Re: [CentOS] Meltdown and Spectre

2018-02-12 Thread Peter Kjellström
On Mon, 12 Feb 2018 11:13:57 +
isdtor wrote:

> Does anyone know if Red Hat are working on backporting improved
> mitigation techniques and features from newer, 4.14.14+ kernels?
> 
> $ grep . /sys/devices/system/cpu/vulnerabilities/*
> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
> $

As it is, Red Hat has a more comprehensive set of fixes than your 4.14
example above.

For everyone (regardless of microcode etc.) you get PTI and some
additional LFENCE.

For CPUs with microcode support you also get IBRS (restrict speculation)
and IBPB (branch predict barrier).

My understanding is that today for CPUs without microcode support
(most/all since it was revoked) that means slightly less protection (no
retpoline). But for CPUs with support and for Skylake (limited
retpoline usefulness) IBRS+IBPB gives better coverage.

You can view this status in /sys/kernel/debug/x86 (with mounted
debugfs).

The above goes for C6/C7 while Fedora has upstream vanilla stuff.

/Peter
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
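An added example, not code from either poster: a small POSIX shell script that reads the same sysfs `vulnerabilities` files shown in the quoted output, classifies each entry as mitigated, vulnerable or unaffected, and returns non-zero if anything is still vulnerable, then reports the debugfs flags Peter refers to. The sysfs directory and the debugfs directory are parameters so the logic can be run against constructed input; the flag names `pti_enabled`, `ibrs_enabled`, `ibpb_enabled` and `retp_enabled` are the ones Red Hat's backported kernels expose under `/sys/kernel/debug/x86` and are an assumption here, since the thread itself only names the directory.

```shell
#!/bin/sh
# Summarise the kernel's self-reported Meltdown/Spectre status.
# Added example; sysfs and debugfs paths default to the real ones but
# can be overridden so the parsing logic runs on constructed files.

# classify_line "name:status text" -> "name mitigated|vulnerable|unaffected|unknown"
# Input has the same shape as a line of `grep . /sys/devices/system/cpu/vulnerabilities/*`
classify_line() {
    name=${1%%:*}
    status=${1#*:}
    case $status in
        "Not affected"*) echo "$name unaffected" ;;
        "Mitigation:"*)  echo "$name mitigated" ;;
        "Vulnerable"*)   echo "$name vulnerable" ;;
        *)               echo "$name unknown" ;;
    esac
}

# summarise_dir [DIR]: one line per vulnerability file; exit status 1 if any is vulnerable
summarise_dir() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(classify_line "$(basename "$f"):$(cat "$f")")
        echo "$line"
        case $line in *" vulnerable") rc=1 ;; esac
    done
    return $rc
}

# show_debugfs_knobs [DIR]: Red Hat kernel flags (0/1) under debugfs; "absent"
# means the file is missing (debugfs not mounted, or a kernel without the knob).
# Flag names are assumed from Red Hat's kernels, not taken from the mail above.
show_debugfs_knobs() {
    dir=${1:-/sys/kernel/debug/x86}
    for k in pti_enabled ibrs_enabled ibpb_enabled retp_enabled; do
        if [ -r "$dir/$k" ]; then
            echo "$k=$(cat "$dir/$k")"
        else
            echo "$k=absent"
        fi
    done
}

# Stand-alone use on a live host: `sh check_spec.sh --run`
# (debugfs must be mounted first: mount -t debugfs none /sys/kernel/debug)
if [ "${1:-}" = "--run" ]; then
    summarise_dir
    echo "--- debugfs ---"
    show_debugfs_knobs
fi
```

On a CentOS 7 host the sysfs view and the debugfs flags can disagree in emphasis: the sysfs `spectre_v2` line describes the retpoline state, while `ibrs_enabled`/`ibpb_enabled` show whether the microcode-based mitigations Peter describes are actually active, so both are worth reading before concluding a host is covered.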


[CentOS] Meltdown and Spectre

2018-02-12 Thread isdtor
Does anyone know if Red Hat are working on backporting improved mitigation 
techniques and features from newer, 4.14.14+ kernels?

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
$
