Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Vulnérabilités CPU : que faire de bien ?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index French
View previous topic :: View next topic  
Author Message
pti-rem
Guru
Guru


Joined: 14 Oct 2011
Posts: 489

PostPosted: Tue Mar 23, 2021 10:50 am    Post subject: Vulnérabilités CPU : que faire de bien ? Reply with quote

Bonjour,

Je constate que ma machine est vulnérable pour certaines failles du CPU :

Code:
rem@n73sm ~ $ uname -r
4.19.97-gentoo
rem@n73sm ~ $ lscpu | grep -e CPU -e Vulnerability
Nom de modèle :                         Intel(R) Core(TM) i7-2670QM CPU @ 2.20GHz
Vulnerability Itlb multihit:            KVM: Mitigation: Split huge pages
Vulnerability L1tf:                     Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:                      Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerability Meltdown:                 Mitigation; PTI
Vulnerability Spec store bypass:        Vulnerable
Vulnerability Spectre v1:               Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:               Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Tsx async abort:          Not affected
rem@n73sm ~ $

Code:
rem@n73sm ~ $ cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
rem@n73sm ~ $

Est-ce que je peux faire quelque chose pour améliorer cette situation ?

J'ai lu rapidement https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
et je me demande si c'est une bonne chose de désactiver SMT avec l'option d'amorçage mds=full,nosmt ?

Je n'ai rien lu encore sur Spec store bypass.

Merci
Back to top
View user's profile Send private message
xaviermiller
Bodhisattva
Bodhisattva


Joined: 23 Jul 2004
Posts: 8722
Location: ~Brussels - Belgique

PostPosted: Tue Mar 23, 2021 11:02 am    Post subject: Reply with quote

Bonjour,

As-tu intégré le microcode à jour dans ton noyau ?
voir https://wiki.gentoo.org/wiki/Intel-microcode

Ensuite, relance le test pour voir si toutes les failles ont été corrigées.
_________________
Kind regards,
Xavier Miller
Back to top
View user's profile Send private message
pti-rem
Guru
Guru


Joined: 14 Oct 2011
Posts: 489

PostPosted: Tue Mar 23, 2021 11:39 am    Post subject: Reply with quote

Les options du noyau étaient bien mises pour sys-firmware/intel-microcode

Code:
rem@n73sm ~ $ zcat /proc/config.gz | grep -e CONFIG_BLK_DEV_INITRD -e CONFIG_MICROCODE -e CONFIG_MICROCODE_INTEL
CONFIG_BLK_DEV_INITRD=y
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
CONFIG_MICROCODE_OLD_INTERFACE=y
rem@n73sm ~ $

Je n'avais pas mis le drapeau initramfs pour sys-firmware/intel-microcode
Le microcode /boot/intel-uc.img a été automatiquement détecté lors de l'exécution de grub-mkconfig

Code:
rem@n73sm ~ $ dmesg | head -n 1
[    0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-02-17
rem@n73sm ~ $ lscpu | grep Vulnerability
Vulnerability Itlb multihit:            KVM: Mitigation: Split huge pages
Vulnerability L1tf:                     Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:                      Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:                 Mitigation; PTI
Vulnerability Spec store bypass:        Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:               Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:               Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Tsx async abort:          Not affected
rem@n73sm ~ $

Code:
rem@n73sm ~ $ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable
rem@n73sm ~ $

J'ai bien envie de désactiver SMT !
Ça va ralentir la machine ?

Merci Xavier :-)
Back to top
View user's profile Send private message
pti-rem
Guru
Guru


Joined: 14 Oct 2011
Posts: 489

PostPosted: Tue Mar 23, 2021 11:54 am    Post subject: Reply with quote

Code:
rem@n73sm ~ $ dmesg | head -n 3
[    0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-02-17
[    0.000000] Linux version 4.19.97-gentoo (root@n73sm) (gcc version 9.2.0 (Gentoo 9.2.0-r2 p3)) #2 SMP Mon Feb 3 07:13:03 CET 2020
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.97-gentoo root=UUID=b56ef48b-982a-499d-b02d-4442ac784b8a ro acpi_osi=Linux mds=full,nosmt quiet
rem@n73sm ~ $

Code:
rem@n73sm ~ $ lscpu | grep Vulnerability
Vulnerability Itlb multihit:            KVM: Mitigation: Split huge pages
Vulnerability L1tf:                     Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled
Vulnerability Mds:                      Mitigation; Clear CPU buffers; SMT disabled
Vulnerability Meltdown:                 Mitigation; PTI
Vulnerability Spec store bypass:        Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:               Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:               Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, RSB filling
Vulnerability Tsx async abort:          Not affected
rem@n73sm ~ $

Code:
rem@n73sm ~ $ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT disabled
rem@n73sm ~ $

Je verrai bien à l'usage.
Je me sens plus détendu tout d'un coup !
Comment j'ai pu passer à côté de ça, depuis le temps...
Back to top
View user's profile Send private message
Skwal
Apprentice
Apprentice


Joined: 07 Jun 2019
Posts: 154

PostPosted: Mon Mar 29, 2021 1:33 pm    Post subject: Reply with quote

Bonjour,

Merci pti-rem ! :mrgreen:
Suite à ton message je découvre le microcode, je ne m'y était pas spécialement intérresssé, et suis en train de le mettre en place.
Ca pourrait expliquer et réparer certains problèmes:

Code:
╰─ lscpu | grep -e CPU -e Vulnerability                                                                             
Nom de modèle :                         Intel(R) Core(TM) i5-6400T CPU @ 2.20GHz
Vulnerability Itlb multihit:            Processor vulnerable
Vulnerability L1tf:                     Mitigation; PTE Inversion
Vulnerability Mds:                      Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Vulnerability Meltdown:                 Mitigation; PTI
Vulnerability Spec store bypass:        Vulnerable
Vulnerability Spectre v1:               Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:               Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds:                    Vulnerable: No microcode
Vulnerability Tsx async abort:          Not affected




Cordialement, Skwal.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index French All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum