Re: [lfs-support] binutils-2.20 and grub
On Friday, 02.02.2018, at 15:03 -0600, Bruce Dubbs wrote:
> Thomas Seeling wrote:
> > Hello,
> >
> > I rebuilt LFS from SVN with kernel 4.15 gcc 7.3 on i686.
> >
> > # head -n7 /proc/cpuinfo
> > processor : 0
> > vendor_id : GenuineIntel
> > cpu family : 15
> > model : 4
> > model name : Intel(R) Pentium(R) 4 CPU 3.20GHz
> > stepping: 9
> > microcode : 0x3
> >
> > > PTI offers mitigation against Meltdown, retpoline against Spectre v2.
> >
> > Basic LFS compiles fine with book settings, apart from grub where a minimal change was required in the final build of binutils 2.30. I admit I simply hacked the script 082-binutils in lfs-commands to achieve that.
> >
> > configure needs the following switch on 32 bit systems:
> > --enable-64-bit-bfd
>
> Thomas, Have you tested your built grub? When I investigate the enable-64-bit-bfd option, the comment I see is "64-bit support (on hosts with narrower word sizes)" I am thinking about adding this unconditionally, but am a bit concerned that grub will try to run 64-bit code on a 32-bit system (and crash). I'm not sure that adding the option to a normal 64-bit build will hurt anything, but I'll test that.

Yes, got that hint from Pierre. It works pretty fine with this switch. Indeed, it seems to be a bit strange that 64bit code is generated on a 32bit system. Unfortunately I'm not that deep in grub to see whether that code will ever be executed (or at least tried to).

Would be cool if that switch could make it into the book as it would no longer require the build scripts to be patched every time.

I'm just finishing building a new i686-system with the new binutils, glibc and such. Will see whether grub still works (but I assume it as it always did).

Thank you all!

-- Thomas

--
http://lists.linuxfromscratch.org/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Do not top post on this list.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

http://en.wikipedia.org/wiki/Posting_style
Re: [lfs-support] systemd compile error - SOLVED
On February 2, 2018 2:15:21 AM CST, Frans de Boer wrote:
>On 02-02-18 09:05, Frans de Boer wrote:
>> LS,
>>
>> Now that the issue of the undocumented two dots in the meson command line is clear, I encountered the next error:
>>
>> Meson encountered an error in file src/resolve/meson.build, line 178, column 10:
>> Expecting rbracket got eof.
>> tests += [
>> ^^
>>
>> Any suggestion?
>>
>> Regards,
>> Frans.
>
>Ok, two digits needed to be changed 179,223 => 178,222.
>
>SOLVED.

Why are you using systemd-227 if you are using the 8.1 book? Don't do that. If you want latest and greatest, use the SVN book.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [lfs-support] binutils-2.20 and grub
Thomas Seeling wrote:
> Hello,
>
> I rebuilt LFS from SVN with kernel 4.15 gcc 7.3 on i686.
>
> # head -n7 /proc/cpuinfo
> processor : 0
> vendor_id : GenuineIntel
> cpu family : 15
> model : 4
> model name : Intel(R) Pentium(R) 4 CPU 3.20GHz
> stepping: 9
> microcode : 0x3
>
> > PTI offers mitigation against Meltdown, retpoline against Spectre v2.
>
> Basic LFS compiles fine with book settings, apart from grub where a minimal change was required in the final build of binutils 2.30. I admit I simply hacked the script 082-binutils in lfs-commands to achieve that.
>
> configure needs the following switch on 32 bit systems:
> --enable-64-bit-bfd

Thomas, Have you tested your built grub? When I investigate the enable-64-bit-bfd option, the comment I see is "64-bit support (on hosts with narrower word sizes)" I am thinking about adding this unconditionally, but am a bit concerned that grub will try to run 64-bit code on a 32-bit system (and crash). I'm not sure that adding the option to a normal 64-bit build will hurt anything, but I'll test that.

  -- Bruce
Re: [lfs-support] Full retpoline mitigation on older systems
On Fri, Feb 02, 2018 at 10:00:45AM -0800, Paul Rogers wrote:
>
> The compile went fine, and when I patched the kernel I agreed to the "retpoline" option. But when I use a version of my usual kern-build script modified with the PATH change as Ken used it, going first through menuconfig (there *was* some change that prompted a rebuild, right?) PAGE_TABLE_ISOLATION was missing from Security Options, so apparently the Meltdown mitigation hasn't made its way into 4.4 i686 kernels yet.
>
> No use building Spectre mitigation if Meltdown is wide open, so I bailed out at that point. I'm still hoping for Meltdown patches!

Paul,

I thought I said yesterday that i686 PTI was still being developed. First, it has to get to a stage where its developer feels confident it works (his initial post to lkml was when it booted in qemu, at that point he had not tried real hardware). Then it will get reviewed, probably with some changes requested, and eventually it will get into an -rc kernel.

After that it can be backported - 4.15 (assuming this all happens before 4.16 is released) and 4.14, then (with luck) backports to 4.9 and 4.4.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather boots with stiletto heels for such a barefaced truth. - Unseen Academicals
Re: [lfs-support] Full retpoline mitigation on older systems
On Fri, Feb 2, 2018, at 10:00 AM, Paul Rogers wrote:
...
> installed this system with the original kernel on a 1 MHz low-power (~10W) VIA C7 "Esther" (P3 equivalent) system, but while compatible the CPU can be painfully slow. Not today, Esther. I worked on my "development box", on a 2.66 MHz Core-2 Duo "Conroe" 6700.

Brain f**t. My systems are old and slow, but not THAT slow!

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [lfs-support] Full retpoline mitigation on older systems
The most recent i686 system I have running (and want to still consider runnable) is an LFS-7.7 with gcc-4.9.2. I had already patched the kernel to 4.1.42, then recently 4.4.110. The most recent patch level I saw today is 4.4.114, which I suppose has "nicer" patches.

I've installed this system with the original kernel on a 1 MHz low-power (~10W) VIA C7 "Esther" (P3 equivalent) system, but while compatible the CPU can be painfully slow. Not today, Esther. I worked on my "development box", on a 2.66 MHz Core-2 Duo "Conroe" 6700.

I generally followed Ken's path, with the exception that in compiling gcc-7.3 I added --target=i686-pc-linux-gnu to make double sure there was no confusion on this x86-64 capable CPU to build i686 code.

The compile went fine, and when I patched the kernel I agreed to the "retpoline" option. But when I use a version of my usual kern-build script modified with the PATH change as Ken used it, going first through menuconfig (there *was* some change that prompted a rebuild, right?) PAGE_TABLE_ISOLATION was missing from Security Options, so apparently the Meltdown mitigation hasn't made its way into 4.4 i686 kernels yet.

No use building Spectre mitigation if Meltdown is wide open, so I bailed out at that point. I'm still hoping for Meltdown patches!

--
Paul Rogers
paulgrog...@fastmail.fm
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
Re: [lfs-support] systemd configuration
William Harrington wrote:
> On Thu, February 1, 2018 06:57, Frans de Boer wrote:
> > Chapter 6.53 contains the following instruction:
> >
> > LANG=en_US.UTF-8 \
> > meson --prefix=/usr \
> >       --sysconfdir=/etc \
> >       --localstatedir=/var \
> >       -Dblkid=true \
> >       -Dbuildtype=release \
> >       -Ddefault-dnssec=no \
> >       -Dfirstboot=false \
> >       -Dinstall-tests=false \
> >       -Dkill-path=/bin/kill \
> >       -Dkmod-path=/bin/kmod \
> >       -Dldconfig=false \
> >       -Dmount-path=/bin/mount \
> >       -Drootprefix= \
> >       -Drootlibdir=/lib \
> >       -Dsplit-usr=true \
> >       -Dsulogin-path=/sbin/sulogin \
> >       -Dsysusers=false \
> >       -Dumount-path=/bin/umount \
> >       -Db_lto=false \
> >       ..
> >
> > So, what is coming after the two dots?
> >
> > Regards,
> > Frans.
>
> Hello Frans,
>
> I think this means that Meson will be looking for ../meson.build while running in the build/ directory.

Correct,

$ meson --help
usage: meson [-h] [--prefix PREFIX] [--libdir LIBDIR] [directories [directories ...]]

How else would you point to the parent directory? It's just like cmake in this regard.

  -- Bruce
Re: [lfs-support] Full retpoline mitigation on older systems
On 01/31/2018 10:43 PM, Ken Moffat wrote:
> If anybody wants to add full retpoline mitigation (against Spectre v2) to an older system, the following works on x86_64 (I no longer have i686 systems to test on).
>
> I have tested this on my oldest available system (LFS-7.6, using gcc-4.9.1 and which had used a 3.18 kernel) to prove the approach. That system will never be used to connect to anything external (too many vulnerabilities, in particular its version of openssl is no longer maintained), it is only there in case I want to see if such an old system can build current LFS. So, if it works there it will also work on newer systems!
>
> What I do is build a minimal gcc-7.3 in /opt/kgcc and then use that to compile a supported kernel. On that oldest system I used the latest 4.4 kernel, on a less old system I have used the latest 4.9 kernel, and for more recent systems I either use the latest 4.14 or (recent test systems) 4.5.0.
>
> If anybody used the HJL gcc patches I posted at the start of the month, using gcc-7.3 provides no benefit. But for everybody else, it will help reduce the attack surface for Spectre v2.
>
> 1. gcc-7.3
>
> I based my build on what is in BLFS for gcc-7.2, with the following variations:
>
> 1.1 In the configure I changed the prefix and languages to
>   --prefix=/opt/kgcc --enable-languages=c
> and added --disable-bootstrap. Some of the other things can probably be turned off (compare LFS gcc pass 2, e.g. libssp), but this is minimal enough for my purpose.
>
> 1.2 Do NOT run the tests - the proof of the pudding is in the eating, either it will compile your kernel successfully, or it won't.
>
> 2. The kernel
>
> 2.1 Fix up the config (normally, make oldconfig - I keep my configs in the kernel, in /proc/config.gz so I can initialise .config for this). Ensure that retpoline support is selected (it defaults to Y, like PTI).
>
> 2.2 If you have configured this source tree before (e.g. for an earlier point release of the same minor version), make clean so that the build-system files where compiler lack of support for retpoline was recorded will be cleared out.
>
> 2.3 build the kernel using
>   PATH=/opt/kgcc/bin:$PATH make -jN
> (N for number of cores).
>
> 2.4 install modules, if used, and the kernel, add it to grub.cfg so that you can revert to an older kernel if problems.
>
> 3. Reboot. You should be able to see the result by running
>   cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
>
> Assuming it worked, run your usual acceptance tests to check that everything you rely on still works.
>
> That just leaves Spectre v1 to be addressed.

Thanks a million times, my systems are not that old, but a full upgrade of system gcc to 7.3.0 is still too painful for me. Did your proposed /opt/kcc installation and worked like a charm for 4.14.16.

I now can relax a bit, as all my systems now have at least two of the three vulnerabilities mitigated.

Bye Tim
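
A check for step 3 of the procedure quoted above, as an added example that is not part of the thread: it reads every entry under the vulnerabilities directory, counts the ones the kernel does not report as mitigated, and tests whether a compiler accepts the two options the x86 kernel build probes for retpoline support. The function names are illustrative, and the sample directory is constructed from the 4.15.0 i686 output quoted elsewhere on this page, with the file names assumed from glob order.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Print "entry: status" for each file in a vulnerabilities directory.
# $1 defaults to the sysfs path used in step 3 of the procedure.
vuln_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Echo how many entries are neither "Not affected" nor "Mitigation: ...".
count_unmitigated() {
    vuln_report "$1" | awk -F': ' '
        $2 !~ /^(Not affected|Mitigation)/ { n++ }
        END { print n + 0 }'
}

# Succeed if compiler $1 accepts the retpoline options. The object goes to
# a temp file rather than /dev/null because the build may run as root.
cc_supports_retpoline() {
    out=$(mktemp) || return 2
    printf 'int f(void) { return 0; }\n' |
        "$1" -mindirect-branch=thunk-extern -mindirect-branch-register \
             -x c -c -o "$out" - 2>/dev/null
    rc=$?
    rm -f "$out"
    return "$rc"
}

# Constructed sample: the three values shown in the 4.15.0 i686 output on
# this page. Mapping them to these file names is an assumption.
make_sample() {
    printf 'Vulnerable\n' > "$1/meltdown"
    printf 'Vulnerable\n' > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$1/spectre_v2"
}

# Stand-alone run: inspect the directory given as $1, else the sample.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(mktemp -d) && make_sample "$target"
fi
vuln_report "$target"
echo "unmitigated entries: $(count_unmitigated "$target")"
[ -n "${1:-}" ] || rm -rf "$target"

cc=${CC:-gcc}    # for the kernel compiler: CC=/opt/kgcc/bin/gcc
if command -v "$cc" >/dev/null 2>&1; then
    if cc_supports_retpoline "$cc"; then
        echo "$cc: retpoline options accepted"
    else
        echo "$cc: retpoline options rejected"
    fi
fi
```

Pass `/sys/devices/system/cpu/vulnerabilities` as the first argument to inspect the running kernel instead of the sample.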
Re: [lfs-support] Full retpoline mitigation on older systems
Thomas Seeling wrote:
> Hello,
>
> I rebuilt LFS from SVN with kernel 4.15 gcc 7.3 on i686.
>
> # head -n7 /proc/cpuinfo
> processor : 0
> vendor_id : GenuineIntel
> cpu family : 15
> model : 4
> model name : Intel(R) Pentium(R) 4 CPU 3.20GHz
> stepping: 9
> microcode : 0x3
>
> > PTI offers mitigation against Meltdown, retpoline against Spectre v2.
>
> Basic LFS compiles fine with book settings, apart from grub where a minimal change was required in the final build of binutils 2.30. I admit I simply hacked the script 082-binutils in lfs-commands to achieve that.
>
> configure needs the following switch on 32 bit systems:
> --enable-64-bit-bfd

Thanks for the report. The new glibc was released yesterday so I will be making a full build shortly. I will add a note to Chapter 6 binutils to add --enable-64-bit-bfd on 32-bit systems when I update the book.

I suspect it is automatically set (or the equivalent) on 64-bit systems. I'll look for that.

  -- Bruce

> The build fails if the "target" switch is used (as was suggested here on the list).
>
> I then compiled some minimal tools I always like to have - openssl, openssh, libtirpc, lsof, rpcbind, nfs-utils, cpio. I was able to compile that with only some minor patches on the way due to gcc 7.3 abiding to the latest C and C++ standards (things like stdint.h, sysmacros.h etc.).
>
> As it is i686 does not contain PTI yet.
>
> # uname -rm
> 4.15.0 i686
> # cat /sys/devices/system/cpu/vulnerabilities/*
> Vulnerable
> Vulnerable
> Mitigation: Full generic retpoline
>
> Bye...Thomas
Re: [lfs-support] systemd configuration
On Thu, February 1, 2018 06:57, Frans de Boer wrote:
> Chapter 6.53 contains the following instruction:
>
> LANG=en_US.UTF-8 \
> meson --prefix=/usr \
>       --sysconfdir=/etc \
>       --localstatedir=/var \
>       -Dblkid=true \
>       -Dbuildtype=release \
>       -Ddefault-dnssec=no \
>       -Dfirstboot=false \
>       -Dinstall-tests=false \
>       -Dkill-path=/bin/kill \
>       -Dkmod-path=/bin/kmod \
>       -Dldconfig=false \
>       -Dmount-path=/bin/mount \
>       -Drootprefix= \
>       -Drootlibdir=/lib \
>       -Dsplit-usr=true \
>       -Dsulogin-path=/sbin/sulogin \
>       -Dsysusers=false \
>       -Dumount-path=/bin/umount \
>       -Db_lto=false \
>       ..
>
> So, what is coming after the two dots?
>
> Regards,
> Frans.

Hello Frans,

I think this means that Meson will be looking for ../meson.build while running in the build/ directory.

Sincerely,

William
Re: [lfs-support] Insecure email communication
On February 1, 2018 22:27:15 Frans de Boer wrote:
> LS,
>
> I just had to downgrade my email security in order to be able to send messages to the list. Just because the email server used for the list does not support TLS. It's 2018, and no TLS support?

Maybe you should get some help in setting up your MTA, as usual configurations allow for both TLS and non-TLS delivery. Also, I fail to see any real security problem for a largely public list server not doing TLS. Can you maybe explain what exactly your problem is, apart from strict buzzword compliance?

Bye Tim

> Hope that linuxfromscratch gets a security upgrade soon.
>
> Regards,
> Frans.
Re: [lfs-support] Full retpoline mitigation on older systems
Hello,

I rebuilt LFS from SVN with kernel 4.15 gcc 7.3 on i686.

# head -n7 /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 4
model name : Intel(R) Pentium(R) 4 CPU 3.20GHz
stepping: 9
microcode : 0x3

> PTI offers mitigation against Meltdown, retpoline against Spectre v2.

Basic LFS compiles fine with book settings, apart from grub where a minimal change was required in the final build of binutils 2.30. I admit I simply hacked the script 082-binutils in lfs-commands to achieve that.

configure needs the following switch on 32 bit systems:
--enable-64-bit-bfd

The build fails if the "target" switch is used (as was suggested here on the list).

I then compiled some minimal tools I always like to have - openssl, openssh, libtirpc, lsof, rpcbind, nfs-utils, cpio. I was able to compile that with only some minor patches on the way due to gcc 7.3 abiding to the latest C and C++ standards (things like stdint.h, sysmacros.h etc.).

As it is i686 does not contain PTI yet.

# uname -rm
4.15.0 i686
# cat /sys/devices/system/cpu/vulnerabilities/*
Vulnerable
Vulnerable
Mitigation: Full generic retpoline

Bye...Thomas
--
"Do you wanna be a legend or a passing footprint on the sands of time?"
Re: [lfs-support] systemd compile error - SOLVED
On 02-02-18 09:05, Frans de Boer wrote:
> LS,
>
> Now that the issue of the undocumented two dots in the meson command line is clear, I encountered the next error:
>
> Meson encountered an error in file src/resolve/meson.build, line 178, column 10:
> Expecting rbracket got eof.
> tests += [
> ^^
>
> Any suggestion?
>
> Regards,
> Frans.

Ok, two digits needed to be changed 179,223 => 178,222.

SOLVED.
[lfs-support] systemd compile error
LS,

Now that the issue of the undocumented two dots in the meson command line is clear, I encountered the next error:

Meson encountered an error in file src/resolve/meson.build, line 178, column 10:
Expecting rbracket got eof.
tests += [
^^

Any suggestion?

Regards,
Frans.