mikefot l33t
Joined: 19 Nov 2014 Posts: 709
Posted: Wed Jan 24, 2018 10:38 am Post subject: checking if I have installed retpoline or not......
Dear All,
I am running gentoo testing on an amd kaveri box.
My kernel is 4.14.14.
I notice from looking at these two articles:
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.9-4.14-Retpoline
and
https://www.neowin.net/news/retpoline-patch-coming-to-linux-49-and-linux-414
that I probably need at least gcc 7.3 or gcc 8.0 to make retpoline work at present.
I am currently running gcc 7.2.0.
Do I need to upgrade to 7.3 or higher?
Also, are KPTI and retpoline (perhaps we could call it "ratholine" if it escapes being installed too easily) automatically turned on in the kernel (I guess they have added flags you would see somewhere when you run make menuconfig) when you compile it?
People in the debian community are also looking at this issue.
Comments appreciated.
Regards
Michael Fothergill
ryszardzonk Apprentice
Joined: 18 Dec 2003 Posts: 225 Location: Rzeszów, POLAND
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Wed Jan 24, 2018 11:03 am Post subject:
Quote: Do I need to upgrade to 7.3 or higher?
This is what you'll get with kernel 4.14.14 and GCC 6.4:
Code:
# cd /sys/devices/system/cpu/vulnerabilities
# for file in *; do echo "$file : $(tail -n1 $file)"; done
meltdown : Mitigation: PTI
spectre_v1 : Vulnerable
spectre_v2 : Vulnerable: Minimal generic ASM retpoline
And this is the output of kernel 4.14.14 compiled with GCC 7.3.0RC1:
Code:
# cd /sys/devices/system/cpu/vulnerabilities
# for file in *; do echo "$file : $(tail -n1 $file)"; done
meltdown : Mitigation: PTI
spectre_v1 : Vulnerable
spectre_v2 : Mitigation: Full generic retpoline
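The two checks the thread turns on are (a) what the kernel itself reports under /sys/devices/system/cpu/vulnerabilities and (b) whether the compiler that built the kernel understands GCC's retpoline flags. The script below is an added example, not code from any of the posters or from the spectre-meltdown-checker project: it prints the same "name : status" summary as the loop above, classifies the spectre_v2 line as full, minimal or no retpoline, and tries GCC's `-mindirect-branch=thunk-extern -mindirect-branch-register` on a throwaway translation unit, which is the probe the kernel build uses to decide between full and minimal retpoline. The sample sysfs directory is constructed from the status strings quoted in this thread; the function names and the `CC` override are my own.

```shell
#!/bin/sh
# Added example (not from the forum thread). Summarise the kernel's
# /sys/devices/system/cpu/vulnerabilities/ entries and probe the compiler
# for retpoline support. Function names and the CC override are assumptions.

# report_vulns [DIR]: print "name : last line of file" for every entry in DIR
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s : %s\n' "$(basename "$f")" "$(tail -n1 "$f")"
    done
}

# retpoline_state [DIR]: classify the spectre_v2 entry.
# "full"       -> kernel C code was compiled with a retpoline-aware compiler
# "minimal"    -> only the hand-written assembly thunks are in place (old gcc)
# "none"       -> no retpoline mitigation reported at all
# "unaffected" -> CPU reported as not affected
retpoline_state() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    f="$dir/spectre_v2"
    [ -r "$f" ] || { echo unknown; return 0; }
    status=$(tail -n1 "$f")
    case "$status" in
        "Mitigation: Full"*retpoline*)     echo full ;;
        "Vulnerable: Minimal"*retpoline*)  echo minimal ;;
        "Not affected")                    echo unaffected ;;
        Vulnerable*)                       echo none ;;
        *)                                 echo unknown ;;
    esac
}

# cc_supports_retpoline: exit 0 if $CC (default gcc) accepts GCC's retpoline
# flags, which is what the kernel build checks before enabling full retpoline.
# (clang spells the option differently, so it is reported as unsupported here.)
cc_supports_retpoline() {
    cc="${CC:-gcc}"
    command -v "$cc" >/dev/null 2>&1 || return 2
    printf 'int main(void) { return 0; }\n' |
        "$cc" -x c -mindirect-branch=thunk-extern -mindirect-branch-register \
              -c -o /dev/null - >/dev/null 2>&1
}

# make_sample STATE: build a constructed sysfs-like directory (sample data
# using the status strings quoted in the thread) and print its path.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    case "$1" in
        full)    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2" ;;
        minimal) printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2" ;;
        *)       printf 'Vulnerable\n' > "$d/spectre_v2" ;;
    esac
    echo "$d"
}

# Stand-alone run: use the live sysfs tree when present, else the sample.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_vulns
    echo "retpoline: $(retpoline_state)"
else
    s=$(make_sample minimal)
    report_vulns "$s"
    echo "retpoline: $(retpoline_state "$s")"
fi
if cc_supports_retpoline; then
    echo "compiler: accepts GCC retpoline flags (full retpoline possible)"
else
    echo "compiler: does not accept GCC retpoline flags (kernel would build minimal retpoline)"
fi
```

Run it as a normal user; the sysfs files are world-readable. If `retpoline_state` says `minimal` while `cc_supports_retpoline` succeeds, the running kernel was simply built before the compiler was upgraded and a rebuild is what changes the status, which matches the before/after outputs posted later in this thread.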
mikefot l33t
Joined: 19 Nov 2014 Posts: 709
Posted: Wed Jan 24, 2018 11:15 am Post subject: checking if I have installed retpoline or not......
Many thanks for the advice here.
I ran the kernel checker as follows:
Code:
djt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.32
Checking for vulnerabilities on current system
Kernel is Linux 4.14.14-gentoo #1 SMP Tue Jan 23 13:06:23 GMT 2018 x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Mitigation 1
* Hardware support (CPU microcode)
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
* Retpoline enabled: YES
> STATUS: VULNERABLE (Vulnerable: Minimal AMD ASM retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
* Running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
djt /home/mikef/spectre-meltdown-checker #
I think I need to upgrade from gcc 7.2 to 7.3.
Cheers
MF
PS The latest build for gcc that I can see here https://packages.gentoo.org/packages/sys-devel/gcc
is 7.2.0-r1.
I am using it.
How do you install 7.3?
By hand from the gcc folks?
i.e. no build?
Cheers
OK, it's apparently coming soon:
https://www.phoronix.com/scan.php?page=news_item&px=GCC-7.3-In-January
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54391 Location: 56N 3W
Posted: Wed Jan 24, 2018 12:04 pm Post subject:
mikefot,
The kernel assembly code is fixed now.
The C code needs >=gcc-7.3.
gcc-7.3-rc2 is on the GNU site now. gcc-7.3 may be released on 25 Jan. It's unlikely to be in Gentoo then, but I'm sure the toolchain team know about it.
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
mikefot l33t
Joined: 19 Nov 2014 Posts: 709
Posted: Wed Jan 24, 2018 1:33 pm Post subject: checking if I have installed retpoline or not......
Many thanks for all the suggestions here.
I think I will wait until a build file is created either for 7.3 rc1 or 7.3 proper.
Installing gcc from a tar file sounds potentially untidy to me.
Doing it for a printer driver is OK I think, but for gcc I would prefer a build file.
In Debian sid you can now apparently install gcc 7.3 rc1 as a deb file, I am told.
If you then used the Debian manual kernel compilation recipe they have, that should in theory also work for kernel 4.14.14, which I currently have.
So they are also moving toward solutions for this particular patch.
Cheers
MF
PS
I have noticed that an entry for gcc 7.3 has appeared on the gentoo gcc webpage:
https://packages.gentoo.org/packages/sys-devel/gcc
It is not listed as being readied as an amd64 version of the build etc.
I tried doing the oneshot command and didn't see it.
What would be the command to emerge it?
Should I wait a little bit before trying?
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Wed Jan 31, 2018 2:56 pm Post subject:
Mikefot, some different results here with 4.14.15 and gcc 6.4.0:
Code:
cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Vulnerable
Vulnerable: Minimal AMD ASM retpoline
uname -a
Linux gentoo.MsHome 4.14.15-gentoo #5 SMP Wed Jan 31 07:00:13 CST 2018 x86_64 AMD A8-7600 Radeon R7, 10 Compute Cores 4C+6G AuthenticAMD GNU/Linux
mikefot l33t
Joined: 19 Nov 2014 Posts: 709
Posted: Thu Feb 01, 2018 8:54 am Post subject: checking if I have installed retpoline or not......
Dear Tony,
Here is a comparison of the gcc 7.2 and 7.3 compilations:
Code:
djt /home/mikef/spectre-meltdown-checker # cat /proc/version
Linux version 4.14.14-gentoo (root@djt) (gcc version 7.2.0 (Gentoo 7.2.0-r1)) #1 SMP Tue Jan 23 13:06:23 GMT 2018
Here is a useful bit of the output from the spectre patch checker:
Code:
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
* Retpoline enabled: YES
> STATUS: VULNERABLE (Vulnerable: Minimal AMD ASM retpoline)
As can be seen here, the compiler I used to create this kernel was not recent enough to make retpoline work.
Since I now have gcc 7.3 installed, I then ran it again to see if I could change the NO in
Code:
* Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
to YES.....
Code:
djt /home/mikef # cat /proc/version
Linux version 4.14.15-gentoo (root@djt) (gcc version 7.3.0 (Gentoo 7.3.0)) #1 SMP Tue Jan 30 16:22:47 GMT 2018
and now the spectre kernel checker says the following:
Code:
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (Mitigation: Full AMD retpoline)
Cheers
MF