
Bug#887061: marked as done (linux-image-4.9.0-5-amd64: KPTI (kaiser.c): please, no silent disable for Xen guests)



Your message dated Sun, 14 Jan 2018 19:52:13 +0000
with message-id <1515959533.13978.149.camel@decadent.org.uk>
and subject line Re: Bug#887061: linux-image-4.9.0-5-amd64: KPTI (kaiser.c): please, no silent disable for Xen guests
has caused the Debian Bug report #887061,
regarding linux-image-4.9.0-5-amd64: KPTI (kaiser.c): please, no silent disable for Xen guests
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
887061: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887061
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 4.9.65-3+deb9u2
Severity: wishlist

Hi,

My VM is a Xen guest, and I was confused not to find any information
about KPTI in the kernel logs. This is due to the silent_disable
case here:

In arch/x86/mm/kaiser.c:

void __init kaiser_check_boottime_disable(void)
{
[...]
        if (boot_cpu_has(X86_FEATURE_XENPV))
                goto silent_disable;
[...]
disable:
        pr_info("disabled\n");

silent_disable:
        kaiser_enabled = 0;
        setup_clear_cpu_cap(X86_FEATURE_KAISER);
}

It would be better to have some logs, saying that it is disabled and
why (Xen PV).

-- Package-specific info:
** Version:
Linux version 4.9.0-5-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04)

** Command line:
root=UUID=2ae1ff60-aeb0-4d39-8a98-ff98d5f63f7e ro console=ttyS0 console=hvc0 nomce loglevel=5 net.ifnames=0

** Not tainted

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information

** Loaded modules:

** PCI devices:
not available

** USB devices:
not available


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-5-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.130
ii  kmod                                    23-2
ii  linux-base                              4.5

Versions of packages linux-image-4.9.0-5-amd64 recommends:
ii  firmware-linux-free  3.4
ii  irqbalance           1.1.0-2.3

Versions of packages linux-image-4.9.0-5-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.02~beta3-5
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-5-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--- End Message ---
--- Begin Message ---
On Sat, 2018-01-13 at 10:32 +0100, Vincent Lefevre wrote:
> Package: src:linux
> Version: 4.9.65-3+deb9u2
> Severity: wishlist
> 
> Hi,
> 
> My VM is a Xen guest, and I was confused not to find any information
> about KPTI in the kernel logs. This is due to the silent_disable
> case here:
> 
> In arch/x86/mm/kaiser.c:
> 
> void __init kaiser_check_boottime_disable(void)
> {
> [...]
>         if (boot_cpu_has(X86_FEATURE_XENPV))
>                 goto silent_disable;
> [...]
> disable:
>         pr_info("disabled\n");
> 
> silent_disable:
>         kaiser_enabled = 0;
>         setup_clear_cpu_cap(X86_FEATURE_KAISER);
> }
> 
> It would be better to have some logs, saying that it is disabled and
> why (Xen PV).

The intent here is that the state of KPTI is only mentioned in
configurations where it is actually possible to turn it on or off.

amd64 only has 2 privilege levels (vs 4 on i386), so it has never been
possible to share page tables between kernel and user mode in a PV
domain.  As I understand it, this means KPTI is not needed.

Ask upstream if you want this to be changed.

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                       - Robert Coveyou

--- End Message ---
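
Added example (not part of either message, and not Debian or kernel code): a shell check that classifies KPTI state for the case discussed in this thread, where a Xen PV guest takes the silent_disable path and nothing is logged. The log prefix, the cpuinfo flag names and the Xen boot line are assumptions about the running kernel, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify KPTI state from a saved kernel log and cpuinfo.
# Assumptions (strings not shown on this page): the log prefix
# "Kernel/User page tables isolation:", the cpuinfo flags "kaiser"/"pti",
# and the boot line "Booting paravirtualized kernel on Xen" for PV guests.

kpti_state() {
    log=$1; cpuinfo=$2
    if grep -q 'Kernel/User page tables isolation: enabled' "$log"; then
        echo enabled
    elif grep -q 'Kernel/User page tables isolation: disabled' "$log"; then
        echo disabled-logged
    elif grep -Eq '^flags[[:space:]]*:.* (kaiser|pti)( |$)' "$cpuinfo"; then
        # Feature flag still set; the message has left the log buffer.
        echo enabled
    elif grep -q 'Booting paravirtualized kernel on Xen$' "$log"; then
        # silent_disable path: flag cleared and nothing printed.
        echo disabled-silent-xenpv
    else
        echo unknown
    fi
}

# Constructed sample inputs, not captured from a real machine.
write_samples() {
    d=$1; p='[    0.000000] '
    echo "${p}Booting paravirtualized kernel on Xen" > "$d/xenpv.log"
    echo "${p}Booting paravirtualized kernel on Xen HVM" > "$d/xenhvm.log"
    echo "${p}Kernel/User page tables isolation: enabled" > "$d/native.log"
    echo "${p}Kernel/User page tables isolation: disabled" > "$d/nopti.log"
    : > "$d/rotated.log"
    for s in xenpv xenhvm nopti; do
        printf 'flags\t\t: fpu tsc msr hypervisor\n' > "$d/$s.cpuinfo"
    done
    for s in native rotated; do
        printf 'flags\t\t: fpu tsc msr kaiser\n' > "$d/$s.cpuinfo"
    done
}

tmp=$(mktemp -d) && write_samples "$tmp"
for s in xenpv xenhvm native nopti rotated; do
    printf '%-8s %s\n' "$s" "$(kpti_state "$tmp/$s.log" "$tmp/$s.cpuinfo")"
done
rm -rf "$tmp"
```

On a live guest the inputs would be a saved copy of the kernel log and /proc/cpuinfo; the "unknown" result for the Xen HVM sample shows why the boot line is matched to end of line.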