| 1 |
On Thursday, 18 July 2019 13:33:36 BST Corbin wrote: |
| 2 |
> On 7/17/19 3:51 PM, Ian Zimmerman wrote: |
| 3 |
> > pti=0 ibrs=0 ibpb=1 retp=1 -> fix variant #1 #2 if the microcode |
| 4 |
> > update is applied pti=0 ibrs=2 ibpb=1 retp=1 -> fix variant #1 #2 on |
| 5 |
> > older processors that can disable indirect branch prediction without |
| 6 |
> > microcode updates |
| 7 |
> > |
| 8 |
> > Note: A microcode patch provided by the vendor must be applied in |
| 9 |
> > order for the tunables to be visible.> |
| 10 |
> > which of course is self-contradictory, so not a full answer but maybe a |
| 11 |
> > clue. |
| 12 |
|
| 13 |
I did read this but wasn't sure what to deduce from it. I took it to mean |
| 14 |
earlier CPUs won't receive a microcode patch, but will still have spectre |
| 15 |
mitigated, presumably using a different method. Later CPUs will receive a |
| 16 |
patch. My AMD APUs are later fam15h models and if the above is to be believed |
| 17 |
they probably ought to have received a patch - but none is observable. :-/ |
| 18 |
|
| 19 |
Then I thought the note in the RHL article may need to be taken literally, to |
| 20 |
mean a microcode patch will just make tunables *visible*, rather than present. |
| 21 |
|
| 22 |
|
| 23 |
> > Are those settings meant to go on a boot command line? |
| 24 |
> |
| 25 |
> As for what Red Hat / Fedora is doing, no idea. |
| 26 |
> |
| 27 |
> The parameters I used came from the kernel documentation. |
| 28 |
> |
| 29 |
> |
| 30 |
> Corbin |
| 31 |
|
| 32 |
According to kernel-4.19.57 docs at least, all CPU vulnerabilities and spectre |
| 33 |
related mitigations are automatically switched on, without the need to specify |
| 34 |
anything on the kernel line. In addition, the selection of individual |
| 35 |
spectre_v2 mitigation methods is determined dynamically "... at run time |
| 36 |
according to the CPU, the available microcode, the setting of the |
| 37 |
CONFIG_RETPOLINE configuration option, and the compiler with which the kernel |
| 38 |
was built." |
| 39 |
|
| 40 |
Anyway, selecting 'spectre_v2=on' "... will also enable the mitigation against |
| 41 |
user space to user space task attacks", so this is a useful option to use. |
| 42 |
|
| 43 |
Regarding ibpb not being displayed under my /sys fs the docs say: |
| 44 |
|
| 45 |
Default mitigation: |
| 46 |
If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" |
| 47 |
|
| 48 |
Therefore, I am not sure if ibpb is meant to show up unless it has been |
| 49 |
specified on the kernel line as a spectre_v2_user mitigation method. |
| 50 |
|
| 51 |
-- |
| 52 |
Regards, |
| 53 |
|
| 54 |
Mick |
Archives