lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 28 Jun 2021 02:52:03 +0200
From:   Marcos Del Sol Vives <marcos@...a.pet>
To:     David Laight <David.Laight@...LAB.COM>,
        "x86@...nel.org" <x86@...nel.org>
Cc:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] x86: add NOPL and CMOV emulation

El 27/06/2021 a las 12:57, David Laight escribió:
> From: Marcos Del Sol Vives
>> Sent: 26 June 2021 14:03
>>
>> NOPL and CMOV are a set of instructions that were introduced to the
>> x86 architecture with the i686 ISA in 1995, first implemented in the
>> Intel Pentium Pro and Pentium II processors.
>>
>> While virtually all desktop and server systems are modern enough to
>> support these instructions, in the embedded market things are a little
>> bit different: DM&P is still manufacturing their i586-only Vortex86
>> SoCs, and many embedded devices still in use are stuck on legacy SoCs
>> that either are i586-only (AMD Elan, AMD Geode GX1) or implement i686
>> but lack the NOPL instructions (Transmeta devices, AMD Geode LX).
>>
>> This is a problem because most modern Linux distributions, such as
>> Debian and all its derivatives, have started compiling targeting i686,
>> leaving old embedded devices using binary distributions without an
>> easy upgrade path.
>>
>> This ultimately results in most of these embedded devices running
>> years old, insecure and obsolete installations, and this itself can be
>> seen on the DM&P's own supported OS page where the newest supported
>> desktop Linux distro is Ubuntu 18.04, already three years old.
>>
>> The emulation of these instructions thus allow upgrading to newer
>> distributions just by replacing the kernel, keeping all precompiled
>> binaries intact.
> ...
> 
> Does this really help?
> 1) Trapping and emulating the instructions will be slow.

This is true. An emulated CMOV is almost 50 times slower than 
conditional branch on my Vortex86MX.

However, in practice this results in very little slowdown - GCC seems to 
really avoid emitting CMOVs, preferring conditional branches instead, so 
applications are still completely useable.

> 2) All 64bit cpus support these instructions - so these must be 32bit.
>     I believe the main distributions are about to drip 32bit support.

While it is true that Ubuntu has dropped support for 32 bit devices, 
Debian, OpenSUSE and many others don't seem to plan on doing so anytime 
soon.

> It also has to be said that using Ubuntu in an embedded device
> is about as sensible as running windows.
> There is far too much 'crud' running that you don't need and
> is only likely to result in security breaches.
> 
> Much better is something based on busybox+buildroot where you
> have (almost) complete control of the system userspace and
> can easily build a kernel that only has support for the required
> hardware from one of the LTS kernel trees.

These SoCs are not the average ARM-based SoC used in very high volume 
products such as WiFi routers where you want a million of units all 
executing the same thing. For those I totally agree you'd use a fully 
customized operating system on a build root image.

Vortex86 devices are on the other hand used generally in low-volume, 
niche applications, where the premium of a x86-compatible Vortex86 
device that can boot any standard x86 operating systems and applications 
is preferrable to the cost of developing a fully customized operating 
system image.

I've seen such devices used by small companies to develop point of sale 
machines, information screen, kiosks, etc... where they benefit from 
being easy to set up and, being a standard operating system, allow 
easily tweaking to the customer's needs.

Myself, I am using an eBox 3350MX-AP (which sports a Vortex86MX with 
512MB of RAM) as a small, low-power web server running Debian sid. If I 
were to use buildroot, I'd lose completely the ability to install new 
features or apply updates without having to rebuild the entire image, 
which is a complex and time-consuming task.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ