Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
CPU Vulnerabilities PowerPC (Spectre, Meltdown, ...)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo on PPC
View previous topic :: View next topic  
Author Message
Atha
Apprentice
Apprentice


Joined: 22 Sep 2004
Posts: 184

PostPosted: Wed Jul 31, 2019 5:38 pm    Post subject: CPU Vulnerabilities PowerPC (Spectre, Meltdown, ...) Reply with quote

Is this for real? I just booted a Gentoo installation media (autobuild, 2019-07-25) to get Gentoo on my PowerMac7,2. I noticed it is vulnerable to Spectre, which I know, and Meltdown, which I didn't know:

Code:
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable


How is this possible? I thought that Meltdown was Intel-only while Spectre was more common for a lot of out-of-order-executing processors using speculative execution. And there are a lot of Spectre variants out there, all of them vulnerable to side channel attacks, like l1tf and mds, even when they aren't named "Spectre" also. But Meltdown is a different story, it's a cache based unclean parallel execution.

Also, is it a good idea to take some extra precautions due to Spectre being unfixed in firmware and add extra protection by specifying restrictive CFLAGS and LDFLAGS? The performance panelty would be there, and it may not be worth it.
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18545

PostPosted: Wed Jul 31, 2019 7:21 pm    Post subject: Reply with quote

To answer the first part, short answer seems yes (emphasis added): https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Quote:
Consistent with previously announced end of service, IBM will not be releasing patches for POWER4, POWER5, POWER6 systems and recommends migrating to a more current generation of POWER technology. We are committed to helping our clients address these vulnerabilities and have introduced an offer for pre-POWER7 clients to upgrade their security profile and protect against Spectre and Meltdown through the purchase of POWER8 or POWER9 systems and available migration services, security support, and financing offers.


For the second part, I'd implement any measures possible and then assess the performance impact. The risks will likely depend on how the system is used.
_________________
Your lips move, but I can't hear what you're saying.
Back to top
View user's profile Send private message
Atha
Apprentice
Apprentice


Joined: 22 Sep 2004
Posts: 184

PostPosted: Wed Jul 31, 2019 10:01 pm    Post subject: Reply with quote

Thanks very much! The PowerPC isn't mentioned with Meltdown on most pages, so I totally overlooked this (e.g.here [highly recommended read]).

As for the CFLAGS, now COMMON_FLAGS in make.conf, would this be something like this?:
Code:
COMMON_FLAGS="-mcpu=970 -O2 -maltivec -mabi=altivec -pipe -mindirect-branch=thunk -fstack-protector-strong -fstack-check=specific -mindirect-branch=thunk -fno-plt -mfunction-return=thunk"


And how about LD_FLAGS?
Code:
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=both -Wl,-z,-relro -Wl,-znow -fstack-protector-strong -fstack-check=specific -mindirect-branch=thunk -fno-plt -mfunction-return=thunk"


I'm really not an expert. I use these settings on my Ryzen amd64 machine. On the PowerMac G5 I'd go with non-PIE/non-PIC to get the additional assembler optimizations for speed (where they are available).

Is no-plt a good idea?

BTW, those are all disabled optimizations and protections agains Spectre, not Meltdown. I've not yet seen compiler flags that would help a little to mitigate Meltdown.

[Update]
The above C*FLAGS fail early in ./configure of the packages with this line:
Code:
checking for C compiler default output... configure: error: C compiler cannot create executables

Looks like PPC64 doesn't support all of those addtional flags...

[Update #2]
This is what I've come up with, works so far, for /etc/portage/make.conf:
Code:

COMMON_FLAGS="-O2 -pipe"
COMMON_ARCH_FLAGS="-mcpu=970 -maltivec -mabi=altivec"
#COMMON_MITIGATION_FLAGS="-fstack-protector-strong -fstack-check=specific -fno-plt -mindirect-branch=thunk -mfunction-return=thunk"
COMMON_MITIGATION_FLAGS="-fno-plt -fstack-protector-strong -fstack-check=specific"

CFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
CXXFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
FCFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"
FFLAGS="${COMMON_ARCH_FLAGS} ${COMMON_FLAGS} ${COMMON_MITIGATION_FLAGS}"

LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=both -Wl,-z,-relro -Wl,-znow ${COMMON_MITIGATION_FLAGS}"


[Update #3]
I'm seeing /usr/lib/gcc/powerpc64-unknown-linux-gnu/8.3.0/../../../../powerpc64-unknown-linux-gnu/bin/ld: warning: -z -relro ignored, so I guess it has to be:
Code:
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=both -Wl,-znow ${COMMON_MITIGATION_FLAGS}"
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18545

PostPosted: Thu Aug 01, 2019 1:05 am    Post subject: Reply with quote

I generally stick with "safe" settings (CFLAGS="-O2 -pipe"). So, if it were me, I'd enable something like that and then the security features.

I'm not overly familiar with the specific flags, but there were some threads that covered mitigations, including kernel settings. I didn't go directly to gcc for details, so I'm not sure how well deliniated the mitigations are per architecture.
_________________
Your lips move, but I can't hear what you're saying.
Back to top
View user's profile Send private message
Atha
Apprentice
Apprentice


Joined: 22 Sep 2004
Posts: 184

PostPosted: Thu Aug 01, 2019 9:36 am    Post subject: Reply with quote

Thanks. Yes, the safe "-O2 -pipe" are the best. My starting point was Safe CFLAGS in the Gentoo Wiki.

Interesting, the G4 7400 has "-fno-strict-aliasing" listed as safe CFLAGS...

Anyhow, if someone really knows their way around GCC, I'd be happy to see a page in the Wiki for that as well. Otherwise we all would have to either stick to the defaults and let the GCC developers figure it out for us, or we have to tweak the FLAGS ourselves, with the possibility that we do more harm than good because we don't fully understand what we're doing anyhow. I also think that, if the GCC devs incorporated mitigations already, that manually specifying them for older GCC versions would be a good idea, especially and specifically for Gentoo users who have the means (and the need) to compile their distro themselves.
_________________
Think for yourself and let others enjoy the privilege of doing so too. Voltaire
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo on PPC All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum