Hi Stas-
FSGSBASE support is queued up for Linux 5.9. Since you're one of the
more exotic users of segmentation on Linux, is there any chance you
could test it? The code is here:
https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=x86/fsgsbase
There are two interesting cases to test:
1. FSGSBASE on. This is the default if you boot this kernel on Ivy
Bridge or newer hardware.
2. FSGSBASE off on a patched kernel. Boot the same kernel as in #1
but either pass nofsgsbase on the kernel command line or use pre-Ivy
Bridge hardware. You will *
You can tell you have FSGSBASE enabled for test #1 by running
tools/testing/selftests/x86/fsgsbase_64 -- the first line of output
will be "FSGSBASE instructions are enabled". You can build it by
cd-ing to tools/testing/selftests/x86 and running make.
If anything is broken for you, I'd like to know before this makes it
into a released kernel!
Thanks,
Andy
On Sat, Jun 20, 2020 at 8:59 AM Andy Lutomirski <[email protected]> wrote:
>
> 2. FSGSBASE off on a patched kernel. Boot the same kernel as in #1
> but either pass nofsgsbase on the kernel command line or use pre-Ivy
> Bridge hardware. You will *
You will not see fsgsbase in /proc/cpuinfo if you successfully
disabled fsgsbase.
On 6/20/20 11:59 AM, Andy Lutomirski wrote:
> Hi Stas-
>
> FSGSBASE support is queued up for Linux 5.9. Since you're one of the
> more exotic users of segmentation on Linux, is there any chance you
> could test it? The code is here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=x86/fsgsbase
>
> There are two interesting cases to test:
>
> 1. FSGSBASE on. This is the default if you boot this kernel on Ivy
> Bridge or newer hardware.
>
> 2. FSGSBASE off on a patched kernel. Boot the same kernel as in #1
> but either pass nofsgsbase on the kernel command line or use pre-Ivy
> Bridge hardware. You will *
>
> You can tell you have FSGSBASE enabled for test #1 by running
> tools/testing/selftests/x86/fsgsbase_64 -- the first line of output
> will be "FSGSBASE instructions are enabled". You can build it by
> cd-ing to tools/testing/selftests/x86 and running make.
>
> If anything is broken for you, I'd like to know before this makes it
> into a released kernel!
>
> Thanks,
> Andy
>
FWIW, we tested this patch using Graphene under Case 1, both in our
standard CI pipelines, and with hand testing. Everything looks good on
our end - no suspicious dmesg, no application-level issues.
I also reran the stress test Andy suggested on a separate thread, which
also looks good:
* Graphene running nginx pinned to core 0
* infinite loop on core 0
* perf top running
* Exercised with non-SGX apache bench several times (~10 minutes of
testing time) also from core 0
All the best,
Don
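
The two checks mentioned in the thread (the fsgsbase flag in /proc/cpuinfo and the nofsgsbase command-line parameter), combined into one script. This is an added example, not part of the original messages or the kernel tree. It assumes the patched kernel discussed above; the function names and output strings are made up for illustration.

```shell
#!/bin/sh
# Added example: decide which of the two test cases a booted (patched) kernel
# is in. With no arguments it reads the live /proc files; pass saved copies of
# cpuinfo and cmdline as $1 and $2 to check another machine.

# has_word FILE WORD PREFIX
# Succeeds if WORD is a whole whitespace-separated token on a line that starts
# with PREFIX (empty PREFIX matches every line). Whole-token matching matters:
# a substring search for "fsgsbase" would also hit "nofsgsbase".
has_word() {
    awk -v w="$2" -v p="$3" '
        p == "" || index($0, p) == 1 {
            for (i = 1; i <= NF; i++) if ($i == w) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

fsgsbase_case() {
    cpuinfo=${1:-/proc/cpuinfo}
    cmdline=${2:-/proc/cmdline}
    flag=no
    param=no
    if has_word "$cpuinfo" fsgsbase flags; then flag=yes; fi
    if has_word "$cmdline" nofsgsbase ""; then param=yes; fi
    case "$flag,$param" in
        yes,no)  echo "case 1: FSGSBASE on" ;;
        no,yes)  echo "case 2: FSGSBASE off via nofsgsbase" ;;
        no,no)   echo "case 2: FSGSBASE off, flag absent without nofsgsbase" ;;
        # nofsgsbase was passed but the flag is still listed, so the
        # disable did not take effect.
        yes,yes) echo "unexpected: nofsgsbase passed but fsgsbase flag present" ;;
    esac
}

fsgsbase_case "$@"
```

For case 1 the selftest output named in the first message remains the confirmation that the instructions are enabled; this script only sorts a boot into the right bucket.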