Welcome to the Linux Foundation Forum!

LFS201 - Chapter 11 - /sys/devices/system/cpu/vulnerabilities

Chapter 11 doesn't sound good. Joke aside, there is this folder in the /sys pseudo filesystem:
/sys/devices/system/cpu/vulnerabilities

I wonder if we can use that to check for vulnerability mitigations that are available/active in the running system?

It becomes even more relevant when running the OS in a VM. Some mitigations need to be enabled in the hypervisor to be available to the VM. This would make it easy to see if the hypervisor/VM is correctly configured.

Just an idea.

Comments

  • coop
    coop Posts: 916

    It also shows how your kernel is configured, as in:

    c8:/sys/devices/system>ls -lF cpu/vulnerabilities/
    total 0
    -r--r--r-- 1 root root 4096 Jun 23 08:05 itlb_multihit
    -r--r--r-- 1 root root 4096 Jun 23 08:05 l1tf
    -r--r--r-- 1 root root 4096 Jun 23 08:05 mds
    -r--r--r-- 1 root root 4096 Jun 23 08:05 meltdown
    -r--r--r-- 1 root root 4096 Jun 23 08:05 spec_store_bypass
    -r--r--r-- 1 root root 4096 Jun 23 08:05 spectre_v1
    -r--r--r-- 1 root root 4096 Jun 23 08:05 spectre_v2
    -r--r--r-- 1 root root 4096 Jun 23 08:05 srbds
    -r--r--r-- 1 root root 4096 Jun 23 08:05 tsx_async_abort
    c8:/sys/devices/system>
    

    Looking at individual entries you can see how the system is dealing with them, as in:

    c8:/sys/devices/system/cpu/vulnerabilities>cat srbds
    Vulnerable: No microcode
    c8:/sys/devices/system/cpu/vulnerabilities>cat meltdown
    Mitigation: PTI
    c8:/sys/devices/system/cpu/vulnerabilities>
    

    Interpretation of the information requires some work :) I'm not sure when this
    entry was put in /sys but systems running "old" kernels probably won't have it.

  • heiko_s
    heiko_s Posts: 99

    Thanks coop! Very helpful.

  • moulinath
    moulinath Posts: 24

    LFS 201 - Lab 11.1

    I am getting the following error while trying to install stress-ng :

    [mc75@localhost git-test]$ git clone git://kernel.ubuntu.com/cking/stress-ng.git
    Cloning into 'stress-ng'...
    remote: Counting objects: 31600, done.
    remote: Compressing objects: 100% (12911/12911), done.
    remote: Total 31600 (delta 24533), reused 24974 (delta 18660)
    Receiving objects: 100% (31600/31600), 6.11 MiB | 2.52 MiB/s, done.
    Resolving deltas: 100% (24533/24533), done.
    [mc75@localhost git-test]$ cd stress-ng
    [mc75@localhost stress-ng]$ make
    bash: make: command not found...
    Failed to search for file: Cannot update read-only repo

    Any feedback ?

  • coop
    coop Posts: 916

    Your system is missing development tools. (says there is no make). I don't know what distribution you are on, but you can do

    apt-get install make (or yum install make) etc.

    Even better, do ./ready-for.sh --install LFS201 after you download the script from https://training.linuxfoundation.org/cm/prep

    It's likely you are missing other packages you may need later. (Note on most distributions you do not need to install from the git repo; you can do apt-get (or yum) install stress-ng

  • moulinath
    moulinath Posts: 24

    I have installed the script, thanks.

  • moulinath
    moulinath Posts: 24

    Though I was able to install stress-ng as evinced by :

    [mc75@localhost /]$ cd stress-ng
    [mc75@localhost stress-ng]$ make
    make makeconfig
    make[1]: Entering directory '/stress-ng'
    make[1]: Leaving directory '/stress-ng'
    make stress-ng
    make[1]: Entering directory '/stress-ng'
    make[1]: 'stress-ng' is up to date.
    make[1]: Leaving directory '/stress-ng'

    I am not being able to execute stress-ng

    bash: stress-ng: command not found...
    Failed to search for file: Cannot update read-only repo

    What am I doing wrong ?

  • coop
    coop Posts: 916

    you need to type ./stress-ng (to put it in the path) and even better do "make install" and then you should be able to run it from anywhere.

  • luisviveropena
    luisviveropena Posts: 1,246

    Hi @moulinath , what distro and version are you running? It may be easier to install the package using apt or yum/dnf.

    Regards,
    Luis.

  • moulinath
    moulinath Posts: 24

    I could finally run it, thanks.

  • luisviveropena
    luisviveropena Posts: 1,246

    I'm glad you make it work :)

    Luis.

Categories

Upcoming Training