[lfs-support] kpti - no performance impact?

2018-01-08 Thread Thomas Trepl
Interesting that Intel
(https://newsroom.intel.de/news-releases/industry-testing-shows-recently-released-security-updates-not-impacting-performance-real-world-deployments/)
thinks that there is no performance issue.

Measuring LFS builds looks a bit different to me (columns 2+3 are build
times in seconds and may not be 100% accurate but the trend is clear):

Package              4.14.10   .12  Ratio

034-binutils-pass1        97   113   1,16
035-gcc-pass1            261   296   1,13
036-linux-headers          6    17   2,83
037-glibc                149   178   1,19
038-gcc-libstdc++         24    29   1,20
039-binutils-pass2        39    42   1,07
040-gcc-pass2            425   411   0,96
041-tcl                   50    57   1,14
042-expect                 4     6   1,50
043-dejagnu                2     2   1,00
044-check                  6     8   1,33
045-ncurses               22    25   1,13
046-bash                  21    25   1,19
047-bison                 21    25   1,19
048-bzip2                  1     1   1,00
049-coreutils             44    51   1,15
050-diffutils             19    23   1,21
051-file                   6     6   1,00
052-findutils             29    34   1,17
053-gawk                  12    14   1,16
054-gettext               49    57   1,16
055-grep                  16    19   1,18
056-gzip                  10    11   1,10
057-m4                    15    17   1,13
058-make                   5     6   1,20
059-patch                 17    19   1,11
060-perl                  51    58   1,13
061-sed                   15    16   1,06
062-tar                   27    32   1,18
063-texinfo               21    24   1,14
064-util-linux            31    36   1,16
065-xz                    10    11   1,10
072-creatingdirs           1     1   1,00
073-createfiles            1     1   1,00
074-linux-headers          8     8   1,00
075-man-pages              1     1   1,00
076-glibc                197   227   1,15
077-adjusting              1     1   1,00
078-zlib                   1     2   2,00
079-file                   5     6   1,20
080-readline               4     5   1,25
081-m4                    15    17   1,13
082-bc                     3     3   1,00
083-binutils             114   121   1,06
084-gmp                   25    31   1,24
085-mpfr                  14    15   1,07
086-mpc                    4     5   1,25
087-gcc                  346   418   1,20
088-bzip2                  4     2   0,50
089-pkg-config            17    21   1,23
090-ncurses               16    19   1,18
091-attr                   3     3   1,00
092-acl                    3     3   1,00
093-libcap                 1     1   1,00
094-sed                   15    19   1,26
095-shadow                10    12   1,20
096-psmisc                 3     4   1,33
097-iana-etc               1     1   1,00
098-bison                 20    24   1,20
099-flex                   6     7   1,16
100-grep                  16    19   1,18
101-bash                  20    24   1,20
102-libtool                4     6   1,50
103-gdbm                   5     5   1,00
104-gperf                  2     3   1,50
105-expat                  5     6   1,20
106-inetutils             29    35   1,20
107-perl                  72    86   1,19
108-xml-parser             2     2   1,00
109-intltool               2     2   1,00
110-autoconf               2     2   1,00
111-automake               1     2   2,00
112-xz                     8    10   1,25
113-kmod                   4     6   1,50
114-gettext               95   109   1,14
115-libffi                 3     4   1,33
116-Python                53    58   1,09
117-ninja                 14    17   1,21
118-meson                  1     1   1,00
119-procps-ng              8     9   1,12
120-e2fsprogs             16    18   1,12
121-coreutils             84    98   1,16
122-diffutils             20    24   1,20
123-gawk                  13    16   1,23
124-findutils             30    35   1,16
125-groff                 40    45   1,12
126-grub                  34    42   1,23
127-less                   4     4   1,00
128-gzip                  10    11   1,10
129-iproute2               5     6   1,20
130-kbd                    7     9   1,28
131-libpipeline           12    15   1,25
132-make                   5     6   1,20
133-patch                 17    20   1,17
134-sysklogd               1     1   1,00
135-sysvinit               1     1   1,00
136-eudev                 10    12   1,20
137-util-linux            27    32   1,18
138-man-db                28    32   1,14
139-tar                   31    36   1,16
140-texinfo               25    28   1,12

Re: [lfs-support] Page Table Isolation

2018-01-08 Thread Thomas Trepl
On Monday, 08.01.2018, at 16:14 -0800, Paul Rogers wrote:
> I've just patched one of my older Core2 "Conroe", LFS-7.7, up to
> 4.4.110.  It's an i686 system.  With each minor-version patch "make
> oldconfig" was run.  I saw no kernel config parameter for
> PAGE_TABLE_ISOLATION when I rebuilt the patched kernel.  I can find
> no evidence it has been built into this kernel.  I did get some hits
> for "kaiser" in the source code, arch/x86/mm/kaiser.c, and the
> mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION.  The make log I
> kept does not contain the string "kaiser", nor does /boot/System.map.
> 
> Any ideas?  TIA.
> 
You could check dmesg after reboot. If there is a line like

[0.00] Kernel/User page tables isolation: enabled

then it should be active. At least on x86_64 such a line comes up (with
4.14.12).

Will do an i686 build today...

--
Thomas
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Do not top post on this list.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

http://en.wikipedia.org/wiki/Posting_style


Re: [lfs-support] Page Table Isolation

2018-01-08 Thread Ken Moffat
On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.  
> It's an i686 system.  With each minor-version patch "make oldconfig" was run. 
>  I saw no kernel config parameter for PAGE_TABLE_ISOLATION when I rebuilt the 
> patched kernel.  I can find no evidence it has been built into this kernel.  
> I did get some hits for "kaiser" in the source code, arch/x86/mm/kaiser.c, 
> and the mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION.  The make log I 
> kept does not contain the string "kaiser", nor does /boot/System.map.
> 
> Any ideas?  TIA.
> 

Looking at my lkml mailbox, patch 02 of 37 for this version added
KAISER, including apparently CONFIG_KAISER - but it depends on
x86_64.

Hmm, looking at 4.14.12 PAGE_TABLE_ISOLATION also depends on x86_64.
Looks like there is nothing for 32-bit x86.

Sorry.  I'm afraid 32-bit x86 gets much less love these days.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals
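
The checks discussed in the two replies above (the dmesg line, the config symbols and the x86_64 dependency) combined into one helper. This is an added example, not part of any poster's message; the function name pti_status, its result labels, the "disabled" message wording (assumed from 4.14-series kernels) and the sample inputs are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify KPTI state from dmesg text
# and kernel .config text. Prints one of:
#   enabled | disabled | built-unconfirmed | unavailable-32bit | not-built

pti_status() {
    dmesg_text=$1
    config_text=$2
    msg='Kernel/User page tables isolation:'

    # The boot message is the only proof that isolation is active right now.
    if printf '%s\n' "$dmesg_text" | grep -q "$msg enabled"; then
        echo enabled
    # Assumption: 4.14-series wording when PTI is switched off at boot.
    elif printf '%s\n' "$dmesg_text" | grep -q "$msg disabled"; then
        echo disabled
    # Compiled in, but the log is silent (ring buffer rotated, wrong log).
    elif printf '%s\n' "$config_text" |
            grep -Eq '^CONFIG_(PAGE_TABLE_ISOLATION|KAISER)=y'; then
        echo built-unconfirmed
    # Per the thread, the option depends on x86_64, so a 32-bit
    # config never offers it and "make oldconfig" never asks.
    elif printf '%s\n' "$config_text" | grep -q '^CONFIG_X86_32=y'; then
        echo unavailable-32bit
    else
        echo not-built
    fi
}

# Constructed sample inputs (not captured from real machines).
SAMPLE_DMESG_X86_64='[    0.000000] Linux version 4.14.12 (constructed sample)
[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_CONFIG_X86_64='CONFIG_64BIT=y
CONFIG_X86_64=y
CONFIG_PAGE_TABLE_ISOLATION=y'
SAMPLE_DMESG_I686='[    0.000000] Linux version 4.4.110 (constructed sample)'
SAMPLE_CONFIG_I686='CONFIG_X86_32=y
CONFIG_SECURITY=y
# CONFIG_SECURITY_YAMA is not set'

# Live use on the running system, for instance:
#   pti_status "$(dmesg)" "$(cat /path/to/.config)"
```

A result of built-unconfirmed means the option was compiled in but the boot log does not show it; only the "enabled" line confirms the running kernel is isolating page tables.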


Re: [lfs-support] The Spectre and Meltdown CPU vulnerabilities

2018-01-08 Thread DJ Lucas



On 01/08/2018 05:44 PM, Bruce Dubbs wrote:
> DJ Lucas wrote:
> > I might be confused, but I thought microcode updates on consumer
> > processors is handled by BIOS update from the motherboard
> > manufacturer, the AGESA part of the BIOS version, currently 1.0.0.7.
> > I'm not sure if we'll see a late-load .bin for the consumer
> > processors. If anybody can confirm or deny, please speak up.
>
> BLFS shows how to update the microcode in an initrd.  That's really just
> having the kernel do what the BIOS update would do.

Bruce, the AGESA comment is specific to AMD R5/R7 processors. They 
obviously intend to provide the files for at least Epyc. Nothing has 
surfaced yet for Ryzen or Threadripper outside of the BIOS updates.


--DJ




Re: [lfs-support] The Spectre and Meltdown CPU vulnerabilities

2018-01-08 Thread DJ Lucas



On 01/08/2018 03:12 PM, Michael Shell wrote:
> On Sun, 7 Jan 2018 16:47:00 -0600
> DJ Lucas wrote:
>
> > I might be confused, but I thought microcode updates on consumer
> > processors is handled by BIOS update from the motherboard manufacturer,
> > the AGESA part of the BIOS version, currently 1.0.0.7. I'm not sure if
> > we'll see a late-load .bin for the consumer processors.
>
>    DJ,
>
> Given that a microcode update would apply to all processors of a given
> type and given this is a security related matter, the chances are very
> good that *somebody* will extract and "leak" the microcode files to
> the public even if Intel/AMD does not (officially) do so.
>
> IMHO, tis kind of silly of Intel/AMD to expect microcode updates to
> come only by way of BIOS updates given how reluctantly motherboard
> makers issue BIOS updates.

Agreed, however, it seems to be the case. AGESA (AMD Generic 
Encapsulated Software Architecture) is the working name. I suppose you 
can do so without a BIOS update, but somebody will have to either 
extract it, or break NDA (probably equally frowned upon in many 
jurisdictions).


--DJ



Re: [lfs-support] Page Table Isolation

2018-01-08 Thread Paul Rogers
I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.  It's 
an i686 system.  With each minor-version patch "make oldconfig" was run.  I saw 
no kernel config parameter for PAGE_TABLE_ISOLATION when I rebuilt the patched 
kernel.  I can find no evidence it has been built into this kernel.  I did get 
some hits for "kaiser" in the source code, arch/x86/mm/kaiser.c, and the 
mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION.  The make log I kept does 
not contain the string "kaiser", nor does /boot/System.map.

Any ideas?  TIA.

Here's the config file's security options (not mentioned):
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_ASYNC_PQ=y
CONFIG_ASYNC_RAID6_RECOV=y
CONFIG_CRYPTO=y

#
# Crypto core or helper
#

> > The ext3 filesystem is still available in 4.14.
> 
> I read it wasn't:
> "KernelNewbies: 4.3

Apparently that source was wrong.


-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


Re: [lfs-support] The Spectre and Meltdown CPU vulnerabilities

2018-01-08 Thread Bruce Dubbs

DJ Lucas wrote:
> I might be confused, but I thought microcode updates on consumer
> processors is handled by BIOS update from the motherboard manufacturer,
> the AGESA part of the BIOS version, currently 1.0.0.7. I'm not sure if
> we'll see a late-load .bin for the consumer processors. If anybody can
> confirm or deny, please speak up.

BLFS shows how to update the microcode in an initrd.  That's really just 
having the kernel do what the BIOS update would do.


On my latest build (yesterday), I have:

menuentry 'LFS SVN-20180106 kernel 4.14.12' {
   linux   /vmlinuz-4.14.12-lfs-SVN-20180106 root=/dev/sda9 ro
   initrd  /microcode-06-5e-03.img
}


Re: [lfs-support] The Spectre and Meltdown CPU vulnerabilities

2018-01-08 Thread Michael Shell
On Sun, 7 Jan 2018 16:47:00 -0600
DJ Lucas  wrote:

> I might be confused, but I thought microcode updates on consumer 
> processors is handled by BIOS update from the motherboard manufacturer, 
> the AGESA part of the BIOS version, currently 1.0.0.7. I'm not sure if 
> we'll see a late-load .bin for the consumer processors. 


  DJ,

Given that a microcode update would apply to all processors of a given
type and given this is a security related matter, the chances are very
good that *somebody* will extract and "leak" the microcode files to
the public even if Intel/AMD does not (officially) do so.

IMHO, tis kind of silly of Intel/AMD to expect microcode updates to
come only by way of BIOS updates given how reluctantly motherboard
makers issue BIOS updates.


   Cheers,

   Mike
 



[lfs-support] some thoughts on building lfs 8.0 + 8.1

2018-01-08 Thread Thomas Seeling
Hello,


during winter vacation I had some fun building LFS again; I wanted to
dive into UEFI systems.

I installed Fedora 27 on a machine with an old-ish i5-3350, 16 GB RAM
and 256 GB SSD.

Fedora 27 comes with gcc 7.2, and this combination cannot build LFS 8.0
without changes. This information is obviously outdated because LFS 8.1
is out ;), but FYI here's why:

gcc 7.2 is strictly conforming to the new ISO C/C++ standards and comes
with some new constraints, both for syntax and semantics of source code.
For some integer types you need to include the new , and
additionally it will choke on some code that previously was accepted.
You cannot compile the LFS 8.0-included gcc 6.3.0, there's a change to
ubsan.c required (if you still want to build 8.0 for some reason).

src/gcc-6.3.0/gcc/ubsan.c:
1474:23: error: ISO C++ forbids comparison between pointer and integer
[-fpermissive]

fix is simple:
- || xloc.file == '0' || xloc.file[0] == 'xff'
+ || xloc.file[0] == '0' || xloc.file[0] == 'xff'
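
Review bot: The character literals on both lines read '0' and 'xff' as rendered here, which in C++ are the digit zero and a multi-character constant rather than the NUL and 0xff bytes this test appears to want; the backslashes of '\0' and '\xff' look to have been dropped somewhere between the mail and the archive, so anyone retyping the fix by hand should restore them. Also note that the removed term `xloc.file == '0'` compared the pointer itself, while the added `xloc.file[0]` dereferences it, so confirm that an earlier term of this `||` chain (not visible in the hunk) already rejects a null `xloc.file` before this one is evaluated.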

Bye...Thomas
-- 
"Do you wanna be a legend or a passing footprint on the sands of time?"


