Re: [lfs-support] Page Table Isolation on AMD Processors
On 11 February 2018 at 19:30, Ken Moffat wrote:
> On Sun, Feb 11, 2018 at 07:10:41PM +, Mark Pokorny wrote:
>> Hi all,
>>
>> I’ve been away for a while, but am back now starting a new SVN build
>> of LFS. Since I’ve been away, however, the Spectre/Meltdown issue has
>> been discussed at length. I’ve been reading through the archives with
>> interest, but unfortunately little understanding.
>>
>> I am currently going through the motions of setting the configuration
>> options for the Linux kernel (4.15.2) and have come across the option
>> for Page Table Isolation. I have an AMD FX8350 processor, and from
>> reading the discussions on this mailing list, I understand that AMD
>> processors are _not_ vulnerable to the Meltdown issue that PTI is
>> supposed to address. So, my question is:
>>
>> tl;dr:
>> Should I compile Page Table Isolation into my kernel even though I
>> have (a pre-Ryzen) AMD processor? It seems some people were having
>> issues when PTI was compiled in, and others state the PTI is not
>> activated at runtime anyway. Any thoughts?
>>
>> Bye!
>>
>> Mark.
>
> Enable it ;)
>
> The statement that it will not be activated at runtime if you are on
> an AMD CPU is correct. OTOH, if you will never use that .config to
> build on a different machine then I suppose it doesn't matter.
>
> ĸen

Cheers! Thanks Ken! Will do! ;)

Mark.
--
http://lists.linuxfromscratch.org/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Do not top post on this list.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

http://en.wikipedia.org/wiki/Posting_style
[lfs-support] Page Table Isolation on AMD Processors
Hi all,

I’ve been away for a while, but am back now starting a new SVN build
of LFS. Since I’ve been away, however, the Spectre/Meltdown issue has
been discussed at length. I’ve been reading through the archives with
interest, but unfortunately little understanding.

I am currently going through the motions of setting the configuration
options for the Linux kernel (4.15.2) and have come across the option
for Page Table Isolation. I have an AMD FX8350 processor, and from
reading the discussions on this mailing list, I understand that AMD
processors are _not_ vulnerable to the Meltdown issue that PTI is
supposed to address. So, my question is:

tl;dr:
Should I compile Page Table Isolation into my kernel even though I
have (a pre-Ryzen) AMD processor? It seems some people were having
issues when PTI was compiled in, and others state the PTI is not
activated at runtime anyway. Any thoughts?

Bye!

Mark.
Re: [lfs-support] Page Table Isolation
On Thu, Jan 11, 2018 at 02:37:49PM -0800, Paul Rogers wrote:
>
> In my investigation I too saw the 4GB/4GB split mentioned but with something
> else that caused me to disregard it--it had been pulled or something.
>
> I have 4GB in my "everyday" Conroes, though the refurb box I dedicate to W10
> so's it can run TurboTax is only 2GB, IIRC. IMO, running a 64-bit OS is a
> plus only if it has more than 4GB to play with.

4GB just about still works ok, although it is getting tight for
compiling modern browsers.

At one time I was thinking about trying X32 (full-width kernel, all
the extra registers, but 32-bit pointers). That was for a low-end AMD
with, ISTR, 1GB RAM (worked great in the early days of x86_64, but the
software got bigger). But that old machine died and 4/8GB is now a
normal size for RAM on a desktop machine, so I didn't bother. And LFS
doesn't support it. If anybody wants to try that, many packages needed
patching - again, gentoo is probably the primary place to look. But
X32 seems to have missed the opportunity to become popular.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
> I would not abandon hope just yet, although the chances are probably
> slim. The *big* target is rented (by the hour or whatever) machines
> and VMs - those are almost wholly x86_64 and that is where people's
> data is most at risk of the Meltdown vulnerability.

Certainly those, but I think there are many boxen "behind the scenes", for
loose definitions of "embedded" something like kiosks, et al., that are
running necessary functions that nobody but installers and maintenance
techs ever sees or thinks about. In '98 or so I pulled into my usual gas
station for a fillup, and one of the pumps had its cover off. I immediately
recognized a 40-pin DIP on the board and had to take a look. It was a 1976
vintage Zilog Z-80 running the gas pump. Computers have snuck in everywhere!

> Gentoo writes: "... Currently, the KPTI patch-set is only available for
> 64-bit Gentoo operating systems. Some 32-bit operating systems (for
> example if you are using 4gb/4gb memory split) are immune because they
> use separate memory maps for kernel and userspace. ..."
>
> Unfortunately not specified what "Some 32-bit operating systems" are.

In my investigation I too saw the 4GB/4GB split mentioned but with something
else that caused me to disregard it--it had been pulled or something.

I have 4GB in my "everyday" Conroes, though the refurb box I dedicate to W10
so's it can run TurboTax is only 2GB, IIRC. IMO, running a 64-bit OS is a
plus only if it has more than 4GB to play with.

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [lfs-support] Page Table Isolation
On Thu, Jan 11, 2018 at 08:03:13PM +0100, Thomas Trepl wrote:
>
> Gentoo writes: "... Currently, the KPTI patch-set is only available for
> 64-bit Gentoo operating systems. Some 32-bit operating systems (for
> example if you are using 4gb/4gb memory split) are immune because they
> use separate memory maps for kernel and userspace. ..."
>
> Unfortunately not specified what "Some 32-bit operating systems" are.
>
> https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
>
From reading two emails which arrived on lkml today:

1. 4GB/4GB was never accepted upstream - it was one of the options for
i686 machines with more than 4GB RAM (PAE etc). I expect gentoo have
patches to add it.

2. Suse have fixing it for their 32-bit kernels on their ToDo list, but
they have nothing at the moment. If it happens it will be at
http://kernel.suse.com

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
On Wednesday, 10.01.2018, 17:10 +, Ken Moffat wrote:
> On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > > > I've just patched one of my older Core2 "Conroe", LFS-7.7, up
> > > > to 4.4.110. It's an i686 system.
> > > >
> > > > Any ideas? TIA.
> > > >
> > >
> > > Looking at my lkml mailbox, patch 02 of 37 for this version added
> >
> > I haven't been able to GET to LKML for 3 days now. It keeps
> > timing-out.
> >
>
> I had the same last night (on the main mirror), but I think there
> used to be more than one mirror site. Haven't tried since, and it
> is irrelevant to this problem.
...
> > > Sorry. I'm afraid 32-bit x86 gets much less love these days.
> >
> > Please, if anyone runs across the 32-bit patch, let me know. There
> > certainly are many 32-bit system still in service!
> >
>
> I asked on lwn, so far the consensus is that a lot of 32-bit x86 is
> embedded and never gets updated anyway. Distros are gradually
> dropping i686, AFAICS nobody has offered a potential fix - but there
> is a PoC exploit at github which can apparently run on i686.
>
> And for Meltdown, although AMD x86_64 is not affected, nobody has
> offered a view on whether or not AMD i686 is affected.
>
> There were some comments on the FreeBSD Questions list (for the
> moment they do not have a fix even for x86_64) that they would hope
> to fix i686 after x86_64 is fixed. But using FreeBSD, for someone
> who understands linux, looks to be very painful. Another poster
> said he *thought* the problem started with the Westmere generation.

Gentoo writes: "... Currently, the KPTI patch-set is only available for
64-bit Gentoo operating systems. Some 32-bit operating systems (for
example if you are using 4gb/4gb memory split) are immune because they
use separate memory maps for kernel and userspace. ..."

Unfortunately not specified what "Some 32-bit operating systems" are.

https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre

--
Thomas
Re: [lfs-support] Page Table Isolation
On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
>
> Please, if anyone runs across the 32-bit patch, let me know. There certainly
> are many 32-bit system still in service!
>
I would not abandon hope just yet, although the chances are probably
slim. The *big* target is rented (by the hour or whatever) machines
and VMs - those are almost wholly x86_64 and that is where people's
data is most at risk of the Meltdown vulnerability.

> Yes, I can run x86-64 on my Conroes, but it's noticeably slower, especially
> for such things as starting X.

For a machine which can run a 64-bit kernel, it used to be possible to
run 32-bit userspace and build a 64-bit kernel by copying pass 1
binutils and gcc, but to create the conventional target (not -lfs-)
and putting them somewhere convenient. Then, after spending time
getting a 64-bit kernel which works (apart from the issues in
configuring the kernel, the -cross- binutils and gcc need to be on the
PATH for the user who builds the kernel, and also for root or whoever
is running module_install) you need to change the initscripts so that
linux32 is invoked - that should let your existing C and C++ compilers
think you are running on i686.

I've done that in the past when I used a sluggish powerpc64 mac "G5"
which required a 64-bit kernel. All the userspace was plain 32-bit ppc.

I also did something similar recently when trying to bring up an old
machine as i686 (copy a working 64-bit kernel and modules, and use
linux32 while trying to get a working i686 kernel built - in the end I
couldn't use that (or i686 devuan) to build a fresh 32-bit LFS, but I
did manage to get an adequate i686 kernel built. And no, I have no
interest in trying to get a successful build there, too busy on other
things.

One thing which might now break building a 64-bit kernel on 32-bit, I
suppose, is extra dependencies - in particular perl, flex, and
(depending on your kernel config) elfutils and I think openssl was also
mentioned (I don't need the latter for my kernel).

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
> Uuh, not that I'm aware of that in .10 the PTI stuff was implemented.
> In that .10-system, "cat /proc/cpuinfo" shows nothing in the "bugs:"
> line (while .12 says "bugs: cpu_insecure") and there is nothing about
> KPTI in dmesg when booting the .10.

I've just upgraded my LFS-7.10 system to 4.9.75 and dmesg shows:
...
[0.00] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[0.00] Kernel/User page tables isolation: enabled
[0.00] Hierarchical RCU implementation.
...
I made sure to look for it! ;-)

> I have no idea about the changes with each generation, but for
> recent models, provided hyperthreading is enabled, linux sees 8
> cores in this situation - depending on the kernel config, it might
> slightly change how things are scheduled, but overall it rotates
> jobs between all cores.

True, there is scheduling being done at the OS level, and the
hyperthreading chips are telling the OS, "Give me two threads to do, I can
handle it." But there is also a scheduling process going on *within* the
processor as the two threads vie for processing elements within the
pipeline. There are differences between different architectures, but the
best evidence for competitive bottlenecks within a hyperthreaded CPU is
that Intel only claimed a 30% performance improvement (I believe on the
single core P4D). My dual core Conroes will give much more because each
pipeline is separate, without contention, and the cores only compete for
L2 cache and the off-chip Bus Interface.

> The difference with hyperthreading is that things like
> floating-point get shared between siblings.

More than that! See this for the Nehalem internals:
https://upload.wikimedia.org/wikipedia/commons/6/64/Intel_Nehalem_arch.svg

> If I watch 'top' (recent version) I can see an activity line for
> each core. And the activity moves around.

Indeed, but that's at the OS dispatching level. If you could get fine
enough granularity, again depending on specific CPU architecture, you'd see
that the "raw" performance of those "cores" either 1) split into two
groups, or 2) change depending on whether there is one or two threads
running in the core.

> I asked on lwn, so far the consensus is that a lot of 32-bit x86 is
> embedded and never gets updated anyway. Distros are gradually
> dropping i686, AFAICS nobody has offered a potential fix - but there
> is a PoC exploit at github which can apparently run on i686.

Yeah, kernel devs always get the latest and greatest HW, so it's not their
ox getting gored. It's so easy for them to presume nothing else matters.
If you're on LKML, please tell them their assumption is wrong! The 32-bit
systems are still vulnerable, still doing important jobs, and if updating
the software is going to be difficult, replacing the hardware in a timely
fashion is very much more so. What kind of important jobs? How about all
the infrastructure we all depend upon? Like having potable water coming
out of the tap?

> said he *thought* the problem started with the Westmere generation.

So the guys who found it and said it affected everything since PPro were
wrong? Maybe he should tell them.

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [lfs-support] Page Table Isolation
On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > > I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.
> > > It's an i686 system.
> > >
> > > Any ideas? TIA.
> > >
> >
> > Looking at my lkml mailbox, patch 02 of 37 for this version added
>
> I haven't been able to GET to LKML for 3 days now. It keeps timing-out.
>
I had the same last night (on the main mirror), but I think there
used to be more than one mirror site. Haven't tried since, and it
is irrelevant to this problem.
...
> > Sorry. I'm afraid 32-bit x86 gets much less love these days.
>
> Please, if anyone runs across the 32-bit patch, let me know. There certainly
> are many 32-bit system still in service!
>
I asked on lwn, so far the consensus is that a lot of 32-bit x86 is
embedded and never gets updated anyway. Distros are gradually
dropping i686, AFAICS nobody has offered a potential fix - but there
is a PoC exploit at github which can apparently run on i686.

And for Meltdown, although AMD x86_64 is not affected, nobody has
offered a view on whether or not AMD i686 is affected.

There were some comments on the FreeBSD Questions list (for the
moment they do not have a fix even for x86_64) that they would hope
to fix i686 after x86_64 is fixed. But using FreeBSD, for someone
who understands linux, looks to be very painful. Another poster
said he *thought* the problem started with the Westmere generation.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
On Tue, Jan 09, 2018 at 03:02:27PM -0800, Paul Rogers wrote:
> > On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > > I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.
> > > It's an i686 system.
> > >
> > > Any ideas? TIA.
> > >
> >
> > Looking at my lkml mailbox, patch 02 of 37 for this version added
>
> I haven't been able to GET to LKML for 3 days now. It keeps timing-out.
>
> > Sorry. I'm afraid 32-bit x86 gets much less love these days.
>
> Please, if anyone runs across the 32-bit patch, let me know. There certainly
> are many 32-bit system still in service!
>
> Yes, I can run x86-64 on my Conroes, but it's noticeably slower, especially
> for such things as starting X.
>
> > Measuring LFS builds looks a bit different to me (column 2+3 are build
> > times in seconds and may not be 100% accurate but the trend is clear):
> >
> > Package             4.14.10   .12   Ratio
> >
> > 034-binutils-pass1       97   113   1,16
> > 035-gcc-pass1           261   296   1,13
> > 036-linux-headers         6    17   2,83
> > 037-glibc               149   178   1,19
>
> AIUI chips, such as my elderly i7-940, are actually 4 cores that pretend to
> have 8 using the hyperthreading introduced with the Pentium-D. The
> hyperthreaded core is scheduled on an "as resources are available" basis--the
> "real" core has priority. Performance figures I saw back in the day showed a
> hyperthreaded system provided at most 140% of the equivalent single
> core--certainly worth having, but NOT 200%.
>
I have no idea about the changes with each generation, but for
recent models, provided hyperthreading is enabled, linux sees 8
cores in this situation - depending on the kernel config, it might
slightly change how things are scheduled, but overall it rotates
jobs between all cores.

The difference with hyperthreading is that things like
floating-point get shared between siblings.

If I watch 'top' (recent version) I can see an activity line for
each core. And the activity moves around.

> "Wikipedia: According to Intel, the first hyper-threading implementation used
> only 5% more die area than the comparable non-hyperthreaded processor, but
> the performance was 15–30% better. Intel claims up to a 30% performance
> improvement compared with an otherwise identical, non-simultaneous
> multithreading Pentium 4."
>
> So exactly what preceded the build would change the way tasks got assigned
> to the next available "core", hence what ran on real cores vs hyperthreaded
> "cores" and different timings.
>
ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
> On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> > I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.
> > It's an i686 system.
> >
> > Any ideas? TIA.
> >
>
> Looking at my lkml mailbox, patch 02 of 37 for this version added

I haven't been able to GET to LKML for 3 days now. It keeps timing-out.

> Sorry. I'm afraid 32-bit x86 gets much less love these days.

Please, if anyone runs across the 32-bit patch, let me know. There certainly
are many 32-bit system still in service!

Yes, I can run x86-64 on my Conroes, but it's noticeably slower, especially
for such things as starting X.

> Measuring LFS builds looks a bit different to me (column 2+3 are build
> times in seconds and may not be 100% accurate but the trend is clear):
>
> Package             4.14.10   .12   Ratio
>
> 034-binutils-pass1       97   113   1,16
> 035-gcc-pass1           261   296   1,13
> 036-linux-headers         6    17   2,83
> 037-glibc               149   178   1,19

AIUI chips, such as my elderly i7-940, are actually 4 cores that pretend to
have 8 using the hyperthreading introduced with the Pentium-D. The
hyperthreaded core is scheduled on an "as resources are available" basis--the
"real" core has priority. Performance figures I saw back in the day showed a
hyperthreaded system provided at most 140% of the equivalent single
core--certainly worth having, but NOT 200%.

"Wikipedia: According to Intel, the first hyper-threading implementation used
only 5% more die area than the comparable non-hyperthreaded processor, but
the performance was 15–30% better. Intel claims up to a 30% performance
improvement compared with an otherwise identical, non-simultaneous
multithreading Pentium 4."

So exactly what preceded the build would change the way tasks got assigned
to the next available "core", hence what ran on real cores vs hyperthreaded
"cores" and different timings.

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [lfs-support] Page Table Isolation
On Tue, Jan 09, 2018 at 07:32:01PM +0100, Thomas Trepl wrote:
> > [0.00] Kernel/User page tables isolation: enabled
> >
> > then it should be active. At least on x64_64 such a line comes up
> > (with 4.14.12).
> >
> > Will do a i686 build today...
>
> Did so. Looks like the KPTI stuff is somehow different (if at all)
> implemented for 32bit kernels. Indeed, the option to select
> CONFIG_PAGE_TABLE_ISOLATION isn't available and when booting a fresh
> i686-4.14.12 kernel it does not show the "Kernel/User page tables
> isolation: enabled" message. Haven't found much info about KPTI on i686
> yet. Nevertheless, when running the i686 kernel on a Xeon-E3-1245
> /proc/cpuinfo says "bugs : cpu_insecure". So, at least a bit has
> changed for 32bit-kernels, too.
>
> Does anyone have more insights here?
>
See my reply from last night or early this morning - it looks as if
PTI is not available on 32-bit x86.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
On Monday, 08.01.2018, 16:14 -0800, Paul Rogers wrote:
> I've just patched one of my older Core2 "Conroe", LFS-7.7, up to
> 4.4.110. It's an i686 system. With each minor-version patch "make
> oldconfig" was run. I saw no kernel config parameter for
> PAGE_TABLE_ISOLATION when I rebuilt the patched kernel. I can find
> no evidence it has been built into this kernel. I did get some hits
> for "kaiser" in the source code, arch/x86/mm/kaiser.c, and the
> mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION. The make log I
> kept does not contain the string "kaiser", nor does /boot/System.map.
>
> Any ideas? TIA.
>
You could check dmesg after reboot. If there is a line like

[0.00] Kernel/User page tables isolation: enabled

then it should be active. At least on x64_64 such a line comes up
(with 4.14.12).

Will do a i686 build today...

--
Thomas
Re: [lfs-support] Page Table Isolation
On Mon, Jan 08, 2018 at 04:14:50PM -0800, Paul Rogers wrote:
> I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.
> It's an i686 system. With each minor-version patch "make oldconfig" was run.
> I saw no kernel config parameter for PAGE_TABLE_ISOLATION when I rebuilt the
> patched kernel. I can find no evidence it has been built into this kernel.
> I did get some hits for "kaiser" in the source code, arch/x86/mm/kaiser.c,
> and the mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION. The make log I
> kept does not contain the string "kaiser", nor does /boot/System.map.
>
> Any ideas? TIA.
>
Looking at my lkml mailbox, patch 02 of 37 for this version added
KAISER, including apparently CONFIG_KAISER - but it depends on x86_64.

Hmm, looking at 4.14.12 PAGE_TABLE_ISOLATION also depends on x86_64.

Looks like there is nothing for 32-bit x86.

Sorry. I'm afraid 32-bit x86 gets much less love these days.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
I've just patched one of my older Core2 "Conroe", LFS-7.7, up to 4.4.110.
It's an i686 system. With each minor-version patch "make oldconfig" was run.
I saw no kernel config parameter for PAGE_TABLE_ISOLATION when I rebuilt the
patched kernel. I can find no evidence it has been built into this kernel.
I did get some hits for "kaiser" in the source code, arch/x86/mm/kaiser.c,
and the mm/Makefile looks for CONFIG_PAGE_TABLE_ISOLATION. The make log I
kept does not contain the string "kaiser", nor does /boot/System.map.

Any ideas? TIA.

Here's the config file's security options (not mentioned):

#
# Security options
#
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_YAMA is not set
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_ASYNC_PQ=y
CONFIG_ASYNC_RAID6_RECOV=y
CONFIG_CRYPTO=y

#
# Crypto core or helper
#

> > The ext3 filesystem is still available in 4.14.
>
> I read it wasn't:
> "KernelNewbies: 4.3

Apparently that source was wrong.

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
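The thread gives three ways to tell whether a kernel is actually protecting against Meltdown: Thomas's dmesg line, Paul's and Thomas's "bugs" field in /proc/cpuinfo (cpu_insecure in 4.14.12-era kernels, later renamed cpu_meltdown), and Ken's observation that CONFIG_PAGE_TABLE_ISOLATION simply does not exist on a 32-bit build. The script below is an added example, not code posted by any list member; it folds those checks into one script and also reads /sys/devices/system/cpu/vulnerabilities/meltdown, which kernels from 4.15 on provide and which none of the 4.4/4.9/4.14 kernels in the thread have. The dmesg, cpuinfo and .config samples are constructed, and the verdict labels are my own naming.

```shell
#!/bin/sh
# Added example (not from the list thread): classify a machine's Meltdown/PTI
# status from the places the thread talks about. Every function takes the text
# to inspect as an argument, so it works on saved output from another machine
# as well as live (run with --live for the machine it is executed on).

# .config text: "built-in", "disabled", or "not-available" when the option is
# absent (a 32-bit build, a pre-KPTI kernel, or a config that was not supplied).
config_pti() {
    case "$1" in
        *"CONFIG_PAGE_TABLE_ISOLATION=y"*)          echo built-in ;;
        *"CONFIG_PAGE_TABLE_ISOLATION is not set"*) echo disabled ;;
        *)                                          echo not-available ;;
    esac
}

# dmesg text: "enabled", "disabled" (booted with nopti), or "unknown" when the
# message is absent (unpatched kernel, or the ring buffer already wrapped).
pti_from_dmesg() {
    printf '%s\n' "$1" | awk '
        /Kernel\/User page tables isolation: enabled/  { print "enabled";  found = 1; exit }
        /Kernel\/User page tables isolation: disabled/ { print "disabled"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# /proc/cpuinfo text: "flagged" if the bugs field lists cpu_insecure or
# cpu_meltdown, "not-flagged" if the field exists without them, and
# "no-bugs-line" if this kernel does not report the field at all.
cpuinfo_meltdown_flag() {
    printf '%s\n' "$1" | awk -F: '
        $1 ~ /^bugs[[:space:]]*$/ {
            if ($2 ~ /cpu_insecure|cpu_meltdown/) print "flagged"; else print "not-flagged"
            found = 1; exit
        }
        END { if (!found) print "no-bugs-line" }'
}

# sysfs text (4.15+); pass "" when the file does not exist.
meltdown_from_sysfs() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Verdict from dmesg text ($1), cpuinfo text ($2) and sysfs text ($3).
# A "not-flagged" bugs line is deliberately NOT reported as "not affected":
# a kernel older than the KPTI backports (the 4.4.110 i686 case in the thread)
# has a bugs line too and simply does not know about Meltdown yet.
meltdown_verdict() {
    sysfs=$(meltdown_from_sysfs "$3")
    if [ "$sysfs" != unknown ]; then echo "$sysfs"; return 0; fi
    case "$(cpuinfo_meltdown_flag "$2"):$(pti_from_dmesg "$1")" in
        flagged:enabled)  echo mitigated ;;
        flagged:disabled) echo vulnerable ;;
        flagged:*)        echo flagged-pti-unknown ;;
        not-flagged:*)    echo not-flagged-by-kernel ;;
        *)                echo unknown ;;
    esac
}

# Constructed samples (not real captures) standing in for cases in the thread.
SAMPLE_DMESG_PTI='[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] Kernel/User page tables isolation: enabled
[    0.000000] Hierarchical RCU implementation.'
SAMPLE_DMESG_NONE='[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] Hierarchical RCU implementation.'
SAMPLE_CPUINFO_INTEL=$(printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse\nbugs\t\t: cpu_insecure\n')
SAMPLE_CPUINFO_AMD=$(printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse\nbugs\t\t: fxsave_leak sysret_ss_attrs\n')
SAMPLE_CPUINFO_OLD=$(printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse\n')
SAMPLE_CONFIG_X86_64='CONFIG_X86_64=y
CONFIG_PAGE_TABLE_ISOLATION=y'
SAMPLE_CONFIG_I686='CONFIG_X86_32=y
CONFIG_SECURITY=y'

# Live report; every read tolerates the source being absent or unreadable.
# Pass your .config via CONFIG_FILE if the kernel has no /proc/config.gz.
report_live() {
    cfg=""
    if [ -n "${CONFIG_FILE:-}" ] && [ -r "$CONFIG_FILE" ]; then cfg=$(cat "$CONFIG_FILE")
    elif [ -r /proc/config.gz ]; then cfg=$(zcat /proc/config.gz 2>/dev/null); fi
    sysfs=""
    [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ] && \
        sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown)
    dm=$(dmesg 2>/dev/null)
    ci=$(cat /proc/cpuinfo 2>/dev/null)
    echo "config:  $(config_pti "$cfg")"
    echo "dmesg:   $(pti_from_dmesg "$dm")"
    echo "cpuinfo: $(cpuinfo_meltdown_flag "$ci")"
    echo "sysfs:   $(meltdown_from_sysfs "$sysfs")"
    echo "verdict: $(meltdown_verdict "$dm" "$ci" "$sysfs")"
}

if [ "${1:-}" = --live ]; then report_live; fi
```

Run it as `sh pti-check.sh --live` on the machine in question, or `sh pti-check.sh` and call the functions on saved text. The verdict is conservative on purpose: only the 4.15+ sysfs file says "not affected" outright, so an AMD box on 4.14.12 reports "not-flagged-by-kernel", and a 4.4.110 i686 kernel with no Meltdown knowledge reports "unknown" rather than a false all-clear.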
Re: [lfs-support] Page Table Isolation
>> Likewise, I'm not betting kernel patches will get pushed down
>> to the kernels that support those old systems. ext3 is not
>> supported in the latest kernels, so instructions to install
>> the latest kernels will leave many systems non-functional.
>> I think patches need to be pushed back to 3.19 kernels.
>
> The ext3 filesystem is still available in 4.14.

I read it wasn't:
"KernelNewbies: Linux_4.3
Last updated at 2017-12-30 01:30:22
Linux 4.3 has been released on 1 Nov 2015
Summary: This release removes the ext3 filesystem and leaves Ext4, which
can also mount Ext3 filesystems, as the main Ext filesystem; "

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [lfs-support] Page Table Isolation
On Thu, Jan 04, 2018 at 10:13:16PM +, Ken Moffat wrote:

[ Correcting my erroneous comment on the skylake firmware, although it's so embarrassing that I was strongly tempted not to bother. ]

> >
> > Intel are also in the process of releasing new firmware for
> > processors released in the last 5 years. The current firmware is
> > now 20171117 but I'm not sure if that is up to date (it might be!)
> >
> > https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?v=t
> >
> Well, whatever else that does, it does NOT contain anything new for
> my SandyBridge (I didn't really expect any update, it is more than 5
> years old), but also nothing new for my Haswell, which I had thought
> might get an update.
>
> There _is_ a different file for my Skylake, but it doesn't load
> (trying late loading, dmesg reported something like 'unable to
> save', and using it for early loading did not load, and it was a
> PITA to get the earlier firmware loaded (early loading didn't
> happen, but I've now extracted it again to /lib/firmware and managed
> late loading).
>

I've just updated the Skylake to 4.14.12. Embarrassingly, I discovered my grub entries for this system didn't specify any initrd (for firmware). Using the debian firmware, which includes fixes for one of the Spectre vulnerabilities (and where there was an update for my Haswell), I'm again on 0xba from April. And although the new intel firmware had a different md5sum, after again altering grub.cfg and rebooting, it is still 0xba.

Summary - apart from my local errors, for the moment most intel CPUs do NOT have new firmware to mitigate Spectre.

Still no idea why late loading on the "new" firmware failed.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
On 5 January 2018 at 22:28, Paul Rogers wrote:
>
> Likewise, I'm not betting kernel patches will get pushed down to the
> kernels that support those old systems. ext3 is not supported in the
> latest kernels, so instructions to install the latest kernels will leave
> many systems non-functional. I think patches need to be pushed back to
> 3.19 kernels.
>

Ext3 can be run as a reduced-functionality ext4 by simply mounting the partition as ext4 in /etc/fstab.

Richard
Re: [lfs-support] Page Table Isolation
On Fri, Jan 05, 2018 at 02:28:04PM -0800, Paul Rogers wrote:
> I have been searching and reading intently for the past day also. I am
> disappointed by the rush to republish and dearth of solid data beyond the
> Proof of Concept.
>

Yes, it's hard finding accurate information - the whole thing was originally under NDA until, I believe, 9th January - but it filtered out earlier after somebody worked out what some of it was about.

> Apparently in theory Spectre haunts all processors back to the Pentium Pro.
> There is very little solid evidence of what steppings of what processors are
> vulnerable. Intel changes masks often enough that it's NOT clear that every
> processor will have similar exposure, e.g. the infamous ancient FDIV bug
> only affected certain steppings of one of the P54 CPUs. I'm not betting
> anybody will critically evaluate the older CPUs still in service, e.g. my two
> Core2 Duos and one Core2 Quad Extreme, i7/940 & 870, even a few Pentium 3's,
> Coppermine, Tualatin and even Esther.
>

Please distinguish the two named vulnerabilities:

Meltdown (one CVE, worked around by PTI and apparently only applying to Intel, although AMD users who enabled BPF in the kernel might be affected)

Spectre (two CVEs, apparently affects all Intel CPUs since the PP, except for some Atoms from before 2013, and similarly all modern AMD processors, as well as many other architectures).

Meltdown is the initial issue; for Spectre I think it is safe to assume that all recent x86 except those Atoms can be cracked, given time. On a desktop, the main line of attack is probably JIT compilers such as javascript. On servers, an attacker running in a VM to attack the host and other users is probably the most urgent problem.

Where Intel release new firmware, it will be to mitigate Spectre.

Kernel developers are now able to talk to each other and possible mitigating steps are under discussion - but I doubt any of them will be in the 4.15.0 kernel. But hopefully something will eventually get into later 4.14 kernels.

> Likewise, I'm not betting kernel patches will get pushed down to the kernels
> that support those old systems. ext3 is not supported in the latest kernels,
> so instructions to install the latest kernels will leave many systems
> non-functional. I think patches need to be pushed back to 3.19 kernels.
>

The ext3 filesystem is still available in 4.14.

But from reading recent posts on lkml, the PTI code in 4.14/4.15 is very different from the earlier KAISER code that was backported to 4.9 and 4.4 - there seem to be nasty areas, and I would recommend moving to 4.14 (the current longterm stable release) if you can.

> I'm making plans for patching kernels, and identifying systems that CAN be.
> But I'll wait a few days for patches to solidify. There are significant
> infrastructure issues all around. Not to mention (Windows & Linux) "kernel"
> support for all the systems in commercial service in hospitals, grocery
> stores, and offices that will never be updated.

For all the systems that will never be updated (including most phones), there isn't a lot we can do.

As for waiting a few days - yes, there are still problems. I'll be moving my (home) server (currently LFS-8.1 but running a 4.9 kernel) to 4.14.12 over the weekend if I have time (and that is not certain), but I'm expecting that I might have to revert to the current kernel. This has all been rushed, and much of the rationale was secret, so it's inevitable that issues will continue to show up for a while.

When this first surfaced, there was talk of using the nopti boot argument - I am now very reluctant to recommend that unless people fully understand the vulnerability (I don't) and what they are running and who can access it.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
Re: [lfs-support] Page Table Isolation
I have been searching and reading intently for the past day also. I am disappointed by the rush to republish and dearth of solid data beyond the Proof of Concept.

Apparently in theory Spectre haunts all processors back to the Pentium Pro. There is very little solid evidence of what steppings of what processors are vulnerable. Intel changes masks often enough that it's NOT clear that every processor will have similar exposure, e.g. the infamous ancient FDIV bug only affected certain steppings of one of the P54 CPUs. I'm not betting anybody will critically evaluate the older CPUs still in service, e.g. my two Core2 Duos and one Core2 Quad Extreme, i7/940 & 870, even a few Pentium 3's, Coppermine, Tualatin and even Esther.

Likewise, I'm not betting kernel patches will get pushed down to the kernels that support those old systems. ext3 is not supported in the latest kernels, so instructions to install the latest kernels will leave many systems non-functional. I think patches need to be pushed back to 3.19 kernels.

I'm making plans for patching kernels, and identifying systems that CAN be. But I'll wait a few days for patches to solidify. There are significant infrastructure issues all around. Not to mention (Windows & Linux) "kernel" support for all the systems in commercial service in hospitals, grocery stores, and offices that will never be updated.

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
[lfs-support] Page Table Isolation
People who follow the news will be aware that big changes have been rushed into the linux kernel (and changes are/have been also rolled out by microsoft, and apparently by apple).

There are two vulnerabilities, with the shiny names of Meltdown and Spectre. Both refer to ways of userspace finding where the kernel has been mapped, to try to do harm.

Page Table Isolation addresses the first of these. Google claim it affects some AMD processors, AMD deny this. This started out under the name of KAISER, as an apparently theoretical hardening, but at one point (I suppose once those in the know realised it was a real issue) Forcefully Unmap Complete Kernel With Interrupt Trampolines was suggested before Page Table Isolation became the preferred name.

In particular, note that userspace in a VM can exploit this to read data from the host or other VMs, which is why cloud providers are updating.

PTI has been pushed into 4.15-rc6 as a matter of urgency, and added to 4.14.11 with backports to 4.9 and 4.4 in progress. Most testing, particularly by the 0-day kernel bot, has been on Intel hardware and running this on AMD has uncovered some problems which have been addressed in linus's tree and which will be in 4.14.12.

With 4.14.12, if PTI is selected it will not be used at runtime on an AMD machine with the default auto option, although I think it can be forced by specifying the 'pti' boot argument. If a kernel has been built with PTI, it can be disabled by specifying 'nopti' in the command line. Once a kernel has booted, PTI cannot be enabled or disabled until you reboot.

If you are running with PTI enabled, dmesg will show

Kernel/User page tables isolation: enabled

Obviously, the effect of this will vary with the workload. Figures of 5% to 30% are being suggested. So, on my SandyBridge i3 I've been running some build tests, first on 4.14.0 and then on 4.14.11 with PTI. Please bear in mind that because of the length of time these tests take, I've only run each set once. Linux is not a RTOS, and I have noticed some variation in the past when repeating tests to measure build times. I *guess* that a variation of plus or minus 2% is normal.

From these tests, the following points are perhaps worth noting:

kernel compilation : within normal variation (ok, it was quicker on the newer kernel, but only by 2 seconds)

Running my script to rebuild binutils pass 1 on a completed system to get an updated SBU : 135.083s became 135.498s so no change.

Building rustc-1.22.1 with Python3, running the tests and doing a DESTDIR install - 1.2% slower which I regard as within normal variation.

Building firefox-57.0.3 and installing it in /opt : for this I used a variation of my normal script (first I tried pasting all the commands, but obviously got something wrong because rust panicked). This showed a speed reduction of 5.8% which is significant, but random screensavers were running and maybe affected this.

git-2.15.1 with the tests : 3.9% slower.

openssl-1.1.0g including make test : 3.4% slower

asymptote-2.41 : within normal variation

QupZilla-2.2.3 : 2.4% slower

ImageMagick-7.0.7-11 : 2.4% slower for the build, but 7.6% slower running tests/validate.

ffmpeg-3.4.1 (without tests) : within normal variation

My latex-test-20160905 tests : within normal variation.

Summary - although it has been noted that running postgresql on a laptop was significantly affected by PTI, I think that for most BLFS users the effect will be slight.

The Spectre vulnerability is more general, and apparently much harder to exploit. It is claimed to affect almost all modern processors. Apparently, anything using a JIT compiler, e.g. javascript, can be hacked. Steps to mitigate this in the kernel are now being discussed, but this might require additions to gcc.

Intel are also in the process of releasing new firmware for processors released in the last 5 years. The current firmware is now 20171117 but I'm not sure if that is up to date (it might be!)

https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?v=t

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather boots with stiletto heels for such a barefaced truth.
- Unseen Academicals
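Two questions run through this thread: is PTI built into a given kernel at all (Paul's question about his 4.4.110 build, where neither the make log nor System.map shows any trace of it), and is it actually active at runtime (Ken's note that 4.14.12 auto-disables it on AMD, that 'nopti' turns it off, and that dmesg reports "Kernel/User page tables isolation: enabled" when it is on). The script below is an added example, not code from the list or from LFS, that answers both from a kernel config and a kernel log. The config option and the dmesg line are the ones named in the thread; the sysfs file under /sys/devices/system/cpu/vulnerabilities/ is an assumption about newer kernels than the ones discussed here and is only consulted if present. The sample config and log files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lfs-support thread): report whether Page Table
# Isolation is compiled into a kernel and whether it was enabled at boot.
# Signals used:
#   1. kernel config:  CONFIG_PAGE_TABLE_ISOLATION=y
#   2. kernel log:     "Kernel/User page tables isolation: enabled"
#   3. (assumed, newer kernels only) /sys/devices/system/cpu/vulnerabilities/meltdown

# pti_built_in CONFIG_FILE -> exit 0 if the option is enabled in the config.
# A "# CONFIG_PAGE_TABLE_ISOLATION is not set" line, or no line at all
# (an older tree without the KAISER/PTI backport), both count as not built.
pti_built_in() {
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$1"
}

# pti_active_in_log LOG_FILE -> exit 0 if the kernel reported PTI enabled.
pti_active_in_log() {
    grep -q 'Kernel/User page tables isolation: enabled' "$1"
}

# pti_status CONFIG_FILE LOG_FILE -> prints one of:
#   active            built in and enabled at boot
#   built-not-active  built in, but not enabled (AMD auto-detect, 'nopti',
#                     or the log simply does not cover the boot messages)
#   not-built         option absent or disabled in the config
pti_status() {
    if ! pti_built_in "$1"; then
        echo not-built
    elif pti_active_in_log "$2"; then
        echo active
    else
        echo built-not-active
    fi
}

# pti_status_live -> the same classification for the running kernel.
# Assumes the config is readable via /proc/config.gz or /boot/config-<release>
# and that dmesg still holds the boot messages (it may have wrapped).
pti_status_live() {
    tmpcfg=$(mktemp); tmplog=$(mktemp)
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$tmpcfg"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$tmpcfg"
    fi
    dmesg > "$tmplog" 2>/dev/null || true
    pti_status "$tmpcfg" "$tmplog"
    # Assumed sysfs summary on kernels newer than those in the thread.
    if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then
        cat /sys/devices/system/cpu/vulnerabilities/meltdown
    fi
    rm -f "$tmpcfg" "$tmplog"
}

# Constructed sample inputs (not captured from any real machine): two configs
# and two logs, covering every branch of pti_status. Left in place so the
# files can be inspected after the run.
SAMPLE_DIR=$(mktemp -d)
printf 'CONFIG_SECURITY=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$SAMPLE_DIR/cfg_pti"
printf 'CONFIG_SECURITY=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\n' > "$SAMPLE_DIR/cfg_nopti"
printf '[    0.000000] Linux version 4.14.12 (constructed sample)\n[    0.000000] Kernel/User page tables isolation: enabled\n' > "$SAMPLE_DIR/log_pti"
printf '[    0.000000] Linux version 4.14.12 (constructed sample)\n' > "$SAMPLE_DIR/log_nopti"

pti_status "$SAMPLE_DIR/cfg_pti"   "$SAMPLE_DIR/log_pti"     # active
pti_status "$SAMPLE_DIR/cfg_pti"   "$SAMPLE_DIR/log_nopti"   # built-not-active
pti_status "$SAMPLE_DIR/cfg_nopti" "$SAMPLE_DIR/log_pti"     # not-built
```

On a real system run pti_status_live as root (dmesg may be restricted to root depending on CONFIG_SECURITY_DMESG_RESTRICT, which Paul's config shows unset). "built-not-active" on a machine where the log has wrapped is inconclusive; re-check from a fresh boot or, on a kernel that has it, from the sysfs file.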