search for: ibr

...ore CPU. I note that when I run the redhat script to test for spectre & meltdown I get this result for variant 2: Variant #2 (Spectre): Vulnerable CVE-2017-5715 - speculative execution branch target injection - Kernel with mitigation patches: OK - HW support / updated microcode: NO - IBRS: Not disabled on kernel commandline - IBPB: Not disabled on kernel commandline and when I run the one from github I get this: CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' * Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)...

...eproduce libvirt bug. The strange thing is that after playing with the XML generated by virt-manager, using [x] Copy host CPU configuration Creating this XML: <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>Skylake-Client-IBRS</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='pdcm'/> <feature policy='require' name='...

...e the thread at > https://lkml.org/lkml/2018/2/4/147 I'm strongly of the opinion that I think Arjan expressed: - retpoline alone is probably fine with sufficient RSB stuffing patches in the kernel - if some folks are worried about the security risk here and running on SKX, they should use IBRS. Given the speed of IBRS on SKX and the complexity & runtime hit of thunking ret, I really don't see a good motivation for us teaching the compiler how to do this. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/...

Hi, According to virsh capabilities I only have the following cpu features: <cpu> <arch>x86_64</arch> <model>IvyBridge-IBRS</model> <vendor>Intel</vendor> <microcode version='32'/> <topology sockets='1' cores='4' threads='1'/> <feature name='ds'/> <feature name='acpi'/> <feature name='ss&...

On Wed, 2018-02-07 at 00:36 +0000, Chandler Carruth wrote: > > > > That would be __x86_indirect_thunk but the kernel doesn't use it. > > We use -mindirect-branch-register and only ever expect the compiler > > to use the register versions which are CET-compatible. > > > > However, in at least one case in the 32-bit kernel we do emit the > > old

...edhat script to test for spectre & meltdown > I get this result for variant 2: > > Variant #2 (Spectre): Vulnerable > CVE-2017-5715 - speculative execution branch target injection > - Kernel with mitigation patches: OK > - HW support / updated microcode: NO > - IBRS: Not disabled on kernel commandline > - IBPB: Not disabled on kernel commandline > > > and when I run the one from github I get this: > > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' > * Mitigated according to the /sys interface: NO (kernel...

.../lkml/2018/2/4/147 > > > I'm strongly of the opinion that I think Arjan expressed: > > - retpoline alone is probably fine with sufficient RSB stuffing patches in > the kernel > - if some folks are worried about the security risk here and running on > SKX, they should use IBRS. > > Given the speed of IBRS on SKX and the complexity & runtime hit of > thunking ret, I really don't see a good motivation for us teaching the > compiler how to do this. > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm...

...> >> I'm strongly of the opinion that I think Arjan expressed: >> >> - retpoline alone is probably fine with sufficient RSB stuffing patches >> in the kernel >> - if some folks are worried about the security risk here and running on >> SKX, they should use IBRS. >> >> Given the speed of IBRS on SKX and the complexity & runtime hit of >> thunking ret, I really don't see a good motivation for us teaching the >> compiler how to do this. >> > -------------- next part -------------- An HTML attachment was scrubbed... U...

Hello, Peter and others! there are some issues regarding the tftp-hpa server: 1. Running as Windows service seems to require that the application does not detach (otherwise "net start" says smth. like "could not start, the service didn't report any errors"). The attached patch adds the option "-n", which can be used to have tftpd run in foreground.

...e4_1 sse4_2 popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm fsgsbase erms xsaveopt dtherm ida arat pln pts bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds You will note that there is a lack of flags for ssbd, spec_ctrl, intel_stibp, flush_l1d, ibrs, etc. # for i in /sys/devices/system/cpu/vulnerabilities/* ; do echo -n "$i : "; cat $i ; done /sys/devices/system/cpu/vulnerabilities/l1tf : Mitigation: PTE Inversion /sys/devices/system/cpu/vulnerabilities/mds : Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unk...

...with libvirt using qemu+kvm, however I observed that <cpu mode='host-model'> is not exposing avx and avx2 instruction set to the guest Linux instance. Google Cloud platform claims the CPU model of the host compute instance is Broadwell, however libvirt capabilities maps it to Westmere-IBRS and it has avx and avx2 features, yet host-model is not exposing those. As a workaround, I am using <cpu mode='host-passthrough'>, but I would like to know what is going wrong here? I can also share the output of cpuid of the host system, if that helps. I am not sure whether it...

...FIG_RETPOLINE=y but not supported by the compiler. Compiler update recomended. Stop." I tried using scl gcc7 and 8 but get the same issue. I checked that retpoline is related to Spectre but checking on centos with: cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 I get: Mitigation: IBRS (kernel), IBPB and RETPOLINE seems disabled (I'm wrong?). I ridden in a blog post that I can disable this check commenting out some lines starting from N. 166 of arch/Makefile but I don't think this is the best approach. At this point I can't understand what means the previous err...

...m for crashing) , but saw variant 2 Spectre mitigation with the 20180108 microcode, will lose full mitigation until Intel gets its ducks into a row. *eye roll* > Linus Torvalds agrees: > http://tcrn.ch/2n2mEcA His comments aren't about microcode though. And it also looks like he got IBRS and IBPB confused. The better post on this front is https://lkml.org/lkml/2018/1/22/598 As far as I know, there still is no mitigation for Spectre variant 1. -- Chris Murphy _______________________________________________ CentOS mailing list CentOS at centos.org https://lists.centos.org/mail...

Hi list, in virt-manager ver. 2.2.1 (fully upgraded CentOS 8.1), the CPU model list only shows ancient CPU (the most recent is Nehalem-IBRS). On the other hand, in virt-manager 1.5.x (fully upgraded CentOS 7.8) we have a rich selection of CPU (as recent as Icelake). Why was the list in newer virt-manager so much trimmed? Is it possible to enlarge it? Thanks. -- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it [1]...

Does anyone know if Red Hat are working on backporting improved mitigation techniques and features from newer, 4.14.14+ kernels? $ grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

..." >> >> I tried using scl gcc7 and 8 but get the same issue. >> >> I checked that retpoline is related to Spectre but checking on centos with: >> >> cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 >> >> I get: >> >> Mitigation: IBRS (kernel), IBPB >> >> and RETPOLINE seems disabled (I'm wrong?). >> >> I ridden in a blog post that I can disable this check commenting out >> some lines starting from N. 166 of arch/Makefile but I don't think this >> is the best approach. >> >&g...

Hi Xiantao, Some more nit-picking, though some of this is a bit more important to fixup. Cheers, Jes > +typedef struct thash_data { Urgh! argh! Please avoid typedefs unless you really need them, see Chapter 5 of Documentation/CodingStyle for details. > diff --git a/include/asm-ia64/kvm_host.h b/include/asm-ia64/kvm_host.h > new file mode 100644 > index 0000000..522bde0 > ---

Hi Xiantao, Some more nit-picking, though some of this is a bit more important to fixup. Cheers, Jes > +typedef struct thash_data { Urgh! argh! Please avoid typedefs unless you really need them, see Chapter 5 of Documentation/CodingStyle for details. > diff --git a/include/asm-ia64/kvm_host.h b/include/asm-ia64/kvm_host.h > new file mode 100644 > index 0000000..522bde0 > ---

On 01/18/18 11:31, Matthew Miller wrote: > On Thu, Jan 18, 2018 at 11:01:18AM -0500, Pete Geenhuizen wrote: >> Do we update the microcode now or do we wait until the latest >> microcode_ctl rpm is available and then tackle this issue? > Check with your hardware vendor for BIOS/EFI firmware updates. Apply > those. > > > Thanks for the reply, but you missed what I was

...y VM config look reasonable for the latest releases of windows? Are there features I should be using that will help performance? > 2. Why does the hypervclock timer make so much performance difference in windows VMs? > 3. Does my virtualized CPU model make sense? I defined Haswell-noTSX-IBRS and libvirt added the features. > 4. Which kernel branch offers the best stability and performance? > 5. Are there performance gains in using UEFI booting the windows guest and defining ?<blockio logical_block_size='4096' physical_block_size='4096'/>?? Perhaps bett...