From: Rich Freeman <rich0@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Expect a ~15% average slowdown if you use an Intel processor
Date: Sat, 6 Jan 2018 09:12:33 -0500
Message-ID: <CAGfcS_mztPxz8=weF9vjD1Qg3eooevrXibuuZmcqxHg1um1_nA@mail.gmail.com>
In-Reply-To: <20180106135808.GA29448@waltdnes.org>
On Sat, Jan 6, 2018 at 8:58 AM, Walter Dnes <waltdnes@waltdnes.org> wrote:
>
> I'm running openrc. On my 32-bit install, Intel Core2 duo, I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_TEST_BPF is not set
>
> On my 64-bit install, Intel Silvermont (Atom), I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_BPF_JIT is not set
> CONFIG_HAVE_EBPF_JIT=y
> # CONFIG_TEST_BPF is not set
>
> Does this improve security at all versus meltdown/spectre? Any
> suggestions for changes?

Intel hardware is vulnerable to Spectre variant 1, and Meltdown,
regardless of any kernel settings, unless the kernel is patched to
defeat it. I'm less sure about whether you're vulnerable to Spectre
variant 2 with JIT BPF turned off. PTI is required to defeat Meltdown
on Intel hardware. I don't think a patch to Spectre is in the stable
linux kernel yet, though it seems like Redhat may have pushed out some
kind of patch for it (possibly in conjunction with a microcode update
to enable it).

Disabling BPF JIT (which is the default state) does defeat the known
Spectre attacks on AMD hardware, and AMD hardware is immune to
Meltdown.

Note that this is only talking about the kernel. Userspace code can
also be vulnerable to cross-process Spectre attacks (particularly
browsers) and those require specific hardening as well at the software
level. On Gentoo we would get the benefit that if a gcc-level fix is
developed we could harden everything at once with a complete rebuild.
However, at this time gcc hasn't been patched. There is plenty of
talk of it though. Some of the proposed solutions also need CPU
microcode updates to enable them. The idea is that gcc would insert
instructions in sensitive locations to fence in speculative execution,
and the microcode would get the CPU to respect these boundaries.

Intel has published this regarding their hardware:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf

(This is targeted more at developers than users, including OS developers.)
--
Rich
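An added check, not code from either poster, that automates the zgrep inspection quoted above for the two build options the reply hinges on (whether the BPF JIT is compiled in, and whether PTI is), and on a running kernel also reads the sysfs status files and the JIT sysctl that mitigated kernels expose. The function names and the inline sample config are this example's own; the sample is constructed to mirror the 64-bit output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread); function names and sample are its own.
# kconfig_state OPTION CONFIG_TEXT -> y, m, n (explicitly unset) or absent
kconfig_state() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $0 == (k "=y")               { print "y"; f=1; exit }
        $0 == (k "=m")               { print "m"; f=1; exit }
        $0 == ("# " k " is not set") { print "n"; f=1; exit }
        END { if (!f) print "absent" }'
}
# audit_kconfig CONFIG_TEXT -> one finding per line, for the two settings
# the reply discusses: BPF JIT (Spectre v2 surface) and PTI (Meltdown).
audit_kconfig() {
    jit=$(kconfig_state CONFIG_BPF_JIT "$1")
    always=$(kconfig_state CONFIG_BPF_JIT_ALWAYS_ON "$1")
    pti=$(kconfig_state CONFIG_PAGE_TABLE_ISOLATION "$1")
    if [ "$jit" = y ] && [ "$always" = y ]; then
        echo "bpf_jit: built and forced on (CONFIG_BPF_JIT_ALWAYS_ON=y)"
    elif [ "$jit" = y ]; then
        echo "bpf_jit: built; runtime state follows net.core.bpf_jit_enable"
    else
        echo "bpf_jit: not built; the JIT cannot be enabled at runtime"
    fi
    case "$pti" in
        y) echo "pti: CONFIG_PAGE_TABLE_ISOLATION=y (see sysfs for runtime status)" ;;
        n) echo "pti: explicitly disabled in this kernel build" ;;
        *) echo "pti: option absent; this kernel lacks the PTI patches" ;;
    esac
    return 0
}
# live_report: same audit on the running kernel, plus the sysfs status files
# that mitigated kernels expose and the JIT sysctl; silent where missing.
live_report() {
    if [ -r /proc/config.gz ]; then audit_kconfig "$(zcat /proc/config.gz)"; fi
    for v in meltdown spectre_v1 spectre_v2; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        if [ -r "$f" ]; then printf '%s: %s\n' "$v" "$(cat "$f")"; fi
    done
    if [ -r /proc/sys/net/core/bpf_jit_enable ]; then
        printf 'net.core.bpf_jit_enable: %s\n' "$(cat /proc/sys/net/core/bpf_jit_enable)"
    fi
    return 0
}
# Constructed sample mirroring the 64-bit zgrep output quoted above.
SAMPLE_CFG='CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
# CONFIG_BPF_JIT is not set
CONFIG_HAVE_EBPF_JIT=y'
audit_kconfig "$SAMPLE_CFG"
live_report
```

Feed it a full `zcat /proc/config.gz` rather than a zgrep excerpt so the PTI option is actually present to be found.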