You are not logged in.

#26 2018-01-31 16:47:14

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

@slithery from your link

We're working to incorporate silicon-based changed to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year.

Is consistent with IBRS_ALL and RDCL_NO.  My understand of that is it does not mean the CPU will not be vulnerable to Spectre V2 but it will provide an opt in feature to mitigate it.  It does not address Spectre V1.
It does mean Meltdown will be fixed.

Offline

#27 2018-01-31 21:36:10

viz0
Member
Registered: 2018-01-09
Posts: 1

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

Kernel:   4.15.0-rc8-ge1915c8195b3

CPU:       6 core AMD Ryzen 5 1600X Six-Core (-MT-MCP-) cache: 3072 KB
           clock speeds: max: 3600 MHz 1: 2721 MHz 2: 2929 MHz 3: 2967 MHz 4: 2964 MHz 5: 2966 MHz 6: 2964 MHz
           7: 2960 MHz 8: 2962 MHz 9: 2806 MHz 10: 2529 MHz 11: 2085 MHz 12: 2706 MHz

/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal AMD ASM retpoline

Last edited by viz0 (2018-01-31 21:36:39)

Offline

#28 2018-01-31 22:22:12

Batou
Member
Registered: 2017-01-03
Posts: 259

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

loqs wrote:

Is consistent with IBRS_ALL and RDCL_NO.  My understand of that is it does not mean the CPU will not be vulnerable to Spectre V2 but it will provide an opt in feature to mitigate it.  It does not address Spectre V1.
It does mean Meltdown will be fixed.

This is my understanding as well. This year's silicon from Intel and AMD won't be Spectre-proof at all and all they'll do is provide (performance tasking) features to mitigate some of it. Re-engineering pipelines will take years of work.

Linus:

That's part of the big problem here. The speculation control cpuid
stuff shows that Intel actually seems to plan on doing the right thing
for meltdown (the main question being _when_). Which is not a huge
surprise, since it should be easy to fix, and it's a really honking
big hole to drive through. Not doing the right thing for meltdown
would be completely unacceptable.

So the IBRS garbage implies that Intel is _not_ planning on doing the
right thing for the indirect branch speculation.

Honestly, that's completely unacceptable too.

....

The whole IBRS_ALL feature to me very clearly says "Intel is not
serious about this, we'll have a ugly hack that will be so expensive
that we don't want to enable it by default, because that would look
bad in benchmarks".

So instead they try to push the garbage down to us. And they are doing
it entirely wrong, even from a technical standpoint.

I'm sure there is some lawyer there who says "we'll have to go through
motions to protect against a lawsuit". But legal reasons do not make
for good technology, or good patches that I should apply.

....

BULLSHIT.

Have you _looked_ at the patches you are talking about?  You should
have - several of them bear your name.

The patches do things like add the garbage MSR writes to the kernel
entry/exit points. That's insane. That says "we're trying to protect
the kernel".  We already have retpoline there, with less overhead.

So somebody isn't telling the truth here. Somebody is pushing complete
garbage for unclear reasons. Sorry for having to point that out.

If this was about flushing the BTB at actual context switches between
different users, I'd believe you. But that's not at all what the
patches do.

As it is, the patches  are COMPLETE AND UTTER GARBAGE.

They do literally insane things. They do things that do not make
sense. That makes all your arguments questionable and suspicious. The
patches do things that are not sane.

WHAT THE F*CK IS GOING ON?

And that's actually ignoring the much _worse_ issue, namely that the
whole hardware interface is literally mis-designed by morons.

It's mis-designed for two major reasons:

- the "the interface implies Intel will never fix it" reason.

   See the difference between IBRS_ALL and RDCL_NO. One implies Intel
will fix something. The other does not.

   Do you really think that is acceptable?

- the "there is no performance indicator".

   The whole point of having cpuid and flags from the
microarchitecture is that we can use those to make decisions.

   But since we already know that the IBRS overhead is huge on
existing hardware, all those hardware capability bits are just
complete and utter garbage. Nobody sane will use them, since the cost
is too damn high. So you end up having to look at "which CPU stepping
is this" anyway.

I think we need something better than this garbage.

                Linus

https://lkml.org/lkml/2018/1/21/192

tl;dr: Intel will fix Meltdown but Spectre """fix""" will be a nasty IBRS_ALL hack for the next few years at the very least (or maybe forever??).

Last edited by Batou (2018-01-31 22:37:30)


Please vote for all the AUR packages you're using. You can mass-vote for all of them by doing: "pacman -Qqm | xargs aurvote -v" (make sure to run "aurvote --configure"  first)

Offline

#29 2018-01-31 22:31:39

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

4.15 plus all patches from https://git.kernel.org/pub/scm/linux/ke … ?h=x86/pti

Offline

#30 2018-02-11 00:18:51

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

If I'm reading Intel's February 7th Microcode Revision Guidance[1] correctly, the combination of a skylake-u and microcode 0xc2 (which I have in my laptop) are stable. If the blacklist for this combo is removed from the kernel this is what 'grep -r . /sys/devices/system/cpu/vulnerabilities' has to say:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

[1] https://newsroom.intel.com/wp-content/u … idance.pdf


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#31 2018-02-11 01:20:48

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

@rookie that combination should not be blacklisted,  there should be a warning in dmesg if the microcode is blacklisted https://git.kernel.org/pub/scm/linux/ke … 912c71a1d7
(Full generic retpoline, IBPB from my understanding is the strongest mitigation 4.15.2 offers for V2.)

Offline

#32 2018-02-11 07:44:23

andmars
Member
Registered: 2012-03-13
Posts: 362

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

╭─ andreas@andreas-pc ~
╰─$ uname -r
4.15.2-2-ARCH
╭─ andreas@andreas-pc ~
╰─$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

Offline

#33 2018-02-11 11:09:25

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

@loqs
Yes that is the commit that adds the blacklist, yes my cpu+microcode combo are on the list, yes I do see the warning and yes I had to remove the line pertaining to my cpu+microcode combo to get the output I have posted previously.

My cpu+microcode are matched by this line:

{ INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 },

R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#34 2018-02-11 14:21:42

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

@Rookie have you seen any patches from upstream to remove your combination from the blacklist?

Offline

#35 2018-02-11 14:45:18

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

@R00KIE, loqs: There is a notification, but no patch yet: https://lkml.org/lkml/2018/2/10/123

Last edited by progandy (2018-02-11 14:46:47)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Online

#36 2018-02-11 16:03:25

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

I was not aware of any patches and it turns out there are none yet, I was just curious to see what I would get if I removed the blacklist now that the microcode was deemed stable.

Edit:
It seems there are now patches adjusting the blacklist according to the know good microcodes:
https://git.kernel.org/pub/scm/linux/ke … 688c455ac4
https://git.kernel.org/pub/scm/linux/ke … bb6533c7fc

Last edited by R00KIE (2018-02-15 14:13:46)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#37 2018-04-14 06:51:06

barbuk
Member
Registered: 2010-08-19
Posts: 6

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

I edited the wiki with the following information: https://wiki.archlinux.org/index.php/Se … d_Metldown
Review and update are welcome.

Offline

#38 2018-05-18 21:52:40

vitaliy.kuzmich
Member
Registered: 2015-11-29
Posts: 64

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

Hey, please explain how could I disable that patches ?

Offline

#39 2018-05-18 23:48:36

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

Which patches spectre v2 and meltdown can be disabled by kernel options spectre v1 can not.
If you want to remove all patches from all three there are probably over a hundred patches now on 4.16 involved and I doubt that they would all revert cleanly.

Offline

#40 2018-05-24 07:52:25

vitaliy.kuzmich
Member
Registered: 2015-11-29
Posts: 64

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

I'd like to have option to disable that easy, because this issues with CPU are weird. Who knows, maybe next year, intel would annonce next bunch of planned  issues, then my laptop would become useless piece of hardware. Its not good that v1 can't be disabled. I started searching ways to disable it, because I've noticed that my i3 7gen, reduced performance. Maybe in multicore machine it is not significant, but not in laptop case. Maybe someone here have skills to cut that issues and put 'unpatched' kernel to aur ?

Last edited by vitaliy.kuzmich (2018-05-24 07:55:47)

Offline

#41 2018-05-24 09:47:51

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,425

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

Have you already disabled the other ones and can still say that performance isn't high enough despite v1 still being active? You should rule that out, maybe the perf hit from v1 isn't as noticeable.

Offline

#42 2018-06-08 13:13:12

doomguy84
Member
Registered: 2018-05-09
Posts: 48

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

this is the result for my check:

Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.16.13-2-zen #1 ZEN SMP PREEMPT Fri Jun 1 20:17:25 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 0x9e family 0x6 stepping 0x9 ucode 0x84 cpuid 0x906e9)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 
  * Vulnerable to Variant 3a:  YES 
  * Vulnerable to Variant 4:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for kernel and firmware code)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).

A false sense of security is worse than no security at all, see --disclaimer

seems to be ok but VULNERABLE to Variant 3a and Variant 4
to fix them it says to update the intel microcode but intel-ucode 20180425 is installed and loaded with kernel on boot.

so what's the point?

Offline

#43 2018-06-08 15:51:29

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

If you did not apply the intel-ucode the kernel would be vulnerable to variants 2 and 3 as well as 3a and 4.

Offline

#44 2018-06-08 16:37:23

doomguy84
Member
Registered: 2018-05-09
Posts: 48

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

loqs wrote:

If you did not apply the intel-ucode the kernel would be vulnerable to variants 2 and 3 as well as 3a and 4.

how do I apply the intel-ucode ??

Offline

#45 2018-06-08 16:38:29

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,425

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

Offline

#46 2018-06-08 16:47:50

doomguy84
Member
Registered: 2018-05-09
Posts: 48

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

well, if it's so "simple" I think it's already applied because my grub is:

...
initrd	/intel-ucode.img /initramfs-linux-zen.img
}

am I wrong?

Offline

#47 2018-06-08 16:57:44

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

No but as I stated the latest intel_ucode only contains support for the mitigations for variants 2 and 3 but not 3a and 4.
Which your tool confirmed.  If you did not use the intel_ucode and there was no firmware update providing updated microcode either the kernel would be vulnerable to 2, 3, 3a and 4.
Note variant 1 mitigation requires an ongoing audit of the kernel code so if that is mitigated is a matter for debate.
Note variant 2 mitigation assumes retpoline plus RSB filling is sufficient mitigation on Lakes+ systems due to the technical difficulty of exhausting the RSB and reaching an exploitable vector at that point.
Edit:
changed state to stated and bios to firmware.

Last edited by loqs (2018-06-08 16:58:40)

Offline

#48 2018-06-15 05:25:19

vitaliy.kuzmich
Member
Registered: 2015-11-29
Posts: 64

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

V1del wrote:

Have you already disabled the other ones and can still say that performance isn't high enough despite v1 still being active? You should rule that out, maybe the perf hit from v1 isn't as noticeable.

Yeah, not wondered. Intel announce new vulnerability  "Lazy FP State Restore ".

Offline

#49 2018-06-15 07:25:18

loqs
Member
Registered: 2014-03-06
Posts: 17,195

Re: Is your kernel vulnerable to MELTDOWN and SPECTRE ?

vitaliy.kuzmich wrote:
V1del wrote:

Have you already disabled the other ones and can still say that performance isn't high enough despite v1 still being active? You should rule that out, maybe the perf hit from v1 isn't as noticeable.

Yeah, not wondered. Intel announce new vulnerability  "Lazy FP State Restore ".

How is that related to V1del's suggestion?  What have you tried?  What performance differences have you measured?
Edit:
On Lazy FP State Restore
https://git.kernel.org/pub/scm/linux/ke … d997d46a19 switched the default to eager in 4.6 and dropped lazy in 4.10
https://git.kernel.org/pub/scm/linux/ke … 166fc2b9e7 https://git.kernel.org/pub/scm/linux/ke … e9941ed135

Last edited by loqs (2018-06-15 09:18:03)

Offline

Board footer

Powered by FluxBB