SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Check it out ( re AMD is no longer 'guilty until proven innocent' ) !
-- kjh
From the 4.4.113 ChangeLog
Code:
<<snip>>--------------------------------------------------------------------
commit 6b1c99e275c034e4650044a7bb1a0bc274e1eb45
Author: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue Dec 26 23:43:54 2017 -0600
x86/cpu, x86/pti: Do not enable PTI on AMD processors
commit 694d99d40972f12e59a3696effee8a376b79d7c8 upstream.
AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.
<<snip>>--------------------------------------------------------------------
In case you are unaware, AMD cpus are vulnerable to spectre which are associated with the retpoline patches. They are not vulnerable to meltdown which are the PTI patches that commit talks about. Intel is vulnerable to both.
Check it out ( re AMD is no longer 'guilty until proven innocent' ) !
-- kjh
From the 4.4.113 ChangeLog
Code:
<<snip>>--------------------------------------------------------------------
commit 6b1c99e275c034e4650044a7bb1a0bc274e1eb45
Author: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue Dec 26 23:43:54 2017 -0600
x86/cpu, x86/pti: Do not enable PTI on AMD processors
commit 694d99d40972f12e59a3696effee8a376b79d7c8 upstream.
AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.
<<snip>>--------------------------------------------------------------------
This was actually included in 4.14.12 (4.14.11 was the initial kernel with PTI), but I guess it may have taken a bit for them to backport it to the 4.4 series. But as orbea mentioned, PTI is only used to mitigate against Meltdown, which AMD is not susceptible to. However, PTI can also be used to prevent KASLR bypass, which means AMD would be vulnerable to that (but AFAIK, this is not a hardware bug, but software related and I assume they're looking for a fix that won't be as performance hurting as PTI is).
Just compiled 4.4.113 on current with gcc-7.3, CONFIG_RETPOLINE=y and installed it on 14.2. No problems so far.
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
Just compiled 4.4.113 on current with gcc-7.3, CONFIG_RETPOLINE=y and installed it on 14.2. No problems so far.
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
This was actually included in 4.14.12 (4.14.11 was the initial kernel with PTI), but I guess it may have taken a bit for them to backport it to the 4.4 series. But as orbea mentioned, PTI is only used to mitigate against Meltdown, which AMD is not susceptible to. However, PTI can also be used to prevent KASLR bypass, which means AMD would be vulnerable to that (but AFAIK, this is not a hardware bug, but software related and I assume they're looking for a fix that won't be as performance hurting as PTI is).
your wrong. prove me right. your wrong. did my home work now read read code.
You do realize that I was not responding to you, right? So I don't know how I am supposed to prove you right since I wasn't saying you were wrong about anything (at least with that post... I don't remember what we were discussing previously -- and if that's what you're referencing, you really should quote that so we have a reference). The burden should be on you to explain why I am wrong. I'm all for people correcting my mistakes so myself and others can learn. But if you just say I'm wrong without any indication on what I'm wrong about and what is actually correct, it doesn't help anyone. Please provide the forum with your knowledge so we can all benefit.
After a release cycle that was unusual in so many (bad) ways, this
last week was really pleasant. Quiet and small, and no last-minute
panics, just small fixes for various issues. I never got a feeling
that I'd need to extend things by yet another week, and 4.15 looks
fine to me.
Half the changes in the last week were misc driver stuff (gpu, input,
networking) with the other half being a mix of networking, core kernel
and arch updates (mainly x86). But all of it is tiny.
So at least we had one good week. This obviously was not a pleasant
release cycle, with the whole meltdown/spectre thing coming in in the
middle of the cycle and not really gelling with our normal release
cycle. The extra two weeks were obviously mainly due to that whole
timing issue.
Also, it is worth pointing out that it's not like we're "done" with
spectre/meltdown. There is more work pending (arm, spectre-v1, misc
details), and perhaps equally importantly, to actually get the biggest
fix for the indirect branch mitigations, you need not just the kernel
updates, you need to have a compiler with support for the "retpoline"
indirect branch model.
and if you don't have a compiler that supports the retpoline
mitigations, you'll get:
Vulnerable: Minimal generic ASM retpoline
because only the assembly code (not the C code) will have the
retpoline mitigation. So keep that in mind.
Anyway, while spectre/meltdown has obviously been the big news this
release cycle, it's worth noting that we obviously had all the
*normal* updates going on too, and the work everywhere else didn't
just magically stop, even if some developers have been distracted by
CPU issues. In the *big* picture, 4.15 looks perfectly normal, with
two thirds of the full 4.15 patch being about drivers, and even the
arch updates are dominated by the arm DTS diffs, not by CPU bug
mitigation.
So the news cycle notwithstanding, the bulk of the 4.15 work is all
the regular plodding "boring" stuff. And I mean that in the best
possible way. It may not be glamorous and get the headlines, but it's
the bread and butter of kernel development, and is in many ways the
really important stuff.
Go forth and play with it, things actually look pretty good despite everything.
And obviously this also means that the merge window for 4.16 is open.
I already have a number of pull requests pending that I will start
merging tomorrow. Hopefully we'll have a _normal_ and entirely boring
release cycle for 4.16. Because boring really is good.
Linus
---
Last edited by cwizardone; 01-28-2018 at 05:04 PM.
Distribution: Slackware64-current with "True Multilib" and KDE4Town.
Posts: 9,109
Original Poster
Rep:
About an hour ago I installed the DUSK* 4.15.0 kernel from Board Member 55020.
Other than having to update to the latest version of VirtualBox, it has been running perfectly. I've ran every application I use daily, and a few others, and there hasn't been a single problem.
This has been a much better experience than the first release of 4.14.
(YMMV)
About an hour ago I installed the DUSK* 4.15.0 kernel from Board Member 55020.
Other than having to update to the latest version of VirtualBox, it has been running perfectly. I've ran every application I use daily, and a few others, and there hasn't been a single problem.
This has been a much better experience than the first release of 4.14.
(YMMV)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
