
#1 2023-09-23 12:24:02

lior
Member
Registered: 2021-02-13
Posts: 8

Hardened kernel disables AVX?

Today, while surfing the web with Firefox, it randomly crashed on SIGILL.
The instruction was: `vmovd %r9d,%xmm0`

I ran `cat /proc/cpuinfo` and I didn't see avx in the list of supported features.
I have an "Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz". After checking the spec page on Intel, I was surprised to find out that it's supposed to support avx2.
https://www.intel.com/content/www/us/en … tions.html

I switched to the LTS kernel, just as a sanity check, and I found out that the result of `/proc/cpuinfo` changed!
avx and avx2 were listed.

Before I run to report a bug, I wanted to check if maybe it's actually a hardening feature.

Workaround for Firefox: Set the following environment variables to `1`
NSS_DISABLE_AVX2=1
NSS_DISABLE_AVX=1

I found out about this workaround after digging through the sources of NSS (which was causing the SIGILL).
https://hg.mozilla.org/projects/nss/fil … nit.c#l121
https://hg.mozilla.org/projects/nss/fil … ache.c#l42
https://hg.mozilla.org/projects/nss/fil … 305.c#l433

Offline

#2 2023-09-23 13:27:08

loqs
Member
Registered: 2014-03-06
Posts: 18,130

Re: Hardened kernel disables AVX?

https://bugs.archlinux.org/task/79444
https://bbs.archlinux.org/viewtopic.php?id=288816
Edit:
I suspect this check [1] you located should be something like:

    /* For AVX2 we check AVX2, BMI1, BMI2, FMA, MOVBE,
     * OSXSAVE, and XSAVE
     * as well as XMM and YMM state.
     * We do not check for AVX above. */
    avx2_support_ = (PRBool)((ebx7 & AVX2_EBX_BITS) == AVX2_EBX_BITS &&
                             (ecx & AVX2_ECX_BITS) == AVX2_ECX_BITS &&
                             check_xcr0_ymm() && disable_avx2 == NULL);

[1] https://hg.mozilla.org/projects/nss/fil … nit.c#l121

Last edited by loqs (2023-09-23 13:44:30)

Offline
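
The kind of check discussed in post #2, written out as an added example (not code from NSS or from anyone in this thread): AVX or AVX2 counts as usable only when the CPUID feature bits are set and XCR0 shows the OS has enabled both XMM and YMM state. The function names are hypothetical; the bit positions are those documented in the Intel SDM, and the hardware query assumes GCC or Clang on x86.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions per the Intel SDM: CPUID.1:ECX, CPUID.(7,0):EBX, XCR0. */
#define ECX1_XSAVE   (1u << 26)
#define ECX1_OSXSAVE (1u << 27) /* OS set CR4.OSXSAVE, so XGETBV is usable */
#define ECX1_AVX     (1u << 28)
#define EBX7_AVX2    (1u << 5)
#define XCR0_XMM     (1u << 1)
#define XCR0_YMM     (1u << 2)

/* Hypothetical helper (not NSS code): 0 = no AVX, 1 = AVX, 2 = AVX2. */
int usable_avx_level(uint32_t ecx1, uint32_t ebx7, uint64_t xcr0)
{
    const uint32_t cpu_bits = ECX1_XSAVE | ECX1_OSXSAVE | ECX1_AVX;
    const uint64_t os_bits = XCR0_XMM | XCR0_YMM;
    if ((ecx1 & cpu_bits) != cpu_bits)
        return 0;               /* CPU or OS lacks XSAVE/AVX support */
    if ((xcr0 & os_bits) != os_bits)
        return 0;               /* OS does not manage YMM: VEX ops raise #UD */
    return (ebx7 & EBX7_AVX2) ? 2 : 1;
}

/* Reads the live registers; always returns 0 on non-x86 builds. */
int detect_avx_level(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d, ecx1, ebx7 = 0;
    uint32_t lo = 0, hi = 0;
    if (!__get_cpuid(1, &a, &b, &ecx1, &d))
        return 0;
    if (ecx1 & ECX1_OSXSAVE)    /* XGETBV itself faults without OSXSAVE */
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        ebx7 = b;
    return usable_avx_level(ecx1, ebx7, ((uint64_t)hi << 32) | lo);
#else
    return 0;
#endif
}

int main(void)
{
    printf("usable AVX level: %d\n", detect_avx_level());
    return 0;
}
```

With constructed register values where the CPUID bits advertise AVX2 but XCR0 is 0x3 (no YMM state), `usable_avx_level` returns 0, whereas a check on the CPUID bits alone would report AVX2.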

#3 2023-09-23 14:06:05

lior
Member
Registered: 2021-02-13
Posts: 8

Re: Hardened kernel disables AVX?

Thanks, loqs!
So yeah, it was a new security mitigation that disabled AVX.
I'll open a ticket for NSS to update their AVX detection method.
https://bugzilla.mozilla.org/show_bug.cgi?id=1854795

Last edited by lior (2023-09-23 14:52:04)

Offline
