From: Adam Carter
Date: Fri, 5 Jan 2018 11:51:38 +1100
Subject: Re: [gentoo-user] Re: Expect a ~15% average slowdown if you use an Intel processor
To: gentoo-user@lists.gentoo.org

On Fri, Jan 5, 2018 at 8:39 AM, Nikos Chantziaras wrote:
> On 04/01/18 18:18, Rich Freeman wrote:
>> For variant 1 the only known vulnerability is BPF which probably
>> next to nobody uses
>
> I had to enable various BPF settings in the kernel because systemd
> wouldn't shut up about it. It prints warning messages during boot that the
> system doesn't support BPF. After enabling it, systemd was happy and
> stopped barking at me.

The vulnerability specifically mentions EBPF and JIT so I'd say it's CONFIG_HAVE_EBPF_JIT, but there's also CONFIG_BPF_JIT.

I notice EBPF_JIT is =y in my .config; grepping the sysctl -a output for bpf only returns:

kernel.unprivileged_bpf_disabled = 0

And https://github.com/linuxkit/linuxkit/commit/720fb219cea1fea99c2bba1d01f771eb43b2000b

"On 4.9.x and 4.14.x kernels ebpf verifier bugs allow ebpf programs to access (read/write) random memory. Setting kernel.unprivileged_bpf_disabled=1 mitigates this somewhat until it is fixed upstream."
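An added example, not part of the mailing-list thread: a POSIX sh audit of the two things checked above, the BPF JIT symbols in a kernel .config and kernel.unprivileged_bpf_disabled in sysctl output, run over constructed sample text so it works offline. The sample inputs and the function names are assumptions; the mitigation line it prints is the one from the linuxkit commit quoted in the message.

```shell
#!/bin/sh
# Added example, not code from the thread. Inputs below are constructed.

# Constructed sample of `sysctl -a | grep bpf` output (as quoted in the thread).
SAMPLE_SYSCTL='kernel.unprivileged_bpf_disabled = 0
net.core.bpf_jit_enable = 1'

# Constructed sample of kernel .config lines.
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_JIT=y'

# Print the value of KEY from sysctl(8)-style "key = value" text.
# Usage: sysctl_value KEY "$TEXT"
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3; exit }'
}

# Print y/m/n/unset for a CONFIG_ symbol in .config-style text
# ("# CONFIG_X is not set" counts as n). Usage: config_value SYMBOL "$TEXT"
config_value() {
    printf '%s\n' "$2" | awk -F= -v s="$1" '
        $1 == s                           { print $2; found = 1; exit }
        $0 == ("# " s " is not set")      { print "n"; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Return 0 if unprivileged eBPF is already disabled, 1 otherwise.
unprivileged_bpf_locked_down() {
    [ "$(sysctl_value kernel.unprivileged_bpf_disabled "$1")" = "1" ]
}

# The sysctl.d line that applies the mitigation; writing it to
# /etc/sysctl.d/ is the operator's step, this only prints it.
mitigation_line() {
    echo "kernel.unprivileged_bpf_disabled = 1"
}

# Report on the constructed samples.
audit() {
    echo "CONFIG_BPF_JIT=$(config_value CONFIG_BPF_JIT "$SAMPLE_CONFIG")"
    echo "CONFIG_HAVE_EBPF_JIT=$(config_value CONFIG_HAVE_EBPF_JIT "$SAMPLE_CONFIG")"
    if unprivileged_bpf_locked_down "$SAMPLE_SYSCTL"; then
        echo "unprivileged bpf: disabled"
    else
        echo "unprivileged bpf: ENABLED -> add '$(mitigation_line)' to /etc/sysctl.d/"
    fi
}
audit
```

Point the functions at real `sysctl -a` and `/proc/config.gz` (zcat) output to audit a live box; the sample text above is replaced by that output.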