CPUs from the Redbleed mitigation reduces up to ~30% of the processing power. AMD devices are less affected but still need the patch.
Some power users will opt to turn mitigations off and I too will do so on all computers that are used for 3D modelling and rendering.
On Fedora, I can see the boot info by entering the following command into the terminal:
sudo grubby –info=ALL
Here is how to turn Retbleed mitigation of on some of my machines. Please don’t run this command unless you understand what it does. To turn off Retbleed mitigation, I run: sudo grubby –update-kernel=ALL –args=”retbleed=off”
What is an air gap and is it secure
I recommend to not turn Retbleed mitigations off unless you air gap the computer. Although an air gap is overkill for casual use, it is the only safe option for those who need maximum processing speed. If the topic of disconnecting one of the PCs from the network is new, then you should read up on what Wikipedia says about air gap and how to safely set that up.
It’s actually easy to do. Unplugging the network cable and, if possible, removing the WIFI card is all that’s needed. A computer with no WiFi card and no local network connection can not access the internet. If data needs to be transferred from or to such a machine, it must be done via a USB stick “over the air”.
If you have more than one computer, then creating an air gap, while not practical, is a good option. There is no need to update an air gapped system because nothing can piggyback and infiltrate the system unless we are careless.
Long-term backup strategies
In closing, I want to mention something that makes a lot of sense but is not often talked about. Everyone who uses a computer for work understands that backing up the data and files is a must. Unfortunately, if a computer has been compromised, then the files backed up from it will also be compromised. Because of that, I create some long-term backups about twice a year. If a problem arises, then I can go back one or two backups and start over from a clean state.
Right now, Retbleed is new, just as Spectre and Meltdown were when they surfaced. My hope is that in time, better and more efficient patches will become available, which can restore the lost processing power. For now, it’s better to err on the side of caution and be smart about online activities.
Running Linux goes a long way towards security because we (Linux users) are at least not tempted to install some crack for Maya or whatever people are cracking these days. Email and browsers are the weak links in the chain, so segregate your browser activity and delete suspicious email links without opening.
If Fedora interests you, then check out the other blog posts. Stay safe, be smart and thank you for your time.
