From: Rich Freeman
Date: Sat, 6 Jan 2018 09:12:33 -0500
Subject: Re: [gentoo-user] Re: Expect a ~15% average slowdown if you use an Intel processor
To: gentoo-user@lists.gentoo.org
In-Reply-To: <20180106135808.GA29448@waltdnes.org>
References: <1881593.SvZJgh6QS2@peak> <20180105180410.rh33vz2vdvgzjrn4@matica.foolinux.mooo.com> <1544555.tdgMk6EmPg@peak> <20180106135808.GA29448@waltdnes.org>
List-Id: Gentoo Linux mail
Content-Type: text/plain; charset="UTF-8"

On Sat, Jan 6, 2018 at 8:58 AM, Walter Dnes wrote:
>
> I'm running openrc. On my 32-bit install, Intel Core2 duo, I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_TEST_BPF is not set
>
> On my 64-bit install, Intel Silvermont (Atom), I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_BPF_JIT is not set
> CONFIG_HAVE_EBPF_JIT=y
> # CONFIG_TEST_BPF is not set
>
> Does this improve security at all versus meltdown/spectre? Any
> suggestions for changes?
Intel hardware is vulnerable to Spectre variant 1, and Meltdown, regardless of any kernel settings, unless the kernel is patched to defeat it. I'm less sure about whether you're vulnerable to Spectre variant 2 with JIT BPF turned off.

PTI is required to defeat Meltdown on Intel hardware. I don't think a patch to Spectre is in the stable linux kernel yet, though it seems like Red Hat may have pushed out some kind of patch for it (possibly in conjunction with a microcode update to enable it).

Disabling BPF JIT (which is the default state) does defeat the known Spectre attacks on AMD hardware, and AMD hardware is immune to Meltdown.

Note that this is only talking about the kernel. Userspace code can also be vulnerable to cross-process Spectre attacks (particularly browsers) and those require specific hardening as well at the software level.

On Gentoo we would get the benefit that if a gcc-level fix is developed we could harden everything at once with a complete rebuild. However, at this time gcc hasn't been patched. There is plenty of talk of it though. Some of the proposed solutions also need CPU microcode updates to enable them. The idea is that gcc would insert instructions in sensitive locations to fence in speculative execution, and the microcode would get the CPU to respect these boundaries.

Intel has published this regarding their hardware:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf

(This is targeted more at developers than users, including OS developers.)

-- 
Rich
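The thread checks kernel options by hand with `zgrep BPF /proc/config.gz`. The script below is an added example (not from either poster) that turns the two points made in the reply into a repeatable check: whether the build carries PTI at all (the Meltdown mitigation), and whether the BPF JIT is off (the default, and the state the reply wants). It assumes the kernel exposes its config through `/proc/config.gz` (CONFIG_IKCONFIG_PROC, as in the quoted output) and that the PTI option is named `CONFIG_PAGE_TABLE_ISOLATION`, which is how Linux 4.15 and the distro backports spell it; a config without that symbol predates the fix, so there is nothing to switch on. The sample config embedded in the block is constructed from the quoted Silvermont output.

```shell
#!/bin/sh
# Added example, not part of the original mail. Summarises the kernel options
# this thread cares about from a .config dump (e.g. /proc/config.gz).
# Assumptions: CONFIG_IKCONFIG_PROC is enabled, and PTI is spelled
# CONFIG_PAGE_TABLE_ISOLATION (Linux 4.15 and backports).

# kconfig_flag FILE OPTION -> y, m, n (explicit "is not set") or
# missing (the option does not exist in this kernel at all).
kconfig_flag() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    elif grep -q "^# $2 is not set" "$1"; then echo n
    else echo missing
    fi
}

# pti_verdict FILE -> mitigated / disabled / unpatched.
# "unpatched" means the symbol is absent: the tree predates PTI.
pti_verdict() {
    case $(kconfig_flag "$1" CONFIG_PAGE_TABLE_ISOLATION) in
        y) echo mitigated ;;   # built in; can still be turned off at boot (nopti)
        n) echo disabled ;;    # option present but switched off in this build
        *) echo unpatched ;;
    esac
}

# bpf_jit_verdict FILE -> off (default, what the reply recommends) / on /
# always-on (CONFIG_BPF_JIT_ALWAYS_ON also removes the interpreter).
bpf_jit_verdict() {
    if [ "$(kconfig_flag "$1" CONFIG_BPF_JIT_ALWAYS_ON)" = y ]; then echo always-on
    elif [ "$(kconfig_flag "$1" CONFIG_BPF_JIT)" = y ]; then echo on
    else echo off
    fi
}

# runtime_status: on 4.15+ the running kernel reports its own view in sysfs.
runtime_status() {
    d=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$d" ]; then
        echo "no $d: kernel too old to report mitigation status itself"
        return 0
    fi
    for v in meltdown spectre_v1 spectre_v2; do
        [ -r "$d/$v" ] && printf '%s: %s\n' "$v" "$(cat "$d/$v")"
    done
    return 0
}

# Constructed sample: the quoted 64-bit Silvermont zgrep output, verbatim.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_BPF_JIT is not set
CONFIG_HAVE_EBPF_JIT=y
# CONFIG_TEST_BPF is not set
EOF
    echo "$f"
}

report() {
    printf 'PTI (Meltdown): %s\n' "$(pti_verdict "$1")"
    printf 'BPF JIT:        %s\n' "$(bpf_jit_verdict "$1")"
}

if [ -r /proc/config.gz ]; then
    cfg=$(mktemp)
    zcat /proc/config.gz > "$cfg"
    report "$cfg"
    runtime_status
else
    # no running-kernel config available: show the constructed sample instead
    report "$(make_sample_config)"
fi
```

Run against the quoted Silvermont config this prints `PTI (Meltdown): unpatched` and `BPF JIT: off`, which is exactly the reply's reading of that box: JIT already in the recommended state, but no PTI present to defeat Meltdown. A `mitigated` verdict is about the build only; PTI compiled in can still be disabled on the kernel command line (`nopti` / `pti=off`), so on a live system confirm with `dmesg | grep -i 'page tables isolation'` or the `pti` flag in `/proc/cpuinfo` rather than trusting the config alone.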