Gentoo Forums
Deutsches Forum (German)
Topic: speculations mitigation
Erdie
Advocate
Joined: 20 May 2004
Posts: 2356
Location: Heidelberg - Germany

Posted: Fri Aug 05, 2022 4:59 pm    Post subject: speculations mitigation

In my current oldconfig I came across the following option:

Code:

CONFIG_CPU_IBRS_ENTRY:

Compile the kernel with support for the spectre_v2=ibrs mitigation.
This mitigates both spectre_v2 and retbleed at great cost to
performance.

Symbol: CPU_IBRS_ENTRY [=y]
Type  : bool
Defined at arch/x86/Kconfig:2451
  Prompt: Enable IBRS on kernel entry
  Depends on: SPECULATION_MITIGATIONS [=y] && CPU_SUP_INTEL [=y]
  Location:
    -> Mitigations for speculative execution vulnerabilities (SPECULATION_MITIGATIONS [=y])

How should I picture the performance loss behind "at great cost to performance."? I can still remember the Spectre discussion. Is this option indispensable?
_________________
Desktop AMD Ryzen 9 5900X 32GB RAM, Asus GF GTX 1060.
Notebook Tuxedo Pulse 15 Gen1 AMD Ryzen 7 4800H with Radeon Vega 7
Raspberry Pi 1 + 2 + 3B+ + Zero W

pietinger
Moderator
Joined: 17 Oct 2006
Posts: 1795
Location: Bavaria

Posted: Fri Aug 05, 2022 6:53 pm

I read something about 30 % on LWN, but haven't noticed it on my box ... :oops: Anyway, for now it stays enabled here; as I understand it, this is supposed to be improved further anyway:
Quote:
IBRS works, but it has the unwelcome side effect of reducing performance by as much as 30%.

=> https://lwn.net/Articles/901834/

Erdie
Posted: Sat Aug 06, 2022 7:28 am

I'll test that, possibly switch it off and then run a performance test. Rendering video or something similar ..

I also wonder what kind of attacks are prevented here. If they were only local attacks, I wouldn't care. Only I use my machine - but I'm afraid this makes exploits possible that can be slipped in over the network. Then it's rubbish again.

Update:
Well .. web browsers where some code on a web page can read out the password store are not nice ..

mike155
Advocate
Joined: 17 Sep 2010
Posts: 3950
Location: Frankfurt, Germany

Posted: Sat Aug 06, 2022 9:53 am

On machines where several users or systems work at the same time, I would enable the mitigations:
  • shared hosting platforms
  • VM platforms
  • login servers - e.g. at a university or in companies
On my Linux machine at home I see no reason for the mitigations. There I have them switched off.

Erdie
Posted: Sat Aug 06, 2022 12:15 pm

Wouldn't that make the machine more susceptible to exploits injected via the web browser?

guru meditation
Tux's lil' helper
Joined: 18 Mar 2018
Posts: 96
Location: Planet Earth

Posted: Mon Aug 08, 2022 12:16 pm

You could try the following in /etc/default/grub:
Code:
GRUB_CMDLINE_LINUX_DEFAULT="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

and then run grub-mkconfig once.

That temporarily switches off the whole "kludging around" (not meant negatively: tasks the hardware/CPU should be doing and that the software has to handle instead) and you can run a few tests.

Some of them are published here (in English): https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs
German: https://www.linux-community.de/ausgaben/linuxuser/2019/08/schnell-oder-sicher/2/

On the average office PC this hardly has any effect. But if you need every percent of computing power (compiling programs, gaming or video machines), switching it off is worth considering.

Erdie
Posted: Mon Aug 08, 2022 12:34 pm

I'll try that out, although I had already switched off the mitigation in menuconfig. But your list contains more than that.

mike155
Posted: Mon Aug 08, 2022 12:54 pm

Quote:
Code:
GRUB_CMDLINE_LINUX_DEFAULT="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off"

Seems redundant to me. /usr/src/linux/admin-guide/kernel-parameters.txt says:
Code:
mitigations=
    [X86,PPC,S390,ARM64] Control optional mitigations for CPU vulnerabilities.
    This is a set of curated, arch-independent options, each of which is an
    aggregation of existing arch-specific options.

    off
        Disable all optional CPU mitigations. This improves system performance,
        but it may also expose users to several CPU vulnerabilities.

        Equivalent to:
            nopti [X86,PPC]
            kpti=0 [ARM64]
            nospectre_v1 [X86,PPC]
            nobp=0 [S390]
            nospectre_v2 [X86,PPC,S390,ARM64]
            spectre_v2_user=off [X86]
            spec_store_bypass_disable=off [X86,PPC]
            ssbd=force-off [ARM64]
            l1tf=off [X86]
            mds=off [X86]
            tsx_async_abort=off [X86]
            kvm.nx_huge_pages=off [X86]
            no_entry_flush [PPC]
            no_uaccess_flush [PPC]
            mmio_stale_data=off [X86]
            retbleed=off [X86]

        Exceptions:
            This does not have any effect on
            kvm.nx_huge_pages when
            kvm.nx_huge_pages=force.

TLDR: "mitigations=off" should be sufficient.
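Added example, not from the thread or any of the posters: a POSIX shell script that reads the kernel's own report of the mitigation state under /sys/devices/system/cpu/vulnerabilities and the boot command line, so a benchmark run with and without the grub parameters quoted above can be paired with a verified mitigation state, and that checks whether the spectre_v2 status names IBRS, which is what CONFIG_CPU_IBRS_ENTRY from the first post provides. The sysfs directory, /proc/cmdline and the "Mitigation:" / "Not affected" / "Vulnerable" status words are real kernel interfaces; the function names and the overridable paths are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report the kernel's own view of the
# speculative-execution mitigations, so a benchmark run can be paired with a
# verified mitigation state. Paths are overridable for testing on a copy.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# Print "name<TAB>status" for every vulnerability file below directory $1.
vuln_status() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 if vulnerability $2 in dir $1 is mitigated or not affected, 1 if Vulnerable, 2 if absent.
is_mitigated() {
    [ -f "$1/$2" ] || return 2
    case "$(cat "$1/$2")" in
        Mitigation:*|"Not affected"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the spectre_v2 status in dir $1 names IBRS, i.e. the
# spectre_v2=ibrs mitigation enabled by CONFIG_CPU_IBRS_ENTRY is in use.
spectre_v2_uses_ibrs() {
    [ -f "$1/spectre_v2" ] || return 1
    case "$(cat "$1/spectre_v2")" in
        *IBRS*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the kernel command line in file $1 disables spectre_v2, either
# directly or through the aggregate mitigations=off discussed above.
spectre_v2_disabled_on_cmdline() {
    for arg in $(cat "$1"); do
        case "$arg" in
            nospectre_v2|spectre_v2=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# Stand-alone run against the live system, when its entries exist.
if [ -d "$VULN_DIR" ] && [ -r "$CMDLINE_FILE" ]; then
    printf 'cmdline: %s\n' "$(cat "$CMDLINE_FILE")"; vuln_status "$VULN_DIR"
fi
```

Run it once before and once after changing GRUB_CMDLINE_LINUX_DEFAULT and rebooting; if the two reports differ, the benchmark numbers are comparing states the kernel itself confirms.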