Messages

1

Hardware and Performance / Re: PC Engines - about Spectre and Meltdown vulnerabilities

« on: April 17, 2018, 02:42:13 pm »

ok, just to answer my own question:

backup old microcode
copy new microcode to /usr/local/share/cpucontrol/microcode_amd_fam16h.bin

Code: [Select]

pkg install devcpu-data
echo 'microcode_update_enable="YES"' >>/etc/rc.conf
service microcode_update start
cpucontrol -v -u /dev/cpuctl0
cpucontrol -v -u /dev/cpuctl1
cpucontrol -v -u /dev/cpuctl2
cpucontrol -v -u /dev/cpuctl3


2

Hardware and Performance / Re: PC Engines - about Spectre and Meltdown vulnerabilities

« on: April 17, 2018, 02:09:46 pm »

There actually is new microcode in the wild, which applies successfully to the apu2.

https://github.com/platomav/CPUMicrocodes/blob/master/AMD/cpu00730F01_ver07030106_2018-02-09_88EDFAA0.bin

I have so far managed to load the microcode in my debian installation.

How would I load this in OPNsense?

Code: [Select]

[435975.155078] platform microcode: firmware: direct-loading firmware amd-ucode/microcode_amd_fam16h.bin
[435975.167741] microcode: CPU0: new patch_level=0x07030106
[435975.176174] microcode: CPU1: new patch_level=0x07030106
[435975.184785] microcode: CPU2: new patch_level=0x07030106
[435975.193171] microcode: CPU3: new patch_level=0x07030106

The spectre-meltdown-checker reflects that new microcode accordingly:

Code: [Select]

Spectre and Meltdown mitigation detection tool v0.35                                                                                                                   
                                                                                                                                                                       
Checking for vulnerabilities on current system                                                                                                                         
Kernel is Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64                                                                                       
CPU is AMD GX-412TC SOC                                                                                                                                               
                                                                                                                                                                       
Hardware check                                                                                                                                                         
* Hardware support (CPU microcode) for mitigation techniques                                                                                                           
  * Indirect Branch Restricted Speculation (IBRS)                                                                                                                     
    * SPEC_CTRL MSR is available:  NO                                                                                                                                 
    * CPU indicates IBRS capability:  NO                                                                                                                               
  * Indirect Branch Prediction Barrier (IBPB)                                                                                                                         
    * PRED_CMD MSR is available:  YES                                                                                                                                 
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)                                                                                                 
  * Single Thread Indirect Branch Predictors (STIBP)                                                                                                                   
    * SPEC_CTRL MSR is available:  NO                                                                                                                                 
    * CPU indicates STIBP capability:  NO                                                                                                                             
  * Enhanced IBRS (IBRS_ALL)                                                                                                                                           
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO                                                                                                           
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO                                                                                                       
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO                                                                                           
  * CPU microcode is known to cause stability problems:  NO                                                                                                           
* CPU vulnerability to the three speculative execution attacks variants                                                                                               
  * Vulnerable to Variant 1:  YES                                                                                                                                     
  * Vulnerable to Variant 2:  YES                                                                                                                                     
  * Vulnerable to Variant 3:  NO                                                                                                                                       
                                                                                                                                                                       
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'                                                                                                           
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)


3

Hardware and Performance / Re: APU2 Bios

« on: February 20, 2018, 08:23:55 pm »

Try an older BIOS Version. For me 4.5.5 or older did the trick.

4

Hardware and Performance / Re: APU2 Bios

« on: February 20, 2018, 12:38:14 pm »

I am comiling anyhow to have the default console output on COM3. Background: I am trying to build a dual APU2 box with COM3/COM4 internally crossconnected. COM1 is then free to connect switches or other serial stuff.

Other than that i think the occasional USB errors are gone with 4.6.6

I mitigated the reboot hang problem with a simple usb-hid based watchdog [1] - my apu2 with self-compiled 4.6.6 booted reliably ~600 times over night - with the help of that watchdog.


[1] https://www.ebay.de/itm/Interne-USB-Watchdog-Reset-Controller-PC-Stick-Crash-Blue-Screen-automatisch/263490474653

5

Hardware and Performance / Re: APU2 Bios

« on: February 17, 2018, 12:32:43 pm »

I have also managed to compile the recent BIOS versions 4.6.5 and 4.6.6.

I have 2 issues with these:

a) memtest does beep when it is entered, but there is no console output - have you tested the memtest feature in 4.6.5 or 4.6.6? Did I miss something when I compiled this?

b) the apu2 does sporadically hang during reboot - sometimes the first time, sometimes it takes 20 reboots to hang. The original 4.6.1 also shows this behaviour. 4.5.5 seems to reboot reliably. I have contacted pcengines' support for this. I am interested in your experience regarding this issue.

Cheers

Martin