[blfs-support] Speculative Store Bypass

Ken Moffat zarniwhoop at ntlworld.com
Mon Jun 4 13:55:35 PDT 2018


If you are running a current kernel, in
/sys/devices/system/cpu/vulnerabilities you will see there is now an
entry for spec_store_bypass.

On Intel machines, you will need updated firmware to be able to fix
that.  So, I looked at the latest (20180425) firmware for my
Haswell.  There _is_ a new version there (0x24, dated from January)
but that is NOT enough, that file still says 'Vulnerable'.

On AMD, new firmware is apparently not needed.

With linux-4.17.0 on my Ryzen that file contains

Mitigation: Speculative Store Bypass disabled via prctl and seccomp

but that actually means something like "only a program which uses
seccomp, for the new prctl for this, will be mitigated".

I found the documentation hard to grok (too many negatives), but
apparently adding a bootarg of spec_store_bypass_disable=on does
turn it on all the time on suitable machines.

The reason it is not normally enabled all the time is that it will
apparently slow things down a lot.  I hope to do _some_ tests with
it set, but for the moment I don't have time.

ĸen
-- 
              Keyboard not found, Press F1 to continue
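
Added example, not part of the original post: a C program that classifies the contents of the spec_store_bypass sysfs file and opts the calling task in to the mitigation through the speculation-control prctl that the "via prctl" status refers to. The function names are hypothetical, and the status strings other than the one quoted in the post are assumed from the mainline kernel's wording.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Constants added to <linux/prctl.h> in Linux 4.17; fallback for older headers. */
#ifndef PR_SET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_OPT_IN, SSB_ALWAYS };

/* Classify the text of .../vulnerabilities/spec_store_bypass (hypothetical helper). */
enum ssb_state classify_ssb(const char *s)
{
    if (!strncmp(s, "Not affected", 12)) return SSB_NOT_AFFECTED;
    if (!strncmp(s, "Vulnerable", 10)) return SSB_VULNERABLE;
    if (strncmp(s, "Mitigation:", 11)) return SSB_UNKNOWN;
    /* "via prctl": only tasks that ask for it (or use seccomp) are covered. */
    return strstr(s, "via prctl") ? SSB_OPT_IN : SSB_ALWAYS;
}

static int spec_get(void)   /* current store-bypass control bits, or -1 */
{
    return prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
}

/* Request the mitigation for the calling task. Returns 1 if store bypass is
   disabled for it, 0 if not, -1 if the kernel lacks the prctl. */
int ssb_opt_in(void)
{
    int cur = spec_get();
    if (cur < 0) return -1;
    if (cur & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) return 1;
    if (!(cur & PR_SPEC_PRCTL)) return 0;   /* no per-task control offered */
    if (prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
              PR_SPEC_DISABLE, 0UL, 0UL)) return 0;
    cur = spec_get();
    return cur >= 0 && (cur & PR_SPEC_DISABLE) != 0;
}

int main(void)
{
    static const char *names[] = { "unknown", "not affected", "vulnerable",
                                   "mitigated per task (opt-in)", "mitigated for all tasks" };
    char buf[128] = "";
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    printf("sysfs: %s\nprctl opt-in result: %d\n", names[classify_ssb(buf)], ssb_opt_in());
    return 0;
}
```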

