On Thursday, 18 July 2019 13:33:36 BST Corbin wrote:
> On 7/17/19 3:51 PM, Ian Zimmerman wrote:
> > pti=0 ibrs=0 ibpb=1 retp=1 -> fix variant #1 #2 if the microcode
> > update is applied pti=0 ibrs=2 ibpb=1 retp=1 -> fix variant #1 #2 on
> > older processors that can disable indirect branch prediction without
> > microcode updates
> >
> > Note: A microcode patch provided by the vendor must be applied in
> > order for the tunables to be visible.
> >
> > which of course is self-contradictory, so not a full answer but maybe a
> > clue.

I did read this but wasn't sure what to deduce from it. I took it to mean
earlier CPUs won't receive a microcode patch, but will still have spectre
mitigated, presumably using a different method. Later CPUs will receive a
patch. My AMD APUs are later fam15h models and if the above is to be believed
they probably ought to have received a patch - but none is observable. :-/

Then I thought the note in the RHL article may need to be taken literally, to
mean a microcode patch will just make tunables *visible*, rather than present.

> > Are those settings meant to go on a boot command line?
>
> As for what Red Hat / Fedora is doing, no idea.
>
> The parameters I used came from the kernel documentation.
>
>
> Corbin

According to kernel-4.19.57 docs at least, all CPU vulnerabilities and spectre
related mitigations are automatically switched on, without the need to specify
anything on the kernel line. In addition, the selection of individual
spectre_v2 mitigation methods is determined dynamically "... at run time
according to the CPU, the available microcode, the setting of the
CONFIG_RETPOLINE configuration option, and the compiler with which the kernel
was built."

Anyway, selecting 'spectre_v2=on' "... will also enable the mitigation against
user space to user space task attacks", so this is a useful option to use.

Regarding ibpb not being displayed under my /sys fs the docs say:

    Default mitigation:
    If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"

Therefore, I am not sure if ibpb is meant to show up unless it has been
specified on the kernel line as a spectre_v2_user mitigation method.

-- 
Regards,

Mick
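As an added illustration, not part of the thread above, here is a small parser for the `spectre_v2` line the kernel exposes under `/sys/devices/system/cpu/vulnerabilities/`, which is where the IBPB status Mick is looking for is reported. The sample lines are constructed to resemble 4.19-era output; with the default `prctl`/`seccomp` user-space mitigation the kernel reports IBPB as `conditional` rather than omitting it, and `always-on` only when `spectre_v2_user=on` is set.

```python
"""Parse the kernel's spectre_v2 sysfs status line (added example, not from the thread)."""

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample lines in the "Mitigation: ..." form of 4.19-era kernels.
SAMPLE_AMD_DEFAULT = ("Mitigation: Full AMD retpoline, IBPB: conditional, "
                      "STIBP: disabled, RSB filling")
SAMPLE_USER_ON = ("Mitigation: Full generic retpoline, IBPB: always-on, "
                  "STIBP: forced, RSB filling")
SAMPLE_VULNERABLE = "Vulnerable"


def parse_spectre_v2(line):
    """Split a spectre_v2 line into its status, primary mitigation and feature fields."""
    status, _, rest = line.strip().partition(":")
    result = {"status": status.strip(), "primary": None, "features": {}}
    if result["status"] != "Mitigation":
        # "Vulnerable" or "Not affected": nothing more to parse.
        return result
    parts = [p.strip() for p in rest.split(",") if p.strip()]
    result["primary"] = parts[0]          # e.g. "Full AMD retpoline"
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        # Fields without a value (e.g. "RSB filling") are simply present.
        result["features"][key.strip()] = value.strip() if sep else "enabled"
    return result


def ibpb_reported(line):
    """True when the kernel reports IBPB in use, either conditionally or always."""
    return parse_spectre_v2(line)["features"].get("IBPB") in ("conditional", "always-on")


def read_live_status(path=SYSFS_PATH):
    """Return the running kernel's line, or None where sysfs is unavailable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    live = read_live_status()
    for label, line in (("amd-default", SAMPLE_AMD_DEFAULT),
                        ("user-on", SAMPLE_USER_ON),
                        ("live", live or SAMPLE_VULNERABLE)):
        print(label, parse_spectre_v2(line), "ibpb:", ibpb_reported(line))
```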