SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
shrug,
if your processor was released in 2021/22 then the above will most likely not affect CPU performance. It is easy to check what affects cpu and which mitigations are needed.
Yep its pretty trivial. To see all vulnerabilities and if they are being mitigated -
If it's being mitigated and you dont like the performance drop, the option is always there to turn off retbleed mitigations with the "retbleed=off" kernel command line.
Just built 5.18.14
The build time went up from 6m19.851s to 6m36.141s, which is a 4.7% increase.
I'm curious to know your hardware
With my Ryzen 7:
make -j17 15124,96s user 1624,00s system 1536% cpu 18:10,43 total
It is a 32GB 12 cores AMD Ryzen 9 3900XT, which on cpubenchmark.net has a 32963 score.
Quote:
Originally Posted by Aeterna
shrug,
if your processor was released in 2021/22 then the above will most likely not affect CPU performance. It is easy to check what affects cpu and which mitigations are needed.
The CPU was released in 2020. As my kernel is a distribution type one all mitigations are needed.
Kernel 5.15.57 ( with RetBleed Mitigations ) on Slackware64 15.0
all --
Generic Kernel Version 5.15.57.kjh is running fine on my Slackware64 15.0 + Multilib LapTop.
Note that kernel 5.15.57 included the following new configs:
Code:
* Restart config...
*
* Mitigations for speculative execution vulnerabilities
*
Mitigations for speculative execution vulnerabilities (SPECULATION_MITIGATIONS) [Y/n/?] (NEW) Y
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] Y
Avoid speculative indirect branches in kernel (RETPOLINE) [Y/n/?] Y
Enable return-thunks (RETHUNK) [Y/n/?] (NEW) Y
Enable UNRET on kernel entry (CPU_UNRET_ENTRY) [Y/n/?] (NEW) Y
Enable IBPB on kernel entry (CPU_IBPB_ENTRY) [Y/n/?] (NEW) Y
Enable IBRS on kernel entry (CPU_IBRS_ENTRY) [Y/n/?] (NEW) Y
#
# configuration written to .config
The Latest Vulnerabilities and Mitigations are below my sig
Also note that I updated VMware WorkStation Pro from 16.2.3 to 16.2.4 from runlevel 3 like so:
Code:
# cd /dld/15.0/vmware
# sh ./VMware-Workstation-Full-16.2.4-20089737.x86_64.bundle --ignore-errors --console --custom
Finally, since my 11th Gen Intel(R) Core(TM) i9-11900K CPU SHOULD BE UNAFFECTED by RetBleed ( RATBleed ) I plan to build, install and boot 5.15.57.kjh-no-retbleed as soon as I have a little time ... will let you know how that goes ...
Distribution: Slackware64-current with "True Multilib" and KDE4Town.
Posts: 9,163
Original Poster
Rep:
An interesting (IMHO) article on the continuing problems with the "Retbleed" patches.
Quote:
.....There were follow-up fixes that came to address various issues with the Retbleed code and now today another round of Retbleed fallout is being bandaged for Linux 5.19-rc8. Nearly two weeks later, the Retbleed mitigations still haven't appeared in the Linux stable series as back-ports due to various issues coming up. But with the Retbleed fixes slowing down, it looks like the mitigation and all the fixes will premiere soon in the currently supported stable/LTS series.......
Distribution: Slackware64-current with "True Multilib" and KDE4Town.
Posts: 9,163
Original Poster
Rep:
Year 2022, Round 46.
Another batch of updates has been scheduled for release on Friday, 29 July 2022, at approximately 16:00 GMT. If no problems are found while testing the release candidates, they might be available sometime on Thursday (depending on your time zone).
If it's being mitigated and you dont like the performance drop, the option is always there to turn off retbleed mitigations with the "retbleed=off" kernel command line.
I have been doing "mitigations=off" for a while now, I don't care about the security implications on my home desktop. Does mitigations=off also cover retbleed or do I have add both "mitigations=off" and "retbleed=off" to the boot options now?
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 1,017
Rep:
Quote:
Originally Posted by Daedra
I have been doing "mitigations=off" for a while now, I don't care about the security implications on my home desktop. Does mitigations=off also cover retbleed or do I have add both "mitigations=off" and "retbleed=off" to the boot options now?
Quote:
grep -r . /sys/devices/system/cpu/vulnerabilities
this is wrong, it will only tell you if you compiled these options or not
so to see the list of cpu vulnerabilities run:
Quote:
lscpu
Quote:
mitigations=off
disables all mitigations including retbleed
Quote:
retbleed=off
disables retbleed only
either you can use kernel and disable when compiling or you can disable every mitigation individually in your boot loader config.
I think that if your cpu does not have specific vulnerability, disabling it does not fix cpu performance because... well cpu does not have this option enabled so it will be ignored.
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: N/A (not testable in offline mode)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: N/A (not testable in offline mode)
* Mitigation 2
* Kernel has branch predictor hardening (arm): UNKNOWN
* Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
> STATUS: NOT VULNERABLE (offline mode: kernel supports IBRS + IBPB to mitigate the vulnerability)
CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Kernel supports disabling speculative store bypass (SSB): YES (found nospec_store_bypass_disable in kernel)
> STATUS: NOT VULNERABLE (your system provides the necessary tools for software mitigation)
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
* Kernel has array_index_nospec (arm64): NO
> STATUS: NOT VULNERABLE (Kernel source has been patched to mitigate the vulnerability (x86 64 bits array_index_mask_nospec))
Based on this, it seems /sys/devices/system/cpu/vulnerabilities is accurate for at least 5.10 (which I would imagine would be at least anything 5.10 and newer).
Quote:
Originally Posted by Aeterna
so to see the list of cpu vulnerabilities run:
Quote:
lscpu
Maybe this is due to 14.2's util-linux (v2.27.1), but lscpu doesn't provide any information about potential vulnerabilities.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.