View previous topic :: View next topic |
Author |
Message |
Atha Apprentice
Joined: 22 Sep 2004 Posts: 240
|
Posted: Wed Jul 31, 2019 5:38 pm Post subject: CPU Vulnerabilities PowerPC (Spectre, Meltdown, ...) |
|
|
Is this for real? I just booted a Gentoo installation media (autobuild, 2019-07-25) to get Gentoo on my PowerMac7,2. I noticed it is vulnerable to Spectre, which I know, and Meltdown, which I didn't know:
Code: | # grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable |
How is this possible? I thought that Meltdown was Intel-only while Spectre was more common for a lot of out-of-order-executing processors using speculative execution. And there are a lot of Spectre variants out there, all of them vulnerable to side channel attacks, like l1tf and mds, even when they aren't named "Spectre" also. But Meltdown is a different story, it's a cache based unclean parallel execution.
Also, is it a good idea to take some extra precautions due to Spectre being unfixed in firmware and add extra protection by specifying restrictive CFLAGS and LDFLAGS? The performance panelty would be there, and it may not be worth it. |
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20521
|
Posted: Wed Jul 31, 2019 7:21 pm Post subject: |
|
|
To answer the first part, short answer seems yes (emphasis added): https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
Quote: | Consistent with previously announced end of service, IBM will not be releasing patches for POWER4, POWER5, POWER6 systems and recommends migrating to a more current generation of POWER technology. We are committed to helping our clients address these vulnerabilities and have introduced an offer for pre-POWER7 clients to upgrade their security profile and protect against Spectre and Meltdown through the purchase of POWER8 or POWER9 systems and available migration services, security support, and financing offers. |
For the second part, I'd implement any measures possible and then assess the performance impact. The risks will likely depend on how the system is used. _________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
Atha Apprentice
Joined: 22 Sep 2004 Posts: 240
|
Posted: Wed Jul 31, 2019 10:01 pm Post subject: |
|
|
Thanks very much! The PowerPC isn't mentioned with Meltdown on most pages, so I totally overlooked this (e.g.here [highly recommended read]).
As for the CFLAGS, now COMMON_FLAGS in make.conf, would this be something like this?:
Code: | COMMON_FLAGS="-mcpu=970 -O2 -maltivec -mabi=altivec -pipe -mindirect-branch=thunk -fstack-protector-strong -fstack-check=specific -mindirect-branch=thunk -fno-plt -mfunction-return=thunk" |
And how about LD_FLAGS?
Code: | LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=both -Wl,-z,-relro -Wl,-znow -fstack-protector-strong -fstack-check=specific -mindirect-branch=thunk -fno-plt -mfunction-return=thunk" |
I'm really not an expert. I use these settings on my Ryzen amd64 machine. On the PowerMac G5 I'd go with non-PIE/non-PIC to get the additional assembler optimizations for speed (where they are available).
Is no-plt a good idea?
BTW, those are all disabled optimizations and protections agains Spectre, not Meltdown. I've not yet seen compiler flags that would help a little to mitigate Meltdown.
[Update]
The above C*FLAGS fail early in ./configure of the packages with this line:
Code: | checking for C compiler default output... configure: error: C compiler cannot create executables |
Looks like PPC64 doesn't support all of those addtional flags...
[Update #2]
This is what I've come up with, works so far, for /etc/portage/make.conf:
Code: |
COMMON_FLAGS="-O2 -pipe"
COMMON_ARCH_FLAGS="-mcpu=970 -maltivec -mabi=altivec"
#COMMON_MITIGATION_FLAGS="-fstack-protector-strong -fstack-check=specific -fno-plt -mindirect-branch=thunk -mfunction-return=thunk"
COMMON_MITIGATION_FLAGS="-fno-plt -fstack-protector-strong -fstack-check=specific"
CFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
CXXFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
FCFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
FFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=both -Wl,-z,-relro -Wl,-znow ${COMMON_MITIGATION_FLAGS}"
|
[Update #3]
I'm seeing /usr/lib/gcc/powerpc64-unknown-linux-gnu/8.3.0/../../../../powerpc64-unknown-linux-gnu/bin/ld: warning: -z -relro ignored, so I guess it has to be:
Code: | LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=both -Wl,-znow ${COMMON_MITIGATION_FLAGS}" |
|
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20521
|
Posted: Thu Aug 01, 2019 1:05 am Post subject: |
|
|
I generally stick with "safe" settings (CFLAGS="-O2 -pipe"). So, if it were me, I'd enable something like that and then the security features.
I'm not overly familiar with the specific flags, but there were some threads that covered mitigations, including kernel settings. I didn't go directly to gcc for details, so I'm not sure how well deliniated the mitigations are per architecture. _________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
Atha Apprentice
Joined: 22 Sep 2004 Posts: 240
|
Posted: Thu Aug 01, 2019 9:36 am Post subject: |
|
|
Thanks. Yes, the safe "-O2 -pipe" are the best. My starting point was Safe CFLAGS in the Gentoo Wiki.
Interesting, the G4 7400 has "-fno-strict-aliasing" listed as safe CFLAGS...
Anyhow, if someone really knows their way around GCC, I'd be happy to see a page in the Wiki for that as well. Otherwise we all would have to either stick to the defaults and let the GCC developers figure it out for us, or we have to tweak the FLAGS ourselves, with the possibility that we do more harm than good because we don't fully understand what we're doing anyhow. I also think that, if the GCC devs incorporated mitigations already, that manually specifying them for older GCC versions would be a good idea, especially and specifically for Gentoo users who have the means (and the need) to compile their distro themselves. _________________ Think for yourself and let others enjoy the privilege of doing so too. – Voltaire |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|