Right, finally Linux is getting something similar to DTrace and useful, see bpftrace. However, for it to be useful in the enterprise it has to be included in Red Hat - I wonder how long it will take though... but maybe around 2020 this will finally happen and then Linux will truly have an equivalent of DTrace, even if 15 years later.
Friday, October 12, 2018
Tuesday, October 02, 2018
Solaris: Spectre v2 & Meltdown fixes
Solaris 11.4 includes fixes for Meltdown and Spectre v2 (fixes for v1 were delivered a few months ago for 11.3 via SRU and are also included in 11.4). What I really like about them is that you can turn them on or off via sxadm. The sxadm command will also report whether your HW requires the fixes and whether they are enabled. Additionally, an FMA alert is generated if your HW should have the fixes enabled but cannot because of old microcode, so you also get alerting. Very nice integration indeed.
Example output with Solaris running in Virtual Box:

    # sxadm status
    EXTENSION           STATUS                        FLAGS
    aslr                enabled (tagged-files)        u-c--
    nxstack             enabled (all)                 u-c--
    nxheap              enabled (tagged-files)        u-c--
    kpti                enabled                       -kcr-
    ibpb                not supported                 -----
    ibrs                not supported                 -----
    smap                not supported                 -----
kpti is the fix for Meltdown and it is active, while ibpb and ibrs are the mitigations for Spectre v2 and are not enabled, as they are not supported on this HW.
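For checking many hosts, the same reading of the table can be scripted. The following is an added example, not part of the original post or of Solaris: it parses the text of `sxadm status` in the layout shown above and reports only the kpti, ibpb and ibrs rows. The function names are hypothetical, and treating any status other than the two seen in this post as "not-enabled" is an assumption.

```shell
#!/bin/sh
# Sample input: the `sxadm status` table from this post (VirtualBox guest).
sample_status() {
cat <<'EOF'
EXTENSION           STATUS                        FLAGS
aslr                enabled (tagged-files)        u-c--
nxstack             enabled (all)                 u-c--
nxheap              enabled (tagged-files)        u-c--
kpti                enabled                       -kcr-
ibpb                not supported                 -----
ibrs                not supported                 -----
smap                not supported                 -----
EOF
}

# Reads `sxadm status` text on stdin and prints "<extension> <issue> <state>"
# for the Meltdown / Spectre v2 rows. Returns 0 only if all three are enabled.
audit_mitigations() {
    awk '
        BEGIN {
            bad = 0
            issue["kpti"] = "meltdown"
            issue["ibpb"] = "spectre-v2"
            issue["ibrs"] = "spectre-v2"
        }
        $1 == "EXTENSION" { next }            # header row
        ($1 in issue) {
            # STATUS may contain spaces: it is every field between the
            # first column (EXTENSION) and the last column (FLAGS).
            status = ""
            for (i = 2; i < NF; i++) status = status (i > 2 ? " " : "") $i
            if (status ~ /^enabled/)            state = "enabled"
            else if (status == "not supported") state = "unsupported"
            else                                state = "not-enabled"  # assumption
            if (state != "enabled") bad = 1
            seen[$1] = 1
            printf "%s %s %s\n", $1, issue[$1], state
        }
        END {
            # A row that is absent altogether is also a finding.
            for (e in issue) if (!(e in seen)) { printf "%s %s missing\n", e, issue[e]; bad = 1 }
            exit bad
        }
    '
}

# On a live system the input would be: sxadm status | audit_mitigations
sample_status | audit_mitigations || echo "at least one mitigation is not enabled" >&2
```
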
Let's see how FMA is reporting an old version of microcode:
    # fmadm faulty
    --------------- ------------------------------------  -------------- ---------
    TIME            EVENT-ID                              MSG-ID         SEVERITY
    --------------- ------------------------------------  -------------- ---------
    Oct 02 14:19:24 383538f1-9268-4a07-9ff8-86be48c02e72  SUNOS-8000-LG  Major

    Problem Status    : open
    Diag Engine       : software-diagnosis / 0.2
    System
        Manufacturer  : unknown
        Name          : unknown
        Part_Number   : unknown
        Serial_Number : unknown

    System Component
        Manufacturer  : innotek GmbH
        Name          : VirtualBox
        Part_Number   :
        Serial_Number : 0
        Firmware_Manufacturer : innotek GmbH
        Firmware_Version      : (BIOS)VirtualBox
        Firmware_Release      : (BIOS)12.01.2006
        Host_ID       : 00482293
        Server_Name   : solaris

    ----------------------------------------
    Suspect 1 of 1 :
       Problem class : alert.oracle.solaris.cpu.firmware.security
       Certainty   : 100%

       FRU
         Status           : Active
         Location         : "/SYS/MB"
         Manufacturer     : unknown
         Name             : unknown
         Part_Number      : unknown
         Revision         : unknown
         Serial_Number    : unknown
         Chassis
            Manufacturer  : Oracle Corporation
            Name          : VirtualBox
            Part_Number   :
            Serial_Number : 0
       Resource
         Status           : Active

    Response    : No automated response available

    Impact      : Oracle Solaris is not running with Spectre Vulnerability Mitigation Enabled

    Action      : Update the CPU with Spectre capable microcode.
                  Please refer to the associated reference document at
                  http://support.oracle.com/msg/SUNOS-8000-LG for the latest
                  service procedures and policies regarding this diagnosis.