The Latest Kernel Release.

kjhambrick · 07-30-2022, 04:57 AM

all --

Generic Kernel Version 5.15.58.kjh is running fine on my Slackware64 15.0 + Multilib LapTop.

I've got a big pile of work to finish this weekend so I'll have to tackle the no-retbleed kernel later.

But then again, maybe booting with the mitigations=no commandline flag would be sufficient for me ?

-- kjh

Code:

uname -msrpn: Linux kjhlt7.kjh.home 5.15.58.kjh x86_64 11th Gen Intel(R) Core(TM) i9-11900K @ 3.50GHz
firmware ...: kernel-firmware-20220725_150864a-noarch-1
NVidia Blob : NVIDIA-Linux-x86_64-515.57.run
VMWare Blob : VMware-Workstation-Full-16.2.3-19376536.x86_64.bundle

For the record, these are my vulnerabilities and mitigations ( no changes to retbleed since 5.15.57 )

Code:

Sat Jul 30 04:44:16 CDT 2022

  Linux kjhlt7.kjh.home 5.15.58.kjh #1 SMP PREEMPT Fri Jul 29 20:22:12 CDT 2022 x86_64 11th Gen Intel(R) Core(TM) i9-11900K @ 3.50GHz GenuineIntel GNU/Linux

  dmesg
    microcode: microcode updated early to revision 0x53, date = 2022-03-09
    Linux version 5.15.58.kjh (root@kjhlt7.kjh.home) (gcc (GCC) 11.2.0, GNU ld version 2.37-slack15) #1 SMP PREEMPT Fri Jul 29 20:22:12 CDT 2022
    Command line: BOOT_IMAGE=/boot/vmlinuz-generic-5.15.58.kjh root=UUID=6c71cd77-2463-408e-a992-ad6064b0651b ro nvidia-drm.modeset=1
    DMI: Notebook X170KM-G/X170KM-G, BIOS 1.07.06LS1 01/11/2020

  cpuinfo
    CPU Name:   11th Gen Intel(R) Core(TM) i9-11900K @ 3.50GHz
    Microcode:  0x53
    CPU FMS:    06-a7-01
    UCode Pkg:  intel-microcode-20220510-noarch-1_SBo_kjh  ( updated May 18 13:20 )
    UCode File: /lib/firmware/intel-ucode/06-a7-01         ( updated May 18 13:19 )
    UCode Info: 001/001: sig 0x000a0671, pf_mask 0x02, 2022-03-09, rev 0x0053, size 103424
    CPU bugs:   spectre_v1, spectre_v2, spec_store_bypass, swapgs, mmio_stale_data, retbleed

  vulnerability and mitigation files in /sys/devices/system/cpu/vulnerabilities/
    itlb_multihit:       Not affected
    l1tf:                Not affected
    mds:                 Not affected
    meltdown:            Not affected
    mmio_stale_data:     Mitigation: Clear CPU buffers; SMT vulnerable
    retbleed:            Mitigation: Enhanced IBRS
    spec_store_bypass:   Mitigation: Speculative Store Bypass disabled via prctl and seccomp
    spectre_v1:          Mitigation: usercopy/swapgs barriers and __user pointer sanitization
    spectre_v2:          Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling
    srbds:               Not affected
    tsx_async_abort:     Not affected

avian · 07-31-2022, 08:52 AM

Quote:

Originally Posted by kjhambrick

all --

Generic Kernel Version 5.15.58.kjh is running fine on my Slackware64 15.0 + Multilib LapTop.

I've got a big pile of work to finish this weekend so I'll have to tackle the no-retbleed kernel later.

But then again, maybe booting with the mitigations=no commandline flag would be sufficient for me ?

If all you want to experiment with is turning off retbleed mitigations, boot with retbleed=off.

If you wanted to turn off a few other mitigations that have crept in lately that effect performance, you could try something like "srbds=off mmio_stale_data=off retbleed=off". Doing mitigations=off might be a bit overkill. In the end it'll be up to you to weigh the performance vs risk.

avian · 07-31-2022, 10:20 AM

Quote:

Originally Posted by Aeterna

this is wrong, it will only tell you if you compiled these options or not

Are you sure I'm wrong? Have you tried it? It clearly states all the vulnerabilities the kernel knows about, next to those if the CPU is vulnerable or not, and next to that if mitigations are in place. Below is an example of a vulnerability mitigated, one not mitigated, and one that doesnt affect the cpu. This from a 5.18.x series kernel.

Like bassmadrigal, I've compared it to spectre-meltdown-checker, and received the same results.

Code:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Not affected

You suggested to use lscpu instead, so lets see the same lines that lscpu returns -

Code:

  Spectre v2:            Mitigation; Enhanced IBRS, IBPB conditional, RSB filling
  Mmio stale data:       Vulnerable
  Mds:                   Not affected

Ummm, doesnt look all that different. Although granted lscpu output is formatted nicer and an easier command to type and remember.

kjhambrick · 07-31-2022, 02:56 PM

Thanks avian.

I looked this up last weekend at The kernel’s command-line parameters

Below is the text from the mitigations section (

I added bold and color=red LQ Tags to hilight the scary text for full disclosure

)

I don't have an opinion on `lscpu` -vs- `cat /sys/devices/system/cpu/vulnerabilities` -vs- `spectre-meltdown-checker.sh`.

I would think that `lscpu` and `cat /sys/devices/system/cpu/vulnerabilities` will be as up-to-date as your kernel

I do see that spectre-meltdown-checker.sh v0.45 code was released 2022, Mar 27 ... reasonably up-to-date but does it know about the latest vulnerabilities ( ??? mmio and retbleeed ??? ) ?

But then-again, I don't see the retbleed=off Kernel CommandLine Option among the mitigations= section ... while there is a section specific to retbleed ...( edit: Thank you for the head's up, avian )

-- kjh

Code:

mitigations=
            [X86,PPC,S390,ARM64] Control optional mitigations for
            CPU vulnerabilities.  This is a set of curated,
            arch-independent options, each of which is an
            aggregation of existing arch-specific options.

            off
                    Disable all optional CPU mitigations.  This
                    improves system performance, but it may also
                    expose users to several CPU vulnerabilities.
                    Equivalent to: nopti [X86,PPC]
                                   kpti=0 [ARM64]
                                   nospectre_v1 [X86,PPC]
                                   nobp=0 [S390]
                                   nospectre_v2 [X86,PPC,S390,ARM64]
                                   spectre_v2_user=off [X86]
                                   spec_store_bypass_disable=off [X86,PPC]
                                   ssbd=force-off [ARM64]
                                   l1tf=off [X86]
                                   mds=off [X86]
                                   tsx_async_abort=off [X86]
                                   kvm.nx_huge_pages=off [X86]
                                   srbds=off [X86,INTEL]
                                   no_entry_flush [PPC]
                                   no_uaccess_flush [PPC]
                                   mmio_stale_data=off [X86]

                    Exceptions:
                                   This does not have any effect on
                                   kvm.nx_huge_pages when
                                   kvm.nx_huge_pages=force.

            auto (default)
                    Mitigate all CPU vulnerabilities, but leave SMT
                    enabled, even if it's vulnerable.  This is for
                    users who don't want to be surprised by SMT
                    getting disabled across kernel upgrades, or who
                    have other ways of avoiding SMT-based attacks.
                    Equivalent to: (default behavior)

            auto,nosmt
                    Mitigate all CPU vulnerabilities, disabling SMT
                    if needed.  This is for users who always want to
                    be fully mitigated, even if it means losing SMT.
                    Equivalent to: l1tf=flush,nosmt [X86]
                                   mds=full,nosmt [X86]
                                   tsx_async_abort=full,nosmt [X86]
                                   mmio_stale_data=full,nosmt [X86]

This is the explicit entry for retbleed

Code:

retbleed=
            [X86] Control mitigation of RETBleed (Arbitrary
            Speculative Code Execution with Return Instructions)
            vulnerability.
  
            off          - no mitigation
            auto         - automatically select a migitation
            auto,nosmt   - automatically select a mitigation,
                           disabling SMT if necessary for
                           the full mitigation (only on Zen1
                           and older without STIBP).
            ibpb         - mitigate short speculation windows on
                           basic block boundaries too. Safe, highest
                           perf impact.
            unret        - force enable untrained return thunks,
                           only effective on AMD f15h-f17h
                           based systems.
            unret,nosmt  - like unret, will disable SMT when STIBP
                           is not available.
  
            Selecting 'auto' will choose a mitigation method at run
            time according to the CPU.
  
            Not specifying this option is equivalent to retbleed=auto.

cwizardone · 07-31-2022, 04:25 PM

5.19.0
The newest Stable kernel, version 5.19.0, has been released.

The tarball, https://git.kernel.org/pub/scm/linux...ux-5.19.tar.gz

Mr. Torvalds' announcement, https://lkml.iu.edu/hypermail/linux/...7.3/07437.html

There is some interesting arm64 news and then this,

Quote:

....Anyway, regardless of all that, this obviously means that the merge window (*) will open tomorrow. But please give this a good test run before you get all excited about a new development kernel.

Linus

(*) I'll likely call it 6.0 since I'm starting to worry about getting
confused by big numbers again.

cwizardone · 08-01-2022, 12:09 AM

FWIW, the new 5.19.0 kernel has been built and installed and running as it should on a first generation Zen CPU with a
Nvidia GPU using the nvidia-legacy470-driver-470.129.06_multilib-x86_64-1 (Sbo).
VirtualBox-6.1.36-152435-Linux_amd64 is working perfectly.

3rensho · 08-01-2022, 03:07 AM

5.19.0 built without problems taking default change values. Runs fine and Nvidia-515.57 built as well

marav · 08-01-2022, 03:37 AM

Quote:

Originally Posted by 3rensho

5.19.0 built without problems taking default change values. Runs fine and Nvidia-515.57 built as well

Ditto here

bathory · 08-01-2022, 07:17 AM

Quote:

Originally Posted by cwizardone

FWIW, the new 5.19.0 kernel has been built and installed and running as it should on a first generation Zen CPU with a
Nvidia GPU using the nvidia-legacy470-driver-470.129.06_multilib-x86_64-1 (Sbo).
VirtualBox-6.1.36-152435-Linux_amd64 is working perfectly.

FYI, I had to apply this patch because the nvidia-470.129.06 64bit module could not be compiled with the new 5.19 kernel.

cwizardone · 08-01-2022, 08:24 AM

Year 2022, Round 47.

Another batch of updates has been scheduled for release on Wednesday, 3 August 2022, at approximately 11:00 GMT. If no problems are found while testing the release candidates, they might be available sometime on Tuesday (depending on your time zone).

The details:

5.18.16-rc1, with 88 patches, https://lkml.iu.edu/hypermail/linux/...8.0/00517.html

5.15.59-rc1, with 69 patches, https://lkml.iu.edu/hypermail/linux/...8.0/00427.html

5.10.135-rc1, with 65 patches, https://lkml.iu.edu/hypermail/linux/...8.0/00386.html

5.4.209-rc1, with 34 patches, https://lkml.iu.edu/hypermail/linux/...8.0/00352.html

cwizardone · 08-01-2022, 09:06 AM

Quote:

Originally Posted by bathory

FYI, I had to apply this patch because the nvidia-470.129.06 64bit module could not be compiled with the new 5.19 kernel.

In the past I have always used the blob directly from Nvidia, but I got tired of waiting for them to update the 470 series and about ten or eleven days ago I downloaded this script from Slackbuild.org,
http://www.slackbuilds.org/repositor...acy470-driver/
By following the directions on that page, the driver built (after building and installing the Nvidia kernel) and has worked just fine. I did see what looked like numerous errors during the build process, but once installed, it, as I said, it has worked just fine. Of course, you have to rebuild both of them every time you change the Linux kernel.

cwizardone · 08-01-2022, 03:59 PM

The new 5.19.0 stable kernel has been added to -current.

Quote:

Mon Aug 1 19:55:53 UTC 2022
...........
a/kernel-generic-5.19.0-x86_64-1.txz: Upgraded.
a/kernel-huge-5.19.0-x86_64-1.txz: Upgraded.
a/kernel-modules-5.19.0-x86_64-1.txz: Upgraded.
...........
d/kernel-headers-5.19.0-x86-1.txz: Upgraded.
...........
k/kernel-source-5.19.0-noarch-1.txz: Upgraded.
...........

http://slackware.oregonstate.edu/sla.../ChangeLog.txt

http://slackware.oregonstate.edu/sla...t/slackware64/

garpu · 08-01-2022, 05:49 PM

OK, having problems booting 5.19 on current (new kernel today). elilo, huge kernel, not using an initrd. No error message or panic that I could see, just got the "done" message, then it popped me back to BIOS. (I'm using uefi.) runlevel 3

Here's my boot params:

Code:

image=vmlinuz-huge-5.19.0
label=5.19.0
read-only
append="root=/dev/sda2 vga=normal ro pti=off rcu_nocbs=0-11 threadirqs preempt=full"

Chuck56 · 08-01-2022, 06:35 PM

Quote:

Originally Posted by garpu

OK, having problems booting 5.19 on current (new kernel today). elilo, huge kernel, not using an initrd. No error message or panic that I could see, just got the "done" message, then it popped me back to BIOS. (I'm using uefi.) runlevel 3

Here's my boot params:

Code:

image=vmlinuz-huge-5.19.0
label=5.19.0
read-only
append="root=/dev/sda2 vga=normal ro pti=off rcu_nocbs=0-11 threadirqs preempt=full"

ELILO problems on -current here too! I can still boot 5.18.15 with ELILO but not 5.19.0. Just reboots when it should load the initrd. I use mkinitrd.conf to generate the initrd.

GRUB boots 5.19.0 like a champ on the same machine. Odd for sure!

Here's my elilo.conf:

Code:

prompt
timeout=50
default=Gen5.19.0
image=vmlinuz-generic-5.18.15
  label=Gen5.18.15
  initrd=initrd-5.18.15.gz
  append="root=/dev/sda2 resume=/dev/mapper/desktop-swap fbcon=font:VGA8x16"
  read-only
image=vmlinuz-generic-5.19.0
  label=Gen5.19.0
  initrd=initrd-5.19.0.gz
  append="root=/dev/sda2 resume=/dev/mapper/desktop-swap fbcon=font:VGA8x16"
  read-only

Didier Spaier · 08-01-2022, 06:36 PM

Quote:

Originally Posted by garpu

OK, having problems booting 5.19 on current (new kernel today). elilo, huge kernel, not using an initrd. No error message or panic that I could see, just got the "done" message, then it popped me back to BIOS. (I'm using uefi.) runlevel 3

Already reported.