Well that was ridiculously easy. No complaints here.

Unrelated really, but for fun I ran the following:

ubuntu@primary:~$ cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
Mitigation: Clear CPU buffers; SMT Host state unknown
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
Not affected

Installed phoronix, ran:

ubuntu@primary:~/phoronix-test-suite$ ./phoronix-test-suite benchmark pts/ctx-clock-1.0.0
Estimated Time To Completion: 1 Minute [09:19 PST]
Started Run 1 @ 09:19:09
Started Run 2 @ 09:19:16
Started Run 3 @ 09:19:23

Context Switch Time:
1021
1018
1021

Then on my own machine with mitigations=off:

~ ❯ uname -a
Linux ubuntu 5.4.3-050403+custom-generic #050403+201912130841 SMP PREEMPT Fri Dec 13 10:46:17 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
~ ❯ cat /sys/devices/system/cpu/vulnerabilities/*
KVM: Vulnerable
Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled
Vulnerable; SMT disabled
Vulnerable
Vulnerable
Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerable, IBPB: disabled, STIBP: disabled
Not affected

phoronix-test-suite - master ❯ ./phoronix-test-suite benchmark pts/ctx-clock-1.0.0
Estimated Time To Completion: 1 Minute [09:20 PST]
Started Run 1 @ 09:20:06
Started Run 2 @ 09:20:10
Started Run 3 @ 09:20:15

Context Switch Time:
142
142
142

It's just crazy how much an ubuntu vm gets crippled on an Intel machine by default nowadays. Not even trying to start a flame war.

I'm not sure I understood your point, but the mitigations are on by default on probably every distribution. I don't know how multipass configures QEMU, but in order for the VM to use/see hardware support for mitigations on Intel CPUs it has to have appropriate CPU flags set to at least: +md_clear +pcid +spec_ctrl +ssbd.

No native bhyve Ubuntu? Seems pretty easy to add since HyperKit is bhyve for macos..

let's just say that on my dual xeon l5640 using a recompiled kernel without the mitigations and optimized makes me feel like i've bought a new computer.

The most stupid test: opening facebook... it takes literally a tenth of the time to open facebook on the custom kernel. Believe me or not, it almost feels faster than my gaming rig- overclocked 4770k.

Shuttleworth and his fking cloud hardon. Dude can't even keeps snaps from breaking infrastructure. It's predicable and tiresome.

Maybe it's not very relevant, but yesterday I saw a Richard Brown Twitter post that says ""The @SUSE security team just closed the bug for addressing security concerns preventing @snapcraftio being included in @openSUSE due to a lack of response by the upstream developers & packagers.. I guess @FlatpakApps wins the new-age packaging war by default"" and ""I'd like to point out that the reason for the closure was not a failure at addressing any of the raised issues, but a failure to reply to either of the requests for a status update in July and September."".

Leeloo Dallas Multipass.


mmmulltiipasssss.

Canonical does a terrible job of making Snap run on other distros, having it barely run is good enough.

Canonical. Reinventing the wheel since 2004!