From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: AMD microcode updates - where are they?!
Date: Thu, 18 Jul 2019 19:23:06 +0100

On Thursday, 18 July 2019 13:33:36 BST Corbin wrote:
> On 7/17/19 3:51 PM, Ian Zimmerman wrote:
> > pti=0 ibrs=0 ibpb=1 retp=1 -> fix variant #1 #2 if the microcode
> > update is applied
> > pti=0 ibrs=2 ibpb=1 retp=1 -> fix variant #1 #2 on
> > older processors that can disable indirect branch prediction without
> > microcode updates
> >
> > Note: A microcode patch provided by the vendor must be applied in
> > order for the tunables to be visible.
> >
> > which of course is self-contradictory, so not a full answer but maybe a
> > clue.

I did read this but wasn't sure what to deduce from it. I took it to mean
earlier CPUs won't receive a microcode patch, but will still have spectre
mitigated, presumably using a different method. Later CPUs will receive a
patch.

My AMD APUs are later fam15h models and if the above is to be believed they
probably ought to have received a patch - but none is observable. :-/

Then I thought the note in the RHL article may need to be taken literally, to
mean a microcode patch will just make tunables *visible*, rather than present.

> > Are those settings meant to go on a boot command line?
>
> As for what Red Hat / Fedora is doing, no idea.
>
> The parameters I used came from the kernel documentation.
>
>
> Corbin

According to kernel-4.19.57 docs at least, all CPU vulnerabilities and spectre
related mitigations are automatically switched on, without the need to specify
anything on the kernel line. In addition, the selection of individual
spectre_v2 mitigation methods is determined dynamically "... at run time
according to the CPU, the available microcode, the setting of the
CONFIG_RETPOLINE configuration option, and the compiler with which the kernel
was built."

Anyway, selecting 'spectre_v2=on' "... will also enable the mitigation against
user space to user space task attacks", so this is a useful option to use.

Regarding ibpb not being displayed under my /sys fs the docs say:

    Default mitigation: If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"

Therefore, I am not sure if ibpb is meant to show up unless it has been
specified on the kernel line as a spectre_v2_user mitigation method.

-- 
Regards,
Mick
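
Added example, not part of the original message or of the kernel documentation it quotes: a shell script that splits the spectre_v2 status line under /sys into its fields and reads spectre_v2= and spectre_v2_user= from the kernel command line, so that an IBPB field that is absent can be told apart from one that is reported as disabled. The function names, the sample status lines and the sample command line are constructed for illustration; the sysfs path is the standard location and is assumed here.

```shell
#!/bin/sh
# Added example: decode the spectre_v2 status line and the related boot options.
SPECTRE_V2_FILE="${SPECTRE_V2_FILE:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"

# field_state LINE NAME: print the state of a "NAME: state" field, "enabled"
# for a bare "NAME" flag, or "not reported" when the field is absent.
field_state() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    awk -v name="$2" '
        $0 == name                { print "enabled"; found = 1; exit }
        index($0, name ": ") == 1 { print substr($0, length(name) + 3); found = 1; exit }
        END                       { if (!found) print "not reported" }'
}

# cmdline_value CMDLINE KEY: print the value of the last KEY=value word, or
# "unset". Runs in a subshell so disabling globbing does not leak out.
cmdline_value() (
    set -f
    value=unset
    for word in $1; do
        case "$word" in
            "$2"=*) value=${word#*=} ;;
        esac
    done
    printf '%s\n' "$value"
)

# report STATUS_LINE CMDLINE: summary of what is reported and what was requested.
report() {
    echo "raw status      : $1"
    echo "mitigation      : $(field_state "$1" Mitigation)"
    echo "IBPB            : $(field_state "$1" IBPB)"
    echo "STIBP           : $(field_state "$1" STIBP)"
    echo "spectre_v2      : $(cmdline_value "$2" spectre_v2)"
    echo "spectre_v2_user : $(cmdline_value "$2" spectre_v2_user)"
}

# Constructed samples (not captured from the poster's machine).
SAMPLE_STATUS='Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling'
SAMPLE_OLD_STATUS='Mitigation: Full generic retpoline, IBPB, IBRS_FW'
SAMPLE_CMDLINE='root=/dev/sda2 ro spectre_v2=on'

if [ -r "$SPECTRE_V2_FILE" ] && [ -r /proc/cmdline ]; then
    report "$(cat "$SPECTRE_V2_FILE")" "$(cat /proc/cmdline)"
else
    report "$SAMPLE_STATUS" "$SAMPLE_CMDLINE"
fi
```

On a machine where the sysfs file is readable the script reports the live values; otherwise it falls back to the constructed sample.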