[arch-proaudio] 4.14.18-rt15 Intel Spectre v2 broken microcode detected
Hi,

today I built 4.14.18-rt15 and now dmesg shows this:

[rocketmouse@archlinux ~]$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.469182] microcode: sig=0x306c3, pf=0x2, revision=0x23
[    0.469263] microcode: Microcode Update Driver: v2.2.
[rocketmouse@archlinux ~]$ hwinfo --cpu | grep Model | sort -u
  Model: 6.60.3 "Intel(R) Celeron(R) CPU G1840 @ 2.80GHz"
[rocketmouse@archlinux ~]$ pacman -Q intel-ucode
intel-ucode 20180108-1
[rocketmouse@archlinux ~]$ uname -a
Linux archlinux 4.14.18-rt15-1-rt-securityink #1 SMP PREEMPT RT Sat Feb 10 09:46:04 CET 2018 x86_64 GNU/Linux

:(

Regards,
Ralf
On Sat, 10 Feb 2018 11:10:08 +0100 Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
today I built 4.14.18-rt15 and now dmesg shows this:

[rocketmouse@archlinux ~]$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.469182] microcode: sig=0x306c3, pf=0x2, revision=0x23
[    0.469263] microcode: Microcode Update Driver: v2.2.
[rocketmouse@archlinux ~]$ hwinfo --cpu | grep Model | sort -u
  Model: 6.60.3 "Intel(R) Celeron(R) CPU G1840 @ 2.80GHz"
[rocketmouse@archlinux ~]$ pacman -Q intel-ucode
intel-ucode 20180108-1
[rocketmouse@archlinux ~]$ uname -a
Linux archlinux 4.14.18-rt15-1-rt-securityink #1 SMP PREEMPT RT Sat Feb 10 09:46:04 CET 2018 x86_64 GNU/Linux
And what is wrong with this? -- Joakim
On Sat, 10 Feb 2018 11:21:59 +0100, Joakim Hernberg wrote:
On Sat, 10 Feb 2018 11:10:08 +0100 Ralf Mardorf wrote:
Intel Spectre v2 broken microcode detected; disabling Speculation Control
And what is wrong with this?
Hi,

it's not my domain, the hits I get from https://www.google.de/search?source=hp&ei=ucp-WpKfFIrhkgX_uI-oCQ&q=Intel+Spectre+v2+broken+microcode+detected%3B+disabling+Speculation+Control&oq=Intel+Spectre+v2+broken+microcode+detected%3B+disabling+Speculation+Control&gs_l=psy-ab.3...1303.6725.0.10760.4.4.0.0.0.0.62.237.4.4.0....0...1c.1.64.psy-ab..0.0.0....0.anug6P_zxF8 don't help me.

Is it good? To me "broken microcode" in combination with "Spectre" sounds like a serious warning.

--
$ pacman -Q linux{,-rt-securityink,-rt,-rt-pussytoes,-rt-cornflower}
linux 4.15.2-2
linux-rt-securityink 4.14.18_rt15-1
linux-rt 4.14.12_rt10-1
linux-rt-pussytoes 4.14.8_rt9-2
linux-rt-cornflower 4.11.12_rt16-1
On Sat, 10 Feb 2018 11:39:40 +0100 Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
Is it good? To me "broken microcode" in combination with "Spectre" sounds like a serious warning.
I think that refers to the fact that you have ucode loaded that was determined to cause problems on some systems. To check if you have mitigations enabled, cat the files in /sys/devices/system/cpu/vulnerabilities, none ought to say vulnerable. -- Joakim
On Sat, 10 Feb 2018 15:49:45 +0100, Joakim Hernberg wrote:
I think that refers to the fact that you have ucode loaded that was determined to cause problems on some systems.
To check if you have mitigations enabled, cat the files in /sys/devices/system/cpu/vulnerabilities, none ought to say vulnerable.
Thank you, so...

[rocketmouse@archlinux ~]$ ls -hAl /sys/devices/system/cpu/vulnerabilities/
total 0
-r--r--r-- 1 root root 4.0K Feb 10 15:52 meltdown
-r--r--r-- 1 root root 4.0K Feb 10 15:52 spectre_v1
-r--r--r-- 1 root root 4.0K Feb 10 15:52 spectre_v2
[rocketmouse@archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline

...means that they are enabled?

Regards,
Ralf
On Sat, 10 Feb 2018 16:00:14 +0100 Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
...means that they are enabled?
Yes, how well they protect the system is of course another question, and I'm not 100% sure where the Intel ucode fits in all this. But it seems fairly clear that Intel dropped the ball on all of this including firmware updates... -- Joakim
On Sat, 10 Feb 2018 16:09:17 +0100, Joakim Hernberg wrote:
On Sat, 10 Feb 2018 16:00:14 +0100 Ralf Mardorf wrote:
cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
...means that they are enabled?
Yes, how well they protect the system is of course another question, and I'm not 100% sure where the Intel ucode fits in all this. But it seems fairly clear that Intel dropped the ball on all of this including firmware updates...
I see. Apart from the µcode the kernel already includes the page-table isolation patch set. When booting with "nopti" the output for "meltdown" is "Vulnerable".

[rocketmouse@archlinux ~]$ grep Securityink_nopti -B3 -A5 /boot/syslinux/syslinux.cfg
# "KPTI was merged into Linux kernel version 4.15,[snip] and backported to Linux kernels 4.14.11, 4.9.75, 4.4.110."
# - https://en.wikipedia.org/wiki/Kernel_page-table_isolation
LABEL Securityink_nopti
    MENU LABEL Arch Linux Rt Securityink nopt^i
    LINUX ../vmlinuz-linux-rt-securityink
    APPEND root=LABEL=archlinux ro nopti
    INITRD ../intel-ucode.img,../initramfs-linux-rt-securityink.img
[rocketmouse@archlinux ~]$ ls -hAl /sys/devices/system/cpu/vulnerabilities/
total 0
-r--r--r-- 1 root root 4.0K Feb 10 16:44 meltdown
-r--r--r-- 1 root root 4.0K Feb 10 16:44 spectre_v1
-r--r--r-- 1 root root 4.0K Feb 10 16:44 spectre_v2
[rocketmouse@archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Vulnerable
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
Now that you bump to 4.14.18_rt15-1, too and since I read the diff
https://aur.archlinux.org/cgit/aur.git/diff/?h=linux-rt&id=aee56edc0ffc7c315d462ae337f446b7ed8007c5
I notice that my config "suffers" from a spectre 2 "misconfiguration".

[rocketmouse@archlinux ~]$ zgrep CONFIG_BPF_JIT_ALWAYS_ON /proc/config.gz
# CONFIG_BPF_JIT_ALWAYS_ON is not set

https://patchwork.ozlabs.org/patch/856694/

Apart from this they are identical kernels with equal patches.

[rocketmouse@archlinux linux-rt]$ diff config config-4.14.18-rt15-1-rt-securityink
57c57
< CONFIG_LOCALVERSION="-rt"
---
> CONFIG_LOCALVERSION="-1-rt-securityink"
227c227
< CONFIG_BPF_JIT_ALWAYS_ON=y
---
> # CONFIG_BPF_JIT_ALWAYS_ON is not set
[rocketmouse@archlinux linux-rt]$ diff . /usr/src/linux-rt-securityink/
[snip, apart from the config and name related diffs, not a single relevant diff]
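Added example, not part of the thread and not Joakim's or Ralf's code: a small POSIX sh audit that combines the two checks discussed above, reading the files under /sys/devices/system/cpu/vulnerabilities (Joakim's pointer) and checking the kernel config for CONFIG_BPF_JIT_ALWAYS_ON=y (the setting the config diff above shows missing). The function names check_vulns and check_bpf_jit_always_on, the optional path arguments and the AUDIT_LIB_ONLY variable are my own; the defaults are the real sysfs path and /proc/config.gz. It iterates over whatever files the directory contains, so it goes beyond the three files shown in this thread and also works on newer kernels that expose more entries.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits what the kernel reports about
# Meltdown/Spectre mitigations and whether the config carries the Spectre v2
# hardening CONFIG_BPF_JIT_ALWAYS_ON=y. Both functions take an optional path so
# they can be pointed at a copied sysfs tree or a saved .config (assumed layout:
# one file per issue under the vulnerabilities directory, as in 4.14.x).

# check_vulns [DIR]: print every file in DIR and return 1 if any starts with
# "Vulnerable" (e.g. meltdown after booting with nopti), 0 if all report a
# mitigation or "Not affected", 2 if the directory is missing (kernel without
# the sysfs interface, or sysfs not mounted).
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the vulnerabilities interface or sysfs is not mounted"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) echo "$(basename "$f"): $status   <-- NOT mitigated"; rc=1 ;;
            *)           echo "$(basename "$f"): $status" ;;
        esac
    done
    return "$rc"
}

# check_bpf_jit_always_on [CONFIG]: CONFIG is /proc/config.gz (gzip) or a plain
# .config. Returns 0 when CONFIG_BPF_JIT_ALWAYS_ON=y, 1 when it is unset or the
# symbol is absent, 2 when the file is unreadable.
check_bpf_jit_always_on() {
    cfg="${1:-/proc/config.gz}"
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg (CONFIG_IKCONFIG_PROC not enabled?)"
        return 2
    fi
    case "$cfg" in
        *.gz) line=$(gzip -dc "$cfg" | grep '^CONFIG_BPF_JIT_ALWAYS_ON=' || true) ;;
        *)    line=$(grep '^CONFIG_BPF_JIT_ALWAYS_ON=' "$cfg" || true) ;;
    esac
    if [ "$line" = "CONFIG_BPF_JIT_ALWAYS_ON=y" ]; then
        echo "CONFIG_BPF_JIT_ALWAYS_ON=y: BPF JIT is forced on, the interpreter cannot be selected"
        return 0
    fi
    echo "CONFIG_BPF_JIT_ALWAYS_ON is not set: the BPF interpreter can still be selected"
    return 1
}

# When run as a script, audit the live system and print an overall verdict.
# (Set AUDIT_LIB_ONLY=1 to source the functions without running them.)
if [ -z "$AUDIT_LIB_ONLY" ]; then
    check_vulns;             vulns_rc=$?
    check_bpf_jit_always_on; jit_rc=$?
    if [ "$vulns_rc" -eq 0 ] && [ "$jit_rc" -eq 0 ]; then
        echo "OK: all reported issues mitigated and BPF JIT always on"
    else
        echo "CHECK: vulnerabilities rc=$vulns_rc, bpf_jit_always_on rc=$jit_rc"
    fi
fi
```

Run under the nopti boot entry quoted above, check_vulns flags meltdown as "Vulnerable" and returns 1; under the default entry it returns 0. check_bpf_jit_always_on returns 1 for the securityink config and 0 for the upstream linux-rt one.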
On Sat, 10 Feb 2018 19:39:07 +0100 Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
Now that you bump to 4.14.18_rt15-1, too and since I read the diff
https://aur.archlinux.org/cgit/aur.git/diff/?h=linux-rt&id=aee56edc0ffc7c315d462ae337f446b7ed8007c5
I notice that my config "suffers" from a spectre 2 "misconfiguration".
[rocketmouse@archlinux ~]$ zgrep CONFIG_BPF_JIT_ALWAYS_ON /proc/config.gz
# CONFIG_BPF_JIT_ALWAYS_ON is not set
It should be enabled, right? I followed upstream Archlinux on this. -- Joakim
On Sun, 11 Feb 2018 00:13:18 +0100, Joakim Hernberg wrote:
On Sat, 10 Feb 2018 19:39:07 +0100 Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
Now that you bump to 4.14.18_rt15-1, too and since I read the diff
https://aur.archlinux.org/cgit/aur.git/diff/?h=linux-rt&id=aee56edc0ffc7c315d462ae337f446b7ed8007c5
I notice that my config "suffers" from a spectre 2 "misconfiguration".
[rocketmouse@archlinux ~]$ zgrep CONFIG_BPF_JIT_ALWAYS_ON /proc/config.gz
# CONFIG_BPF_JIT_ALWAYS_ON is not set
It should be enabled, right? I followed upstream Archlinux on this.
It's still not my domain. My guess is that I made a mistake, IOW I think that your config is better than mine. However, when I ran make oldconfig, there only was one item asking me what to do. The default was "N". I simply pushed enter, instead of "?" and/or googling. I should consider to follow Arch upstream, too. OTOH an unpatched kernel is not aimed for real-time purposes, so a new feature might have unwanted impact on DSP load. Actually I prefer using your tarballs to build my kernels, since you add all those patches. The kernels I build that aren't based upon your tarballs usually are vanilla kernels + the rt-patch, but no other patch, let alone the config. Regarding rt and audio drivers my own configs should be as good as yours, but anything else of my configs could be fishy. Thank you for maintaining linux-rt :) and thank you for the /sys/devices/system/cpu/vulnerabilities/ pointer :).
participants (2): Joakim Hernberg, Ralf Mardorf