Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Mick
On Saturday, 13 July 2019 22:01:02 BST Rich Freeman wrote:
> On Sat, Jul 13, 2019 at 4:16 PM Wols Lists  wrote:
> > On 13/07/19 20:23, Mick wrote:
> > > Thanks Corbin, I wonder if despite articles about microcode patch
> > > releases to deal with spectre and what not, there are just no patches
> > > made available for my aging AMD CPUs.
> > 
> > Or Spectre and what not are Intel specific ...
> > 
> > I know a lot of the reports said many of the exploits don't work on AMD.
> > It's something to do with the way Intel has implemented speculative
> > execution, and AMD doesn't use that technique.
> 
> Some spectre-related vulnerabilities apply to AMD, and some do not.
> Most of the REALLY bad ones do not, but I believe that some of the AMD
> ones still require microcode updates to be mitigated in the most
> efficient way.

Yes, the A10 is vulnerable to:

 CVE-2017-5753 (Spectre Variant 1, bounds check bypass)
 CVE-2017-5715 (Spectre Variant 2, branch target injection)


> Take a look in /sys/devices/system/cpu/vulnerabilities on your system
> for the kernel's assessment of what vulnerabilities apply, and how
> they are being mitigated.  What you want to see is every single one
> either saying "Not affected" or they start with "Mitigation:"  If you
> see one starting with something like Partial Mitigation or Vulnerable
> you should Google if there is something you can do to improve this.
> 
> Note that this assumes you have a current kernel.  The kernel can only
> report the vulnerabilities it knows about, so if you're running some
> kernel from 9 months ago it won't know about everything.
> 
> For reference, on my Ryzen 5 1600 I get:
> for x in * ; do echo -n "$x: " ; cat $x ; done
> 
> l1tf: Not affected
> mds: Not affected
> meltdown: Not affected
> spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp
> spectre_v1: Mitigation: __user pointer sanitization
> spectre_v2: Mitigation: Full AMD retpoline, STIBP: disabled, RSB filling

I get the same output on both AMD systems running gentoo-sources-4.19.57.

I've also used this script for some more detailed checking and testing:

https://github.com/speed47/spectre-meltdown-checker

Unlike my old Intel which lights up like a christmas tree with "Vulnerable, no 
microcode found" because Intel has thrown its users to the kerb, both AMDs 
show "Not Vulnerable" and for some of the vulnerabilities it reports:

(your CPU vendor reported your CPU model as not vulnerable)

-- 
Regards,

Mick



Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Rich Freeman
On Sat, Jul 13, 2019 at 4:16 PM Wols Lists  wrote:
>
> On 13/07/19 20:23, Mick wrote:
> > Thanks Corbin, I wonder if despite articles about microcode patch
> > releases to deal with spectre and what not, there are just no patches
> > made available for my aging AMD CPUs.
>
> Or Spectre and what not are Intel specific ...
>
> I know a lot of the reports said many of the exploits don't work on AMD.
> It's something to do with the way Intel has implemented speculative
> execution, and AMD doesn't use that technique.

Some spectre-related vulnerabilities apply to AMD, and some do not.
Most of the REALLY bad ones do not, but I believe that some of the AMD
ones still require microcode updates to be mitigated in the most
efficient way.

Take a look in /sys/devices/system/cpu/vulnerabilities on your system
for the kernel's assessment of what vulnerabilities apply, and how
they are being mitigated.  What you want to see is every single one
either saying "Not affected" or they start with "Mitigation:"  If you
see one starting with something like Partial Mitigation or Vulnerable
you should Google if there is something you can do to improve this.

Note that this assumes you have a current kernel.  The kernel can only
report the vulnerabilities it knows about, so if you're running some
kernel from 9 months ago it won't know about everything.

For reference, on my Ryzen 5 1600 I get:
for x in * ; do echo -n "$x: " ; cat $x ; done

l1tf: Not affected
mds: Not affected
meltdown: Not affected
spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1: Mitigation: __user pointer sanitization
spectre_v2: Mitigation: Full AMD retpoline, STIBP: disabled, RSB filling

-- 
Rich
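
The check described in this message, as an added shell example that is not part of the original post. It applies the "Not affected" / "Mitigation:" rule to every entry and also reports entries the kernel does not expose at all, which is the old-kernel caveat above. The expected-entry list is taken from the Ryzen output in the post, the function names are hypothetical, and the sample directory is constructed so the script runs on any machine.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Entries shown in the post's Ryzen 5 1600 output. A kernel that lacks one
# of these files does not know about that issue yet.
EXPECTED="l1tf mds meltdown spec_store_bypass spectre_v1 spectre_v2"

# classify STATUS: "ok" for "Not affected" or "Mitigation:...", else "review"
classify() {
    case "$1" in
        "Not affected"|"Mitigation:"*) echo ok ;;
        *) echo review ;;
    esac
}

# audit_vulns [DIR]: one line per entry; returns 1 if any entry needs
# review or an expected entry is not reported by the kernel.
audit_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify "$status")
        [ "$verdict" = ok ] || rc=1
        printf '%-7s %s: %s\n' "$verdict" "${f##*/}" "$status"
    done
    for name in $EXPECTED; do
        if [ ! -e "$dir/$name" ]; then
            rc=1
            printf '%-7s %s: not reported by this kernel\n' unknown "$name"
        fi
    done
    return $rc
}

# count_flagged [DIR]: number of lines from audit_vulns that are not "ok"
count_flagged() {
    audit_vulns "$1" | grep -cv '^ok ' || true
}

# make_sample_dir: CONSTRUCTED sample data. Four entries copy the post's
# output; spectre_v2 is set to "Vulnerable" and mds is left out to mimic a
# kernel that predates MDS reporting.
make_sample_dir() {
    d=$(mktemp -d)
    echo 'Not affected' > "$d/l1tf"
    echo 'Not affected' > "$d/meltdown"
    echo 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp' \
        > "$d/spec_store_bypass"
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Vulnerable' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; call audit_vulns with no argument to
# check the running system instead.
sample=$(make_sample_dir)
audit_vulns "$sample" || echo "-> at least one entry needs attention"
rm -rf "$sample"
```
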



Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Wols Lists
On 13/07/19 20:23, Mick wrote:
> Thanks Corbin, I wonder if despite articles about microcode patch releases to 
> deal with spectre and what not, there are just no patches made available for 
> my aging AMD CPUs.

Or Spectre and what not are Intel specific ...

I know a lot of the reports said many of the exploits don't work on AMD.
It's something to do with the way Intel has implemented speculative
execution, and AMD doesn't use that technique.

Cheers,
Wol



Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Mick
On Saturday, 13 July 2019 19:16:18 BST Corbin wrote:
> For reference, the .config file for the kernel should have something
> along the lines of this:
>
> > #
> > # Firmware loader
> > #
> > CONFIG_FW_LOADER=y
> > CONFIG_EXTRA_FIRMWARE="amd-ucode/microcode_amd.bin
> > amd-ucode/microcode_amd_fam15h.bin amdgpu/polaris10_ce.bin
> > amdgpu/polaris10_ce_2.bin amdgpu/polaris10_k_smc.bin
> > amdgpu/polaris10_mc.bin amdgpu/polaris10_me.bin
> > amdgpu/polaris10_me_2.bin amdgpu/polaris10_mec.bin
> > amdgpu/polaris10_mec2.bin amdgpu/polaris10_mec2_2.bin
> > amdgpu/polaris10_pfp.bin amdgpu/polaris10_pfp_2.bin
> > amdgpu/polaris10_rlc.bin amdgpu/polaris10_sdma.bin
> > amdgpu/polaris10_sdma1.bin amdgpu/polaris10_smc.bin
> > amdgpu/polaris10_smc_sk.bin amdgpu/polaris10_uvd.bin
> > amdgpu/polaris10_vce.bin"
> > CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware/"
> > CONFIG_FW_LOADER_USER_HELPER=y

As I understand it the CONFIG_FW_LOADER_USER_HELPER has some edge use cases, 
but is not needed for our hardware/firmware.


> CPU is an AMD FX-9590 ( Fam15h )
> 
> Video is a RX480 ( Polaris 10 )
> 
> And, yes, both microcode updates ( Fam10h / Fam15h ) need to be builtin.

Are you sure about this?

I added 'amd-ucode/microcode_amd.bin' for Fam10h, rebooted and nothing changed 
here as far as microcode patches are concerned.  I am not using savedconfig on 
this PC, so all amd-ucode binaries are available to be loaded from the 
filesystem.


> Previous generation CPU updates will be builtin, even if you try to
> exclude them.

Fine, so following the wiki page and ONLY adding the microcode specific to the 
CPU  family should still work.

> Corbin

Thanks Corbin, I wonder if despite articles about microcode patch releases to 
deal with spectre and what not, there are just no patches made available for 
my aging AMD CPUs.
-- 
Regards,

Mick



[gentoo-user] Re: escape from i3lock

2019-07-13 Thread nunojsilva
On 2019-07-12, Ian Zimmerman wrote:

> On 2019-07-11 21:28, Nuno Silva wrote:
>
>> vlock -n -a
>
> Does vlock work from an XWindow session?  Or would I have to use it on
> top of whatever I do to lock the XWindow session - xscreensaver/i3lock
> etc?

It does work from inside X11 here. I can, for example, run it inside a
terminal emulator or through the window manager.

(You will probably need to add your user to the "vlock" group.)


> (I browsed to the vlock README page on github but it doesn't answer this
> question.)

-- 
Nuno Silva




Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Corbin
For reference, the .config file for the kernel should have something
along the lines of this:

> #
> # Firmware loader
> #
> CONFIG_FW_LOADER=y
> CONFIG_EXTRA_FIRMWARE="amd-ucode/microcode_amd.bin
> amd-ucode/microcode_amd_fam15h.bin amdgpu/polaris10_ce.bin
> amdgpu/polaris10_ce_2.bin amdgpu/polaris10_k_smc.bin
> amdgpu/polaris10_mc.bin amdgpu/polaris10_me.bin
> amdgpu/polaris10_me_2.bin amdgpu/polaris10_mec.bin
> amdgpu/polaris10_mec2.bin amdgpu/polaris10_mec2_2.bin
> amdgpu/polaris10_pfp.bin amdgpu/polaris10_pfp_2.bin
> amdgpu/polaris10_rlc.bin amdgpu/polaris10_sdma.bin
> amdgpu/polaris10_sdma1.bin amdgpu/polaris10_smc.bin
> amdgpu/polaris10_smc_sk.bin amdgpu/polaris10_uvd.bin
> amdgpu/polaris10_vce.bin"
> CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware/"
> CONFIG_FW_LOADER_USER_HELPER=y

CPU is an AMD FX-9590 ( Fam15h )

Video is a RX480 ( Polaris 10 )

And, yes, both microcode updates ( Fam10h / Fam15h ) need to be builtin.

Previous generation CPU updates will be builtin, even if you try to
exclude them.


Corbin




Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Mick
On Saturday, 13 July 2019 18:42:27 BST Jack wrote:
>
> If linux-firmware is emerged with the savedconfig use flag, then only
> the firmware not deleted from the config file is left.  

Yes.  I used to do this, but gave up after a while.

> I did find a
> few extras based on the "failed to load..." messages after my initial
> overzealous trimming of that config file.  My current concern is indeed
> with the microcode, about which no complaint.  Looking at the link
> below shows me I am missing the files for my 17h family Ryzen CPU.  It
> will be a bit before I can reboot to see if it does load them once I
> re-emerge linux-firmware to get them.

Make sure the corresponding AMDGPU driver settings are built in the kernel, 
not as modules.

Ryzen CPUs are new(ish) and the MoBo OEMs should still be releasing UEFI/BIOS 
firmware updates, which will contain any needed microcode patches.  You'll 
obtain these next time you flash your BIOS with the latest release, if/when 
there is one available.  Your 'dmesg | grep micro' patch number will change as 
a result, but there will be no 'early microcode update ...' message since the 
OS will not be applying any microcode patches itself.  

It is older CPUs which need the patches, since OEMs usually abandon any 
intention to support their hardware beyond the nominal warranty period.


> I'll update again once I've done that.
> 
> Jack

Cool, thanks for your input.

-- 
Regards,

Mick



Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Jack

On 2019.07.13 13:18, Mick wrote:
> On Saturday, 13 July 2019 17:21:40 BST Jack wrote:
> > On 2019.07.12 08:18, Mick wrote:

[snip]

> > And, one question - if I have linux-firmware emerged with savedconfig
> > use flag set, what's the best/easiest way to hunt through the actually
> > available firmware, to check if I might have missed something
> > relevant.  So far, I've just searched the git repository for the
> > package.  I suppose I could have kept a copy of the manifest from the
> > initial emerge (without savedconfig)  but I didn't think of it at the
> > time.
>
> Look under your /lib/firmware/ directory for the file you want to use, or the
> file dmesg complains is missing.  For microcode there will be no complaining,
> but for other hardware there usually is something along the lines:  "failed to
> load blah-blah.bin, file not found."

If linux-firmware is emerged with the savedconfig use flag, then only  
the firmware not deleted from the config file is left.  I did find a  
few extras based on the "failed to load..." messages after my initial  
overzealous trimming of that config file.  My current concern is indeed  
with the microcode, about which no complaint.  Looking at the link  
below shows me I am missing the files for my 17h family Ryzen CPU.  It  
will be a bit before I can reboot to see if it does load them once I  
re-emerge linux-firmware to get them.


I'll update again once I've done that.

Jack


Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Mick
On Saturday, 13 July 2019 18:18:35 BST Mick wrote:
> or
> 
> xv -dc < /boot/EFI/... initramfs-XXX.img | cpio -idmv

Oops!  Typo alert!  xv should of course be 'xz'.  I think you can also use 
lzcat.

-- 
Regards,

Mick



Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Mick
On Saturday, 13 July 2019 17:21:40 BST Jack wrote:
> On 2019.07.12 08:18, Mick wrote:

> > https://www.bleepingcomputer.com/news/hardware/amd-releases-spectre-v2-microcode-updates-for-cpus-going-back-to-2011/
> I have not yet done any further searching or digging, but that link
> seems to only talk specifically about Windows updates, not generic
> firmware updates.

Yes, but any microcode releases are/should be CPU specific.  If they're 
released for applying via one OS, they should be available to others too.

Of course, if microcode has only been released to MoBo OEMs, then we're at 
the mercy of OEM commercial interests.  I'm sure when asked for an update they 
will try to sell to us all the latest models they have recently launched.  :p


> I have three different AMD based PCs, and so far, I don't see anything
> different from Mick.  However, on two Artix linux systems, I'm still
> not quite sure whether the microcode is in the initramfs or not.  I
> hate to admit I'm also not sure on my Gentoo box, having so far made
> only minor changes to the kernel from the June stage 3 tarball, and
> used genkernel to compile both kernel and initramfs.  I'm working on
> configuring 5.2.0, but it will take me a while to get through the
> complete configuration (starting from scratch.)

I'm not familiar with dracut to know what it uses as a default archiving 
engine and if you can run it to inspect directly the contents of an already 
created initramfs.  I know it can output on the console what it is including 
in initramfs at the time of creation.

Anyway, if you want to look at the initramfs contents manually, I suppose you 
will need to decompress your initramfs in a temporary directory to see its 
contents.  First find what archive format has been used.  

file /boot/EFI/... initramfs-XXX.img

will output gzip, bzip2, lzma or similar archive type.  Then create a 
temporary directory to work in and use the corresponding compression type:

mkdir ~/tmp_initramfs
cd ~/tmp_initramfs

zcat /boot/EFI/... initramfs-XXX.img | cpio -idmv

or 

bzcat /boot/EFI/... initramfs-XXX.img | cpio -idmv

or 

xv -dc < /boot/EFI/... initramfs-XXX.img | cpio -idmv

Something like the above ought to do the job.

> One suggestion - don't just grep for microcode, also check for
> "firmware" for which I use 'dmesg | egrep -i "firmware|microcode"'.

Well, 'firmware' will capture other firmware files, like graphics card, WiFi, 
BT, etc. rather than the CPU microcode.


> And, one question - if I have linux-firmware emerged with savedconfig
> use flag set, what's the best/easiest way to hunt through the actually
> available firmware, to check if I might have missed something
> relevant.  So far, I've just searched the git repository for the
> package.  I suppose I could have kept a copy of the manifest from the
> initial emerge (without savedconfig)  but I didn't think of it at the
> time.
> 
> Jack

Look under your /lib/firmware/ directory for the file you want to use, or the 
file dmesg complains is missing.  For microcode there will be no complaining, 
but for other hardware there usually is something along the lines:  "failed to 
load blah-blah.bin, file not found."

The appropriate microcode file for your AMD CPUs can be deduced from the table 
here:

https://wiki.gentoo.org/wiki/AMD_microcode

and it should be stored under your:

/lib/firmware/amd-ucode/

after you install linux-firmware.

-- 
Regards,

Mick



[gentoo-user] Re: 2 months into an 8-month computation.

2019-07-13 Thread Grant Edwards
On 2019-07-12, Nikos Chantziaras  wrote:
> On 11/07/2019 20:59, Alan Grimes wrote:
>> 'ey, I have the 2.3 months into an 8-month computation blues...
>> [...]
>> So basically all gentoo updates will have to be done at the end of this 
>> run, I'm not really sure when, sometime in the December-January timeframe.
>
> I guess you should have written your code in a way that can store 
> current state so that it can resume.

No kidding.  Isn't "how to use checkpoint files" lesson number zero
when you start working on long-running computational jobs?

--
Grant




Re: [gentoo-user] AMD microcode updates - where are they?!

2019-07-13 Thread Jack

On 2019.07.12 08:18, Mick wrote:
> I'm looking at dmesg output which on my Intel CPUS of various vintages shows
> "microcode updated early ..." but two different AMD APUs of mine do not show
> the same, despite AMD apparently releasing microcode updates going back to
> 2011:
>
> https://www.bleepingcomputer.com/news/hardware/amd-releases-spectre-v2-microcode-updates-for-cpus-going-back-to-2011/


I have not yet done any further searching or digging, but that link  
seems to only talk specifically about Windows updates, not generic  
firmware updates.


I have three different AMD based PCs, and so far, I don't see anything  
different from Mick.  However, on two Artix linux systems, I'm still  
not quite sure whether the microcode is in the initramfs or not.  I  
hate to admit I'm also not sure on my Gentoo box, having so far made  
only minor changes to the kernel from the June stage 3 tarball, and  
used genkernel to compile both kernel and initramfs.  I'm working on  
configuring 5.2.0, but it will take me a while to get through the  
complete configuration (starting from scratch.)


One suggestion - don't just grep for microcode, also check for  
"firmware" for which I use 'dmesg | egrep -i "firmware|microcode"'.


And, one question - if I have linux-firmware emerged with savedconfig  
use flag set, what's the best/easiest way to hunt through the actually  
available firmware, to check if I might have missed something  
relevant.  So far, I've just searched the git repository for the  
package.  I suppose I could have kept a copy of the manifest from the  
initial emerge (without savedconfig)  but I didn't think of it at the  
time.


Jack


Re: [gentoo-user] Re: AMD microcode updates - where are they?!

2019-07-13 Thread Mick
On Saturday, 13 July 2019 02:13:00 BST Adam Carter wrote:
> grep fam /proc/cpuinfo
> 
> -> 21 = 15h
> -> 22 = 16h

Yep, here's the laptop:

$ grep fam -m1 /proc/cpuinfo 
cpu family  : 21

and here's the desktop:

$ grep fam -m1 /proc/cpuinfo
cpu family  : 21

-- 
Regards,

Mick
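
The family numbers above and the `dmesg | grep micro` checks used throughout this thread, combined in an added shell example that is not from any poster. The file naming follows the Linux AMD microcode driver (families below 0x15 share microcode_amd.bin); the function names are hypothetical, and the sample dmesg lines are copied from outputs quoted in the thread with wrapped lines rejoined.

```shell
#!/bin/sh
# Added example, not code from the thread.

# ucode_file DECIMAL_FAMILY: firmware path for the "cpu family" value
# printed by /proc/cpuinfo (21 -> fam15h, 22 -> fam16h, 23 -> fam17h).
ucode_file() {
    if [ "$1" -ge 21 ]; then
        printf 'amd-ucode/microcode_amd_fam%02xh.bin\n' "$1"
    else
        echo 'amd-ucode/microcode_amd.bin'
    fi
}

# ucode_present DECIMAL_FAMILY [FIRMWARE_DIR]: succeeds if that file exists
ucode_present() {
    [ -f "${2:-/lib/firmware}/$(ucode_file "$1")" ]
}

# summarize_dmesg: read dmesg text on stdin and print
#   early=<yes|no> levels=<distinct patch levels, in order seen>
# More than one level means the cores are not running the same patch.
summarize_dmesg() {
    awk '
        /microcode: microcode updated early/ { early = 1 }
        /microcode: CPU[0-9]+: patch_level=/ {
            sub(/.*patch_level=/, "")
            if (!($0 in seen)) {
                seen[$0] = 1
                list = list (list ? "," : "") $0
            }
        }
        END { printf "early=%s levels=%s\n", (early ? "yes" : "no"), list }
    '
}

# Sample input: lines from the Piledriver output quoted in the thread.
sample_piledriver_dmesg() {
    cat <<'EOF'
[1.663099] microcode: microcode updated early to new patch_level=0x06000852
[1.664161] microcode: CPU0: patch_level=0x06000852
[1.665147] microcode: CPU1: patch_level=0x06000852
[1.672012] microcode: Microcode Update Driver: v2.2.
EOF
}

# Sample input: lines from the A10-7850K (Kaveri) output in the thread.
sample_kaveri_dmesg() {
    cat <<'EOF'
[1.578553] microcode: CPU0: patch_level=0x06003106
[1.579338] microcode: CPU1: patch_level=0x06003106
[1.582608] microcode: Microcode Update Driver: v2.2.
EOF
}

echo "family 21 -> $(ucode_file 21)"
sample_piledriver_dmesg | summarize_dmesg
sample_kaveri_dmesg | summarize_dmesg
```

On a live system, pipe `dmesg` into `summarize_dmesg`; `early=no` only says the OS applied no patch at boot, so the reported level is whatever the BIOS/UEFI loaded.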



Re: [gentoo-user] Re: AMD microcode updates - where are they?!

2019-07-13 Thread Mick
Thank you both, for your replies.

On Saturday, 13 July 2019 01:56:30 BST Adam Carter wrote:
> > > $ dmesg | grep -i micro
> > > [0.622441] [drm] Loading ARUBA Microcode
> > > [5.763242] [drm] Loading hainan Microcode
> > > [6.653025] microcode: CPU0: patch_level=0x06001119
> > > [6.657962] microcode: CPU1: patch_level=0x06001119
> > > [6.658890] microcode: CPU2: patch_level=0x06001119
> > > [6.659881] microcode: CPU3: patch_level=0x06001119
> > > [6.661136] microcode: Microcode Update Driver: v2.2.
> > 
> > I have a similar experience:
> > 
> > [0.659996] microcode: CPU0: patch_level=0x01c8
> > [0.660001] microcode: CPU1: patch_level=0x01c8
> > [0.660006] microcode: CPU2: patch_level=0x01c8
> > [0.660011] microcode: CPU3: patch_level=0x01c8
> > [0.660029] microcode: Microcode Update Driver: v2.2.
> > [7.853509] [drm] Loading RS780 Microcode
> > 
> > I have a 10h generation processor, and I also build in microcode_amd.bin
> > with the kernel.

I had not until now built in 'amd-ucode/microcode_amd.bin', only
'amd-ucode/microcode_amd_fam15h.bin', because this laptop has a 15h family CPU:

# lscpu
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
Address sizes:       48 bits physical, 48 bits virtual
CPU(s):              4
On-line CPU(s) list: 0-3
Thread(s) per core:  2
Core(s) per socket:  2
Socket(s):           1
NUMA node(s):        1
Vendor ID:           AuthenticAMD
CPU family:          21
Model:               19
Model name:          AMD A10-5750M APU with Radeon(tm) HD Graphics
Stepping:            1
CPU MHz:             1330.218
CPU max MHz:         2500.
CPU min MHz:         1400.
BogoMIPS:            4990.70
Virtualization:      AMD-V
L1d cache:           16K
L1i cache:           64K
L2 cache:            2048K
NUMA node0 CPU(s):   0-3
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca 
cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb 
rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf 
pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 popcnt aes xsave avx f16c 
lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch 
osvw ibs xop skinit wdt lwp fma4 tce nodeid_msr tbm topoext perfctr_core 
perfctr_nb cpb hw_pstate ssbd vmmcall bmi1 arat npt lbrv svm_lock nrip_save 
tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold

$ dmesg | grep family:
[0.291910] smpboot: CPU0: AMD A10-5750M APU with Radeon(tm) HD Graphics 
(family: 0x15, model: 0x13, stepping: 0x1)


> Piledriver gets the early message, barcelona/fam10h doesn't;
> 
>  # dmesg | grep microc
> [1.663099] microcode: microcode updated early to new patch_level=0x06000852
> [1.664161] microcode: CPU0: patch_level=0x06000852
> [1.665147] microcode: CPU1: patch_level=0x06000852
> [1.666135] microcode: CPU2: patch_level=0x06000852
> [1.667119] microcode: CPU3: patch_level=0x06000852
> [1.668034] microcode: CPU4: patch_level=0x06000852
> [1.668955] microcode: CPU5: patch_level=0x06000852
> [1.670060] microcode: CPU6: patch_level=0x06000852
> [1.670985] microcode: CPU7: patch_level=0x06000852
> [1.672012] microcode: Microcode Update Driver: v2.2.

OK, mine is also a Piledriver (mobile) CPU according to these tables:

https://en.wikichip.org/wiki/amd/a10

However, I don't see any early microcode being loaded.  :-/

I added 'amd-ucode/microcode_amd.bin' in the kernel, just in case it was 
needed and rebooted, but still no difference.

> # dmesg | grep microc
> [1.700378] microcode: CPU0: patch_level=0x01c8
> [1.700435] microcode: CPU1: patch_level=0x01c8
> [1.700488] microcode: CPU2: patch_level=0x01c8
> [1.700543] microcode: CPU3: patch_level=0x01c8
> [1.700684] microcode: Microcode Update Driver: v2.2.
> 
> microcode_amd.bin hasn't changed since at least January 2018, so maybe
> there haven't been any updates for the recent CPU vulnerabilities.
> 
> Assuming the numbering is sequential, it's odd that the APU is at 0x06001119
> but the latest from linux-firmware is only 0x01c8. Are you sure the APU
> is not fam16h ?

Yes, positive.  As I've shown above the laptop has an A10 fam15h mobile 
Piledriver processor.

The desktop has an A10 Steamroller, Kaveri APU:

$ dmesg | grep family:
[0.269754] smpboot: CPU0: AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G 
(family: 0x15, model: 0x30, stepping: 0x1)

It has the 'amd-ucode/microcode_amd_fam15h.bin' built in the kernel and it 
also shows no early microcode being loaded:

$ dmesg | grep micro
[1.578553] microcode: CPU0: patch_level=0x06003106
[1.579338] microcode: CPU1: patch_level=0x06003106
[1.580943] microcode: CPU2: patch_level=0x06003106
[1.581729] microcode: CPU3: patch_level=0x06003106
[1.582608] microcode: Microcode Update Driver: v2.2.

Notice the