Call for testing: kernel 4.14.13-200.fc26 / 4.14.13-300.fc27 - initial Spectre mitigations
by Adam Williamson
Hi folks!
Kernel updates for Fedora 26 and Fedora 27 are now available with
initial mitigations for both Spectre variants. As the update
description states:
"This is also the first update to contain some spectre mitigations.
Some patches for variant 1 as well as the initial retpoline build for
variant 2. These variant 2 mitigations will improve with further
patches, and once compiler support is improved."
As for the Meltdown fix, the testing we're primarily interested in here is
just to boot the kernel and verify that it doesn't break anything
unexpected. If the new kernel boots and works OK for you, please leave
positive feedback.
Thanks very much!
For extra credit, the kernel maintainers are also interested in seeing
some data from AMD users. They're interested in at least this output:
# dmesg | grep Spectre
# grep spectre /proc/cpuinfo
If you have an AMD CPU, it'd be great if you can post the output of
those commands on your system as a Bodhi comment.
F26: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e6fe35524d
F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-21a7ad920c
Both updates are currently 'pending' and have not yet reached updates-
testing; keen testers can get the package from Koji and update as I
suggested before: download the new versions of the important packages
(at least kernel, kernel-core, and kernel-modules) and run 'dnf update
kernel*.rpm'. Otherwise, the packages should reach the mirrors in a few
hours.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
5 years, 11 months
Re: Call for testing: updates to address today's CPU/kernel vulnerability
by Justin Forbes
tl;dr:
We are fixing things as quickly as we can safely do so. The fixes will
be ongoing, keep testing and installing new kernels as they appear!
On Sat, Jan 6, 2018 at 1:32 PM, Chris Adams <linux(a)cmadams.net> wrote:
> Once upon a time, Adam Williamson <adamwill(a)fedoraproject.org> said:
>> * If the fix does cause problems on your hardware, you can disable it
>> by booting with the kernel parameter 'nopti'.
>
> So, on RHEL/CentOS kernels, there are three new entries in
> /sys/kernel/debug/x86; ibpb_enabled, ibrs_enabled, and pti_enabled. I
> don't see these on the Fedora kernel.
>
> Are these variables something added by Red Hat to their kernel,
> something that will be added to Fedora, etc.? They are useful to see
> exactly what fix(es) are being applied, as well as to have a runtime way
> to enable/disable them.
These do not exist in Fedora yet. For KPTI, the feature is
implemented, but there isn't a debugfs entry. Variant 2 Spectre
mitigation has a couple of proposed solutions. IBRS and retpoline are
both being discussed upstream, and the end result will likely be a
combination of the 2. Unfortunately both have external requirements.
Retpoline requires GCC patches, and microcode updates for some CPUs.
IBRS requires microcode updates. While RHEL has done quite a bit of
testing with IBRS in their kernels, Fedora moves a lot quicker and
current Fedora kernels are substantially different from the current
RHEL kernels. Additionally, while RHEL was given microcode to ship
with these updates, Intel has not released them upstream (soon I am
told). It is entirely possible that the patches floating around
upstream have not been tested with the microcode that RHEL shipped.
Given that variant 2 is difficult (not impossible) to attack, we have
been waiting to see what we can ship, when microcode is available and
GCC updates are available. I can assure you that I have been spending
pretty much all of my time tracking upstream, testing patch sets, and
doing what I can to make sure we have mitigations for all 3 variants
in place as quickly as possible.
Today's build of rawhide contains mitigation for variant 1 of spectre
and variant 3 (meltdown) for x86_64. Current stable Fedora kernels
contain mitigation for meltdown on x86_64 as well. Wednesday should
see a new kernel pushed to updates-testing with some bug fixes for the
meltdown mitigation (KPTI), and some mitigation for variant 1. I am
hoping to also get some meltdown coverage for other architectures in
that update. While I would love to see some variant 2 coverage as
well, it is unlikely in the Wednesday time frame. If it is possible,
I will include those as well, but even then, it will not be the final
solution. As soon as a solution is deemed ready, it will be pushed to
Fedora.
Justin
5 years, 11 months
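The checks mentioned in the two messages above (the `grep spectre /proc/cpuinfo` output requested in the call for testing, the `nopti` boot parameter, and the RHEL/CentOS debugfs entries discussed in the reply) can be gathered into one report. This is an added example, not code from the thread or from Fedora; the function names, the sample directory tree and its values, and the choice to read the cpuinfo `bugs` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Each function takes an optional root
# directory so it can be pointed at files copied from another machine.

# "disabled" if 'nopti' appears as a whole word on the kernel command line.
pti_cmdline_state() {
    f="${1:-}/proc/cmdline"
    [ -r "$f" ] || { echo unknown; return; }
    if tr -s ' \t' '\n' < "$f" | grep -qx nopti; then echo disabled; else echo default; fi
}

# Spectre entries on the cpuinfo "bugs" lines, de-duplicated across CPUs.
cpu_spectre_bugs() {
    f="${1:-}/proc/cpuinfo"
    [ -r "$f" ] || return 0
    awk -F: '/^bugs/ { n = split($2, b, " ")
                       for (i = 1; i <= n; i++) if (b[i] ~ /spectre/) print b[i] }' "$f" |
        sort -u | paste -sd' ' -
}

# RHEL/CentOS debugfs entries; "absent" where the kernel does not provide them.
debugfs_knobs() {
    d="${1:-}/sys/kernel/debug/x86"
    for knob in pti_enabled ibrs_enabled ibpb_enabled; do
        if [ -r "$d/$knob" ]; then echo "$knob=$(cat "$d/$knob")"; else echo "$knob=absent"; fi
    done
}

mitigation_report() {
    echo "pti (cmdline): $(pti_cmdline_state "$1")"
    echo "cpu bugs: $(cpu_spectre_bugs "$1")"
    debugfs_knobs "$1"
}

# Constructed sample tree: a host booted with nopti, two CPUs, two debugfs entries.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/proc" "$r/sys/kernel/debug/x86"
    echo 'BOOT_IMAGE=/vmlinuz-sample root=/dev/sda1 ro nopti quiet' > "$r/proc/cmdline"
    printf 'processor\t: %s\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n' 0 1 > "$r/proc/cpuinfo"
    echo 0 > "$r/sys/kernel/debug/x86/pti_enabled"
    echo 1 > "$r/sys/kernel/debug/x86/ibrs_enabled"
    echo "$r"
}

sample=$(make_sample_root)
mitigation_report "$sample"    # use: mitigation_report ""  for the running system
rm -rf "$sample"
```

Reading the debugfs entries on a live system needs root and a mounted debugfs; without them the entries are reported as absent.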
2018-01-08 @ 16:00 UTC - Fedora QA Meeting
by Adam Williamson
# Fedora Quality Assurance Meeting
# Date: 2018-01-08
# Time: 16:00 UTC
(https://fedoraproject.org/wiki/Infrastructure/UTCHowto)
# Location: #fedora-meeting on irc.freenode.net
Greetings testers, and Happy New Year!
We haven't had a meeting for a little while, and it's Interesting Times
in the world right now, so let's get together and talk about a few
things.
If anyone has any other items for the agenda, please reply to this
email and suggest them! Thanks.
== Proposed Agenda Topics ==
1. Previous meeting follow-up
2. Meltdown / Spectre status / discussion
3. Fedora 28 Change review and status
4. Test Day status
5. Open floor
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
5 years, 11 months
Call for testing: updates to address today's CPU/kernel vulnerability
by Adam Williamson
Hi folks!
So you might have read some stories today about an issue that's being
described as a design flaw in some CPUs which makes it possible for
unprivileged users on an affected system to read from privileged memory
locations.
It seems like there are some complex questions still being figured out
about this (like exactly what CPUs are and are not affected, and what
practical consequences there are in various cases), but our kernel team
has decided that we should at least ship a preliminary fix for this
issue that should address it for x86_64 CPUs.
Accordingly, updates are now going out for Fedora 26 and Fedora 27:
* https://bodhi.fedoraproject.org/updates/FEDORA-2018-8ed5eff2c0 (Fedora 26)
* https://bodhi.fedoraproject.org/updates/FEDORA-2018-22d5fa8a90 (Fedora 27)
and it would be great if we can get these tested and karma filed as
soon as possible, so they can be pushed to stable.
The updates are kernel-4.14.11-200.fc26 and kernel-4.14.11-300.fc27,
respectively. As I write this, the Fedora 27 update has been pushed out
to updates-testing, while the Fedora 26 one has not but should soon.
You can get the packages directly from Koji for testing if you cannot
get them via updates-testing:
* https://koji.fedoraproject.org/koji/buildinfo?buildID=1012983 (Fedora 26)
* https://koji.fedoraproject.org/koji/buildinfo?buildID=1012982 (Fedora 27)
Download all the subpackages that are used on your system (usually
kernel, kernel-core, kernel-modules, and possibly kernel-modules-extra,
kernel-devel and/or kernel-headers) and run "dnf update *.rpm" to
update.
Here are some testing notes:
* The most useful feedback is just whether the kernel boots and works
correctly on all systems you have access to (assuming they worked OK
with the previous kernel, of course). If it does, please leave positive
karma on the relevant update.
* It's great if you can run some kind of proof of concept to verify
that the fix works, but not necessary. The kernel team is fairly
confident the fix is present and active.
* We know that the fix can lead to reduced performance in some cases
(this affects synthetic benchmarks rather more than real-world
performance). The kernel team thinks the fix is sufficiently important
that it should go out despite the performance impact. Accordingly,
please do not file negative karma for this reason. If the update
somehow results in such a significant performance impact that the
system becomes unusable, though, please report that.
* The fix is currently applied only to x86_64 kernels. No fix is yet
present for any other architecture, but of course all architectures are
rebuilt for the update.
* If the fix does cause problems on your hardware, you can disable it
by booting with the kernel parameter 'nopti'.
Thanks very much, everyone!
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
5 years, 11 months