Ubuntu
linux package

x86/pti: 32-bit x86 systems support already available.

Bug #1790688 reported by daniel CURTIS
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Triaged
High
Unassigned

Bug Description

Hello.

This is a very good news: 'PTI' support for x86-32 architecture is available. Linux kernel v4.19 release candidate, finally have Kernel Page-Table Isolation ('PTI', previously known as 'KAISER') support. As we know, 'PTI' provides protection against attack, known as the "Meltdown" (CVE-2017-5754), that breaks isolation between user applications and the operating system etc. However, this protection - needed for "Meltdown" mitigation - wasn't available on 32-bit x86 systems. Until now.

So, I would like to ask a question: are there any plans to backport Kernel Page-Table Isolation patches for Linux kernels available in "Trusty"/14.04, "Xenial"/16.04 and "Bionic"/18.04 releases etc.? I'm asking, because it seems, that pretty much no developers run 32-bit any more. However, there still are many 32-bit users out there.

For more informations about how 'PTI' was implemented, created for 32 bit x86 architecture, please check - for example - commit '7757d607c6b31' ("x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32") and these messages on lkml mailing list and lwn.net website (which contains summary of the first half of the 4.19 kernel merge window):

http://lkml.iu.edu/hypermail/linux/kernel/1807.2/02790.html ('PTI' on x86-32; PATCH v.8)
https://lwn.net/Articles/762566/ (See "Architecture-specific" changes)

I would like to send a big "Thank You" to Mr Joerg Roedel (and Others, of course) for his amazing work - a whole raft of measures and patches to make this possible - to enable 'PTI' mitigation on x86-32 architecture etc.

Thanks, best regards.

See original description
daniel CURTIS (anoda)
description: updated
description: updated
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1790688

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
daniel CURTIS (anoda)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
daniel CURTIS (anoda) wrote :

Hello.

One more thing: since kernel page-table isolation is already available on 32-Bit x86 systems (see Bug Description), maybe "SpectreAndMeltdown" information page (see 1.) should be updated, because of such a statement (see "Current Status"):

"No fix is currently available for Meltdown on 32-bit x86; moving to a 64-bit kernel is the currently recommended mitigation."

Maybe, it could be changed to note, that: "32-bit x86 finally have kernel page-table isolation support to mitigate "Meltdown". It is already available in Linux kernel v4.19". Or above statement, available on "SpectreAndMeltdown" page, could be changed to:

"Fix/mitigation for Meltdown on 32-bit x86 is already available in Linux v4.19 kernel".

But that's just my opinion.

Best regards.
______________
1. https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown#Current_Status

Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu):
importance: Undecided → High
status: Confirmed → Incomplete
status: Incomplete → Triaged
daniel CURTIS (anoda)
description: updated
summary: - x86/pti: 32-Bit x86 systems support already available.
+ x86/pti: 32-bit x86 systems support already available.
Revision history for this message
daniel CURTIS (anoda) wrote :

Hello. I would like to note, that "Meltdown" mitigation - for i386 architecture - among others improvements, is already available in OpenBSD 6.4 release (see "Security improvements" section [in:] https://www.openbsd.org/64.html).

Best regards.

Revision history for this message
H Buus (faginbagin) wrote :

PTI makes my 2 32 bit laptops unstable. I have lubuntu 18.04 installed on both and they both started having trouble after the linux-image upgrade from 4.15.0-46/47 to 4.15.0-50/51. They either fail to boot without locking up or fail to shut down cleanly. I rarely get any useful logs or messages on the screen, although if the machines do boot without locking up, I have seen messages like this when they fail to shut down:
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [systemd:1]

I did manage to recover some BUGs with call traces from kern.log when I tried the ubuntu mainline kernel build, 4.19.31-041931-generic #201903231635. Here are typical BUG stmts:
Apr 22 10:16:04 mikedell kernel: [ 43.339955] BUG: unable to handle kernel NULL pointer dereference at 00000008
Apr 22 10:16:04 mikedell kernel: [ 43.484957] BUG: unable to handle kernel paging request at eef4817c
Unfortunately, I think it's the only kernel that's given me this much info. I'd be happy to share the full call traces I have captured if anyone is interested.

Neither laptop has a serial port and I'm not a kernel developer, so I don't feel I've got the means to properly diagnose the problem. Howver, I have since found that when I compile the kernel from:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
and change only one config parameter, CONFIG_PAGE_TABLE_ISOLATION, the kernel with the param enabled is unstable, but the kernel with the param disabled is stable. I have found this to be the case with kernels 4.19.50 and 5.1.9.

The two laptops are:
Dell Inspiron B130 with an Intel Celeron M 1.50GHz (family: 0x6, model: 0xd, stepping: 0x8)
IBM Thinkpad R51 1836HAU with Intel Pentium M processor 725 (1.6 GHz)

The Thinkpad's Pentium M 725 is a Dothan processor that supports PAE, but lies about it, so it requires the forcepae kernel parameter. The Dell's Celeron M does not requre the forcepae parameter.

I've been trying to figure out if this is a known problem. THere's so little love for 32 bt hardware these days. Then I saw this bug report and thought it might be a good place to start.

Should I post this info on the linux-kernel mailing list?

Revision history for this message
daniel CURTIS (anoda) wrote :

Hello H Buus.

Thank You for a comment. According to BUGs with call traces from 'kern.log' file (I mean especially 'unable to handle kernel NULL pointer dereference at 00000008' messages etc.) I think you should report all these informations on the linux-kernel mailing list (please see 1). Also, I think, that the kernel-team mailing list is a good place -maybe even better than 'lkml' - to report, because this mailing list is used to coordinate and plan kernel uploads for Ubuntu (please see 2).

I hope, that 'PTI' will be backported soon, to the Linux kernel used in 16.04 LTS Release and x86_32/i386 architecture.

Thanks, best regards.
_____________________
1.: https://lkml.org/
2.: https://lists.ubuntu.com/archives/kernel-team/

Brad Figg (brad-figg)
tags: added: cscc
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.