Mailing List Archive

hardened-sources shrinks Processor Family list
I noticed the Processor Family list is much smaller in hardened-sources
than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
unavoidable side-effect of the patches, or can I enable/disable something
to bring the full list back?

- Grant
Re: hardened-sources shrinks Processor Family list
On Mon, Dec 17, 2012 at 02:45:46PM -0800, Grant wrote:
> I noticed the Processor Family list is much smaller in hardened-sources
> than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
> unavoidable side-effect of the patches, or can I enable/disable something
> to bring the full list back?
>
> - Grant

Hi Grant,

what exactly do you mean? If I compare hardened sources and latest git
(from Linus) I get the same 5 options with an x86_64. It's much less
compared to make ARCH=x86 menuconfig but I don't think that that's
depending on hardened or not but on a guess by menuconfig (or better the
Kconfig stuff) that if I use a 64 bit userland I'll need a 64 bit kernel
to support it.

Hope that helps..

WKR
Hinnerk
Re: hardened-sources shrinks Processor Family list
> > I noticed the Processor Family list is much smaller in hardened-sources
> > than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
> > unavoidable side-effect of the patches, or can I enable/disable something
> > to bring the full list back?
> >
> > - Grant
>
> Hi Grant,
>
> what exactly do you mean? If I compare hardened sources and latest git
> (from Linus) I get the same 5 options with an x86_64. It's much less
> compared to make ARCH=x86 menuconfig but I don't think that that's
> depending on hardened or not but on a guess by menuconfig (or better the
> Kconfig stuff) that if I use a 64 bit userland I'll need a 64 bit kernel
> to support it.
>
> Hope that helps..
>
> WKR
> Hinnerk

You're right, I tested a few more kernels and I only get the long list of
processor families when I use geek-sources from the init6 overlay. So
geek-sources doesn't know I'm using a 64-bit CPU and the other kernels do?
Can I fix geek-sources in this regard?

- Grant
Re: hardened-sources shrinks Processor Family list
On Wed, Dec 19, 2012 at 01:22:21PM -0800, Grant wrote:
> > > I noticed the Processor Family list is much smaller in hardened-sources
> > > than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
> > > unavoidable side-effect of the patches, or can I enable/disable something
> > > to bring the full list back?
> > >
> > > - Grant
> >
> > Hi Grant,
> >
> > what exactly do you mean? If I compare hardened sources and latest git
> > (from Linus) I get the same 5 options with an x86_64. It's much less
> > compared to make ARCH=x86 menuconfig but I don't think that that's
> > depending on hardened or not but on a guess by menuconfig (or better the
> > Kconfig stuff) that if I use a 64 bit userland I'll need a 64 bit kernel
> > to support it.
> >
> > Hope that helps..
> >
> > WKR
> > Hinnerk
>
> You're right, I tested a few more kernels and I only get the long list of
> processor families when I use geek-sources from the init6 overlay. So
> geek-sources doesn't know I'm using a 64-bit CPU and the other kernels do?
> Can I fix geek-sources in this regard?
>
> - Grant

I don't know geek-sources. I'd guess it will have a "hacked" buildsystem
that takes at least some of the "autodetection" of the normal buildsystem
away. You could try to make a diff to see differences (especially the
Kconfig files). The easiest way will most likely be to contact the
author of geek-sources and try to find out, if the geek-part may be that
you have to configure such things manually instead of autoconfig... ;)

WKR
Hinnerk
Re: hardened-sources shrinks Processor Family list
> > > > I noticed the Processor Family list is much smaller in hardened-sources
> > > > than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
> > > > unavoidable side-effect of the patches, or can I enable/disable something
> > > > to bring the full list back?
> > > >
> > > > - Grant
> > >
> > > Hi Grant,
> > >
> > > what exactly do you mean? If I compare hardened sources and latest git
> > > (from Linus) I get the same 5 options with an x86_64. It's much less
> > > compared to make ARCH=x86 menuconfig but I don't think that that's
> > > depending on hardened or not but on a guess by menuconfig (or better the
> > > Kconfig stuff) that if I use a 64 bit userland I'll need a 64 bit kernel
> > > to support it.
> > >
> > > Hope that helps..
> > >
> > > WKR
> > > Hinnerk
> >
> > You're right, I tested a few more kernels and I only get the long list of
> > processor families when I use geek-sources from the init6 overlay. So
> > geek-sources doesn't know I'm using a 64-bit CPU and the other kernels do?
> > Can I fix geek-sources in this regard?
> >
> > - Grant
>
> I don't know geek-sources. I'd guess it will have a "hacked" buildsystem
> that takes at least some of the "autodetection" of the normal buildsystem
> away. You could try to make a diff to see differences (especially the
> Kconfig files). The easiest way will most likely be to contact the
> author of geek-sources and try to find out, if the geek-part may be that
> you have to configure such things manually instead of autoconfig... ;)
>
> WKR
> Hinnerk

Thanks Hinnerk, I'm looking into this.

- Grant
Re: hardened-sources shrinks Processor Family list
>> > > I noticed the Processor Family list is much smaller in hardened-sources
>> > > than in other kernels, even with CONFIG_GRKERNSEC disabled. Is that an
>> > > unavoidable side-effect of the patches, or can I enable/disable something
>> > > to bring the full list back?
>> > >
>> > > - Grant
>> >
>> > Hi Grant,
>> >
>> > what exactly do you mean? If I compare hardened sources and latest git
>> > (from Linus) I get the same 5 options with an x86_64. It's much less
>> > compared to make ARCH=x86 menuconfig but I don't think that that's
>> > depending on hardened or not but on a guess by menuconfig (or better the
>> > Kconfig stuff) that if I use a 64 bit userland I'll need a 64 bit kernel
>> > to support it.
>> >
>> > Hope that helps..
>> >
>> > WKR
>> > Hinnerk
>>
>> You're right, I tested a few more kernels and I only get the long list of
>> processor families when I use geek-sources from the init6 overlay. So
>> geek-sources doesn't know I'm using a 64-bit CPU and the other kernels do?
>> Can I fix geek-sources in this regard?
>>
>> - Grant
>
> I don't know geek-sources. I'd guess it will have a "hacked" buildsystem
> that takes at least some of the "autodetection" of the normal buildsystem
> away. You could try to make a diff to see differences (especially the
> Kconfig files). The easiest way will most likely be to contact the
> author of geek-sources and try to find out, if the geek-part may be that
> you have to configure such things manually instead of autoconfig... ;)
>
> WKR
> Hinnerk

It turns out the extra choices are due to this patch:

https://github.com/init6/init_6/blob/master/sys-kernel/geek-sources/files/3.7.1/fix/kernel-37-gcc47-1.patch

I'm sorry to have bothered the hardened list with this.

- Grant
Re: hardened-sources shrinks Processor Family list
On 21/12/12 22:05, Grant wrote:
> It turns out the extra choices are due to this patch:
> https://github.com/init6/init_6/blob/master/sys-kernel/geek-sources/files/3.7.1/fix/kernel-37-gcc47-1.patch
> I'm sorry to have bothered the hardened list with this. - Grant

Actually looks like a quite interesting patch on the Gentoo spirit of
letting the user choose and it doesn't imply big changes to the source
(since only config seems to be changed), have you thought bringing it up
to the kernel team? I'm CCing them here so they can share what they think.
Re: hardened-sources shrinks Processor Family list
Patch needs a minor modification for a single hunk in order to get it
applied on 3.6.7-hardened to 3.7.0-hardened. MCORE2 is also specified for
X86_ALIGNMENT_16 and X86_P6_NOP, but the patch would not introduce COREI7*
for those options. Also there are two instances of CORE2 in
security/Kconfig. I've applied a modified patch on hardened sources 3.7.0
and compiled it on two machines using corei7 (E5620) and corei7-avx
(2630QM). Both kernels seem to do fine, I notice nothing unusual.

However I also have to add that in the PNG images mentioned in the git
entry showing the result of the ANOVA analysis I notice only P values over
0.05, not below. So to me it seems all these optimizations are
non-significant, despite the clear tendency, even for core2 compared to
generic_x86. Also I don't see the comparison between core2 and corei7*,
which would be the most important, since most users would start changing
from core2 to corei7* and not from generic_x86. Although it's highly
possible that I'm reading the results wrong. So please confirm.

Merry Christmas:
Dwokfur
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2012 December 21 (Fri) 23:42, Francisco Blas Izquierdo Riera
(klondike) wrote:
> On 21/12/12 22:05, Grant wrote:
>> It turns out the extra choices are due to this patch:
>> https://github.com/init6/init_6/blob/master/sys-kernel/geek-sources/files/3.7.1/fix/kernel-37-gcc47-1.patch
>> I'm sorry to have bothered the hardened list with this. - Grant
> Actually looks like a quite interesting patch on the Gentoo spirit of
> letting the user choose and it doesn't imply big changes to the source
> (since only config seems to be changed), have you thought bringing it up
> to the kernel team? I'm CCing them here so they can share what they think.
>
>
>
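
The review point raised in the message above (Kconfig expressions that name MCORE2 but that the patch does not extend with its new Core i7 symbols) can be checked mechanically. This is an added example, not part of the thread or of the patch; the symbol names MCOREI7 and MCOREI7_AVX and the Kconfig sample are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Statement keywords whose expressions can reference CPU-family symbols.
KEYWORDS = ("depends on", "default", "def_bool", "def_tristate",
            "select", "bool", "tristate")
ENTRY = re.compile(r"^\s*(?:menu)?config\s+(\w+)")

def uncovered(text, ref="MCORE2", new=("MCOREI7", "MCOREI7_AVX")):
    """Return (line, option, statement) for each Kconfig statement that names
    `ref` but none of `new` (hypothetical names for the patch's symbols)."""
    ref_re = re.compile(rf"\b{re.escape(ref)}\b")
    new_re = re.compile("|".join(rf"\b{re.escape(s)}\b" for s in new))
    hits, option, pending, start = [], None, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):             # expression continues on next line
            pending = line[:-1] + " "
            continue
        pending = ""
        entry = ENTRY.match(line)
        option = entry.group(1) if entry else option
        stmt = " ".join(line.split())
        if stmt.startswith(KEYWORDS) and ref_re.search(stmt) and not new_re.search(stmt):
            hits.append((start, option, stmt))
    return hits

def scan_tree(root, **kw):
    """Run the check over every Kconfig* file below a kernel source tree."""
    for path in sorted(p for p in Path(root).rglob("Kconfig*") if p.is_file()):
        for no, option, stmt in uncovered(path.read_text(errors="replace"), **kw):
            yield f"{path}:{no}: {option}: {stmt}"

# Constructed sample shaped like the options named in the thread, not kernel source.
SAMPLE = """\
config X86_P6_NOP
    depends on (MCORE2 || MPENTIUM4 || MPSC)
config X86_ALIGNMENT_16
    depends on MWINCHIP3D || MK6 || \\
               MCORE2
config X86_L1_CACHE_SHIFT
    default "6" if MK8 || MCORE2 || MCOREI7 || GENERIC_CPU
"""

if __name__ == "__main__":
    print(*(scan_tree(sys.argv[1]) if sys.argv[1:] else uncovered(SAMPLE)), sep="\n")
```

Run with a patched source tree as the only argument to list every statement to review, including those under security/Kconfig.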
Re: hardened-sources shrinks Processor Family list
> Patch needs a minor modification for a single hunk in order to get it
> applied on 3.6.7-hardened to 3.7.0-hardened. MCORE2 is also specified for
> X86_ALIGNMENT_16 and X86_P6_NOP, but the patch would not introduce COREI7*
> for those options. Also there are two instances of CORE2 in
> security/Kconfig. I've applied a modified patch on hardened sources 3.7.0
> and compiled it on two machines using corei7 (E5620) and corei7-avx
> (2630QM). Both kernels seem to do fine, I notice nothing unusual.
>
> However I also have to add that in the PNG images mentioned in the git
> entry showing the result of the ANOVA analysis I notice only P values over
> 0.05, not below. So to me it seems all these optimizations are
> non-significant, despite the clear tendency, even for core2 compared to
> generic_x86. Also I don't see the comparison between core2 and corei7*,
> which would be the most important, since most users would start changing
> from core2 to corei7* and not from generic_x86. Although it's highly
> possible that I'm reading the results wrong. So please confirm.

I'm not the author of the patch so I'm not sure how to proceed with
this. Which is the correct way to move this forward?

- Grant


>>> It turns out the extra choices are due to this patch:
>>> https://github.com/init6/init_6/blob/master/sys-kernel/geek-sources/files/3.7.1/fix/kernel-37-gcc47-1.patch
>>> I'm sorry to have bothered the hardened list with this. - Grant
>> Actually looks like a quite interesting patch on the Gentoo spirit of
>> letting the user choose and it doesn't imply big changes to the source
>> (since only config seems to be changed), have you thought bringing it up
>> to the kernel team? I'm CCing them here so they can share what they think.