Welcome to the Linux Foundation Forum!

LFS201 - Chapter 11 - /sys/devices/system/cpu/vulnerabilities

Chapter 11 doesn't sound good. Joke aside, there is this folder in the /sys pseudo filesystem:
/sys/devices/system/cpu/vulnerabilities

I wonder if we can use that to check for vulnerability mitigations that are available/active in the running system?

It becomes even more relevant when running the OS in a VM. Some mitigations need to be enabled in the hypervisor to be available to the VM. This would make it easy to see if the hypervisor/VM is correctly configured.

Just an idea.


Comments

  • Posts: 916

    It also shows how your kernel is configured, as in:

    c8:/sys/devices/system>ls -lF cpu/vulnerabilities/
    total 0
    -r--r--r-- 1 root root 4096 Jun 23 08:05 itlb_multihit
    -r--r--r-- 1 root root 4096 Jun 23 08:05 l1tf
    -r--r--r-- 1 root root 4096 Jun 23 08:05 mds
    -r--r--r-- 1 root root 4096 Jun 23 08:05 meltdown
    -r--r--r-- 1 root root 4096 Jun 23 08:05 spec_store_bypass
    -r--r--r-- 1 root root 4096 Jun 23 08:05 spectre_v1
    -r--r--r-- 1 root root 4096 Jun 23 08:05 spectre_v2
    -r--r--r-- 1 root root 4096 Jun 23 08:05 srbds
    -r--r--r-- 1 root root 4096 Jun 23 08:05 tsx_async_abort
    c8:/sys/devices/system>

    Looking at individual entries you can see how the system is dealing with them, as in:

    c8:/sys/devices/system/cpu/vulnerabilities>cat srbds
    Vulnerable: No microcode
    c8:/sys/devices/system/cpu/vulnerabilities>cat meltdown
    Mitigation: PTI
    c8:/sys/devices/system/cpu/vulnerabilities>

    Interpretation of the information requires some work :) I'm not sure when this
    entry was put in /sys but systems running "old" kernels probably won't have it.
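
An added example (not part of the original posts) that turns the listing above into a repeatable check, usable on bare metal or inside a VM. The function names are hypothetical, and the status wording ("Not affected", "Mitigation: ...", "Vulnerable...") is assumed from the kernel's sysfs ABI documentation; the sample directory is constructed.

```bash
# Added example. Status strings may carry a prefix such as "KVM: " or a
# trailing qualifier such as "SMT vulnerable", so match on substrings.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one status line to a coarse state (hypothetical helper).
classify_status() {
    case "$1" in
        "Not affected"*)            echo NOT_AFFECTED ;;
        *Mitigation*[Vv]ulnerable*) echo PARTIAL ;;   # mitigated, with a caveat
        *Mitigation*)               echo MITIGATED ;;
        *[Vv]ulnerable*)            echo VULNERABLE ;;
        *)                          echo UNKNOWN ;;
    esac
}

# audit_vulns [DIR]: print "<state> <entry> <raw text>" for each file.
# Returns 0 if every entry is mitigated or not affected, 1 if any entry
# needs attention, 2 if DIR is absent (older kernel without the interface).
audit_vulns() {
    local dir="${1:-$VULN_DIR}" rc=0 f status state
    if [ ! -d "$dir" ]; then
        echo "$dir not found: this kernel does not export the interface" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f" 2>/dev/null) || status=""
        state=$(classify_status "$status")
        printf '%-12s %-20s %s\n' "$state" "${f##*/}" "$status"
        case "$state" in VULNERABLE|PARTIAL|UNKNOWN) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: srbds and meltdown carry the values quoted in the
# thread; the mds line is a constructed example of a qualified mitigation.
make_sample() {
    local d
    d=$(mktemp -d) || return 1
    printf 'Vulnerable: No microcode\n' > "$d/srbds"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    echo "$d"
}

sample=$(make_sample)
audit_vulns "$sample" || echo "exit status $?: at least one entry needs attention"
rm -rf "$sample"
```

On a live system, call `audit_vulns` with no argument; running it in both the guest and on the host shows whether a mitigation the hypervisor must expose actually reached the VM.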

  • Posts: 99

    Thanks coop! Very helpful.

  • Posts: 24

    LFS 201 - Lab 11.1

    I am getting the following error while trying to install stress-ng:

    [mc75@localhost git-test]$ git clone git://kernel.ubuntu.com/cking/stress-ng.git
    Cloning into 'stress-ng'...
    remote: Counting objects: 31600, done.
    remote: Compressing objects: 100% (12911/12911), done.
    remote: Total 31600 (delta 24533), reused 24974 (delta 18660)
    Receiving objects: 100% (31600/31600), 6.11 MiB | 2.52 MiB/s, done.
    Resolving deltas: 100% (24533/24533), done.
    [mc75@localhost git-test]$ cd stress-ng
    [mc75@localhost stress-ng]$ make
    bash: make: command not found...
    Failed to search for file: Cannot update read-only repo

    Any feedback?

  • Posts: 916

    Your system is missing development tools (it says there is no make). I don't know what distribution you are on, but you can do

    apt-get install make (or yum install make) etc.

    Even better, do ./ready-for.sh --install LFS201 after you download the script from https://training.linuxfoundation.org/cm/prep

    It's likely you are missing other packages you may need later. (Note that on most distributions you do not need to install from the git repo; you can do apt-get (or yum) install stress-ng.)

  • Posts: 24

    I have installed the script, thanks.

  • Posts: 24

    Though I was able to install stress-ng as evinced by:

    [mc75@localhost /]$ cd stress-ng
    [mc75@localhost stress-ng]$ make
    make makeconfig
    make[1]: Entering directory '/stress-ng'
    make[1]: Leaving directory '/stress-ng'
    make stress-ng
    make[1]: Entering directory '/stress-ng'
    make[1]: 'stress-ng' is up to date.
    make[1]: Leaving directory '/stress-ng'

    I am not able to execute stress-ng:

    bash: stress-ng: command not found...
    Failed to search for file: Cannot update read-only repo

    What am I doing wrong?

  • Posts: 916

    You need to type ./stress-ng (to put it in the path) and even better do "make install" and then you should be able to run it from anywhere.

  • Posts: 1,276

    Hi @moulinath , what distro and version are you running? It may be easier to install the package using apt or yum/dnf.

    Regards,
    Luis.

  • Posts: 24

    I could finally run it, thanks.

  • Posts: 1,276

    I'm glad you made it work :)

    Luis.
