1812 Posted May 19, 2019
26 minutes ago, limetech said: Nice work! Right, I think a better place would be in the Security Board. If you want to add the post there, I'll make it 'sticky'. Also, thanks to all testing this out. We have no choice but to keep marching on with new kernel releases.
What about toggles like for acs override?
dk4dk4 Posted May 19, 2019
I can confirm this also works after reboot:
Vulnerable, IBPB: disabled, STIBP: disabled
Ver 6.7.0 (on-trial still)
cybrnook Posted May 19, 2019
@limetech Thread posted:
ximian Posted May 19, 2019 (edited)
23 hours ago, jonathanm said: Unfortunately performance isn't the only metric. General compatibility and ease of implementation with various advanced functions like hardware pass through and such also tip on Intel's side. I would say that you can eventually see progress and things get worked out, like the Ryzen and Threadripper issues, but it seems like by the time everything settles out and works well, the products are stale, and it's time to start the cycle of incompatibility and fixes again. "Maybe next time it will be different" isn't a comfortable way to approach tech. I'd rather spend the extra $/performance on a platform I don't have as much support time invested in. If you love tinkering with it, fine. I'd rather buy it and stay hands off as much as possible.
I am curious, to which incompatibility issues are you referring? If you do your homework before purchasing you remove any incompatibility issues. I have been running servers/workstations with Intel and with AMD and never ran into incompatibility issues, both from an operating system and application standpoint. I have two unRAID servers, one running Intel and the other AMD, and both run without flaws, both with native hardware.
Edited May 19, 2019 by ximian
glennv Posted May 19, 2019
Quote: Updated my post @BRiT and @glennv, got it working
Great stuff man. Thanks for your effort in figuring this out for us.
BRiT Posted May 19, 2019
Just look at the various forum threads on building AMD Ryzen systems. They chronicle the journey many have had to go through to get AMD systems to last more than an hour.
SavageAUS Posted May 21, 2019
Running the new 6.7.1-rc1, so far no issues. Results below.

root@Tower~# uname -a
Linux Tower 4.19.43-Unraid #1 SMP Wed May 15 14:51:41 PDT 2019 x86_64 Intel(R) Xeon(R) CPU E3-1230 v5 @ 3.40GHz GenuineIntel GNU/Linux
root@Tower:~# cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

Spectre and Meltdown mitigation detection tool v0.41

Checking for vulnerabilities on current system
Kernel is Linux 4.19.43-Unraid #1 SMP Wed May 15 14:51:41 PDT 2019 x86_64
CPU is Intel(R) Xeon(R) CPU E3-1230 v5 @ 3.40GHz
We're missing some kernel info (see -v), accuracy might be reduced

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability: YES (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available: YES
    * CPU indicates L1D flush capability: YES (L1D flush feature bit)
  * Microarchitecture Data Sampling
    * VERW instruction is available: YES (MD_CLEAR feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDC_NO): NO
  * CPU supports Software Guard Extensions (SGX): YES
  * CPU microcode is known to cause stability problems: NO (model 0x5e family 0x6 stepping 0x3 ucode 0xcc cpuid 0x506e3)
  * CPU microcode is the latest known available version: YES (latest version is 0xcc dated 2019/04/01 according to builtin MCExtractor DB v110 - 2019/05/11)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): YES
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec: UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
* Kernel has the Red Hat/Ubuntu patch: UNKNOWN (missing 'strings' tool, please install it, usually it's in the binutils package)
* Kernel has mask_nospec64 (arm64): UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
* Checking count of LFENCE instructions following a jump in kernel... UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support: YES
    * IBRS enabled and active: YES (for firmware code only)
  * Kernel is compiled with IBPB support: YES
    * IBPB enabled and active: YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
  * Kernel supports RSB filling: UNKNOWN (missing 'strings' tool, please install it, usually it's in the binutils package)
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): NO
  * PTI enabled and active: YES
  * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: YES (per-thread through prctl)
* SSB mitigation currently active for selected processes: YES (bash busybox cron lighttpd mono-sgen nginx php-cgi7.0 php-fpm7 php7 pihole-FTL python2.7 python3.7 s6-supervise s6-svscan tini transmission-daemon watchtower)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
* Kernel supports PTE inversion:
* PTE inversion enabled and active: YES
> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
  * EPT is disabled: NO
* Mitigation 2
  * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled: YES (conditional flushes)
  * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled: YES
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
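The post above checks mitigation status two ways: the kernel's own per-vulnerability files under /sys/devices/system/cpu/vulnerabilities, and the spectre-meltdown-checker script's SUMMARY line. The following is an added example (not code from the thread or from the checker project) that reads those sysfs files, classifies each one as not affected, mitigated or vulnerable, flags mitigations the kernel marks "SMT vulnerable" (the mitigation does not cover the sibling hyper-thread), and extracts the KO entries from a checker summary so the two views can be compared. The sample data is constructed from the values in the post; the file names assumed for them are the standard kernel entries in the alphabetical order a shell glob expands them. The fallback to sample data when the directory is missing is only so the script runs anywhere.

```python
"""Classify Linux speculative-execution mitigation status (added example)."""
import re
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample: file name -> contents. The values are the six lines the
# post above got from `cat /sys/devices/system/cpu/vulnerabilities/*`; the
# names are assumed (standard 4.19 entries, in the order the glob expands).
SAMPLE_SYSFS = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
}

# Constructed sample: the SUMMARY line from the post's spectre-meltdown-checker run.
SAMPLE_SUMMARY = ("> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK "
                  "CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK "
                  "CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK "
                  "CVE-2018-12127:OK CVE-2019-11091:OK")


def classify(status: str):
    """Return (state, smt_vulnerable) for one sysfs status string.

    The kernel writes one of three prefixes: 'Not affected', 'Mitigation: ...'
    or 'Vulnerable' (possibly with details, e.g. the
    'Vulnerable, IBPB: disabled, STIBP: disabled' seen earlier in this thread
    when mitigations are switched off). 'SMT vulnerable' in the text means the
    mitigation does not protect against a sibling hyper-thread.
    """
    text = status.strip()
    if text.startswith("Not affected"):
        state = "not_affected"
    elif text.startswith("Mitigation:"):
        state = "mitigated"
    elif text.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    return state, "SMT vulnerable" in text


def read_sysfs(directory: Path = SYSFS_DIR):
    """Read every status file in the directory; fall back to the constructed
    sample when it does not exist (non-Linux host, or sysfs not mounted)."""
    if not directory.is_dir():
        return dict(SAMPLE_SYSFS)
    return {p.name: p.read_text().strip()
            for p in sorted(directory.iterdir()) if p.is_file()}


def report(entries: dict):
    """Reduce a name -> status mapping to what an operator acts on: entries
    still vulnerable, mitigated entries that leave SMT exposed, and the
    mitigated list itself."""
    vulnerable, smt_gaps, mitigated = [], [], []
    for name, status in sorted(entries.items()):
        state, smt = classify(status)
        if state == "vulnerable":
            vulnerable.append(name)
        elif state == "mitigated":
            mitigated.append(name)
            if smt:
                smt_gaps.append(name)
    return {"vulnerable": vulnerable, "smt_gaps": smt_gaps, "mitigated": mitigated}


def parse_checker_summary(line: str):
    """Turn a spectre-meltdown-checker 'SUMMARY:' line into {CVE: 'OK'|'KO'}."""
    return dict(re.findall(r"(CVE-\d{4}-\d+):(OK|KO)", line))


def failing_cves(summary: dict):
    """CVE ids the checker marked KO, in a stable order."""
    return sorted(cve for cve, verdict in summary.items() if verdict == "KO")


if __name__ == "__main__":
    result = report(read_sysfs())
    for key, names in result.items():
        print(f"{key}: {', '.join(names) or '-'}")
    print("checker KO:", failing_cves(parse_checker_summary(SAMPLE_SUMMARY)))
```

On the post's data this reports no vulnerable entries, two SMT gaps (l1tf and mds, both because hyper-threading is still enabled) and one checker KO, CVE-2017-5715. That KO is worth reading alongside the sysfs line rather than on its own: the checker's own output says it could not verify retpoline or RSB filling because readelf and strings were missing and the kernel config was unreadable, so its verdict is "unverified", while the kernel's spectre_v2 file reports the mitigation it is actually running. Treat sysfs as the statement of what the running kernel does, and the checker as a second opinion whose UNKNOWN lines need binutils installed before they mean anything.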
JasonJoel Posted May 22, 2019
On 5/19/2019 at 8:47 AM, ximian said: I am curious, to which incompatibility issues are you referring? If you do your homework before purchasing you remove any incompatibility issues. I have been running servers/workstations with Intel and with AMD and never ran into incompatibility issues, both from an operating system and application standpoint. I have two unRAID servers, one running Intel and the other AMD, and both run without flaws, both with native hardware.
My Supermicro / AMD EPYC 3251 based server seems to be perfectly compatible.
Alphahelix Posted May 23, 2019
Hi Lime Tech. Thank you for taking these security updates seriously... It makes me feel safe to know that unRAID is safe to use out of the box. Also to know that IF you choose to lower the security you have to make an active change; that makes unRAID a versatile OS with a ton of possibilities... Keep up the good work.
/Alphahelix
LammeN3rd Posted May 23, 2019
Upgraded to 6.7.1-rc1 this morning, no issues so far! Really appreciate the quick inclusion of this patch!
rix Posted May 30, 2019
Working fine on my Intel SoC. Uptime 1+ day.
DisplayNerd Posted May 31, 2019
Just chiming in, would like to disable as well. I doubt I will ever get this attack, especially since my server does not usually connect to the internet and when it does, only through secure channels to specific sources. I don't use my server as a PC or surf the internet with it, therefore I see no reason why I need these vulnerabilities protected against. It seems like a lot of people agree.
SimonF Posted June 1, 2019
@limetech are you still looking for testers for SAS spindown?