public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Kernel 4.14.14 has meltdown / spectre info in /sys
From: Adam Carter @ 2018-01-18  8:28 UTC
  To: gentoo-user


Nice;

$ ls /sys/devices/system/cpu/vulnerabilities/
meltdown  spectre_v1  spectre_v2
$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Vulnerable
$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Minimal generic ASM retpoline



* [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Nikos Chantziaras @ 2018-01-18 18:31 UTC
  To: gentoo-user

On 18/01/18 10:28, Adam Carter wrote:
> Nice;
> 
> $ ls /sys/devices/system/cpu/vulnerabilities/
> meltdown  spectre_v1  spectre_v2
> $ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Mitigation: PTI
> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Vulnerable
> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Vulnerable: Minimal generic ASM retpoline

Good to know! Thanks.

For Spectre, GCC 7.3 is needed, which isn't released yet, but AFAIK is 
being fast-tracked for release by upstream. There are plans to backport to 
GCC 6 as well.

Not sure about the CPU microcode situation.




* [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Ian Zimmerman @ 2018-01-18 19:31 UTC
  To: gentoo-user

On 2018-01-18 19:28, Adam Carter wrote:

> Nice;
> 
> $ ls /sys/devices/system/cpu/vulnerabilities/
> meltdown  spectre_v1  spectre_v2
> $ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Mitigation: PTI
> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Vulnerable
> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Vulnerable: Minimal generic ASM retpoline

So has 4.9.77, but it's dumb:

 matica!3 ~$ cat /sys/devices/system/cpu/vulnerabilities/meltdown 
Vulnerable
 matica!4 ~$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Vulnerable
 matica!5 ~$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Minimal AMD ASM retpoline

(AMD is not affected by Meltdown)

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.



* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Rich Freeman @ 2018-01-18 20:43 UTC
  To: gentoo-user

On Thu, Jan 18, 2018 at 2:31 PM, Ian Zimmerman <itz@very.loosely.org> wrote:
> On 2018-01-18 19:28, Adam Carter wrote:
>
>> Nice;
>>
>> $ ls /sys/devices/system/cpu/vulnerabilities/
>> meltdown  spectre_v1  spectre_v2
>> $ cat /sys/devices/system/cpu/vulnerabilities/meltdown
>> Mitigation: PTI
>> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
>> Vulnerable
>> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
>> Vulnerable: Minimal generic ASM retpoline
>
> So has 4.9.77, but it's dumb:
>
>  matica!3 ~$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Vulnerable
>  matica!4 ~$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Vulnerable
>  matica!5 ~$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Vulnerable: Minimal AMD ASM retpoline
>
> (AMD is not affected by Meltdown)
>

On my Ryzen 5-1600 I get:
cat /sys/devices/system/cpu/vulnerabilities/meltdown
Not affected

I'm not sure why you're getting a vulnerable message.

-- 
Rich



* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Adam Carter @ 2018-01-18 21:21 UTC
  To: gentoo-user


> So has 4.9.77, but it's dumb:
> >
> >  matica!3 ~$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> > Vulnerable
> >  matica!4 ~$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> > Vulnerable
> >  matica!5 ~$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> > Vulnerable: Minimal AMD ASM retpoline
> >
> > (AMD is not affected by Meltdown)
> >
>
> On my Ryzen 5-1600 I get:
> cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Not affected
>
> I'm not sure why you're getting a vulnerable message.
>
> On my fam10/barcelona;
cat /sys/devices/system/cpu/vulnerabilities/meltdown
Not affected



* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Adam Carter @ 2018-01-18 21:22 UTC
  To: gentoo-user


>
> On my fam10/barcelona;
> cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Not affected
>
> Ian, which CPU do you have?



* [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Ian Zimmerman @ 2018-01-18 22:17 UTC
  To: gentoo-user

On 2018-01-19 08:22, Adam Carter wrote:

> > On my fam10/barcelona;
> > cat /sys/devices/system/cpu/vulnerabilities/meltdown
> > Not affected

> Ian. which CPU do you have?

 matica!13 linux$ dmesg | fgrep -i phenom
[    0.603608] smpboot: CPU0: AMD Phenom(tm) II X4 955 Processor
(family: 0x10, model: 0x4, stepping: 0x3)

Looking at the kernel source (for 4.9.77), the flag is initially set no
matter what in arch/x86/kernel/cpu/common.c @cpu_show_meltdown(), and
nothing afterwards clears it ...




* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Adam Carter @ 2018-01-18 23:50 UTC
  To: gentoo-user


On Fri, Jan 19, 2018 at 9:17 AM, Ian Zimmerman <itz@very.loosely.org> wrote:

>
>  matica!13 linux$ dmesg | fgrep -i phenom
> [    0.603608] smpboot: CPU0: AMD Phenom(tm) II X4 955 Processor
> (family: 0x10, model: 0x4, stepping: 0x3)
>
> Looking at the kernel source (for 4.9.77), the flag is initially set no
> matter what in arch/x86/kernel/cpu/common.c @cpu_show_meltdown(), and
> nothing afterwards clears it ...


With 4.14.14, pretty much same CPU;
model           : 4
model name      : AMD Phenom(tm) II X4 965 Processor
stepping        : 3

$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
Not affected



* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Corbin Bird @ 2018-01-22  1:41 UTC
  To: gentoo-user

On 01/18/2018 02:43 PM, Rich Freeman wrote:
> cat /sys/devices/system/cpu/vulnerabilities/meltdown

Strange, I get this response from kernel 4.9.76-r1:
> Darkstar ~ # cat /sys/devices/system/cpu/vulnerabilities/meltdown
> cat: /sys/devices/system/cpu/vulnerabilities/meltdown: No such file or
> directory

/proc/cpuinfo has not changed.
> Darkstar ~ # cat /proc/cpuinfo
> processor    : 0
> vendor_id    : AuthenticAMD
> cpu family    : 21
> model        : 2
> model name    : AMD FX(tm)-9590 Eight-Core Processor
> stepping    : 0
> microcode    : 0x600084f
> cpu MHz        : 4700.000
> cache size    : 2048 KB
> bugs        : fxsave_leak sysret_ss_attrs null_seg

Did you compile your kernel with "vendor support" for Intel enabled?

Corbin





* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Rich Freeman @ 2018-01-22  2:11 UTC
  To: gentoo-user

On Sun, Jan 21, 2018 at 8:41 PM, Corbin Bird <corbinbird@charter.net> wrote:
> On 01/18/2018 02:43 PM, Rich Freeman wrote:
>> cat /sys/devices/system/cpu/vulnerabilities/meltdown
>
> Strange, get this response from kernel 4.9.76-r1

In the 4.9 series it was added in 4.9.77 upstream, unless Gentoo backported it.

>
> Did you compile your kernel with "vendor support" for Intel enabled?

Yes, though this is an AMD processor.  I'm pretty sure your issue is
just that you don't have the needed patch.

-- 
Rich



* [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Ian Zimmerman @ 2018-01-24 21:51 UTC
  To: gentoo-user

On 2018-01-19 10:50, Adam Carter wrote:

> > Looking at the kernel source (for 4.9.77), the flag is initially set no
> > matter what in arch/x86/kernel/cpu/common.c @cpu_show_meltdown(), and
> > nothing afterwards clears it ...
> 
> 
> With 4.14.14, pretty much same CPU;
> model           : 4
> model name      : AMD Phenom(tm) II X4 965 Processor
> stepping        : 3
> 
> $ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Not affected

Aha.

matica!1 ~$ cat /sys/devices/system/cpu/vulnerabilities/meltdown 
Not affected
 matica!2 ~$ uname -r
4.9.78

I guess these patches will be trickling down for a long time yet.




* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Adam Carter @ 2018-01-25  6:39 UTC
  To: gentoo-user


>
> > $ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> > Not affected
>
> Aha.
>
> matica!1 ~$ cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Not affected
>  matica!2 ~$ uname -r
> 4.9.78
>
> I guess these patches will be trickling down for a long time yet.
>

Good to see.

Seems to me like point versions of 4.9 and 4.14 are often released on the
same date, but fixes that have gone into 4.14 don't make it into 4.9 until
the subsequent release. Could be my imagination.



* Re: [gentoo-user] Re: Kernel 4.14.14 has meltdown / spectre info in /sys
From: Rich Freeman @ 2018-01-25 12:43 UTC
  To: gentoo-user

On Thu, Jan 25, 2018 at 1:39 AM, Adam Carter <adamcarter3@gmail.com> wrote:
>
> Seems to me like point versions of 4.9 and 4.14 are often released on the
> same date, but fixes that have gone into 4.14 don't make it into 4.9 until
> the subsequent release. Could be my imagination.

One of the issues with Meltdown/Spectre in particular is that the
affected parts of the kernel have undergone some change over the
years, and the changes themselves are not trivial.  For some of the
much older kernels the fixes are basically complete rewrites, with
their own quality issues and timelines.  For 4.9 that probably isn't
as much of a factor, but it wouldn't surprise me if the changes still
migrate their way backwards in time.  There have been regressions with
some of these changes, and that being the case the maintainers might
want to both reduce the number of people impacted and also test them
first on the kernels most similar to mainline where the patches were
developed.

-- 
Rich



* [gentoo-user] PSA: GCC 7.3 allows to build kernel with full Spectre v2 mitigation
From: Nikos Chantziaras @ 2018-01-29  9:19 UTC
  To: gentoo-user

On 18/01/18 20:31, Nikos Chantziaras wrote:
> On 18/01/18 10:28, Adam Carter wrote:
>> Nice;
>>
>> $ ls /sys/devices/system/cpu/vulnerabilities/
>> meltdown  spectre_v1  spectre_v2
>> $ cat /sys/devices/system/cpu/vulnerabilities/meltdown
>> Mitigation: PTI
>> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
>> Vulnerable
>> $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
>> Vulnerable: Minimal generic ASM retpoline
> 
> Good to know! Thanks.
> 
> For Spectre, GCC 7.3 is needed, which isn't released yet, but AFAIK is 
> being fast-tracked for release by upstream. There are plans to backport to 
> GCC 6 as well.

GCC 7.3.0 is now in the tree (~arch). If you want full mitigation 
against Spectre v2, you need to build the kernel with that version.

For this to work, you need to enable CONFIG_RETPOLINE in the kernel:

   Processor type and features
     [*] Avoid speculative indirect branches in kernel

Rebuild kernel and modules and you should see something like this:

$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline



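A small POSIX shell script, added here as an example and not from any poster in this thread, that reads the sysfs vulnerabilities directory the posts above cat by hand, classifies each entry the way the posters read it ("Not affected", "Mitigation: ...", "Vulnerable..."), and treats a missing directory as an absent interface (the 4.9.76 case earlier in the thread) rather than as safe. The directory argument, the exit codes and the --demo flag are this example's own conventions, and the sample directory --demo builds is constructed from the values posted in the thread.

```shell
#!/bin/sh
# Example (not from the thread): summarise /sys/devices/system/cpu/vulnerabilities/.
# A missing directory means the running kernel predates the interface
# (as with 4.9.76 in the thread), which is reported separately from "safe".

# classify STATUS-LINE -> one of: not-affected, mitigated, vulnerable, unknown
classify() {
    case "$1" in
        "Not affected")  echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report [DIR] -> prints "name status raw-line" per entry.
# Exit status: 0 all entries mitigated or not affected, 1 at least one
# vulnerable entry, 2 the interface is absent (assumed convention).
report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel does not expose the interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(cat "$f")
        status=$(classify "$line")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$status" "$line"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# build_sample DIR: constructed copy of the directory, using the values
# from the first post in the thread (4.14.14 before the GCC 7.3 rebuild).
build_sample() {
    mkdir -p "$1"
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Vulnerable\n' > "$1/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$1/spectre_v2"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample "$tmp/vulnerabilities"
    report "$tmp/vulnerabilities"
    echo "exit status: $?"
    rm -rf "$tmp"
fi
```

Run it with no arguments on a live system to read the real directory, or with --demo to see the constructed sample; the exit status is what a config-management check would key on.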

* Re: [gentoo-user] PSA: GCC 7.3 allows to build kernel with full Spectre v2 mitigation
From: Rich Freeman @ 2018-01-29 15:02 UTC
  To: gentoo-user

On Mon, Jan 29, 2018 at 4:19 AM, Nikos Chantziaras <realnc@gmail.com> wrote:
> For this to work, you need to enable CONFIG_RETPOLINE in the kernel:
>
>   Processor type and features
>     [*] Avoid speculative indirect branches in kernel
>

Note that in general upstream recommends enabling these protections
even if your CPU isn't vulnerable.  In general the kernel detects at
boot what is needed and they've done some work to try to use the least
invasive solution needed for your particular CPU.  Then, if you later
re-use that config on a vulnerable CPU without thinking about it
(perhaps years from now) you won't be left unprotected.

The only really expensive mitigation is for Meltdown (PTI) and it is
disabled automatically on AMD CPUs.  The Retpolines are also adjusted
by CPU type.

There is talk of allowing KPTI to be disabled per-process in the
future, which would be the best of both worlds.  If you had a database
server you could disable KPTI on the database server process itself
(which does effectively give it root access, though only if exploited
- it isn't going to accidentally mess things up), but still leave the
overall system protected against random processes escalating privs.
If you have a dedicated database server then probably the only process
you truly worry about is the database server itself, so if something
is running malicious code on this process you've already lost whether
it has root access or not.  Though, I would probably also point out
that I would use care applying this to containers and not just to VMs,
because the vulnerability would let you cross container boundaries,
but not VMs (assuming you haven't enabled similar exceptions to PTI in
the hypervisor).


-- 
Rich


