Re: [lfs-support] Page Table Isolation on AMD Processors

2018-02-11 Thread Mark Pokorny
On 11 February 2018 at 19:30, Ken Moffat  wrote:
> On Sun, Feb 11, 2018 at 07:10:41PM +, Mark Pokorny wrote:
>> Hi all,
>>
>> I’ve been away for a while, but am back now starting a new SVN build
>> of LFS. Since I’ve been away, however, the Spectre/Meltdown issue has
>> been discussed at length. I’ve been reading through the archives with
>> interest, but unfortunately little understanding.
>>
>> I am currently going through the motions of setting the configuration
>> options for the Linux kernel (4.15.2) and have come across the option
>> for Page Table Isolation. I have an AMD FX8350 processor, and from
>> reading the discussions on this mailing list, I understand that AMD
>> processors are _not_ vulnerable to the Meltdown issue that PTI is
>> supposed to address. So, my question is:
>>
>> tl;dr:
>> Should I compile Page Table Isolation into my kernel even though I
>> have (a pre-Ryzen) AMD processor? It seems some people were having
>> issues when PTI was compiled in, and others state the PTI is not
>> activated at runtime anyway. Any thoughts?
>>
>> Bye!
>>
>> Mark.
>
> Enable it ;)
>
> The statement that it will not be activated at runtime if you are on
> an AMD CPU is correct.  OTOH, if you will never use that .config to
> build on a different machine then I suppose it doesn't matter.
>
> ĸen

Cheers! Thanks Ken! Will do! ;)

Mark.
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Do not top post on this list.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

http://en.wikipedia.org/wiki/Posting_style


[lfs-support] Page Table Isolation on AMD Processors

2018-02-11 Thread Mark Pokorny
Hi all,

I’ve been away for a while, but am back now starting a new SVN build
of LFS. Since I’ve been away, however, the Spectre/Meltdown issue has
been discussed at length. I’ve been reading through the archives with
interest, but unfortunately little understanding.

I am currently going through the motions of setting the configuration
options for the Linux kernel (4.15.2) and have come across the option
for Page Table Isolation. I have an AMD FX8350 processor, and from
reading the discussions on this mailing list, I understand that AMD
processors are _not_ vulnerable to the Meltdown issue that PTI is
supposed to address. So, my question is:

tl;dr:
Should I compile Page Table Isolation into my kernel even though I
have (a pre-Ryzen) AMD processor? It seems some people were having
issues when PTI was compiled in, and others state the PTI is not
activated at runtime anyway. Any thoughts?

Bye!

Mark.


Re: [lfs-support] Page Table Isolation

2018-01-11 Thread Ken Moffat
On Thu, Jan 11, 2018 at 02:37:49PM -0800, Paul Rogers wrote:
> 
> In my investigation I too saw the 4GB/4GB split mentioned but with something 
> else that caused me to disregard it--it had been pulled or something.
> 
> I have 4GB in my "everyday" Conroes, though the refurb box I dedicate to W10 
> so's it can run TurboTax is only 2GB, IIRC.  IMO, running a 64-bit OS is a 
> plus only if it has more than 4GB to play with.

4GB just about still works ok, although it is getting tight for
compiling modern browsers.

At one time I was thinking about trying X32 (full-width kernel, all
the extra registers, but 32-bit pointers).  That was for a low-end
AMD with, ISTR, 1GB RAM (worked great in the early days of x86_64,
but the software got bigger).  But that old machine died and 4/8GB
is now a normal size for RAM on a desktop machine, so I didn't
bother.  And LFS doesn't support it.

If anybody wants to try that, many packages needed patching - again,
gentoo is probably the primary place to look.  But X32 seems to have
missed the opportunity to become popular.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-11 Thread Paul Rogers
> I would not abandon hope just yet, although the chances are probably
> slim.  The *big* target is rented (by the hour or whatever) machines
> and VMs - those are almost wholly x86_64 and that is where people's
> data is most at risk of the Meltdown vulnerability.

Certainly those, but I think there are many boxen "behind the scenes", for 
loose definitions of "embedded" something like kiosks, et al., that are running 
necessary functions that nobody but installers and maintenance techs ever sees 
or thinks about.

In '98 or so I pulled into my usual gas station for a fillup, and one of the 
pumps had its cover off.  I immediately recognized a 40-pin DIP on the board 
and had to take a look.  It was a 1976 vintage Zilog Z-80 running the gas pump.
Computers have snuck in everywhere!

> Gentoo writes: "... Currently, the KPTI patch-set is only available for
> 64-bit Gentoo operating systems. Some 32-bit operating systems (for
> example if you are using 4gb/4gb memory split) are immune because they
> use separate memory maps for kernel and userspace.  ..."
> 
> Unfortunately not specified what "Some 32-bit operating systems" are.

In my investigation I too saw the 4GB/4GB split mentioned but with something 
else that caused me to disregard it--it had been pulled or something.

I have 4GB in my "everyday" Conroes, though the refurb box I dedicate to W10 
so's it can run TurboTax is only 2GB, IIRC.  IMO, running a 64-bit OS is a plus 
only if it has more than 4GB to play with.

-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


Re: [lfs-support] Page Table Isolation

2018-01-11 Thread Ken Moffat
On Thu, Jan 11, 2018 at 08:03:13PM +0100, Thomas Trepl wrote:
> 
> Gentoo writes: "... Currently, the KPTI patch-set is only available for
> 64-bit Gentoo operating systems. Some 32-bit operating systems (for
> example if you are using 4gb/4gb memory split) are immune because they
> use separate memory maps for kernel and userspace.  ..."
> 
> Unfortunately not specified what "Some 32-bit operating systems" are.
> 
> https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
> 
From reading two emails which arrived on lkml today:

1. 4GB/4GB was never accepted upstream - it was one of the options
for i686 machines with more than 4GB RAM (PAE etc).  I expect gentoo
have patches to add it.

2. Suse have fixing it for their 32-bit kernels on their ToDo list,
but they have nothing at the moment.  If it happens it will be at
http://kernel.suse.com

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-11 Thread Thomas Trepl
On Wednesday, 10.01.2018, 17:10 +, Ken Moffat wrote:
> On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > > > I've just patched one of my older Core2 "Conroe", LFS-7.7, up
> > > > to 4.4.110.  It's an i686 system. 
> > > > 
> > > > Any ideas?  TIA.
> > > > 
> > > 
> > > Looking at my lkml mailbox, patch 02 of 37 for this version added
> > 
> > I haven't been able to GET to LKML for 3 days now.  It keeps
> > timing-out.
> > 
> 
> I had the same last night (on the main mirror), but I think there
> used to be more than one mirror site.  Haven't tried since, and it
> is irrelevant to this problem. ...
> 
> > > Sorry.  I'm afraid 32-bit x86 gets much less love these days.
> > 
> > Please, if anyone runs across the 32-bit patch, let me know.  There
> > certainly are many 32-bit systems still in service!
> > 
> 
> I asked on lwn, so far the consensus is that a lot of 32-bit x86 is
> embedded and never gets updated anyway.  Distros are gradually
> dropping i686, AFAICS nobody has offered a potential fix - but there
> is a PoC exploit at github which can apparently run on i686.
> 
> And for Meltdown, although AMD x86_64 is not affected, nobody has
> offered a view on whether or not AMD i686 is affected.
> 
> There were some comments on the FreeBSD Questions list (for the
> moment they do not have a fix even for x86_64) that they would hope
> to fix i686 after x86_64 is fixed.  But using FreeBSD, for someone
> who understands linux, looks to be very painful.  Another poster
> said he *thought* the problem started with the Westmere generation.

Gentoo writes: "... Currently, the KPTI patch-set is only available for
64-bit Gentoo operating systems. Some 32-bit operating systems (for
example if you are using 4gb/4gb memory split) are immune because they
use separate memory maps for kernel and userspace.  ..."

Unfortunately not specified what "Some 32-bit operating systems" are.

https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre


--
Thomas


Re: [lfs-support] Page Table Isolation

2018-01-10 Thread Ken Moffat
On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> 
> Please, if anyone runs across the 32-bit patch, let me know.  There certainly 
> are many 32-bit systems still in service!
> 
I would not abandon hope just yet, although the chances are probably
slim.  The *big* target is rented (by the hour or whatever) machines
and VMs - those are almost wholly x86_64 and that is where people's
data is most at risk of the Meltdown vulnerability.

> Yes, I can run x86-64 on my Conroes, but it's noticeably slower, especially 
> for such things as starting X.

For a machine which can run a 64-bit kernel, it used to be possible
to run 32-bit userspace and build a 64-bit kernel by copying pass 1
binutils and gcc, but to create the conventional target (not -lfs-)
and putting them somewhere convenient.

Then, after spending time getting a 64-bit kernel which works (apart
from the issues in configuring the kernel, the -cross- binutils and
gcc need to be on the PATH for the user who builds the kernel, and
also for root or whoever is running module_install) you need to
change the initscripts so that linux32 is invoked - that should let
your existing C and C++ compilers think you are running on i686.

I've done that in the past when I used a sluggish powerpc64 mac "G5"
which required a 64-bit kernel.  All the userspace was plain 32-bit
ppc.

I also did something similar recently when trying to bring up an old
machine as i686 (copy a working 64-bit kernel and modules, and use
linux32 while trying to get a working i686 kernel built - in the end
I couldn't use that (or i686 devuan) to build a fresh 32-bit LFS, but
I did manage to get an adequate i686 kernel built.  And no, I have
no interest in trying to get a successful build there, too busy on
other things.

One thing which might now break building a 64-bit kernel on 32-bit, I
suppose, is extra dependencies - in particular perl, flex, and
(depending on your kernel config) elfutils and I think openssl was
also mentioned (I don't need the latter for my kernel).

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-10 Thread Paul Rogers
> Uuh, not that I'm aware of that in .10 the PTI stuff was implemented. 
> In that .10-system, "cat /proc/cpuinfo" shows nothing in the "bugs:"
> line (while .12 says "bugs: cpu_insecure") and there is nothing about
> KPTI in dmesg when booting the .10. 

I've just upgraded my LFS-7.10 system to 4.9.75 and dmesg
shows:
... 
[0.00] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[0.00] Kernel/User page tables isolation: enabled
[0.00] Hierarchical RCU implementation.
...
I made sure to look for it!  ;-)

> 
> I have no idea about the changes with each generation, but for
> recent models, provided hyperthreading is enabled, linux sees 8
> cores in this situation - depending on the kernel config, it might
> slightly change how things are scheduled, but overall it rotates
> jobs between all cores.

True, there is scheduling being done at the OS level, and the hyperthreading 
chips are telling the OS, "Give me two threads to do, I can handle it."  But 
there is also a scheduling process going on *within* the processor as the two 
threads vie for processing elements within the pipeline.  There are differences 
between different architectures, but the best evidence for competitive 
bottlenecks within a hyperthreaded CPU is that Intel only claimed a 30% 
performance improvement (I believe on the single core P4D).  My dual core 
Conroes will give much more because each pipeline is separate, without 
contention, and the cores only compete for L2 cache and the off-chip Bus 
Interface.

> The difference with hyperthreading is that things like
> floating-point get shared between siblings.

More than that!  See this for the Nehalem internals:
https://upload.wikimedia.org/wikipedia/commons/6/64/Intel_Nehalem_arch.svg

> If I watch 'top' (recent version) I can see an activity line for
> each core.  And the activity moves around.

Indeed, but that's at the OS dispatching level.  If you could get fine enough 
granularity, again depending on specific CPU architecture, you'd see that the 
"raw" performance of those "cores" either 1) split into two groups, or 2) 
change depending on whether there is one or two threads running in the core.

> I asked on lwn, so far the consensus is that a lot of 32-bit x86 is
> embedded and never gets updated anyway.  Distros are gradually
> dropping i686, AFAICS nobody has offered a potential fix - but there
> is a PoC exploit at github which can apparently run on i686.

Yeah, kernel devs always get the latest and greatest HW, so it's not their ox 
getting gored.  It's so easy for them to presume nothing else matters.  If 
you're on LKML, please tell them their assumption is wrong!  The 32-bit systems 
are still vulnerable, still doing important jobs, and if updating the software 
is going to be difficult, replacing the hardware in a timely fashion is very 
much more so.  What kind of important jobs?  How about all the infrastructure 
we all depend upon?  Like having potable water coming out of the tap?

> said he *thought* the problem started with the Westmere generation.

So the guys who found it and said it affected everything since PPro were wrong?
Maybe he should tell them.


-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


Re: [lfs-support] Page Table Isolation

2018-01-10 Thread Ken Moffat
On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > > I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110. 
> > >  It's an i686 system. 
> > > 
> > > Any ideas?  TIA.
> > > 
> > 
> > Looking at my lkml mailbox, patch 02 of 37 for this version added
> 
> I haven't been able to GET to LKML for 3 days now.  It keeps timing-out.
> 

I had the same last night (on the main mirror), but I think there
used to be more than one mirror site.  Haven't tried since, and it
is irrelevant to this problem. ...

> > Sorry.  I'm afraid 32-bit x86 gets much less love these days.
> 
> Please, if anyone runs across the 32-bit patch, let me know.  There certainly 
> are many 32-bit systems still in service!
> 

I asked on lwn, so far the consensus is that a lot of 32-bit x86 is
embedded and never gets updated anyway.  Distros are gradually
dropping i686, AFAICS nobody has offered a potential fix - but there
is a PoC exploit at github which can apparently run on i686.

And for Meltdown, although AMD x86_64 is not affected, nobody has
offered a view on whether or not AMD i686 is affected.

There were some comments on the FreeBSD Questions list (for the
moment they do not have a fix even for x86_64) that they would hope
to fix i686 after x86_64 is fixed.  But using FreeBSD, for someone
who understands linux, looks to be very painful.  Another poster
said he *thought* the problem started with the Westmere generation.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-09 Thread Ken Moffat
On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > > I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110. 
> > >  It's an i686 system. 
> > > 
> > > Any ideas?  TIA.
> > > 
> > 
> > Looking at my lkml mailbox, patch 02 of 37 for this version added
> 
> I haven't been able to GET to LKML for 3 days now.  It keeps timing-out.
> 
> > Sorry.  I'm afraid 32-bit x86 gets much less love these days.
> 
> Please, if anyone runs across the 32-bit patch, let me know.  There certainly 
> are many 32-bit systems still in service!
> 
> Yes, I can run x86-64 on my Conroes, but it's noticeably slower, especially 
> for such things as starting X.
> 
> > 
> > Measuring LFS builds looks a bit different to me (column 2+3 are build
> > times in seconds and may not be 100% accurate but the trend is clear):
> > 
> > Package             4.14.10  4.14.12  Ratio
> > --------------------------------------------
> > 034-binutils-pass1       97      113   1,16
> > 035-gcc-pass1           261      296   1,13
> > 036-linux-headers         6       17   2,83
> > 037-glibc               149      178   1,19
> 
> AIUI chips, such as my elderly i7-940, are actually 4 cores that pretend to 
> have 8 using the hyperthreading introduced with the Pentium-D.  The 
> hyperthreaded core is scheduled on an "as resources are available" basis--the 
> "real" core has priority.  Performance figures I saw back in the day showed a 
> hyperthreaded system provided at most 140% of the equivalent single 
> core--certainly worth having, but NOT 200%.
> 

I have no idea about the changes with each generation, but for
recent models, provided hyperthreading is enabled, linux sees 8
cores in this situation - depending on the kernel config, it might
slightly change how things are scheduled, but overall it rotates
jobs between all cores.

The difference with hyperthreading is that things like
floating-point get shared between siblings.

If I watch 'top' (recent version) I can see an activity line for
each core.  And the activity moves around.

> "Wikipedia: According to Intel, the first hyper-threading implementation used 
> only 5% more die area than the comparable non-hyperthreaded processor, but 
> the performance was 15–30% better. Intel claims up to a 30% performance 
> improvement compared with an otherwise identical, non-simultaneous 
> multithreading Pentium 4."
> 
> So exactly what preceded the build would change the way tasks got assigned 
> to the next available "core", hence what ran on real cores vs hyperthreaded 
> "cores" and different timings.
> 

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-09 Thread Paul Rogers
> On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.  
> > It's an i686 system. 
> > 
> > Any ideas?  TIA.
> > 
> 
> Looking at my lkml mailbox, patch 02 of 37 for this version added

I haven't been able to GET to LKML for 3 days now.  It keeps timing-out.

> Sorry.  I'm afraid 32-bit x86 gets much less love these days.

Please, if anyone runs across the 32-bit patch, let me know.  There certainly 
are many 32-bit systems still in service!

Yes, I can run x86-64 on my Conroes, but it's noticeably slower, especially for 
such things as starting X.

> 
> Measuring LFS builds looks a bit different to me (column 2+3 are build
> times in seconds and may not be 100% accurate but the trend is clear):
> 
> Package             4.14.10  4.14.12  Ratio
> --------------------------------------------
> 034-binutils-pass1       97      113   1,16
> 035-gcc-pass1           261      296   1,13
> 036-linux-headers         6       17   2,83
> 037-glibc               149      178   1,19

AIUI chips, such as my elderly i7-940, are actually 4 cores that pretend to 
have 8 using the hyperthreading introduced with the Pentium-D.  The 
hyperthreaded core is scheduled on an "as resources are available" basis--the 
"real" core has priority.  Performance figures I saw back in the day showed a 
hyperthreaded system provided at most 140% of the equivalent single 
core--certainly worth having, but NOT 200%.

"Wikipedia: According to Intel, the first hyper-threading implementation used 
only 5% more die area than the comparable non-hyperthreaded processor, but the 
performance was 15–30% better. Intel claims up to a 30% performance improvement 
compared with an otherwise identical, non-simultaneous multithreading Pentium 
4."

So exactly what preceded the build would change the way tasks got assigned to 
the next available "core", hence what ran on real cores vs hyperthreaded 
"cores" and different timings.

-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


Re: [lfs-support] Page Table Isolation

2018-01-09 Thread Ken Moffat
On Tue, Jan 09, 2018 at 07:32:01PM +0100, Thomas Trepl wrote:
> > [0.00] Kernel/User page tables isolation: enabled
> > 
> > then it should be active. At least on x86_64 such a line comes up
> > (with 4.14.12).
> > 
> > Will do a i686 build today...
> 
> Did so. Looks like the KPTI stuff is somehow different (if at all)
> implemented for 32bit kernels. Indeed, the option to select
> CONFIG_PAGE_TABLE_ISOLATION isn't available and when booting a fresh
> i686-4.14.12 kernel it does not show the "Kernel/User page tables
> isolation: enabled" message. Haven't found much info about KPTI on i686
> yet. Nevertheless, when running the i686 kernel on a Xeon-E3-1245
> /proc/cpuinfo says "bugs : cpu_insecure". So, at least a bit has
> changed for 32bit-kernels, too.
> 
> Does anyone have more insights here?
> 
See my reply from last night or early this morning - it looks as if
PTI is not available on 32-bit x86.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-08 Thread Thomas Trepl
On Monday, 08.01.2018, 16:14 -0800, Paul Rogers wrote:
> I've just patched one of my older Core2 "Conroe", LFS-7.7, up to
> 4.4.110.  It's an i686 system.  With each minor-version patch "make
> oldconfig" was run.  I saw no kernel config parameter for
> PAGE_TABLE_ISOLATION when I rebuilt the patched kernel.  I can find
> no evidence it has been built into this kernel.  I did get some hits
> for "kaiser" in the source code, arch/x86/mm/kaiser.c, and the
> mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION.  The make log I
> kept does not contain the string "kaiser", nor does /boot/System.map.
> 
> Any ideas?  TIA.
> 
You could check dmesg after reboot. If there is a line like

[0.00] Kernel/User page tables isolation: enabled

then it should be active. At least on x86_64 such a line comes up (with
4.14.12).

Will do a i686 build today...

--
Thomas
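As an added example (not code from anyone in the thread), a small POSIX shell script that reads the three places the thread uses to tell whether PTI is built and active: the dmesg line Thomas mentions, the "bugs:" field of /proc/cpuinfo, and CONFIG_PAGE_TABLE_ISOLATION in the kernel config; it also covers Mark's AMD question at the top of the page, where the option can be compiled in yet never activated. The sysfs vulnerabilities file it looks for is an assumption beyond the thread: it exists on 4.15 and the later stable kernels, not on the versions discussed here.

```shell
#!/bin/sh
# Added example, not code from the thread: pull the PTI/Meltdown status out of
# the three places the thread looks at (the dmesg boot line, the "bugs:" field
# of /proc/cpuinfo, and CONFIG_PAGE_TABLE_ISOLATION in the kernel config) so
# the answer is one line per source instead of a manual grep each time.
# Each parser reads its input on stdin, so it works on saved output from
# another machine as well as on the live system.

# dmesg: prints "enabled" or "disabled" from the kernel's own message, or
# "absent" when the kernel never printed it (no PTI built, or PTI built but
# not activated, which is what the thread reports for pre-Ryzen AMD CPUs).
pti_from_dmesg() {
    state=$(sed -n 's|.*Kernel/User page tables isolation: \([a-z]*\).*|\1|p' | head -n 1)
    if [ -n "$state" ]; then echo "$state"; else echo absent; fi
}

# /proc/cpuinfo: "vulnerable" if the first CPU's bugs field lists cpu_insecure
# (the 4.14.12 name) or cpu_meltdown (the later name), "not_listed" if the
# field exists but has no Meltdown entry, "unknown" if the kernel is too old
# to have a bugs field at all (so silence must not be read as safety).
meltdown_from_cpuinfo() {
    input=$(cat)
    if ! printf '%s\n' "$input" | grep -q '^bugs'; then
        echo unknown
        return 0
    fi
    bugs=$(printf '%s\n' "$input" | sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case " $bugs " in
        *" cpu_insecure "*|*" cpu_meltdown "*) echo vulnerable ;;
        *) echo not_listed ;;
    esac
}

# kernel .config: "y", "n", or "absent" when the symbol does not exist in this
# config at all (the i686 case in the thread, where it depends on X86_64).
pti_from_config() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y'; then
        echo y
    elif printf '%s\n' "$input" | grep -q '^# CONFIG_PAGE_TABLE_ISOLATION is not set'; then
        echo n
    else
        echo absent
    fi
}

# Run the parsers against the running system.
live_report() {
    echo "dmesg:   $(dmesg 2>/dev/null | pti_from_dmesg)"
    echo "cpuinfo: $(meltdown_from_cpuinfo < /proc/cpuinfo)"
    cfg=""
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    echo "config:  $(printf '%s\n' "$cfg" | pti_from_config)"
    # Assumption beyond the thread: 4.15 and later stable kernels also publish
    # a one-line verdict here; it is simply missing on the kernels discussed.
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then echo "sysfs:   $(cat "$sysfs")"; fi
}

# Constructed samples that mirror what the thread reports, for an offline run.
demo() {
    printf '[    0.000000] Kernel/User page tables isolation: enabled\n' | pti_from_dmesg  # enabled
    printf '[    0.000000] Hierarchical RCU implementation.\n' | pti_from_dmesg           # absent
    printf 'bugs\t\t: cpu_insecure\n' | meltdown_from_cpuinfo                             # vulnerable
    printf 'flags\t\t: fpu vme\n' | meltdown_from_cpuinfo                                  # unknown
    printf 'CONFIG_SECURITY=y\n# CONFIG_SECURITYFS is not set\n' | pti_from_config        # absent
}

if [ "${1:-}" = "--live" ]; then live_report; else demo; fi
```

Run it with `--live` on the machine in question; with no argument it only exercises the parsers on the constructed samples.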


Re: [lfs-support] Page Table Isolation

2018-01-08 Thread Ken Moffat
On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.  
> It's an i686 system.  With each minor-version patch "make oldconfig" was run. 
>  I saw no kernel config parameter for PAGE_TABLE_ISOLATION when I rebuilt the 
> patched kernel.  I can find no evidence it has been built into this kernel.  
> I did get some hits for "kaiser" in the source code, arch/x86/mm/kaiser.c, 
> and the mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION.  The make log I 
> kept does not contain the string "kaiser", nor does /boot/System.map.
> 
> Any ideas?  TIA.
> 

Looking at my lkml mailbox, patch 02 of 37 for this version added
KAISER, including apparently CONFIG_KAISER - but it depends on
x86_64.

Hmm, looking at 4.14.12 PAGE_TABLE_ISOLATION also depends on x86_64.
Looks like there is nothing for 32-bit x86.

Sorry.  I'm afraid 32-bit x86 gets much less love these days.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-08 Thread Paul Rogers
I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.  It's 
an i686 system.  With each minor-version patch "make oldconfig" was run.  I saw 
no kernel config parameter for PAGE_TABLE_ISOLATION when I rebuilt the patched 
kernel.  I can find no evidence it has been built into this kernel.  I did get 
some hits for "kaiser" in the source code, arch/x86/mm/kaiser.c, and the 
mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION.  The make log I kept does 
not contain the string "kaiser", nor does /boot/System.map.

Any ideas?  TIA.

Here's the config file's security options (not mentioned):
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_ASYNC_PQ=y
CONFIG_ASYNC_RAID6_RECOV=y
CONFIG_CRYPTO=y

#
# Crypto core or helper
#

> > The ext3 filesystem is still available in 4.14.
> 
> I read it wasn't:
> "KernelNewbies: 4.3

Apparently that source was wrong.


-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


Re: [lfs-support] Page Table Isolation

2018-01-07 Thread Paul Rogers

>> Likewise, I'm not betting kernel patches will get pushed down
>> to the kernels that support those old systems.  ext3 is not
>> supported in the latest kernels, so instructions to install
>> the latest kernels will leave many systems non-functional.
>> I think patches need to be pushed back to 3.19 kernels.
> 
> The ext3 filesystem is still available in 4.14.

I read it wasn't:

"KernelNewbies:
Linux_4.3
Last updated at 2017-12-30 01:30:22

Linux 4.3 has been released on 1 Nov 2015

Summary: This release removes the ext3 filesystem and leaves Ext4, which can 
also mount Ext3 filesystems, as the main Ext filesystem; "

-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


Re: [lfs-support] Page Table Isolation

2018-01-06 Thread Ken Moffat
On Thu, Jan 04, 2018 at 10:13:16PM +, Ken Moffat wrote:

[ Correcting my erroneous comment on the skylake firmware, although
it's so embarrassing that I was strongly tempted not to bother. ]
> > 
> > Intel are also in the process of releasing new firmware for
> > processors released in the last 5 years.  The current firmware is
> > now 20171117 but I'm not sure if that is up to date (it might be!)
> > 
> > https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?v=t
> > 
> 
> Well, whatever else that does, it does NOT contain anything new for
> my SandyBridge (I didn't really expect any update, it is more than 5
> years old), but also nothing new for my Haswell, which I had thought
> might get an update.
> 
> There _is_ a different file for my Skylake, but it doesn't load
> (trying late loading, dmesg reported something like 'unable to
> save', and using it for early loading did not load, and it was a
> PITA to get the earlier firmware loaded (early loading didn't
> happen, but I've now extracted it again to /lib/firmware and managed
> late loading).
> 
I've just updated the Skylake to 4.14.12.  Embarrassingly, I
discovered my grub entries for this system didn't specify any initrd
(for firmware).  Using the debian firmware, which includes fixes for
one of the Spectre vulnerabilities (and where there was an update
for my Haswell), I'm again on 0xba from April.  And although the new
intel firmware had a different md5sum, after again altering grub.cfg
and rebooting, it is still 0xba.

Summary - apart from my local errors, for the moment most intel CPUs
do NOT have new firmware to mitigate Spectre.

Still no idea why late loading on the "new" firmware failed.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-06 Thread Richard Melville
On 5 January 2018 at 22:28, Paul Rogers  wrote:

>
> Likewise, I'm not betting kernel patches will get pushed down to the
> kernels that support those old systems.  ext3 is not supported in the
> latest kernels, so instructions to install the latest kernels will leave
> many systems non-functional.  I think patches need to be pushed back to
> 3.19 kernels.
>
Ext3 can be run as a reduced-functionality ext4 by simply mounting the
partition as ext4 in /etc/fstab.

Richard


Re: [lfs-support] Page Table Isolation

2018-01-05 Thread Ken Moffat
On Fri, Jan 05, 2018 at 02:28:04PM -0800, Paul Rogers wrote:
> I have been searching and reading intently for the past day also.  I am 
> disappointed by the rush to republish and dearth of solid data beyond the 
> Proof of Concept.
> 

Yes, it's hard finding accurate information - the whole thing was
originally under NDA until, I believe, 9th January - but it filtered
out earlier after somebody worked out what some of it was about.

> Apparently in theory Spectre haunts all processors back to the Pentium Pro.  
> There is very little solid evidence of what steppings of what processors are 
> vulnerable.  Intel changes masks often enough that it's NOT clear that every 
> processor will have similar exposure, e.g. the infamous ancient FDIV bug 
> only affected certain steppings of one of the P54 CPUs.  I'm not betting 
> anybody will critically evaluate the older CPUs still in service, e.g. my two 
> Core2 Duos and one Core2 Quad Extreme, i7/940 & 870, even a few Pentium 3's, 
> Coppermine, Tualatin and even Esther.  
> 

Please distinguish the two named vulnerabilities:

Meltdown (one CVE, worked around by PTI and apparently only applying
to Intel, although AMD users who enabled BPF in the kernel might be
affected)

Spectre (two CVEs, apparently affects all Intel CPUs since the
PP, except for some Atoms from before 2013, and similarly all modern
AMD processors, as well as many other architectures).

Meltdown is the initial issue, for Spectre I think it is safe to
assume that all recent x86 except those Atoms can be cracked, given
time.  On a desktop, the main line of attack is probably JIT
compilers such as javascript.  On servers, an attacker running in a
VM to attack the host and other users is probably the most urgent
problem.

Where Intel release new firmware, it will be to mitigate Spectre.
Kernel developers are now able to talk to each other and possible
mitigating steps are under discussion - but I doubt any of them will
be in the 4.15.0 kernel.  But hopefully something will eventually
get into later 4.14 kernels.

> Likewise, I'm not betting kernel patches will get pushed down to the kernels 
> that support those old systems.  ext3 is not supported in the latest kernels, 
> so instructions to install the latest kernels will leave many systems 
> non-functional.  I think patches need to be pushed back to 3.19 kernels.
> 

The ext3 filesystem is still available in 4.14.

But from reading recent posts on lkml, the PTI code in 4.14/4.15 is
very different from the earlier KAISER code that was backported to
4.9 and 4.4 - there seem to be nasty areas, and I would recommend
moving to 4.14 (the current longterm stable release) if you can.

> I'm making plans for patching kernels, and identifying systems that CAN be.  
> But I'll wait a few days for patches to solidify.  There are significant 
> infrastructure issues all around.  Not to mention (Windows & Linux) "kernel" 
> support for all the systems in commercial service in hospitals, grocery 
> stores, and offices that will never be updated.

For all the systems that will never be updated (including most
phones), there isn't a lot we can do.

As for waiting a few days - yes, there are still problems.  I'll be
moving my (home) server (currently LFS-8.1 but running a 4.9 kernel)
to 4.14.12 over the weekend if I have time (and that is not certain),
but I'm expecting that I might have to revert to the current kernel.
This has all been rushed, and much of the rationale was secret, so
it's inevitable that issues will continue to show up for a while.

When this first surfaced, there was talk of using the nopti boot
argument - I am now very reluctant to recommend that unless people
fully understand the vulnerability (I don't) and what they are
running and who can access it.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals


Re: [lfs-support] Page Table Isolation

2018-01-05 Thread Paul Rogers
I have been searching and reading intently for the past day also.  I am 
disappointed by the rush to republish and dearth of solid data beyond the Proof 
of Concept.

Apparently in theory Spectre haunts all processors back to the Pentium Pro.  
There is very little solid evidence of what steppings of what processors are 
vulnerable.  Intel changes masks often enough that it's NOT clear that every 
processor will have similar exposure, e.g. the infamous ancient FDIV bug only 
affected certain steppings of one of the P54 CPUs.  I'm not betting anybody 
will critically evaluate the older CPUs still in service, e.g. my two Core2 
Duos and one Core2 Quad Extreme, i7/940 & 870, even a few Pentium 3's, 
Coppermine, Tualatin and even Esther.  

Likewise, I'm not betting kernel patches will get pushed down to the kernels 
that support those old systems.  ext3 is not supported in the latest kernels, 
so instructions to install the latest kernels will leave many systems 
non-functional.  I think patches need to be pushed back to 3.19 kernels.

I'm making plans for patching kernels, and identifying systems that CAN be.  
But I'll wait a few days for patches to solidify.  There are significant 
infrastructure issues all around.  Not to mention (Windows & Linux) "kernel" 
support for all the systems in commercial service in hospitals, grocery stores, 
and offices that will never be updated.

-- 
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)


[lfs-support] Page Table Isolation

2018-01-04 Thread Ken Moffat
People who follow the news will be aware that big changes have been
rushed into the Linux kernel (and changes are/have been also rolled
out by Microsoft, and apparently by Apple).

There are two vulnerabilities, with the shiny names of Meltdown and
Spectre.  Both refer to ways of userspace finding where the kernel
has been mapped, to try to do harm.   Page Table Isolation addresses
the first of these.  Google claim it affects some AMD processors,
AMD deny this.

This started out under the name of KAISER, as an apparently
theoretical hardening, but at one point (I suppose once those in the
know realised it was a real issue) Forcefully Unmap Complete Kernel
With Interrupt Trampolines was suggested before Page Table Isolation
became the preferred name.

In particular, note that userspace in a VM can exploit this to read
data from the host or other VMs, which is why cloud providers are
updating.

PTI has been pushed into 4.15-rc6 as a matter of urgency, and
added to 4.14.11 with backports to 4.9 and 4.4 in progress.

Most testing, particularly by the 0-day kernel bot, has been on
Intel hardware and running this on AMD has uncovered some problems
which have been addressed in Linus's tree and which will be in
4.14.12.  With 4.14.12, if PTI is selected it will not be used at
runtime on an AMD machine with the default auto option, although I
think it can be forced by specifying the 'pti' boot argument.

If a kernel has been built with PTI, it can be disabled by
specifying 'nopti' in the command line.  Once a kernel has booted,
PTI cannot be enabled or disabled until you reboot.

If you are running with PTI enabled, dmesg will show
 Kernel/User page tables isolation: enabled

Obviously, the effect of this will vary with the workload.  Figures
of 5% to 30% are being suggested.  So, on my SandyBridge i3 I've
been running some build tests, first on 4.14.0 and then on 4.14.11
with PTI.  Please bear in mind that because of the length of time
these tests take, I've only run each set once.  Linux is not a RTOS,
and I have noticed some variation in the past when repeating tests
to measure build times.  I *guess* that a variation of plus or minus
2% is normal.

From these tests, the following points are perhaps worth noting:

kernel compilation : within normal variation (ok, it was quicker on
the newer kernel, but only by 2 seconds)

Running my script to rebuild binutils pass 1 on a completed system
to get an updated SBU : 135.083s became 135.498s so no change.

Building rustc-1.22.1 with Python3, running the tests and doing a
DESTDIR install - 1.2% slower which I regard as within normal
variation.

Building firefox-57.0.3 and installing it in /opt : for this I used
a variation of my normal script (first I tried pasting all the
commands, but obviously got something wrong because rust panicked).
This showed a speed reduction of 5.8% which is significant, but
random screensavers were running and maybe affected this.

git-2.15.1 with the tests : 3.9% slower.

openssl-1.1.0g including make test : 3.4% slower

asymptote-2.41 : within normal variation

QupZilla-2.2.3 : 2.4% slower

ImageMagick-7.0.7-11 : 2.4% slower for the build, but 7.6% slower
running tests/validate.

ffmpeg-3.4.1 (without tests) : within normal variation

My latex-test-20160905 tests : within normal variation.

Summary - although it has been noted that running postgresql on a
laptop was significantly affected by PTI, I think that for most BLFS
users the effect will be slight.

The Spectre vulnerability is more general, and apparently much
harder to exploit.  It is claimed to affect almost all modern
processors.  Apparently, anything using a JIT compiler, e.g.
javascript, can be hacked.  Steps to mitigate this in the kernel
are now being discussed, but this might require additions to gcc.

Intel are also in the process of releasing new firmware for
processors released in the last 5 years.  The current firmware is
now 20171117 but I'm not sure if that is up to date (it might be!)

https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?v=t

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
 - Unseen Academicals
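The checks this post describes (the pti/nopti boot arguments, the auto default on AMD, and the dmesg line), together with Paul Rogers' question earlier in the thread about whether CONFIG_PAGE_TABLE_ISOLATION made it into his i686 4.4.110 build, as an added shell script that is not part of the thread. It assumes the usual locations (/proc/config.gz or /boot/config-<version>, /proc/cmdline, /proc/cpuinfo, dmesg, and the sysfs meltdown file that only newer stable kernels export) and relies on the fact that, in the 4.4/4.9/4.14 series, the Kconfig symbol depends on X86_64, so an i686 .config never offers it.

```shell
#!/bin/sh
# pti_check.sh (added example, not from the thread): is Page Table Isolation
# built in, and active on the running system?  On 4.4.x/4.9.x/4.14.x the
# Kconfig symbol depends on X86_64, so an i686 .config never offers it ("absent").

# pti_config_state <.config text>: prints y, n or absent.
pti_config_state() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$'; then
        echo y
    elif printf '%s\n' "$1" | grep -q '^# CONFIG_PAGE_TABLE_ISOLATION is not set$'; then
        echo n
    else
        echo absent
    fi
}

# pti_cmdline_mode <kernel command line>: prints off, on or auto.  auto is the
# default (PTI off on AMD, on for Intel); nopti overrides any pti= value.
pti_cmdline_mode() {
    mode=auto
    for arg in $1; do
        case "$arg" in
            nopti) echo off; return ;;
            pti=on|pti=off|pti=auto) mode=${arg#pti=} ;;
        esac
    done
    echo "$mode"
}

# pti_runtime_state <dmesg text> <cpuinfo flags line>: enabled or inactive.
# The boot line can scroll out of the dmesg ring buffer, so the CPU flag
# ("pti" on 4.14+, "kaiser" on the 4.4/4.9 backports) is the fallback.
pti_runtime_state() {
    if printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: enabled'; then
        echo enabled
    elif printf '%s\n' "$2" | tr ' ' '\n' | grep -qxE 'pti|kaiser'; then
        echo enabled
    else
        echo inactive
    fi
}

# pti_report: the same checks on the live system.  dmesg may need root when
# CONFIG_SECURITY_DMESG_RESTRICT is set; /proc/config.gz needs CONFIG_IKCONFIG_PROC.
pti_report() {
    cfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    echo "config:  $(pti_config_state "$cfg")"
    echo "cmdline: $(pti_cmdline_mode "$(cat /proc/cmdline)")"
    echo "runtime: $(pti_runtime_state "$(dmesg 2>/dev/null || true)" "$(grep -m1 '^flags' /proc/cpuinfo)")"
    if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then  # newer stable kernels only
        echo "sysfs:   $(cat /sys/devices/system/cpu/vulnerabilities/meltdown)"
    fi
}

[ "${1:-}" = "--live" ] && pti_report  # usage: sh pti_check.sh --live
```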