16 files changed, 277 insertions, 394 deletions
diff --git a/docs/csit_python2_to_python3_migration.md b/docs/csit_python2_to_python3_migration.md deleted file mode 100644 index 8263f7aabe..0000000000 --- a/docs/csit_python2_to_python3_migration.md +++ /dev/null 
@@ -1,182 +0,0 @@ -# FD.io CSIT migration Python 2.7 to Python 3 - -## Python 3 version - -There is a pre-agreement to migrate to Python 3 version used by -Ubuntu 18.04-LTS - currently it is version [3.6.8](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-8-final). - -CentOS7 version 1810 that is used in [FD.io](https://fd.io/) also contains -Python 3.6. - -## Dependency libs - -There was used *[caniusepython3](https://pypi.org/project/caniusepython3/)* -tool to check readiness of current version of csit external libraries for -Python 3. It identified one external library that needs to be updated to -support Python 3: - ``` - (env) vpp@vpp-VirtualBox:~/Documents/csit$ caniusepython3 -r requirements.txt - Finding and checking dependencies ... - You need 1 project to transition to Python 3. - Of that 1 project, 1 has no direct dependencies blocking its transition: - pypcap - (env) vpp@vpp-VirtualBox:~/Documents/csit$ caniusepython3 -r tox-requirements.txt - Finding and checking dependencies ... - You have 0 projects blocking you from using Python 3! - (env) vpp@vpp-VirtualBox:~/Documents/csit$ - ``` - -The latest released version of *[pypcap](https://pypi.org/project/pypcap/)* is -version 1.2.3 (Python 3 support implemented in version 1.2.0). - -Packages were checked for Python 3.6.8 support too and here are proposed -package versions: - -- directly needed packages - - ecdsa==0.13.3 - - paramiko==2.6.0 - - pycrypto==2.6.1 - - pypcap==1.2.3 # min. v1.2.0 for Python 3.6 support - - PyYAML==5.1 - - requests==2.22.0 # min. v2.14.0 for Python 3.6 support - - robotframework==3.1.2 - - scapy==2.4.3 # min. 
v2.4.0 for Python 3.6 support - - scp==0.13.2 - -- directly needed packages for PLRSearch - - dill==0.3.1.1 - - numpy==1.17.3 # v1.14.5 - compatibility with Python 3.6.2, possible - incompatibility with Python 3.6.8; v1.14.6 should be compatible with - Python 3.6.8 - - scipy==1.3.1 - -- directly needed packages for PAL - - hdrhistogram==0.6.1 - - pandas==0.25.3 - - plotly==4.1.1 - - PTable==0.9.2 - - Sphinx==2.2.1 - - sphinx-rtd-theme==0.4.0 - - sphinxcontrib-programoutput==0.15 - -- packages needed by paramiko package - - bcrypt==3.1.7 - - cffi==1.13.1 - - cryptography==2.8 - - pycparser==2.19 - - PyNaCl==1.3.0 - - six==1.12.0 - -- packages needed by request package - - certifi==2019.9.11 - - chardet==3.0.4 - - idna==2.8 - - urllib3==1.25.6 - -- not needed anymore - - aenum - enum module in Python 3.6 already contains needed enum types - - ipaddress - module already included in Python 3.6 - - pexpect - can be removed when corresponding unused code is removed from - ssh.py - - pykwalify + docpot + python-dateutil - can be removed if virl not used - anymore - -After discussion there is an agreement to use pip freeze for indirect -dependencies when all direct dependency versions are resolved - see example of -*[requirements.txt](https://gerrit.fd.io/r/c/csit/+/23207/17/requirements.txt)* -file in CSIT gerrit commit -[Python3: PIP requirement](https://gerrit.fd.io/r/c/csit/+/23207). - -## Required CSIT code changes - -There were identified following code changes that need to be addressed during -Python 2.7 to Python 3 migration in CSIT: -- imports relative to package - - `import submodul1` => `from . 
import submodule1` - - `from csv import my_csv` => `from .csv import my_csv` -- StringIO - - `import StringIO` => `from io import StringIO` -- `StandardError` -=> `Exception` -- raising exceptions - should be ready - - `raise ValueError, "wrong value"` => `raise ValueError("wrong value")` -- catching exceptions - should be ready - - `except ValueError, e:` => `except ValueError as e:` -- integers - - `long` => `int` -- strings and bytes - - `unicode` => `str` - - `basestring` => `str` - - `str` => `bytes` - not generally, only if bytes type really required - - use following string style conventions: - - `u"a unicode string literal"` - - `b"a bytes string literal"` - - `f"a formatted unicode string literal"` - `f"He said his name is {name}"` - instead of `"He said his name is {n}".format(n=name)` -- integer division with rounding down - - `2 / 3` => `2 // 3` -- metaclasses - use only new style - - `class Form(BaseForm, metaclass=FormType):` -- for-loop variables and the global namespace leak - - for-loop variables don't leak into the global namespace anymore -- returning iterable objects instead of lists - - `xrange` => `range` - - `range` => `list(range())` - - `map` => `list(map())` - - `zip` => `list(zip())` - - `filter` => `list(filter())` - - dictionaries - - `.iteritems()` => `.items()` - - `.iterkeys()` => `.keys()` - - `.itervalues()` => `.values()` - - `.viewitems()` => `.items()` - - `.viewkeys()` => `.keys()` - - `.viewvalues()` => `.values()` - - `.items()`=> `list(.items())` - - `.keys()` => `list(.keys())` - - `.values()` => `list(.values())` - - `dict.has_key(key)` => `key in dict` - - lists - - `L = list(some_iterable); L.sort()` => `L = sorted(some_iterable)` - - parenthesis in list comprehensions - - `[... for var in item1, item2, ...]` => `[... 
for var in (item1, item2, ...)]` -- file IO with `open` - - `f = open('myfile.txt') # f.read() returns byte string` => - `from io import open` plus - - `f = open('myfile.txt', 'rb') # f.read() should return bytes` - - `f = open('myfile.txt', 'rt') # f.read() should return unicode text` -- reduce() - - `reduce()` => `from functools import reduce; reduce()` - -- python files in following directories: - - resources/libraries/python - - resources/tools - - resources/traffic_profiles/trex - - resources/traffic_scripts - -- check python calls in bash files: - - resources/libraries/bash/ - - csit root directory - -## Migration steps - -1. Update all external libraries - week(s) before the week W -1. Install agreed Python 3 version to all servers used by CSIT for test - execution - week(s) before the week W - 1. vpp device servers - already done - 1. performance testbeds - already done - 1. jenkins executors - already done -1. Freeze the CSIT master branch for one week for commits other then Python 2 to - Python 3 migration - week W - 1. Create back up branch of actual master - 1. Migrate libraries - work split between all available CSIT developers. Each - one will submit separate commit for review - csit-vpp-xxx verify jobs will - be failing at this phase so committers will need to overwrite verify - voting to be able to merged these commits. - - TODO: provide separate spread sheet with listed libraries to be migrated - with the name of CSIT developer responsible for the migration of this - library. - 1. Run jobs and tests of all of types when all libraries migrated to confirm - functionality or to catch bugs that needs to be fixed - iterate until - successful execution of all tests. -1. Unfreeze the CSIT master branch. diff --git a/docs/report/introduction/methodology_trex_traffic_generator.rst b/docs/report/introduction/methodology_trex_traffic_generator.rst index 0e7049826b..0d19c2cf78 100644 --- a/docs/report/introduction/methodology_trex_traffic_generator.rst 
+++ b/docs/report/introduction/methodology_trex_traffic_generator.rst @@ -22,7 +22,7 @@ is: - TRex is started in the background mode :: - $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 > /tmp/trex.log 2>&1 &' > /dev/null + $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 --prefix $(hostname) --hdrh > /tmp/trex.log 2>&1 &' > /dev/null - There are traffic streams dynamically prepared for each test, based on traffic profiles. The traffic is sent and the statistics obtained using diff --git a/docs/report/introduction/physical_testbeds.rst b/docs/report/introduction/physical_testbeds.rst index 9babb5fb1f..8860638d43 100644 --- a/docs/report/introduction/physical_testbeds.rst +++ b/docs/report/introduction/physical_testbeds.rst @@ -26,7 +26,8 @@ Two physical server topology types are used: Current FD.io production testbeds are built with SUT servers based on the following processor architectures: -- Intel Xeon: Skylake Platinum 8180 and Haswell-SP E5-2699v3. +- Intel Xeon: Skylake Platinum 8180, Haswell-SP E5-2699v3, + Cascadelake Platinum 8280, Cascadelake 6252N. - Intel Atom: Denverton C3858. - ARM: TaiShan 2280, hip07-d05. 
@@ -40,6 +41,54 @@ https://git.fd.io/csit/tree/docs/lab/testbed_specifications.md. Following is the description of existing production testbeds. +2-Node Xeon Cascadelake (2n-clx) +-------------------------------- + +Three 2n-clx testbeds are in operation in FD.io labs. Each 2n-clx testbed +is built with two SuperMicro SYS-7049GP-TRT servers, SUTs are equipped with two +Intel Xeon Gold 6252N processors (35.75 MB Cache, 2.30 GHz, 24 cores). +TGs are equiped with Intel Xeon Cascadelake Platinum 8280 processors (38.5 MB +Cache, 2.70 GHz, 28 cores). 2n-clx physical topology is shown below. + +.. only:: latex + + .. raw:: latex + + \begin{figure}[H] + \centering + \graphicspath{{../_tmp/src/introduction/}} + \includegraphics[width=0.90\textwidth]{testbed-2n-clx} + \label{fig:testbed-2n-clx} + \end{figure} + +.. only:: html + + .. figure:: testbed-2n-clx.svg + :alt: testbed-2n-clx + :align: center + +SUT servers are populated with the following NIC models: + +#. NIC-1: x710-DA4 4p10GE Intel. +#. NIC-2: xxv710-DA2 2p25GE Intel. +#. NIC-3: mcx556a-edat ConnectX5 2p100GE Mellanox. (Only testbed t27, t28) +#. NIC-4: empty, future expansion. +#. NIC-5: empty, future expansion. +#. NIC-6: empty, future expansion. + +TG servers run T-Rex application and are populated with the following +NIC models: + +#. NIC-1: x710-DA4 4p10GE Intel. +#. NIC-2: xxv710-DA2 2p25GE Intel. +#. NIC-3: mcx556a-edat ConnectX5 2p100GE Mellanox. (Only testbed t27, t28) +#. NIC-4: empty, future expansion. +#. NIC-5: empty, future expansion. +#. NIC-6: x710-DA4 4p10GE Intel. (For self-tests.) + +All Intel Xeon Cascadelake servers run with Intel Hyper-Threading enabled, +doubling the number of logical cores exposed to Linux. + 2-Node Xeon Skylake (2n-skx) ---------------------------- diff --git a/docs/report/introduction/test_environment_intro.rst b/docs/report/introduction/test_environment_intro.rst index e0df3b64ff..b02520b99d 100644 --- a/docs/report/introduction/test_environment_intro.rst 
+++ b/docs/report/introduction/test_environment_intro.rst @@ -54,5 +54,4 @@ repeatable zero packet loss throughput measurements across multiple system instances. Generally they come useful as a background data for comparing data plane performance results across disparate servers. -Following sections include measured calibration data for Intel Xeon -Haswell and Intel Xeon Skylake testbeds. +Following sections include measured calibration data for testbeds. diff --git a/docs/report/introduction/test_environment_sut_calib_clx.rst b/docs/report/introduction/test_environment_sut_calib_clx.rst index 43e2f599ea..823346f079 100644 --- a/docs/report/introduction/test_environment_sut_calib_clx.rst +++ b/docs/report/introduction/test_environment_sut_calib_clx.rst @@ -15,7 +15,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 Linux uname ~~~~~~~~~~~ @@ -23,7 +23,7 @@ Linux uname :: $ uname -a - Linux s32-t27-sut1 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + Linux s32-t27-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter 
diff --git a/docs/report/introduction/test_environment_sut_calib_dnv.rst b/docs/report/introduction/test_environment_sut_calib_dnv.rst index 7777792ca9..3365552bb2 100644 --- a/docs/report/introduction/test_environment_sut_calib_dnv.rst +++ b/docs/report/introduction/test_environment_sut_calib_dnv.rst @@ -4,8 +4,8 @@ Calibration Data - Denverton Following sections include sample calibration data measured on Denverton server at Intel SH labs. -And VPP-18.10 2-Node Atom Denverton testing took place at Intel Corporation -carefully adhering to FD.io CSIT best practices. +A 2-Node Atom Denverton testing took place at Intel Corporation carefully +adhering to FD.io CSIT best practices. Linux cmdline diff --git a/docs/report/introduction/test_environment_sut_calib_hsw.rst b/docs/report/introduction/test_environment_sut_calib_hsw.rst index 1dedcd8271..fe89d99028 100644 --- a/docs/report/introduction/test_environment_sut_calib_hsw.rst +++ b/docs/report/introduction/test_environment_sut_calib_hsw.rst @@ -14,7 +14,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=5d2ecc97-245b-4e94-b0ae-c3548567de19 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/vmlinuz-4.15.0-72-generic root=UUID=c59ae603-8076-41f4-bb5d-bc3fc8dd3ea1 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0console=ttyS0,115200n8 Linux uname 
@@ -23,7 +23,7 @@ Linux uname :: $ uname -a - Linux t1-tg1 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux + Linux t1-tg1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_skx.rst b/docs/report/introduction/test_environment_sut_calib_skx.rst index a30a91d61c..16f7ae0762 100644 --- a/docs/report/introduction/test_environment_sut_calib_skx.rst +++ b/docs/report/introduction/test_environment_sut_calib_skx.rst @@ -15,7 +15,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-23-generic root=UUID=759ad671-ad46-441b-a75b-9f54e81837bb ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=e05120bb-7127-43db-b1e3-a66edd4c43bd ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 Linux uname @@ -24,7 +24,7 @@ Linux uname :: $ uname -a - Linux s5-t22-sut1 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux + Linux s3-t21-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_conf_1.rst b/docs/report/introduction/test_environment_sut_conf_1.rst index afaaec4f2f..29baeab8b1 100644 
--- a/docs/report/introduction/test_environment_sut_conf_1.rst +++ b/docs/report/introduction/test_environment_sut_conf_1.rst @@ -7,26 +7,14 @@ install and Below a subset of the running configuration: -1. Xeon Haswell - Ubuntu 18.04.1 LTS +1. Ubuntu 18.04.x LTS :: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu - Description: Ubuntu 18.04.1 LTS - Release: 18.04 - Codename: bionic - - -2. Xeon Skylake - Ubuntu 18.04 LTS - -:: - - $ lsb_release -a - No LSB modules are available. - Distributor ID: Ubuntu - Description: Ubuntu 18.04 LTS + Description: Ubuntu 18.04.3 LTS Release: 18.04 Codename: bionic @@ -76,23 +64,3 @@ Huge pages are namaged via sysctl configuration located in `/etc/sysctl.d/90-csit.conf` on each testbed. Default huge page size is 2M. The exact amount of huge pages depends on testbed. All the values are defined in `Ansible inventory - hosts` files. - - -Applied Boot Cmdline -~~~~~~~~~~~~~~~~~~~~ - -1. Xeon Haswell - Ubuntu 18.04.1 LTS - -:: - - $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=5d2ecc97-245b-4e94-b0ae-c3548567de19 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 - -2. Xeon Skylake - Ubuntu 18.04 LTS - -:: - - $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-23-generic root=UUID=3fa246fd-1b80-4361-bb90-f339a6bbed51 ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 - - 
diff --git a/docs/report/introduction/test_environment_sut_meltspec_clx.rst b/docs/report/introduction/test_environment_sut_meltspec_clx.rst index 9056be839b..88400338a5 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_clx.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_clx.rst @@ -8,11 +8,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.43 + awk: fatal: cannot open file `bash for reading (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 - CPU is Intel(R) Xeon(R) Gold 6252N CPU @ 2.30GHz + Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 + CPU is Intel(R) Xeon(R) Platinum 8280 CPU @ 2.70GHz Hardware check * Hardware support (CPU microcode) for mitigation techniques @@ -30,7 +31,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * L1 data cache invalidation * FLUSH_CMD MSR is available: YES * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitecture Data Sampling + * Microarchitectural Data Sampling * VERW instruction is available: YES (MD_CLEAR feature bit) * Enhanced IBRS (IBRS_ALL) * CPU indicates ARCH_CAPABILITIES MSR availability: YES 
@@ -40,9 +41,15 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES + * TSX_CTRL MSR indicates TSX RTM is disabled: YES + * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES + * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x5000021 cpuid 0x50657) - * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash' for reading (No file or directory) + * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x500002c cpuid 0x50657) + * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory) UNKNOWN (latest microcode version for your CPU model is unknown) * CPU vulnerability to the speculative execution attack variants * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES 
@@ -51,23 +58,23 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES - CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass' - * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer saniation) - * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) - * Kernel has the Red Hat/Ubuntu patch: NO + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and 
__user pointer sanitization) - CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' + CVE-2017-5715 aka Spectre Variant 2, branch target injection * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES 
@@ -80,36 +87,36 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Kernel supports RSB filling: YES > STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability) - CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load' + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: NO + * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3640 aka 'Variant 3a, rogue system register read' + CVE-2018-3640 aka Variant 3a, rogue system register read * CPU microcode mitigates the vulnerability: YES > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) - CVE-2018-3639 aka 'Variant 4, speculative store bypass' + CVE-2018-3639 aka Variant 4, speculative store bypass * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES ((deleted) systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) + * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault' + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault 
* CPU microcode mitigates the vulnerability: N/A > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault' + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports PTE inversion: YES (found in kernel image) * PTE inversion enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + > STATUS: NOT VULNERABLE (Not affected) - CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault * Information from the /sys interface: Not affected * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) 
@@ -118,37 +125,48 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) * L1D flush enabled: NO * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable) - CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)' + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)' + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)' + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2019-11091 
aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)' + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: YES (Mitigation: TSX disabled) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK 
diff --git a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst b/docs/report/introduction/test_environment_sut_meltspec_hsw.rst index 8634aa4cfa..fd66a8dfa3 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_hsw.rst @@ -8,10 +8,11 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.43 + awk: cannot open bash (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 + Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 CPU is Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz Hardware check @@ -30,8 +31,8 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * L1 data cache invalidation * FLUSH_CMD MSR is available: YES * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitecture Data Sampling - * VERW instruction is available: NO + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) * Enhanced IBRS (IBRS_ALL) * CPU indicates ARCH_CAPABILITIES MSR availability: NO * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO 
@@ -40,8 +41,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x3d cpuid 0x306f2) + * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x43 cpuid 0x306f2) * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) UNKNOWN (latest microcode version for your CPU model is unknown) * CPU vulnerability to the speculative execution attack variants 
@@ -57,16 +62,18 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW) + * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES * IBRS enabled and active: YES (for firmware code only) 
@@ -120,19 +127,44 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github > STATUS: NOT VULNERABLE (this system is not running a hypervisor) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or 
disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Not affected) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK 
CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_skx.rst b/docs/report/introduction/test_environment_sut_meltspec_skx.rst index 15b098a9ce..abba5804b3 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_skx.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_skx.rst 
@@ -8,82 +8,89 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.43 + awk: cannot open bash (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 + Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz Hardware check * Hardware support (CPU microcode) for mitigation techniques - * Indirect Branch Restricted Speculation (IBRS) - * SPEC_CTRL MSR is available: YES - * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) - * Indirect Branch Prediction Barrier (IBPB) - * PRED_CMD MSR is available: YES - * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) - * Single Thread Indirect Branch Predictors (STIBP) - * SPEC_CTRL MSR is available: YES - * CPU indicates STIBP capability: YES (Intel STIBP feature bit) - * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: YES (Intel SSBD) - * L1 data cache invalidation - * FLUSH_CMD MSR is available: YES - * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitecture Data Sampling - * VERW instruction is available: NO - * Enhanced IBRS (IBRS_ALL) - * CPU indicates ARCH_CAPABILITIES MSR availability: NO - * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO - * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO - * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO - * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO - * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO - * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO - * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is 
known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x200004d cpuid 0x50654) - * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) + * Indirect Branch Restricted Speculation (IBRS) + * SPEC_CTRL MSR is available: YES + * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) + * Indirect Branch Prediction Barrier (IBPB) + * PRED_CMD MSR is available: YES + * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) + * Single Thread Indirect Branch Predictors (STIBP) + * SPEC_CTRL MSR is available: YES + * CPU indicates STIBP capability: YES (Intel STIBP feature bit) + * Speculative Store Bypass Disable (SSBD) + * CPU indicates SSBD capability: YES (Intel SSBD) + * L1 data cache invalidation + * FLUSH_CMD MSR is available: YES + * CPU indicates L1D flush capability: YES (L1D flush feature bit) + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) + * Enhanced IBRS (IBRS_ALL) + * CPU indicates ARCH_CAPABILITIES MSR availability: NO + * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO + * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO + * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO + * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO + * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO + * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit) + * CPU supports Software Guard Extensions (SGX): NO + * CPU microcode is known to cause stability 
problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000064 cpuid 0x50654) + * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) UNKNOWN (latest microcode version for your CPU model is unknown) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES + * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Vulnerable to 
CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES + * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES + * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES + * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES + * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW) + * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (for firmware code only) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: YES (for firmware code only) + * Kernel is compiled with IBPB support: YES + * IBPB enabled and active: YES * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel 
compiled with retpoline option: YES - * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) - * Kernel supports RSB filling: YES + * Kernel has branch predictor hardening (arm): NO + * Kernel compiled with retpoline option: YES + * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) + * Kernel supports RSB filling: YES > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Mitigation: PTI) * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: YES - * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) + * PTI enabled and active: YES + * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (Mitigation: PTI) 
@@ -112,28 +119,53 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) - * EPT is disabled: NO + * EPT is disabled: NO * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) - * L1D flush enabled: YES (conditional flushes) - * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES + * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) + * L1D flush enabled: YES (conditional flushes) + * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) + * Hyper-Threading (SMT) is enabled: YES > STATUS: NOT VULNERABLE (this system is not running a hypervisor) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel 
supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + > STATUS: NOT VULNERABLE (Mitigation: Clear CPU 
buffers; SMT vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK diff --git a/docs/report/introduction/test_environment_tg.rst b/docs/report/introduction/test_environment_tg.rst index d49ea825bd..38dfb90070 100644 --- a/docs/report/introduction/test_environment_tg.rst +++ b/docs/report/introduction/test_environment_tg.rst @@ -9,7 +9,7 @@ TG Version DPDK Version ~~~~~~~~~~~~ -DPDK v19.02 +DPDK v19.05 TG Build Script Used ~~~~~~~~~~~~~~~~~~~~ @@ -35,7 +35,7 @@ TG Startup Command :: - $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 > /tmp/trex.log 2>&1 &'> /dev/null + $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 --prefix $(hostname) --hdrh > /tmp/trex.log 2>&1 &'> /dev/null TG API Driver ~~~~~~~~~~~~~ diff --git a/docs/report/vpp_performance_tests/csit_release_notes.rst b/docs/report/vpp_performance_tests/csit_release_notes.rst index 361cbf3052..7aada35caf 100644 --- a/docs/report/vpp_performance_tests/csit_release_notes.rst +++ b/docs/report/vpp_performance_tests/csit_release_notes.rst 
@@ -7,44 +7,23 @@ Changes in |csit-release| #. VPP PERFORMANCE TESTS - **Service density 2n-skx tests**: Added higher NF density tests with - 802.1q (vlan) and VXLAN encapsulation from Traffic Generator. + IPSec encencryption between DUTs. - - **GBP tests**: Added GBP (Group Based Policy) routing test cases - with 802.1q (vlan) external traffic. - - - **AVF IPv4 scale tests**: Increased coverage of AVF IPv4 base and - scale test cases (Fortville NICs only). - - - **2n-skx tests**: Increased coverage of selected (COP, iACL, - Policer) test cases. - - - **IPsec scale tests**: Added IPsec interface mode scale tests with - 1, 40, 400, 1000, 5000, 10000, 20000, 40000, 60000 IPsec tunnels. - Removed DPDK backend dependency. Major IPsec test code - refactoring. + - **AVF tests**: Full test coveraged based on code changes in CSIT core + layer (driver/interface awareness) and generated by suite generator + (Fortville NICs only). - **Hoststack TCP/IP tests**: Major refactor of Hoststack TCP performance tests using WRK generator talking to the VPP HTTP static server plugin measuring connections per second and requests per second. - - **Changed methodology of dot1q tests in 2-Node testbeds**: dot1q - encapsulation is now used on both links of SUT. Previously dot1q - was used only on a single link with the other link carrying - untagged Ethernet frames. This change results in slightly lower - throughput in CSIT-1908 for all dot1q tests in all 2-Node - testbeds. - - - **KVM VM vhost-user tests**: completed move to Kernel-VM for all - tests. In addition to running DPDK Testpmd as VM workload, new - tests created with VPP as VM workload. VPP in VM is the same - version as the DUT VPP (acting as vSwitch) and its configuration - depends on the test type. For all L2 Ethernet Switching tests - it's vpp-l2xc (L2 cross-connect), for all IPv4 Routing tests it's - vpp-ip4 (VPP IPv4 routing). - #. 
TEST FRAMEWORK + - **CSIT Python3 Support**: Full migration of CSIT from Python2.7 to + Python3.6. This change includes library migration, PIP dependency upgrade, + CSIT container images, infrastructure packages ugrade/installation. + - **CSIT PAPI Support**: Finished conversion of CSIT VAT L1 keywords to PAPI L1 KWs in CSIT using VPP Python bindings (VPP PAPI). Redesign of key components of PAPI Socket Executor and PAPI 
@@ -82,37 +61,22 @@ List of known issues in |csit-release| for VPP performance tests: | 2 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. | | | <https://jira.fd.io/browse/VPP-662>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 3 | `CSIT-1503 | [`TRex-519 <https://trex-tgn.cisco.com/youtrack/issue/trex-519>`_] XL710/XXV710 with FW 6.0.1 will have | -| | <https://jira.fd.io/browse/CSIT-1503>`_ | Rx drop rate of 27MPPS. | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 4 | `CSIT-1498 | Memif tests are sporadically failing on initialization of memif connection. | +| 3 | `CSIT-1498 | Memif tests are sporadically failing on initialization of memif connection. | | | <https://jira.fd.io/browse/CSIT-1498>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 5 | `CSIT-1499 | AVF tests are sporadically failing on initialization of AVF interface. | -| | <https://jira.fd.io/browse/CSIT-1499>`_ | | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 6 | `VPP-1676 | 9000B ip4 memif errors - ip4-input: ip4 length > l2 length. | -| | <https://jira.fd.io/browse/VPP-1676>`_ | IP4 jumbo frames (9000B) are dropped in case of tests with memif. | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 7 | `VPP-1677 | 9000B ip4 nat44: VPP crash + coredump. | +| 4 | `VPP-1677 | 9000B ip4 nat44: VPP crash + coredump. 
| | | <https://jira.fd.io/browse/VPP-1677>`_ | VPP crashes very often in case that NAT44 is configured and it has to process IP4 jumbo frames (9000B). | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 8 | `CSIT-1591 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much | +| 5 | `CSIT-1591 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much | | | <https://jira.fd.io/browse/CSIT-1499>`_ | longer to program VPP). This needs to be addressed on the PAPI side. | | +-----------------------------------------+ | | | `VPP-1763 | | | | <https://jira.fd.io/browse/VPP-1763>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 9 | `CSIT-1592 | VPP memif API does not enable memif zero-copy, resulting in different memif configuration vs. previously | -| | <https://jira.fd.io/browse/CSIT-1592>`_ | tested VAT/CLI where memif zero-copy was enabled by default. Needs to be fixed in VPP. | -| +-----------------------------------------+ | -| | `VPP-1764 | | -| | <https://jira.fd.io/browse/VPP-1764>`_ | | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 10 | `VPP-1675 | IPv4 IPSEC 9000B packet tests are failing as no packet is forwarded. | +| 6 | `VPP-1675 | IPv4 IPSEC 9000B packet tests are failing as no packet is forwarded. | | | <https://jira.fd.io/browse/VPP-1675>`_ | Reason: chained buffers are not supported. 
| +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 11 | `CSIT-1593 | IPv4 AVF 9000B packet tests are failing on 3n-skx while passing on 2n-skx. | +| 7 | `CSIT-1593 | IPv4 AVF 9000B packet tests are failing on 3n-skx while passing on 2n-skx. | | | <https://jira.fd.io/browse/CSIT-1593>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ diff --git a/docs/report/vpp_performance_tests/documentation/containers.rst b/docs/report/vpp_performance_tests/documentation/containers.rst index 5766e75e9f..b15c899726 100644 --- a/docs/report/vpp_performance_tests/documentation/containers.rst +++ b/docs/report/vpp_performance_tests/documentation/containers.rst @@ -359,7 +359,7 @@ correct cpu placement. See documentation for the full reference. Kubernetes ~~~~~~~~~~ -For the future use, Kubernetes is implemented as separate library +For the future use, Kubernetes [k8sdoc]_ is implemented as separate library ``KubernetesUtils.py``, with a class with the same name. This utility provides an API for L2 Robot Keywords to control ``kubectl`` installed on each of DUTs. One time initialization script, ``resources/libraries/bash/k8s_setup.sh`` @@ -418,3 +418,4 @@ References .. [apparmor] `Ubuntu AppArmor <https://wiki.ubuntu.com/AppArmor>`_. .. [seccomp] `SECure COMPuting with filters <https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt>`_. .. [docker] `Docker <https://www.docker.com/what-docker>`_. +.. [k8sdoc] `Kubernetes documentation <https://kubernetes.io/docs/home/>`_. diff --git a/docs/report/vpp_performance_tests/test_environment.rst b/docs/report/vpp_performance_tests/test_environment.rst index 71db52fb16..e528150ab9 100644 --- a/docs/report/vpp_performance_tests/test_environment.rst +++ b/docs/report/vpp_performance_tests/test_environment.rst 
@@ -7,6 +7,8 @@ .. include:: ../introduction/test_environment_intro.rst +.. include:: ../introduction/test_environment_sut_calib_clx.rst + .. include:: ../introduction/test_environment_sut_calib_hsw.rst .. include:: ../introduction/test_environment_sut_calib_skx.rst |
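Review bot: the added line `awk: cannot open bash (No such file or directory)` in the test_environment_sut_meltspec_hsw.rst hunk at @@ -8,10 +8,11 is tool stderr captured into the report, not a property of the SUT, and the same failure recurs later in that file as `CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)` followed by `UNKNOWN (latest microcode version for your CPU model is unknown)`, so the checker could not confirm that ucode 0x43 is current. Re-run the checker so that its microcode currency check completes, or drop the stderr line and state explicitly in the introduction that microcode currency was not determined by the tool.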
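Review bot: the flip from `CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO` to `:OK` in the hsw summary hunk at @@ -120,19 +127,44 depends on `Mitigation: Clear CPU buffers; SMT disabled` and `SMT is either mitigated or disabled: YES`, which reflect a testbed configuration choice rather than a microcode capability. Add a sentence to the surrounding introduction stating that SMT is disabled on the HSW SUTs, so a reader comparing this output with the SKX file (which reports `SMT vulnerable`) can see why the two testbeds differ.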
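Review bot: the test_environment_sut_meltspec_skx.rst hunk at @@ -8,82 +8,89 re-indents the whole hardware-check block, so every line appears as removed and re-added and the substantive changes are hard to pick out: `v0.42` to `v0.43`, kernel `4.15.0-46-generic` to `4.15.0-72-generic`, ucode `0x200004d` to `0x2000064`, `VERW instruction is available: NO` to `YES (MD_CLEAR feature bit)`, and the new `CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)` and `Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES` lines. Keep the original indentation, or split the whitespace change into its own commit so the content change can be reviewed on its own.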
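Review bot: in the skx hunk at @@ -112,28 +119,53 the summary now reads `CVE-2018-12126:OK ... CVE-2019-11091:OK CVE-2019-11135:OK` while every MDS and TAA detail block says `SMT is either mitigated or disabled: NO` and `Mitigation: Clear CPU buffers; SMT vulnerable`, with TSX enabled (`RTM feature bit`) and `TSX_CTRL_MSR: NO`. Since this page describes a test environment where Hyper-Threading stays enabled, add a sentence to the introduction noting that on SKX the buffer-clearing mitigation does not cover sibling-thread leakage, so `OK` here is the checker's verdict for the kernel-side mitigation rather than full coverage; that caveat matters for anyone reading the report as a statement about SUT hardening.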
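Review bot: the TRex startup command in test_environment_tg.rst at @@ -35,7 +35,7 adds `--prefix $(hostname) --hdrh` without any explanation, and since this page documents the TG environment a sentence after the command saying what each option is for (instance prefix, HDR histogram latency output) would save readers a trip to the TRex manual. The `TG Version` section shown as context above the `DPDK v19.02` to `DPDK v19.05` bump is unchanged in this diff; confirm the TRex build it names is the one that ships that DPDK version.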
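Review bot: three typos in the added lines of the csit_release_notes.rst hunk at @@ -7,44 +7,23: `IPSec encencryption between DUTs.` should read `IPSec encryption between DUTs.`, `Full test coveraged based on code changes` should read `Full test coverage based on code changes`, and `infrastructure packages ugrade/installation` should read `infrastructure packages upgrade/installation`. Also re-read the first bullet after the edit: it now says `Added higher NF density tests with IPSec encryption between DUTs`, and since the text it replaces described encapsulation from the Traffic Generator, check that the new sentence says what the added tests actually do.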
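Review bot: row 5 (`CSIT-1591`) in the known-issues table hunk at @@ -82,37 +61,22 keeps the unchanged context line `<https://jira.fd.io/browse/CSIT-1499>`_` as its link target, so the rendered link points at the CSIT-1499 AVF issue that this same hunk removes from the table rather than at CSIT-1591. Since the row is already being renumbered here, fix the target to `<https://jira.fd.io/browse/CSIT-1591>`_`.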
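Review bot: style point on the containers.rst hunk at @@ -359,7 +359,7: the modified line `For the future use, Kubernetes [k8sdoc]_ is implemented as separate library` keeps the awkward `For the future use` and `as separate library`; since the line is already being touched to add the citation, make it `For future use, Kubernetes [k8sdoc]_ is implemented as a separate library`.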
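Review bot: the new `.. include:: ../introduction/test_environment_sut_calib_clx.rst` in the test_environment.rst hunk at @@ -7,6 +7,8 requires that file to exist or the Sphinx build fails; it is not among the visible hunks, so confirm it is added in this change or already in the tree. The meltspec updates in this diff cover only the hsw and skx files; if a clx calibration section is being introduced, a matching meltspec section for the clx SUT would keep the environment description consistent across testbeds.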