Skip to content

IBRS kernel reported active even if sysfs has "IBRS_FW" only (#275) #276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
speed47 merged 1 commit into from
Apr 20, 2019
Merged

IBRS kernel reported active even if sysfs has "IBRS_FW" only (#275) #276

speed47 merged 1 commit into from
Apr 20, 2019

Conversation

@dfaggioli
Copy link
Contributor

@dfaggioli dfaggioli commented Apr 18, 2019

On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is
"Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling"

the tool, incorrectly, reports, a couple of lines above:

  • IBRS enabled and active: YES (for kernel and firmware code)

Use '<IBRS>', as suggested by @jirislaby, in issue #275 when
checking whether IBRS is enabled/active for the kernel.

With that, the output becomes:

  • IBRS enabled and active: YES (for firmware code only)

which is actually the case.

I double checked that, if the same kernel is used on a post-SkyLake
hardware, which on openSUSE uses IBRS as, even with this change, the
tool (this time correctly) reports:

  • IBRS enabled and active: YES (for kernel and firmware code)

@dfaggioli
IBRS kernel reported active even if sysfs has "IBRS_FW" only (speed47…
9065624 
…#275)

On a (pre-SkyLake) system, where /sys/.../vulnerabilities/spectre_v2 is
"Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling"

the tool, incorrectly, reports, a couple of lines above:
* IBRS enabled and active:  YES  (for kernel and firmware code)

Use '\<IBRS\>', as suggested by @jirislaby, in upstream issue speed47#275
(speed47#275) when
checking whether IBRS is enabled/active for the kernel.

With that, the output becomes:
* IBRS enabled and active:  YES  (for firmware code only)

which is actually the case.

I double checked that, if the same kernel is used on a post-SkyLake
hardware, which on openSUSE uses IBRS as, even with this change, the
tool (this time correctly) reports:
* IBRS enabled and active:  YES  (for kernel and firmware code)
@speed47
Copy link
Owner

speed47 commented Apr 19, 2019

Indeed, now that IBRS_FW also exists, grepping for just IBRS catches it where it shouldn't.
However, I don't get the <IBRS> fix, I don't see any occurence of <IBRS> in the (vanilla) source code, so I'm not sure where it comes from?

Under OpenSUSE it works, as you noticed, because they don't use the vanilla code here, and so they don't use the IBRS tag but the full "Indirect Branch Restricted Speculation" text in the spectre_v2 sysfs file.

Simply adding -w in the grep options should do the trick however, selecting IBRS without IBRS_FW. Can you modify your PR accordingly if this seems right for you too?

@jirislaby
Copy link

jirislaby commented Apr 20, 2019
edited
Loading

they don't use the vanilla code here,

There is no vanilla code for IBRS. It was never merged and most likely never will. Linus wants to push on Intel by this to fix it in their CPUs instead of slowing the code down AFAIU.

FYI currently, SUSE is in the process of dropping the patches from all their branches too.

I don't get the fix,

\<IBRS\> means whole word, the same as -w, but you use multiple -es on that line, so -w would apply to all of them.

@speed47
Copy link
Owner

speed47 commented Apr 20, 2019

they don't use the vanilla code here,

There is no vanilla code for IBRS. It was never merged and most likely never will. Linus wants to push on Intel by this to fix it in their CPUs instead of slowing the code down AFAIU.

I remember seeing several patches on the LKML floating around the days/weeks after the disclosure, but I'm not sure they were ever merged indeed, due to catastrophic performance on non-very-recent Intel CPUs. I think even Intel advised against it after things started to quiet down. The grep IBRS comes from those patches. I'll still leave it in case people run some custom kernel version with those.

FYI currently, SUSE is in the process of dropping the patches from all their branches too.

I don't get the fix,

\<IBRS\> means whole word, the same as -w, but you use multiple -es on that line, so -w would apply to all of them.

Never stumbled upon this syntax before, I think I'm too used to PCRE-style regexes! But it works as you say, including under BSD, so it's good for me.

@speed47 speed47 merged commit c4bae6e into speed47:master Apr 20, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dfaggioli @speed47 @jirislaby