diff options
Diffstat (limited to 'docs/report')
15 files changed, 277 insertions, 212 deletions
diff --git a/docs/report/introduction/methodology_trex_traffic_generator.rst b/docs/report/introduction/methodology_trex_traffic_generator.rst index 0e7049826b..0d19c2cf78 100644 --- a/docs/report/introduction/methodology_trex_traffic_generator.rst +++ b/docs/report/introduction/methodology_trex_traffic_generator.rst @@ -22,7 +22,7 @@ is: - TRex is started in the background mode :: - $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 > /tmp/trex.log 2>&1 &' > /dev/null + $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 --prefix $(hostname) --hdrh > /tmp/trex.log 2>&1 &' > /dev/null - There are traffic streams dynamically prepared for each test, based on traffic profiles. The traffic is sent and the statistics obtained using diff --git a/docs/report/introduction/physical_testbeds.rst b/docs/report/introduction/physical_testbeds.rst index 9babb5fb1f..8860638d43 100644 --- a/docs/report/introduction/physical_testbeds.rst +++ b/docs/report/introduction/physical_testbeds.rst @@ -26,7 +26,8 @@ Two physical server topology types are used: Current FD.io production testbeds are built with SUT servers based on the following processor architectures: -- Intel Xeon: Skylake Platinum 8180 and Haswell-SP E5-2699v3. +- Intel Xeon: Skylake Platinum 8180, Haswell-SP E5-2699v3, + Cascadelake Platinum 8280, Cascadelake 6252N. - Intel Atom: Denverton C3858. - ARM: TaiShan 2280, hip07-d05. @@ -40,6 +41,54 @@ https://git.fd.io/csit/tree/docs/lab/testbed_specifications.md. Following is the description of existing production testbeds. +2-Node Xeon Cascadelake (2n-clx) +-------------------------------- + +Three 2n-clx testbeds are in operation in FD.io labs. Each 2n-clx testbed +is built with two SuperMicro SYS-7049GP-TRT servers, SUTs are equipped with two +Intel Xeon Gold 6252N processors (35.75 MB Cache, 2.30 GHz, 24 cores). +TGs are equiped with Intel Xeon Cascadelake Platinum 8280 processors (38.5 MB +Cache, 2.70 GHz, 28 cores). 2n-clx physical topology is shown below. + +.. only:: latex + + .. raw:: latex + + \begin{figure}[H] + \centering + \graphicspath{{../_tmp/src/introduction/}} + \includegraphics[width=0.90\textwidth]{testbed-2n-clx} + \label{fig:testbed-2n-clx} + \end{figure} + +.. only:: html + + .. figure:: testbed-2n-clx.svg + :alt: testbed-2n-clx + :align: center + +SUT servers are populated with the following NIC models: + +#. NIC-1: x710-DA4 4p10GE Intel. +#. NIC-2: xxv710-DA2 2p25GE Intel. +#. NIC-3: mcx556a-edat ConnectX5 2p100GE Mellanox. (Only testbed t27, t28) +#. NIC-4: empty, future expansion. +#. NIC-5: empty, future expansion. +#. NIC-6: empty, future expansion. + +TG servers run T-Rex application and are populated with the following +NIC models: + +#. NIC-1: x710-DA4 4p10GE Intel. +#. NIC-2: xxv710-DA2 2p25GE Intel. +#. NIC-3: mcx556a-edat ConnectX5 2p100GE Mellanox. (Only testbed t27, t28) +#. NIC-4: empty, future expansion. +#. NIC-5: empty, future expansion. +#. NIC-6: x710-DA4 4p10GE Intel. (For self-tests.) + +All Intel Xeon Cascadelake servers run with Intel Hyper-Threading enabled, +doubling the number of logical cores exposed to Linux. + 2-Node Xeon Skylake (2n-skx) ---------------------------- diff --git a/docs/report/introduction/test_environment_intro.rst b/docs/report/introduction/test_environment_intro.rst index e0df3b64ff..b02520b99d 100644 --- a/docs/report/introduction/test_environment_intro.rst +++ b/docs/report/introduction/test_environment_intro.rst @@ -54,5 +54,4 @@ repeatable zero packet loss throughput measurements across multiple system instances. Generally they come useful as a background data for comparing data plane performance results across disparate servers. -Following sections include measured calibration data for Intel Xeon -Haswell and Intel Xeon Skylake testbeds. +Following sections include measured calibration data for testbeds. diff --git a/docs/report/introduction/test_environment_sut_calib_clx.rst b/docs/report/introduction/test_environment_sut_calib_clx.rst index 43e2f599ea..823346f079 100644 --- a/docs/report/introduction/test_environment_sut_calib_clx.rst +++ b/docs/report/introduction/test_environment_sut_calib_clx.rst @@ -15,7 +15,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 Linux uname ~~~~~~~~~~~ @@ -23,7 +23,7 @@ Linux uname :: $ uname -a - Linux s32-t27-sut1 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + Linux s32-t27-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_dnv.rst b/docs/report/introduction/test_environment_sut_calib_dnv.rst index 7777792ca9..3365552bb2 100644 --- a/docs/report/introduction/test_environment_sut_calib_dnv.rst +++ b/docs/report/introduction/test_environment_sut_calib_dnv.rst @@ -4,8 +4,8 @@ Calibration Data - Denverton Following sections include sample calibration data measured on Denverton server at Intel SH labs. -And VPP-18.10 2-Node Atom Denverton testing took place at Intel Corporation -carefully adhering to FD.io CSIT best practices. +A 2-Node Atom Denverton testing took place at Intel Corporation carefully +adhering to FD.io CSIT best practices. Linux cmdline diff --git a/docs/report/introduction/test_environment_sut_calib_hsw.rst b/docs/report/introduction/test_environment_sut_calib_hsw.rst index 1dedcd8271..fe89d99028 100644 --- a/docs/report/introduction/test_environment_sut_calib_hsw.rst +++ b/docs/report/introduction/test_environment_sut_calib_hsw.rst @@ -14,7 +14,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=5d2ecc97-245b-4e94-b0ae-c3548567de19 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/vmlinuz-4.15.0-72-generic root=UUID=c59ae603-8076-41f4-bb5d-bc3fc8dd3ea1 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0console=ttyS0,115200n8 Linux uname @@ -23,7 +23,7 @@ Linux uname :: $ uname -a - Linux t1-tg1 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux + Linux t1-tg1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_skx.rst b/docs/report/introduction/test_environment_sut_calib_skx.rst index a30a91d61c..16f7ae0762 100644 --- a/docs/report/introduction/test_environment_sut_calib_skx.rst +++ b/docs/report/introduction/test_environment_sut_calib_skx.rst @@ -15,7 +15,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-23-generic root=UUID=759ad671-ad46-441b-a75b-9f54e81837bb ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=e05120bb-7127-43db-b1e3-a66edd4c43bd ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 Linux uname @@ -24,7 +24,7 @@ Linux uname :: $ uname -a - Linux s5-t22-sut1 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux + Linux s3-t21-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_conf_1.rst b/docs/report/introduction/test_environment_sut_conf_1.rst index afaaec4f2f..29baeab8b1 100644 --- a/docs/report/introduction/test_environment_sut_conf_1.rst +++ b/docs/report/introduction/test_environment_sut_conf_1.rst @@ -7,26 +7,14 @@ install and Below a subset of the running configuration: -1. Xeon Haswell - Ubuntu 18.04.1 LTS +1. Ubuntu 18.04.x LTS :: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu - Description: Ubuntu 18.04.1 LTS - Release: 18.04 - Codename: bionic - - -2. Xeon Skylake - Ubuntu 18.04 LTS - -:: - - $ lsb_release -a - No LSB modules are available. - Distributor ID: Ubuntu - Description: Ubuntu 18.04 LTS + Description: Ubuntu 18.04.3 LTS Release: 18.04 Codename: bionic @@ -76,23 +64,3 @@ Huge pages are namaged via sysctl configuration located in `/etc/sysctl.d/90-csit.conf` on each testbed. Default huge page size is 2M. The exact amount of huge pages depends on testbed. All the values are defined in `Ansible inventory - hosts` files. - - -Applied Boot Cmdline -~~~~~~~~~~~~~~~~~~~~ - -1. Xeon Haswell - Ubuntu 18.04.1 LTS - -:: - - $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=5d2ecc97-245b-4e94-b0ae-c3548567de19 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 - -2. Xeon Skylake - Ubuntu 18.04 LTS - -:: - - $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-23-generic root=UUID=3fa246fd-1b80-4361-bb90-f339a6bbed51 ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 - - diff --git a/docs/report/introduction/test_environment_sut_meltspec_clx.rst b/docs/report/introduction/test_environment_sut_meltspec_clx.rst index 9056be839b..88400338a5 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_clx.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_clx.rst @@ -8,11 +8,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.43 + awk: fatal: cannot open file `bash for reading (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 - CPU is Intel(R) Xeon(R) Gold 6252N CPU @ 2.30GHz + Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 + CPU is Intel(R) Xeon(R) Platinum 8280 CPU @ 2.70GHz Hardware check * Hardware support (CPU microcode) for mitigation techniques @@ -30,7 +31,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * L1 data cache invalidation * FLUSH_CMD MSR is available: YES * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitecture Data Sampling + * Microarchitectural Data Sampling * VERW instruction is available: YES (MD_CLEAR feature bit) * Enhanced IBRS (IBRS_ALL) * CPU indicates ARCH_CAPABILITIES MSR availability: YES @@ -40,9 +41,15 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES + * TSX_CTRL MSR indicates TSX RTM is disabled: YES + * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES + * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x5000021 cpuid 0x50657) - * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash' for reading (No file or directory) + * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x500002c cpuid 0x50657) + * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory) UNKNOWN (latest microcode version for your CPU model is unknown) * CPU vulnerability to the speculative execution attack variants * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES @@ -51,23 +58,23 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES - CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass' - * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer saniation) - * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) - * Kernel has the Red Hat/Ubuntu patch: NO + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' + CVE-2017-5715 aka Spectre Variant 2, branch target injection * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES @@ -80,36 +87,36 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Kernel supports RSB filling: YES > STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability) - CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load' + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: NO + * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3640 aka 'Variant 3a, rogue system register read' + CVE-2018-3640 aka Variant 3a, rogue system register read * CPU microcode mitigates the vulnerability: YES > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) - CVE-2018-3639 aka 'Variant 4, speculative store bypass' + CVE-2018-3639 aka Variant 4, speculative store bypass * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES ((deleted) systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) + * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault' + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault * CPU microcode mitigates the vulnerability: N/A > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault' + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports PTE inversion: YES (found in kernel image) * PTE inversion enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + > STATUS: NOT VULNERABLE (Not affected) - CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault * Information from the /sys interface: Not affected * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) @@ -118,37 +125,48 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) * L1D flush enabled: NO * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable) - CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)' + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)' + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)' + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)' + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: YES (Mitigation: TSX disabled) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst b/docs/report/introduction/test_environment_sut_meltspec_hsw.rst index 8634aa4cfa..fd66a8dfa3 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_hsw.rst @@ -8,10 +8,11 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.43 + awk: cannot open bash (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 + Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 CPU is Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz Hardware check @@ -30,8 +31,8 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * L1 data cache invalidation * FLUSH_CMD MSR is available: YES * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitecture Data Sampling - * VERW instruction is available: NO + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) * Enhanced IBRS (IBRS_ALL) * CPU indicates ARCH_CAPABILITIES MSR availability: NO * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO @@ -40,8 +41,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x3d cpuid 0x306f2) + * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x43 cpuid 0x306f2) * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) UNKNOWN (latest microcode version for your CPU model is unknown) * CPU vulnerability to the speculative execution attack variants @@ -57,16 +62,18 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW) + * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES * IBRS enabled and active: YES (for firmware code only) @@ -120,19 +127,44 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github > STATUS: NOT VULNERABLE (this system is not running a hypervisor) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: YES + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Not affected) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_skx.rst b/docs/report/introduction/test_environment_sut_meltspec_skx.rst index 15b098a9ce..abba5804b3 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_skx.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_skx.rst @@ -8,82 +8,89 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.43 + awk: cannot open bash (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64 + Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz Hardware check * Hardware support (CPU microcode) for mitigation techniques - * Indirect Branch Restricted Speculation (IBRS) - * SPEC_CTRL MSR is available: YES - * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) - * Indirect Branch Prediction Barrier (IBPB) - * PRED_CMD MSR is available: YES - * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) - * Single Thread Indirect Branch Predictors (STIBP) - * SPEC_CTRL MSR is available: YES - * CPU indicates STIBP capability: YES (Intel STIBP feature bit) - * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: YES (Intel SSBD) - * L1 data cache invalidation - * FLUSH_CMD MSR is available: YES - * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitecture Data Sampling - * VERW instruction is available: NO - * Enhanced IBRS (IBRS_ALL) - * CPU indicates ARCH_CAPABILITIES MSR availability: NO - * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO - * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO - * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO - * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO - * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO - * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO - * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x200004d cpuid 0x50654) - * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) + * Indirect Branch Restricted Speculation (IBRS) + * SPEC_CTRL MSR is available: YES + * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) + * Indirect Branch Prediction Barrier (IBPB) + * PRED_CMD MSR is available: YES + * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) + * Single Thread Indirect Branch Predictors (STIBP) + * SPEC_CTRL MSR is available: YES + * CPU indicates STIBP capability: YES (Intel STIBP feature bit) + * Speculative Store Bypass Disable (SSBD) + * CPU indicates SSBD capability: YES (Intel SSBD) + * L1 data cache invalidation + * FLUSH_CMD MSR is available: YES + * CPU indicates L1D flush capability: YES (L1D flush feature bit) + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) + * Enhanced IBRS (IBRS_ALL) + * CPU indicates ARCH_CAPABILITIES MSR availability: NO + * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO + * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO + * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO + * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO + * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO + * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit) + * CPU supports Software Guard Extensions (SGX): NO + * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000064 cpuid 0x50654) + * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) UNKNOWN (latest microcode version for your CPU model is unknown) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES + * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES + * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES + * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES + * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES + * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW) + * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (for firmware code only) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: YES (for firmware code only) + * Kernel is compiled with IBPB support: YES + * IBPB enabled and active: YES * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel compiled with retpoline option: YES - * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) - * Kernel supports RSB filling: YES + * Kernel has branch predictor hardening (arm): NO + * Kernel compiled with retpoline option: YES + * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) + * Kernel supports RSB filling: YES > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Mitigation: PTI) * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: YES - * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) + * PTI enabled and active: YES + * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (Mitigation: PTI) @@ -112,28 +119,53 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) - * EPT is disabled: NO + * EPT is disabled: NO * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) - * L1D flush enabled: YES (conditional flushes) - * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES + * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) + * L1D flush enabled: YES (conditional flushes) + * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) + * Hyper-Threading (SMT) is enabled: YES > STATUS: NOT VULNERABLE (this system is not running a hypervisor) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) - * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + > STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK diff --git a/docs/report/introduction/test_environment_tg.rst b/docs/report/introduction/test_environment_tg.rst index d49ea825bd..38dfb90070 100644 --- a/docs/report/introduction/test_environment_tg.rst +++ b/docs/report/introduction/test_environment_tg.rst @@ -9,7 +9,7 @@ TG Version DPDK Version ~~~~~~~~~~~~ -DPDK v19.02 +DPDK v19.05 TG Build Script Used ~~~~~~~~~~~~~~~~~~~~ @@ -35,7 +35,7 @@ TG Startup Command :: - $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 > /tmp/trex.log 2>&1 &'> /dev/null + $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 --prefix $(hostname) --hdrh > /tmp/trex.log 2>&1 &'> /dev/null TG API Driver ~~~~~~~~~~~~~ diff --git a/docs/report/vpp_performance_tests/csit_release_notes.rst b/docs/report/vpp_performance_tests/csit_release_notes.rst index 361cbf3052..7aada35caf 100644 --- a/docs/report/vpp_performance_tests/csit_release_notes.rst +++ b/docs/report/vpp_performance_tests/csit_release_notes.rst @@ -7,44 +7,23 @@ Changes in |csit-release| #. VPP PERFORMANCE TESTS - **Service density 2n-skx tests**: Added higher NF density tests with - 802.1q (vlan) and VXLAN encapsulation from Traffic Generator. + IPSec encencryption between DUTs. - - **GBP tests**: Added GBP (Group Based Policy) routing test cases - with 802.1q (vlan) external traffic. - - - **AVF IPv4 scale tests**: Increased coverage of AVF IPv4 base and - scale test cases (Fortville NICs only). - - - **2n-skx tests**: Increased coverage of selected (COP, iACL, - Policer) test cases. - - - **IPsec scale tests**: Added IPsec interface mode scale tests with - 1, 40, 400, 1000, 5000, 10000, 20000, 40000, 60000 IPsec tunnels. - Removed DPDK backend dependency. Major IPsec test code - refactoring. + - **AVF tests**: Full test coveraged based on code changes in CSIT core + layer (driver/interface awareness) and generated by suite generator + (Fortville NICs only). - **Hoststack TCP/IP tests**: Major refactor of Hoststack TCP performance tests using WRK generator talking to the VPP HTTP static server plugin measuring connections per second and requests per second. - - **Changed methodology of dot1q tests in 2-Node testbeds**: dot1q - encapsulation is now used on both links of SUT. Previously dot1q - was used only on a single link with the other link carrying - untagged Ethernet frames. This change results in slightly lower - throughput in CSIT-1908 for all dot1q tests in all 2-Node - testbeds. - - - **KVM VM vhost-user tests**: completed move to Kernel-VM for all - tests. In addition to running DPDK Testpmd as VM workload, new - tests created with VPP as VM workload. VPP in VM is the same - version as the DUT VPP (acting as vSwitch) and its configuration - depends on the test type. For all L2 Ethernet Switching tests - it's vpp-l2xc (L2 cross-connect), for all IPv4 Routing tests it's - vpp-ip4 (VPP IPv4 routing). - #. TEST FRAMEWORK + - **CSIT Python3 Support**: Full migration of CSIT from Python2.7 to + Python3.6. This change includes library migration, PIP dependency upgrade, + CSIT container images, infrastructure packages ugrade/installation. + - **CSIT PAPI Support**: Finished conversion of CSIT VAT L1 keywords to PAPI L1 KWs in CSIT using VPP Python bindings (VPP PAPI). Redesign of key components of PAPI Socket Executor and PAPI @@ -82,37 +61,22 @@ List of known issues in |csit-release| for VPP performance tests: | 2 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. | | | <https://jira.fd.io/browse/VPP-662>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 3 | `CSIT-1503 | [`TRex-519 <https://trex-tgn.cisco.com/youtrack/issue/trex-519>`_] XL710/XXV710 with FW 6.0.1 will have | -| | <https://jira.fd.io/browse/CSIT-1503>`_ | Rx drop rate of 27MPPS. | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 4 | `CSIT-1498 | Memif tests are sporadically failing on initialization of memif connection. | +| 3 | `CSIT-1498 | Memif tests are sporadically failing on initialization of memif connection. | | | <https://jira.fd.io/browse/CSIT-1498>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 5 | `CSIT-1499 | AVF tests are sporadically failing on initialization of AVF interface. | -| | <https://jira.fd.io/browse/CSIT-1499>`_ | | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 6 | `VPP-1676 | 9000B ip4 memif errors - ip4-input: ip4 length > l2 length. | -| | <https://jira.fd.io/browse/VPP-1676>`_ | IP4 jumbo frames (9000B) are dropped in case of tests with memif. | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 7 | `VPP-1677 | 9000B ip4 nat44: VPP crash + coredump. | +| 4 | `VPP-1677 | 9000B ip4 nat44: VPP crash + coredump. | | | <https://jira.fd.io/browse/VPP-1677>`_ | VPP crashes very often in case that NAT44 is configured and it has to process IP4 jumbo frames (9000B). | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 8 | `CSIT-1591 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much | +| 5 | `CSIT-1591 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much | | | <https://jira.fd.io/browse/CSIT-1499>`_ | longer to program VPP). This needs to be addressed on the PAPI side. | | +-----------------------------------------+ | | | `VPP-1763 | | | | <https://jira.fd.io/browse/VPP-1763>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 9 | `CSIT-1592 | VPP memif API does not enable memif zero-copy, resulting in different memif configuration vs. previously | -| | <https://jira.fd.io/browse/CSIT-1592>`_ | tested VAT/CLI where memif zero-copy was enabled by default. Needs to be fixed in VPP. | -| +-----------------------------------------+ | -| | `VPP-1764 | | -| | <https://jira.fd.io/browse/VPP-1764>`_ | | -+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 10 | `VPP-1675 | IPv4 IPSEC 9000B packet tests are failing as no packet is forwarded. | +| 6 | `VPP-1675 | IPv4 IPSEC 9000B packet tests are failing as no packet is forwarded. | | | <https://jira.fd.io/browse/VPP-1675>`_ | Reason: chained buffers are not supported. | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ -| 11 | `CSIT-1593 | IPv4 AVF 9000B packet tests are failing on 3n-skx while passing on 2n-skx. | +| 7 | `CSIT-1593 | IPv4 AVF 9000B packet tests are failing on 3n-skx while passing on 2n-skx. | | | <https://jira.fd.io/browse/CSIT-1593>`_ | | +----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+ diff --git a/docs/report/vpp_performance_tests/documentation/containers.rst b/docs/report/vpp_performance_tests/documentation/containers.rst index 5766e75e9f..b15c899726 100644 --- a/docs/report/vpp_performance_tests/documentation/containers.rst +++ b/docs/report/vpp_performance_tests/documentation/containers.rst @@ -359,7 +359,7 @@ correct cpu placement. See documentation for the full reference. Kubernetes ~~~~~~~~~~ -For the future use, Kubernetes is implemented as separate library +For the future use, Kubernetes [k8sdoc]_ is implemented as separate library ``KubernetesUtils.py``, with a class with the same name. This utility provides an API for L2 Robot Keywords to control ``kubectl`` installed on each of DUTs. One time initialization script, ``resources/libraries/bash/k8s_setup.sh`` @@ -418,3 +418,4 @@ References .. [apparmor] `Ubuntu AppArmor <https://wiki.ubuntu.com/AppArmor>`_. .. [seccomp] `SECure COMPuting with filters <https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt>`_. .. [docker] `Docker <https://www.docker.com/what-docker>`_. +.. [k8sdoc] `Kubernetes documentation <https://kubernetes.io/docs/home/>`_. diff --git a/docs/report/vpp_performance_tests/test_environment.rst b/docs/report/vpp_performance_tests/test_environment.rst index 71db52fb16..e528150ab9 100644 --- a/docs/report/vpp_performance_tests/test_environment.rst +++ b/docs/report/vpp_performance_tests/test_environment.rst @@ -7,6 +7,8 @@ .. include:: ../introduction/test_environment_intro.rst +.. include:: ../introduction/test_environment_sut_calib_clx.rst + .. include:: ../introduction/test_environment_sut_calib_hsw.rst .. include:: ../introduction/test_environment_sut_calib_skx.rst |