CentOS KPTI Disabling Method
To address the security risk posed by the recently disclosed Meltdown vulnerability, SurferCloud's official CentOS 6.x and 7.x images have been updated. The new images enable KPTI (Kernel Page Table Isolation) by default to fix this vulnerability. For details, see Meltdown Vulnerability Details.
However, according to tests, enabling KPTI may have a 5%-30% performance impact on the virtual machine. Computational tasks are less affected, while IO/memory-intensive tasks are more significantly impacted.
You can decide whether to disable KPTI based on your actual circumstances, restoring performance at the cost of accepting the security risk.
CentOS 6.x
1) Disable KPTI
Enter the command:
vim /boot/grub/grub.conf
Add the following parameter to the kernel line:
nopti
Reboot the virtual machine for the change to take effect.
2) Verify that it has been disabled
Enter the command:
dmesg | grep isolation
If the following information is displayed, it means that KPTI is still enabled.
x86/pti: Kernel page table isolation enabled
If KPTI was successfully disabled, the above line will not be displayed.
CentOS 7.x
1) Disable KPTI
Enter the command:
vim /boot/grub2/grub.cfg
Add the following parameter to the /boot/vmlinuz-* line:
nopti
Reboot the virtual machine for the change to take effect.
2) Verify that it has been disabled
Enter the command:
dmesg | grep isolation
If the following information is displayed, it means that KPTI is still enabled.
x86/pti: Unmapping kernel while in userspace
If KPTI was successfully disabled, the above line will not be displayed.
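The verification steps for both releases can be combined into one check that also confirms nopti is on the running kernel's command line, since a missing dmesg line on its own can simply mean the boot messages have rotated out of the log. This is an added example, not SurferCloud's own code; the function names kpti_state and kpti_live and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SurferCloud's code): classify KPTI state from the kernel
# command line plus the dmesg text, using the two messages quoted on this page.

# kpti_state CMDLINE DMESG_TEXT  ->  prints: enabled | disabled | unknown
kpti_state() {
    cmdline=$1
    log=$2
    # Either boot message means page table isolation is active.
    if printf '%s\n' "$log" |
        grep -Eq 'Kernel page table isolation enabled|Unmapping kernel while in userspace'
    then
        echo enabled
        return 0
    fi
    # A missing message alone proves nothing (the ring buffer may have
    # rotated), so require that the running kernel was booted with nopti.
    case " $cmdline " in
        *" nopti "*) echo disabled ;;
        *)           echo unknown ;;
    esac
}

# Check the running system; reading dmesg may require root.
kpti_live() {
    kpti_state "$(cat /proc/cmdline)" "$(dmesg)"
}

# Constructed sample inputs, not captured from a real host.
CMDLINE_DEFAULT='ro root=/dev/vda1 crashkernel=auto quiet'
CMDLINE_NOPTI='ro root=/dev/vda1 crashkernel=auto quiet nopti'
DMESG_EL6_ON='x86/pti: Kernel page table isolation enabled'
DMESG_EL7_ON='[    0.000000] x86/pti: Unmapping kernel while in userspace'
DMESG_QUIET='[    0.000000] Initializing cgroup subsys cpu'

kpti_state "$CMDLINE_DEFAULT" "$DMESG_EL6_ON"   # enabled
kpti_state "$CMDLINE_DEFAULT" "$DMESG_EL7_ON"   # enabled
kpti_state "$CMDLINE_NOPTI"   "$DMESG_QUIET"    # disabled
kpti_state "$CMDLINE_DEFAULT" "$DMESG_QUIET"    # unknown
```

After the reboot, call kpti_live on the virtual machine; a result of unknown means the log no longer contains the boot messages and nopti was not found in /proc/cmdline, so the edit to the GRUB file should be rechecked.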