search for: ibpb

...ript to test for spectre & meltdown I get this result for variant 2: Variant #2 (Spectre): Vulnerable CVE-2017-5715 - speculative execution branch target injection - Kernel with mitigation patches: OK - HW support / updated microcode: NO - IBRS: Not disabled on kernel commandline - IBPB: Not disabled on kernel commandline and when I run the one from github I get this: CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' * Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable) * Mitigation 1 * Kernel is compiled with IBRS...

...I get this result for variant 2: > > Variant #2 (Spectre): Vulnerable > CVE-2017-5715 - speculative execution branch target injection > - Kernel with mitigation patches: OK > - HW support / updated microcode: NO > - IBRS: Not disabled on kernel commandline > - IBPB: Not disabled on kernel commandline > > > and when I run the one from github I get this: > > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' > * Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable) > * Mitigation...

...<feature policy="require" name="ssbd"/> > > <feature policy="require" name="xsaves"/> > > <feature policy="require" name="pdpe1gb"/> > > <feature policy="require" name="ibpb"/> > > <feature policy="require" name="amd-ssbd"/> > > <feature policy="require" name="skip-l1dfl-vmentry"/> > > <feature policy="require" name="mpx"/> > > </cpu > >...

v2: https://www.redhat.com/archives/libguestfs/2018-December/msg00039.html v2 -> v3: - Fix all the issues raised in Eric's review. - Precompute some numbers to make the calculations easier. - Calculations now use bitshifts and masks in preference to division and modulo. - Clear existing bits before setting (which fixes a bug in the cache filter). Rich.

...but not supported by the compiler. Compiler update recomended. Stop." I tried using scl gcc7 and 8 but get the same issue. I checked that retpoline is related to Spectre but checking on centos with: cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 I get: Mitigation: IBRS (kernel), IBPB and RETPOLINE seems disabled (I'm wrong?). I ridden in a blog post that I can disable this check commenting out some lines starting from N. 166 of arch/Makefile but I don't think this is the best approach. At this point I can't understand what means the previous error and why I ge...

...shing) , but saw variant 2 Spectre mitigation with the 20180108 microcode, will lose full mitigation until Intel gets its ducks into a row. *eye roll* > Linus Torvalds agrees: > http://tcrn.ch/2n2mEcA His comments aren't about microcode though. And it also looks like he got IBRS and IBPB confused. The better post on this front is https://lkml.org/lkml/2018/1/22/598 As far as I know, there still is no mitigation for Spectre variant 1. -- Chris Murphy _______________________________________________ CentOS mailing list CentOS at centos.org https://lists.centos.org/mailman/listin...

Does anyone know if Red Hat are working on backporting improved mitigation techniques and features from newer, 4.14.14+ kernels? $ grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

...tile ("call __x86_indirect_thunk_%V[thunk_target]" : : > [thunk_target] "r" (the_function)); > > Other than that, I get the following errors with LLVM+Clang master, and > my tree at > http://git.infradead.org/users/dwmw2/linux-retpoline.git/shortlog/refs/heads/ibpb > I tried ToT clang with Linux upstream as well as chromeos-4.14, with 'defconfig'. I don't see any errors when building x86_64. Lots and lots of warnings, though. When trying to build for ARCH=i386, I get arch/x86/events/intel/../perf_event.h:767:21: error: invalid output size...

...>> I tried using scl gcc7 and 8 but get the same issue. >> >> I checked that retpoline is related to Spectre but checking on centos with: >> >> cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 >> >> I get: >> >> Mitigation: IBRS (kernel), IBPB >> >> and RETPOLINE seems disabled (I'm wrong?). >> >> I ridden in a blog post that I can disable this check commenting out >> some lines starting from N. 166 of arch/Makefile but I don't think this >> is the best approach. >> >> At this point...

...e syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm ida arat pln pts flush_l1d bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf This results on my cpu being detected, if I allow host copy, as AMD chip and the guest becomes unbearably slow. The mode...

...33..80fd5e4 100644 --- a/common/bitmap/bitmap.h +++ b/common/bitmap/bitmap.h @@ -165,4 +165,10 @@ bitmap_set (const struct bitmap *bm, uint64_t offset, unsigned v) #define bitmap_for(bm, /* uint64_t */ blknum) \ for ((blknum) = 0; (blknum) < (bm)->size * (bm)->ibpb; ++(blknum)) +/* Find the next non-zero block in the bitmap, starting at ?blk?. + * Returns -1 if the bitmap is all zeroes from blk to the end of the + * bitmap. + */ +extern int64_t bitmap_next (const struct bitmap *bm, uint64_t blk); + #endif /* NBDKIT_BITMAP_H */ diff --git a/common/include/i...

...lude <stdint.h> +#include <assert.h> + +#include "ispowerof2.h" + +/* This is the bitmap structure. */ +struct bitmap { + unsigned blksize; /* Block size. */ + unsigned bpb; /* Bits per block (1, 2, 4, 8 only). */ + /* bpb = 1 << bitshift ibpb = 8/bpb + 1 0 8 + 2 1 4 + 4 2 2 + 8 3 1 + */ + unsigned bitshift, ibpb; + + uint8_t *bitmap; /* The bitmap. */ + size_t size; /* Size of bitmap in bytes. */ +}; + +static inline...

...direct_thunk_%V[thunk_target]" : : > > [thunk_target] "r" (the_function));  > > > > Other than that, I get the following errors with LLVM+Clang master, and > > my tree at > > http://git.infradead.org/users/dwmw2/linux-retpoline.git/shortlog/refs/heads/ibpb > > > I tried ToT clang with Linux upstream as well as chromeos-4.14, > with 'defconfig'. I don't see any errors when building x86_64. > Lots and lots of warnings, though. The defconfig doesn't build here either; it still includes the cpuidle bits which don't bu...

On 01/22/2018 10:06 AM, Valeri Galtsev wrote: > > > On 01/22/18 09:08, Johnny Hughes wrote: >> On 01/18/2018 09:42 AM, Valeri Galtsev wrote: >>> >>> >>> On 01/18/18 03:41, Pete Biggs wrote: >>>> >>>>> Look at: >>>>> >>>>> https://t.co/6fT61xgtGH >>>>> >>>>> Get the

...shing) , but saw variant 2 Spectre mitigation with the 20180108 microcode, will lose full mitigation until Intel gets its ducks into a row. *eye roll* > Linus Torvalds agrees: > http://tcrn.ch/2n2mEcA His comments aren't about microcode though. And it also looks like he got IBRS and IBPB confused. The better post on this front is https://lkml.org/lkml/2018/1/22/598 As far as I know, there still is no mitigation for Spectre variant 1. -- Chris Murphy

...te > recomended. Stop." > > I tried using scl gcc7 and 8 but get the same issue. > > I checked that retpoline is related to Spectre but checking on centos with: > > cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 > > I get: > > Mitigation: IBRS (kernel), IBPB > > and RETPOLINE seems disabled (I'm wrong?). > > I ridden in a blog post that I can disable this check commenting out > some lines starting from N. 166 of arch/Makefile but I don't think this > is the best approach. > > At this point I can't understand what mea...

...ut get the same issue. > >> > >> I checked that retpoline is related to Spectre but checking on centos with: > >> > >> cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 > >> > >> I get: > >> > >> Mitigation: IBRS (kernel), IBPB > >> > >> and RETPOLINE seems disabled (I'm wrong?). > >> > >> I ridden in a blog post that I can disable this check commenting out > >> some lines starting from N. 166 of arch/Makefile but I don't think this > >> is the best approach. &...

...puid extd_apicid aperfmperf pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb hw_pstate sme ssbd sev ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 xsaves clzero irperf xsaveerptr arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif overflow_recov succor smca flags...

On Sat, Apr 08, 2023 at 11:25:18 +0200, lejeczek wrote: > Hi guys. > > I've have a guest and that guest differs from all other guest by: > > ? <os> > ??? <type arch='x86_64' machine='pc-q35-rhel9.0.0'>hvm</type> > ??? <loader readonly='yes' secure='yes' >

...?? <vmport state='off'/> ??? <smm state='on'/> ? </features> ? <cpu mode='custom' match='exact' check='partial'> ??? <model fallback='forbid'>EPYC-Rome</model> ??? <feature policy='require' name='ibpb'/> ??? <feature policy='require' name='ssbd'/> ??? <feature policy='require' name='virt-ssbd'/> ??? <feature policy='require' name='x2apic'/> ??? <feature policy='require' name='hypervisor'/> ??? &lt...