Linux Looks To Change The Default For Some Of Its Spectre Mitigations

  • Linux Looks To Change The Default For Some Of Its Spectre Mitigations

    Phoronix: Linux Looks To Change The Default For Some Of Its Spectre Mitigations

    Upstream Linux kernel developers are looking at changing some of their Spectre mitigation defaults around what's applied to SECCOMP threads by default in part due to the performance hit as well as other reasons...

    http://www.phoronix.com/scan.php?pag...ECCOMP-Default

  • #2
    I wonder who designs these adorable vulnerability mascots/logos? So cute!
    I also wonder how much safer it is to use a Ryzen system instead... I guess it depends on which generation, and perhaps there's no clear answer.


    • #3
      Originally posted by horizonbrave
      I wonder who designs these adorable vulnerability mascots/logos? So cute!
      I also wonder how much safer it is to use a Ryzen system instead... I guess it depends on which generation, and perhaps there's no clear answer.
      Clear answer;
      PHP Code:
      uname -r && cd /sys/devices/system/cpu/vulnerabilities && grep . *
      5.7.0-odroid-arm64
      itlb_multihit:Not affected
      l1tf:Not affected
      mds:Not affected
      meltdown:Not affected
      spec_store_bypass:Not affected
      spectre_v1:Mitigation: __user pointer sanitization
      spectre_v2:Not affected
      tsx_async_abort:Not affected
      11th gen Intel vs whatever inconsistent AMD naming is current are similarly more vulnerable than the less speculative ARM options. Phoronix will sometimes list mitigations in the details at the beginning of the article for your comparative pleasure.

      Rpi is slow or vulnerable;
      https://openbenchmarking.org/embed.p...01ba9d9c39&p=2

      Intel is vulnerable but at least has good Linux support;
      https://openbenchmarking.org/embed.p...72af9a1e27&p=2

      AMD is vulnerable but at least is fast;
      https://openbenchmarking.org/embed.p...ha=cc4b260&p=2

      Last edited by elatllat; 05 November 2020, 08:59 AM.


      • #4
        Originally posted by horizonbrave
        I also wonder how much safer it is to use a Ryzen system instead... I guess it depends on which generation, and perhaps there's no clear answer.
        If you buy a CPU based on thinking it's safer, tomorrow it might not be; a year later it might be once again. There are no guarantees. Up until the flaws were made public, everyone thought there wasn't any problem at all. So just pick something that works for you and enjoy.


        • #5
          Which CPUs will be affected?


          • #6
            Originally posted by elatllat

            Clear answer;
            PHP Code:
            uname -r && cd /sys/devices/system/cpu/vulnerabilities && grep . *
            5.7.0-odroid-arm64
            itlb_multihit:Not affected
            l1tf:Not affected
            mds:Not affected
            meltdown:Not affected
            spec_store_bypass:Not affected
            spectre_v1:Mitigation: __user pointer sanitization
            spectre_v2:Not affected
            tsx_async_abort:Not affected
            11th gen Intel vs whatever inconsistent AMD naming is current are similarly more vulnerable than the less speculative ARM options. Phoronix will sometimes list mitigations in the details at the beginning of the article for your comparative pleasure.

            Rpi is slow or vulnerable;
            https://openbenchmarking.org/embed.p...01ba9d9c39&p=2

            Intel is vulnerable but at least has good Linux support;
            https://openbenchmarking.org/embed.p...72af9a1e27&p=2

            AMD is vulnerable but at least is fast;
            https://openbenchmarking.org/embed.p...ha=cc4b260&p=2

            You could check with https://github.com/speed47/spectre-meltdown-checker
            For a Ryzen 5 2600 it gives me:
            Code:
            Spectre and Meltdown mitigation detection tool v0.43-21-g9e87439 
            
            Checking for vulnerabilities on current system
            Kernel is Linux 5.3.0-64-generic #58-Ubuntu SMP Fri Jul 10 19:33:51 UTC 2020 x86_64
            CPU is AMD Ryzen 5 2600 Six-Core Processor
            
            Hardware check
            * Hardware support (CPU microcode) for mitigation techniques
             * Indirect Branch Restricted Speculation (IBRS)
               * SPEC_CTRL MSR is available:  NO 
               * CPU indicates IBRS capability:  NO 
               * CPU indicates preferring IBRS always-on:  NO 
               * CPU indicates preferring IBRS over retpoline:  NO 
             * Indirect Branch Prediction Barrier (IBPB)
               * PRED_CMD MSR is available:  YES 
               * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit) 
             * Single Thread Indirect Branch Predictors (STIBP)
               * SPEC_CTRL MSR is available:  NO 
               * CPU indicates STIBP capability:  NO 
               * CPU indicates preferring STIBP always-on:  NO 
             * Speculative Store Bypass Disable (SSBD)
               * CPU indicates SSBD capability:  YES  (AMD non-architectural MSR) 
             * L1 data cache invalidation
               * FLUSH_CMD MSR is available:  NO 
               * CPU indicates L1D flush capability:  NO 
             * CPU supports Transactional Synchronization Extensions (TSX):  NO 
             * CPU supports Software Guard Extensions (SGX):  NO 
             * CPU supports Special Register Buffer Data Sampling (SRBDS):  NO 
             * CPU microcode is known to cause stability problems:  NO  (family 0x17 model 0x8 stepping 0x2 ucode 0x800820d cpuid 0x800f82) 
             * CPU microcode is the latest known available version:  YES  (latest version is 0x800820d dated 2019/04/16 according to builtin firmwares DB v163.20200930+i20200904) 
            * CPU vulnerability to the speculative execution attack variants
             * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
             * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
             * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO 
             * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  NO 
             * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
             * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO 
             * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO 
             * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO 
             * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  NO 
             * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  NO 
             * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  NO 
             * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  NO 
             * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  NO 
             * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  NO 
             * Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)):  NO 
            
            CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
            * Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) 
            * Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) 
            * Kernel has the Red Hat/Ubuntu patch:  NO 
            * Kernel has mask_nospec64 (arm64):  NO 
            * Kernel has array_index_nospec (arm64):  NO 
            > STATUS: NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) 
            
            CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
            * Mitigated according to the /sys interface:  YES  (Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling) 
            * Mitigation 1
             * Kernel is compiled with IBRS support:  YES 
               * IBRS enabled and active:  NO 
             * Kernel is compiled with IBPB support:  YES 
               * IBPB enabled and active:  YES 
            * Mitigation 2
             * Kernel has branch predictor hardening (arm):  NO 
             * Kernel compiled with retpoline option:  YES 
               * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation) 
            > STATUS: NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability) 
            
            CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * Kernel supports Page Table Isolation (PTI):  YES 
             * PTI enabled and active:  NO 
             * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant) 
            * Running as a Xen PV DomU:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-3640 aka 'Variant 3a, rogue system register read'
            * CPU microcode mitigates the vulnerability:  YES 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-3639 aka 'Variant 4, speculative store bypass'
            * Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) 
            * Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status) 
            * SSB mitigation is enabled and active:  YES  (per-thread through prctl) 
            * SSB mitigation currently active for selected processes:  YES  (firefox-bin haveged irqbalance ModemManager pulseaudio systemd-journald systemd-logind systemd-timesyncd systemd-udevd upowerd uuidd)
            > STATUS: NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) 
            
            CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
            * CPU microcode mitigates the vulnerability:  N/A 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * Kernel supports PTE inversion:  YES  (found in kernel image) 
            * PTE inversion enabled and active:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
            * Information from the /sys interface: Not affected
            * This system is a host running a hypervisor:  NO 
            * Mitigation 1 (KVM)
             * EPT is disabled:  N/A  (the kvm_intel module is not loaded) 
            * Mitigation 2
             * L1D flush is supported by kernel:  YES  (found flush_l1d in kernel image) 
             * L1D flush enabled:  NO 
             * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower) 
             * Hyper-Threading (SMT) is enabled:  YES 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image) 
            * Kernel mitigation is enabled and active:  NO 
            * SMT is either mitigated or disabled:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image) 
            * Kernel mitigation is enabled and active:  NO 
            * SMT is either mitigated or disabled:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image) 
            * Kernel mitigation is enabled and active:  NO 
            * SMT is either mitigated or disabled:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image) 
            * Kernel mitigation is enabled and active:  NO 
            * SMT is either mitigated or disabled:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * TAA mitigation is supported by kernel:  YES  (found tsx_async_abort in kernel image) 
            * TAA mitigation enabled and active:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * This system is a host running a hypervisor:  NO 
            * iTLB Multihit mitigation is supported by kernel:  YES  (found itlb_multihit in kernel image) 
            * iTLB Multihit mitigation enabled and active:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
            * Mitigated according to the /sys interface:  YES  (Not affected) 
            * SRBDS mitigation control is supported by the kernel:  YES  (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) 
            * SRBDS mitigation control is enabled and active:  NO 
            > STATUS: NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable) 
            
            > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
            
            Need more detailed information about mitigation options? Use --explain
            A false sense of security is worse than no security at all, see --disclaimer


            • #7
              Originally posted by c2p_
              ...spectre-meltdown-checker...
              Was useful before /sys/devices/system/cpu/vulnerabilities was implemented, less so now.
              I have had to fix a few bugs in spectre-meltdown-checker so I consider it somewhat unreliable.
              I also think it's less useful because it's less concise.



              • #8
                Originally posted by elatllat
                Was useful before /sys/devices/system/cpu/vulnerabilities was implemented, less so now.
                I have had to fix a few bugs in spectre-meltdown-checker so I consider it somewhat unreliable.
                I also think it's less useful because it's less concise.
                TIL it exists, thanks. Output is more readable
                Code:
                itlb_multihit:Not affected
                l1tf:Not affected
                mds:Not affected
                meltdown:Not affected
                spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
                spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
                spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
                srbds:Not affected
                tsx_async_abort:Not affected

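One way to grade the `name:status` lines that `grep . *` prints in /sys/devices/system/cpu/vulnerabilities, as shown in the posts above. This is an added example, not part of any post in the thread; the function names and the second sample report are constructed for illustration.

```shell
# Added example (not from the thread): grade "name:status" lines as printed by
#   cd /sys/devices/system/cpu/vulnerabilities && grep . *
# classify_status STATUS -> not_affected | mitigated | partial | vulnerable | unknown
classify_status() {
    s=${1#"KVM: "}    # itlb_multihit reports its state behind a "KVM: " prefix
    case $s in
        "Not affected"*) echo not_affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)
            # A "Mitigation:" line can still carry a caveat such as "SMT vulnerable".
            case $s in
                *[Vv]ulnerable*) echo partial ;;
                *)               echo mitigated ;;
            esac ;;
        *)               echo unknown ;;
    esac
}

# audit_vulns: read "name:status" lines on stdin, print "verdict name status",
# and return 1 if any entry is not cleanly not_affected or mitigated.
audit_vulns() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}      # text before the first colon is the sysfs file name
        status=${line#*:}     # the rest is the kernel's status string
        verdict=$(classify_status "$status")
        printf '%-12s %-18s %s\n' "$verdict" "$name" "$status"
        case $verdict in not_affected|mitigated) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Three lines taken from the Ryzen 5 2600 output posted in the thread.
thread_report() {
    cat <<'EOF'
meltdown:Not affected
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
EOF
}

# Constructed sample (not from the thread) showing the other status shapes.
constructed_report() {
    cat <<'EOF'
itlb_multihit:KVM: Mitigation: Split huge pages
l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
EOF
}

thread_report | audit_vulns || echo "thread report: review needed"
constructed_report | audit_vulns || echo "constructed report: review needed"
```

On a live system, feed it the real files with `(cd /sys/devices/system/cpu/vulnerabilities && grep . *) | audit_vulns`.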


                • #9
                  Originally posted by elatllat

                  Clear answer;

                  /sys/devices/system/cpu/vulnerabilities
                  I want to cry when I read answers like this. This is wrong on so many different levels. That is not a clear nor correct answer!!!


                  • #10
                    Originally posted by Jabberwocky

                    I want to cry when I read answers like this. This is wrong on so many different levels. That is not a clear nor correct answer!!!
                    Are you trolling or are you planning on convincing us (but accidentally pressed post before you could)?
