+++ /dev/null
-# FD.io CSIT migration Python 2.7 to Python 3
-
-## Python 3 version
-
-There is a pre-agreement to migrate to Python 3 version used by
-Ubuntu 18.04-LTS - currently it is version [3.6.8](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-8-final).
-
-CentOS7 version 1810 that is used in [FD.io](https://fd.io/) also contains
-Python 3.6.
-
-## Dependency libs
-
-There was used *[caniusepython3](https://pypi.org/project/caniusepython3/)*
-tool to check readiness of current version of csit external libraries for
-Python 3. It identified one external library that needs to be updated to
-support Python 3:
- ```
- (env) vpp@vpp-VirtualBox:~/Documents/csit$ caniusepython3 -r requirements.txt
- Finding and checking dependencies ...
- You need 1 project to transition to Python 3.
- Of that 1 project, 1 has no direct dependencies blocking its transition:
- pypcap
- (env) vpp@vpp-VirtualBox:~/Documents/csit$ caniusepython3 -r tox-requirements.txt
- Finding and checking dependencies ...
- You have 0 projects blocking you from using Python 3!
- (env) vpp@vpp-VirtualBox:~/Documents/csit$
- ```
-
-The latest released version of *[pypcap](https://pypi.org/project/pypcap/)* is
-version 1.2.3 (Python 3 support implemented in version 1.2.0).
-
-Packages were checked for Python 3.6.8 support too and here are proposed
-package versions:
-
-- directly needed packages
- - ecdsa==0.13.3
- - paramiko==2.6.0
- - pycrypto==2.6.1
- - pypcap==1.2.3 # min. v1.2.0 for Python 3.6 support
- - PyYAML==5.1
- - requests==2.22.0 # min. v2.14.0 for Python 3.6 support
- - robotframework==3.1.2
- - scapy==2.4.3 # min. v2.4.0 for Python 3.6 support
- - scp==0.13.2
-
-- directly needed packages for PLRSearch
- - dill==0.3.1.1
- - numpy==1.17.3 # v1.14.5 - compatibility with Python 3.6.2, possible
- incompatibility with Python 3.6.8; v1.14.6 should be compatible with
- Python 3.6.8
- - scipy==1.3.1
-
-- directly needed packages for PAL
- - hdrhistogram==0.6.1
- - pandas==0.25.3
- - plotly==4.1.1
- - PTable==0.9.2
- - Sphinx==2.2.1
- - sphinx-rtd-theme==0.4.0
- - sphinxcontrib-programoutput==0.15
-
-- packages needed by paramiko package
- - bcrypt==3.1.7
- - cffi==1.13.1
- - cryptography==2.8
- - pycparser==2.19
- - PyNaCl==1.3.0
- - six==1.12.0
-
-- packages needed by request package
- - certifi==2019.9.11
- - chardet==3.0.4
- - idna==2.8
- - urllib3==1.25.6
-
-- not needed anymore
- - aenum - enum module in Python 3.6 already contains needed enum types
- - ipaddress - module already included in Python 3.6
- - pexpect - can be removed when corresponding unused code is removed from
- ssh.py
- - pykwalify + docpot + python-dateutil - can be removed if virl not used
- anymore
-
-After discussion there is an agreement to use pip freeze for indirect
-dependencies when all direct dependency versions are resolved - see example of
-*[requirements.txt](https://gerrit.fd.io/r/c/csit/+/23207/17/requirements.txt)*
-file in CSIT gerrit commit
-[Python3: PIP requirement](https://gerrit.fd.io/r/c/csit/+/23207).
-
-## Required CSIT code changes
-
-There were identified following code changes that need to be addressed during
-Python 2.7 to Python 3 migration in CSIT:
-- imports relative to package
- - `import submodul1` => `from . import submodule1`
- - `from csv import my_csv` => `from .csv import my_csv`
-- StringIO
- - `import StringIO` => `from io import StringIO`
-- `StandardError` -=> `Exception`
-- raising exceptions - should be ready
- - `raise ValueError, "wrong value"` => `raise ValueError("wrong value")`
-- catching exceptions - should be ready
- - `except ValueError, e:` => `except ValueError as e:`
-- integers
- - `long` => `int`
-- strings and bytes
- - `unicode` => `str`
- - `basestring` => `str`
- - `str` => `bytes` - not generally, only if bytes type really required
- - use following string style conventions:
- - `u"a unicode string literal"`
- - `b"a bytes string literal"`
- - `f"a formatted unicode string literal"` - `f"He said his name is {name}"`
- instead of `"He said his name is {n}".format(n=name)`
-- integer division with rounding down
- - `2 / 3` => `2 // 3`
-- metaclasses - use only new style
- - `class Form(BaseForm, metaclass=FormType):`
-- for-loop variables and the global namespace leak
- - for-loop variables don't leak into the global namespace anymore
-- returning iterable objects instead of lists
- - `xrange` => `range`
- - `range` => `list(range())`
- - `map` => `list(map())`
- - `zip` => `list(zip())`
- - `filter` => `list(filter())`
- - dictionaries
- - `.iteritems()` => `.items()`
- - `.iterkeys()` => `.keys()`
- - `.itervalues()` => `.values()`
- - `.viewitems()` => `.items()`
- - `.viewkeys()` => `.keys()`
- - `.viewvalues()` => `.values()`
- - `.items()`=> `list(.items())`
- - `.keys()` => `list(.keys())`
- - `.values()` => `list(.values())`
- - `dict.has_key(key)` => `key in dict`
- - lists
- - `L = list(some_iterable); L.sort()` => `L = sorted(some_iterable)`
- - parenthesis in list comprehensions
- - `[... for var in item1, item2, ...]` => `[... for var in (item1, item2, ...)]`
-- file IO with `open`
- - `f = open('myfile.txt') # f.read() returns byte string` =>
- `from io import open` plus
- - `f = open('myfile.txt', 'rb') # f.read() should return bytes`
- - `f = open('myfile.txt', 'rt') # f.read() should return unicode text`
-- reduce()
- - `reduce()` => `from functools import reduce; reduce()`
-
-- python files in following directories:
- - resources/libraries/python
- - resources/tools
- - resources/traffic_profiles/trex
- - resources/traffic_scripts
-
-- check python calls in bash files:
- - resources/libraries/bash/
- - csit root directory
-
-## Migration steps
-
-1. Update all external libraries - week(s) before the week W
-1. Install agreed Python 3 version to all servers used by CSIT for test
- execution - week(s) before the week W
- 1. vpp device servers - already done
- 1. performance testbeds - already done
- 1. jenkins executors - already done
-1. Freeze the CSIT master branch for one week for commits other then Python 2 to
- Python 3 migration - week W
- 1. Create back up branch of actual master
- 1. Migrate libraries - work split between all available CSIT developers. Each
- one will submit separate commit for review - csit-vpp-xxx verify jobs will
- be failing at this phase so committers will need to overwrite verify
- voting to be able to merged these commits.
-
- TODO: provide separate spread sheet with listed libraries to be migrated
- with the name of CSIT developer responsible for the migration of this
- library.
- 1. Run jobs and tests of all of types when all libraries migrated to confirm
- functionality or to catch bugs that needs to be fixed - iterate until
- successful execution of all tests.
-1. Unfreeze the CSIT master branch.
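Review bot: with `+++ /dev/null` the whole migration document is removed, including its open TODO (the spreadsheet of libraries and owners) and the "not needed anymore" list (aenum, ipaddress, pexpect, pykwalify + docpot + python-dateutil). Nothing in this change shows where those follow-ups are tracked. Suggest confirming that the listed packages were dropped from requirements.txt, or moving that list to a place that survives the deletion.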
- TRex is started in the background mode
::
- $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 > /tmp/trex.log 2>&1 &' > /dev/null
+ $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 --prefix $(hostname) --hdrh > /tmp/trex.log 2>&1 &' > /dev/null
- There are traffic streams dynamically prepared for each test, based on traffic
profiles. The traffic is sent and the statistics obtained using
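Review bot: in the added t-rex-64 command, `--prefix $(hostname)` is unquoted, and neither `--prefix` nor `--hdrh` is explained in the surrounding text. Suggest `--prefix "$(hostname)"` and one sentence after the literal block saying what the two options are for, so that a reader reproducing the setup knows whether they are required.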
Current FD.io production testbeds are built with SUT servers based on
the following processor architectures:
-- Intel Xeon: Skylake Platinum 8180 and Haswell-SP E5-2699v3.
+- Intel Xeon: Skylake Platinum 8180, Haswell-SP E5-2699v3,
+ Cascadelake Platinum 8280, Cascadelake 6252N.
- Intel Atom: Denverton C3858.
- ARM: TaiShan 2280, hip07-d05.
Following is the description of existing production testbeds.
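Review bot: the added list entry names the new parts inconsistently, "Cascadelake Platinum 8280, Cascadelake 6252N", while the new 2n-clx section calls the second one "Intel Xeon Gold 6252N". Suggest "Cascadelake Platinum 8280 and Gold 6252N" so the same processor carries the same name in both places.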
+2-Node Xeon Cascadelake (2n-clx)
+--------------------------------
+
+Three 2n-clx testbeds are in operation in FD.io labs. Each 2n-clx testbed
+is built with two SuperMicro SYS-7049GP-TRT servers, SUTs are equipped with two
+Intel Xeon Gold 6252N processors (35.75 MB Cache, 2.30 GHz, 24 cores).
+TGs are equiped with Intel Xeon Cascadelake Platinum 8280 processors (38.5 MB
+Cache, 2.70 GHz, 28 cores). 2n-clx physical topology is shown below.
+
+.. only:: latex
+
+ .. raw:: latex
+
+ \begin{figure}[H]
+ \centering
+ \graphicspath{{../_tmp/src/introduction/}}
+ \includegraphics[width=0.90\textwidth]{testbed-2n-clx}
+ \label{fig:testbed-2n-clx}
+ \end{figure}
+
+.. only:: html
+
+ .. figure:: testbed-2n-clx.svg
+ :alt: testbed-2n-clx
+ :align: center
+
+SUT servers are populated with the following NIC models:
+
+#. NIC-1: x710-DA4 4p10GE Intel.
+#. NIC-2: xxv710-DA2 2p25GE Intel.
+#. NIC-3: mcx556a-edat ConnectX5 2p100GE Mellanox. (Only testbed t27, t28)
+#. NIC-4: empty, future expansion.
+#. NIC-5: empty, future expansion.
+#. NIC-6: empty, future expansion.
+
+TG servers run T-Rex application and are populated with the following
+NIC models:
+
+#. NIC-1: x710-DA4 4p10GE Intel.
+#. NIC-2: xxv710-DA2 2p25GE Intel.
+#. NIC-3: mcx556a-edat ConnectX5 2p100GE Mellanox. (Only testbed t27, t28)
+#. NIC-4: empty, future expansion.
+#. NIC-5: empty, future expansion.
+#. NIC-6: x710-DA4 4p10GE Intel. (For self-tests.)
+
+All Intel Xeon Cascadelake servers run with Intel Hyper-Threading enabled,
+doubling the number of logical cores exposed to Linux.
+
2-Node Xeon Skylake (2n-skx)
----------------------------
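Review bot: typo in the added 2n-clx paragraph, "TGs are equiped" should be "equipped". The section also writes "T-Rex" where the earlier text of this change writes "TRex", and the NIC-3 remark "(Only testbed t27, t28)" names two testbeds while the paragraph says three are in operation. Suggest naming the third testbed and stating that its NIC-3 slot is empty.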
system instances. Generally they come useful as a background data for
comparing data plane performance results across disparate servers.
-Following sections include measured calibration data for Intel Xeon
-Haswell and Intel Xeon Skylake testbeds.
+Following sections include measured calibration data for testbeds.
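Review bot: the replacement sentence "Following sections include measured calibration data for testbeds." no longer says which testbeds are covered, where the removed text named Haswell and Skylake. Suggest listing the platforms the following sections actually contain data for.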
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
+ BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
Linux uname
~~~~~~~~~~~
::
$ uname -a
- Linux s32-t27-sut1 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ Linux s32-t27-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
Following sections include sample calibration data measured on
Denverton server at Intel SH labs.
-And VPP-18.10 2-Node Atom Denverton testing took place at Intel Corporation
-carefully adhering to FD.io CSIT best practices.
+A 2-Node Atom Denverton testing took place at Intel Corporation carefully
+adhering to FD.io CSIT best practices.
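Review bot: the added sentence "A 2-Node Atom Denverton testing took place ..." is ungrammatical and, with "VPP-18.10" dropped, no longer says which release the calibration data belongs to. Suggest "2-Node Atom Denverton testing took place at Intel Corporation, carefully adhering to FD.io CSIT best practices." and adding the release or the measurement date.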
Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=5d2ecc97-245b-4e94-b0ae-c3548567de19 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
+ BOOT_IMAGE=/vmlinuz-4.15.0-72-generic root=UUID=c59ae603-8076-41f4-bb5d-bc3fc8dd3ea1 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0console=ttyS0,115200n8
Linux uname
::
$ uname -a
- Linux t1-tg1 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ Linux t1-tg1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
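Review bot: in the added /proc/cmdline line the last two parameters are fused, "console=tty0console=ttyS0,115200n8", missing the space that the removed line and the other cmdline samples in this change have. If this is a paste error, restore "console=tty0 console=ttyS0,115200n8". If the host really boots with this string, the console setting is wrong on the testbed and should be fixed there.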
::
$ cat /proc/cmdline
- BOOT_IMAGE=/vmlinuz-4.15.0-23-generic root=UUID=759ad671-ad46-441b-a75b-9f54e81837bb ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
+ BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=e05120bb-7127-43db-b1e3-a66edd4c43bd ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
Linux uname
::
$ uname -a
- Linux s5-t22-sut1 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ Linux s3-t21-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
Below a subset of the running configuration:
-1. Xeon Haswell - Ubuntu 18.04.1 LTS
+1. Ubuntu 18.04.x LTS
::
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
- Description: Ubuntu 18.04.1 LTS
- Release: 18.04
- Codename: bionic
-
-
-2. Xeon Skylake - Ubuntu 18.04 LTS
-
-::
-
- $ lsb_release -a
- No LSB modules are available.
- Distributor ID: Ubuntu
- Description: Ubuntu 18.04 LTS
+ Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
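Review bot: after the second entry is removed, "1. Ubuntu 18.04.x LTS" is a numbered list with a single item, and its "18.04.x" does not match the sample output below it, which shows "Ubuntu 18.04.3 LTS". Suggest dropping the "1." and either stating 18.04.3 or adding a sentence that the point release may differ between testbeds.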
`/etc/sysctl.d/90-csit.conf` on each testbed. Default huge page size is 2M.
The exact amount of huge pages depends on testbed. All the values are defined
in `Ansible inventory - hosts` files.
-
-
-Applied Boot Cmdline
-~~~~~~~~~~~~~~~~~~~~
-
-1. Xeon Haswell - Ubuntu 18.04.1 LTS
-
-::
-
- $ cat /proc/cmdline
- BOOT_IMAGE=/vmlinuz-4.15.0-36-generic root=UUID=5d2ecc97-245b-4e94-b0ae-c3548567de19 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
-
-2. Xeon Skylake - Ubuntu 18.04 LTS
-
-::
-
- $ cat /proc/cmdline
- BOOT_IMAGE=/vmlinuz-4.15.0-23-generic root=UUID=3fa246fd-1b80-4361-bb90-f339a6bbed51 ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
-
-
::
- Spectre and Meltdown mitigation detection tool v0.42
+ Spectre and Meltdown mitigation detection tool v0.43
+ awk: fatal: cannot open file `bash for reading (No such file or directory)
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-60-generic #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 x86_64
- CPU is Intel(R) Xeon(R) Gold 6252N CPU @ 2.30GHz
+ Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
+ CPU is Intel(R) Xeon(R) Platinum 8280 CPU @ 2.70GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* L1 data cache invalidation
* FLUSH_CMD MSR is available: YES
* CPU indicates L1D flush capability: YES (L1D flush feature bit)
- * Microarchitecture Data Sampling
+ * Microarchitectural Data Sampling
* VERW instruction is available: YES (MD_CLEAR feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: YES
* CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES
+ * TSX_CTRL MSR indicates TSX RTM is disabled: YES
+ * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES
+ * CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x5000021 cpuid 0x50657)
- * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash' for reading (No file or directory)
+ * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x500002c cpuid 0x50657)
+ * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory)
UNKNOWN (latest microcode version for your CPU model is unknown)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
* Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
* Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
* Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
* Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
* Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
* Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
* Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
- CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
- * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer saniation)
- * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
- * Kernel has the Red Hat/Ubuntu patch: NO
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
* Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability)
- CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: NO
+ * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-3640 aka 'Variant 3a, rogue system register read'
+ CVE-2018-3640 aka Variant 3a, rogue system register read
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
- CVE-2018-3639 aka 'Variant 4, speculative store bypass'
+ CVE-2018-3639 aka Variant 4, speculative store bypass
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES ((deleted) systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+ * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
- CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
* CPU microcode mitigates the vulnerability: N/A
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports PTE inversion: YES (found in kernel image)
* PTE inversion enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+ > STATUS: NOT VULNERABLE (Not affected)
- CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
* Information from the /sys interface: Not affected
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
* L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
* L1D flush enabled: NO
* Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
-
* Hyper-Threading (SMT) is enabled: YES
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+ > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable)
- CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: YES (Mitigation: TSX disabled)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
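Review bot: the refreshed report comes from a run that did not complete cleanly. The added line "awk: fatal: cannot open file `bash for reading" appears after the banner and again inside the microcode check, which therefore ends as UNKNOWN, and "PTI enabled and active" now reads "UNKNOWN (dmesg truncated, please reboot and relaunch this script)". Suggest re-running the tool after a reboot, with the awk error resolved, before pasting the output. The CPU line also changes from Gold 6252N to Platinum 8280, which the new 2n-clx section assigns to TG servers, so the block should say which host it was taken on.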
::
- Spectre and Meltdown mitigation detection tool v0.42
+ Spectre and Meltdown mitigation detection tool v0.43
+ awk: cannot open bash (No such file or directory)
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64
+ Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz
Hardware check
* L1 data cache invalidation
* FLUSH_CMD MSR is available: YES
* CPU indicates L1D flush capability: YES (L1D flush feature bit)
- * Microarchitecture Data Sampling
- * VERW instruction is available: NO
+ * Microarchitectural Data Sampling
+ * VERW instruction is available: YES (MD_CLEAR feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
+ * CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x3d cpuid 0x306f2)
+ * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x43 cpuid 0x306f2)
* CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)
UNKNOWN (latest microcode version for your CPU model is unknown)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
* Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
* Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
+ * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
- * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+ > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
- * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
+ * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for firmware code only)
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: YES
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: YES
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: YES
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: YES
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
::
- Spectre and Meltdown mitigation detection tool v0.42
+ Spectre and Meltdown mitigation detection tool v0.43
+ awk: cannot open bash (No such file or directory)
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
+ Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
- * Indirect Branch Restricted Speculation (IBRS)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
- * Indirect Branch Prediction Barrier (IBPB)
- * PRED_CMD MSR is available: YES
- * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
- * Single Thread Indirect Branch Predictors (STIBP)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
- * Speculative Store Bypass Disable (SSBD)
- * CPU indicates SSBD capability: YES (Intel SSBD)
- * L1 data cache invalidation
- * FLUSH_CMD MSR is available: YES
- * CPU indicates L1D flush capability: YES (L1D flush feature bit)
- * Microarchitecture Data Sampling
- * VERW instruction is available: NO
- * Enhanced IBRS (IBRS_ALL)
- * CPU indicates ARCH_CAPABILITIES MSR availability: NO
- * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
- * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
- * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
- * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
- * CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x200004d cpuid 0x50654)
- * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)
+ * Indirect Branch Restricted Speculation (IBRS)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
+ * Indirect Branch Prediction Barrier (IBPB)
+ * PRED_CMD MSR is available: YES
+ * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
+ * Single Thread Indirect Branch Predictors (STIBP)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
+ * Speculative Store Bypass Disable (SSBD)
+ * CPU indicates SSBD capability: YES (Intel SSBD)
+ * L1 data cache invalidation
+ * FLUSH_CMD MSR is available: YES
+ * CPU indicates L1D flush capability: YES (L1D flush feature bit)
+ * Microarchitectural Data Sampling
+ * VERW instruction is available: YES (MD_CLEAR feature bit)
+ * Enhanced IBRS (IBRS_ALL)
+ * CPU indicates ARCH_CAPABILITIES MSR availability: NO
+ * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
+ * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
+ * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
+ * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
+ * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
+ * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
+ * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)
+ * CPU supports Software Guard Extensions (SGX): NO
+ * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000064 cpuid 0x50654)
+ * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)
UNKNOWN (latest microcode version for your CPU model is unknown)
* CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
+ * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
+ * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
+ * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
+ * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
+ * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
+ * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
+ * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
+ * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
- * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+ > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
- * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
+ * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: YES (for firmware code only)
- * Kernel is compiled with IBPB support: YES
- * IBPB enabled and active: YES
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: YES (for firmware code only)
+ * Kernel is compiled with IBPB support: YES
+ * IBPB enabled and active: YES
* Mitigation 2
- * Kernel has branch predictor hardening (arm): NO
- * Kernel compiled with retpoline option: YES
- * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
- * Kernel supports RSB filling: YES
+ * Kernel has branch predictor hardening (arm): NO
+ * Kernel compiled with retpoline option: YES
+ * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
+ * Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: YES
- * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
+ * PTI enabled and active: YES
+ * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
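Review bot: The added line "awk: cannot open bash (No such file or directory)" directly under the v0.43 banner is an error from the run environment, not checker output. The same error still cuts off the "CPU microcode is the latest known available version" check, which ends in UNKNOWN. Re-run the checker so that awk is invoked correctly, or drop the stray line from the captured output. As committed, the text records ucode 0x2000064 but gives no confirmation that it is the latest microcode for this Xeon Platinum 8180.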
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
- * EPT is disabled: NO
+ * EPT is disabled: NO
* Mitigation 2
- * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- * L1D flush enabled: YES (conditional flushes)
- * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- * Hyper-Threading (SMT) is enabled: YES
+ * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
+ * L1D flush enabled: YES (conditional flushes)
+ * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
+ * Hyper-Threading (SMT) is enabled: YES
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
- * Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ > STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
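Review bot: In the four MDS entries (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) and the TAA entry, the added lines read "Clear CPU buffers; SMT vulnerable" and "SMT is either mitigated or disabled: NO", yet each STATUS is NOT VULNERABLE and the SUMMARY line shows OK for all of them. The same hunk shows "Hyper-Threading (SMT) is enabled: YES". The text around this output should say that this testbed runs with SMT enabled and that the OK results cover the buffer-clearing mitigation only. Otherwise readers will take this SUMMARY as equivalent to the one for the host reported above with "SMT disabled".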
DPDK Version
~~~~~~~~~~~~
-DPDK v19.02
+DPDK v19.05
TG Build Script Used
~~~~~~~~~~~~~~~~~~~~
::
- $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 > /tmp/trex.log 2>&1 &'> /dev/null
+ $ sh -c 'cd <t-rex-install-dir>/scripts/ && sudo nohup ./t-rex-64 -i -c 7 --prefix $(hostname) --hdrh > /tmp/trex.log 2>&1 &'> /dev/null
TG API Driver
~~~~~~~~~~~~~
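Review bot: The new t-rex-64 options "--prefix $(hostname)" and "--hdrh" are added to the documented command with no explanation in the surrounding text. Add a sentence under "TG Build Script Used" saying what each option is for. It is also worth stating that $(hostname) sits inside the single-quoted sh -c string, so it is expanded by the inner sh and not by the shell the command is typed into.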
#. VPP PERFORMANCE TESTS
- **Service density 2n-skx tests**: Added higher NF density tests with
- 802.1q (vlan) and VXLAN encapsulation from Traffic Generator.
+ IPSec encencryption between DUTs.
- - **GBP tests**: Added GBP (Group Based Policy) routing test cases
- with 802.1q (vlan) external traffic.
-
- - **AVF IPv4 scale tests**: Increased coverage of AVF IPv4 base and
- scale test cases (Fortville NICs only).
-
- - **2n-skx tests**: Increased coverage of selected (COP, iACL,
- Policer) test cases.
-
- - **IPsec scale tests**: Added IPsec interface mode scale tests with
- 1, 40, 400, 1000, 5000, 10000, 20000, 40000, 60000 IPsec tunnels.
- Removed DPDK backend dependency. Major IPsec test code
- refactoring.
+ - **AVF tests**: Full test coveraged based on code changes in CSIT core
+ layer (driver/interface awareness) and generated by suite generator
+ (Fortville NICs only).
- **Hoststack TCP/IP tests**: Major refactor of Hoststack TCP
performance tests using WRK generator talking to the VPP HTTP
static server plugin measuring connections per second and
requests per second.
- - **Changed methodology of dot1q tests in 2-Node testbeds**: dot1q
- encapsulation is now used on both links of SUT. Previously dot1q
- was used only on a single link with the other link carrying
- untagged Ethernet frames. This change results in slightly lower
- throughput in CSIT-1908 for all dot1q tests in all 2-Node
- testbeds.
-
- - **KVM VM vhost-user tests**: completed move to Kernel-VM for all
- tests. In addition to running DPDK Testpmd as VM workload, new
- tests created with VPP as VM workload. VPP in VM is the same
- version as the DUT VPP (acting as vSwitch) and its configuration
- depends on the test type. For all L2 Ethernet Switching tests
- it's vpp-l2xc (L2 cross-connect), for all IPv4 Routing tests it's
- vpp-ip4 (VPP IPv4 routing).
-
#. TEST FRAMEWORK
+ - **CSIT Python3 Support**: Full migration of CSIT from Python2.7 to
+ Python3.6. This change includes library migration, PIP dependency upgrade,
+ CSIT container images, infrastructure packages ugrade/installation.
+
- **CSIT PAPI Support**: Finished conversion of CSIT VAT L1 keywords
to PAPI L1 KWs in CSIT using VPP Python bindings (VPP PAPI).
Redesign of key components of PAPI Socket Executor and PAPI
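Review bot: Three spelling errors in the added release-note lines: "encencryption" in the service density entry should be "encryption", "coveraged" in the AVF entry should be "coverage", and "ugrade" in the CSIT Python3 Support entry should be "upgrade". The AVF sentence "Full test coveraged based on code changes in CSIT core layer ... and generated by suite generator" is also hard to parse. State what is now covered and that the suites are produced by the suite generator.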
| 2 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. |
| | <https://jira.fd.io/browse/VPP-662>`_ | |
+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 3 | `CSIT-1503 | [`TRex-519 <https://trex-tgn.cisco.com/youtrack/issue/trex-519>`_] XL710/XXV710 with FW 6.0.1 will have |
-| | <https://jira.fd.io/browse/CSIT-1503>`_ | Rx drop rate of 27MPPS. |
-+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 4 | `CSIT-1498 | Memif tests are sporadically failing on initialization of memif connection. |
+| 3 | `CSIT-1498 | Memif tests are sporadically failing on initialization of memif connection. |
| | <https://jira.fd.io/browse/CSIT-1498>`_ | |
+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 5 | `CSIT-1499 | AVF tests are sporadically failing on initialization of AVF interface. |
-| | <https://jira.fd.io/browse/CSIT-1499>`_ | |
-+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 6 | `VPP-1676 | 9000B ip4 memif errors - ip4-input: ip4 length > l2 length. |
-| | <https://jira.fd.io/browse/VPP-1676>`_ | IP4 jumbo frames (9000B) are dropped in case of tests with memif. |
-+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 7 | `VPP-1677 | 9000B ip4 nat44: VPP crash + coredump. |
+| 4 | `VPP-1677 | 9000B ip4 nat44: VPP crash + coredump. |
| | <https://jira.fd.io/browse/VPP-1677>`_ | VPP crashes very often in case that NAT44 is configured and it has to process IP4 jumbo frames (9000B). |
+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 8 | `CSIT-1591 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much |
+| 5 | `CSIT-1591 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much |
| | <https://jira.fd.io/browse/CSIT-1499>`_ | longer to program VPP). This needs to be addressed on the PAPI side. |
| +-----------------------------------------+ |
| | `VPP-1763 | |
| | <https://jira.fd.io/browse/VPP-1763>`_ | |
+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 9 | `CSIT-1592 | VPP memif API does not enable memif zero-copy, resulting in different memif configuration vs. previously |
-| | <https://jira.fd.io/browse/CSIT-1592>`_ | tested VAT/CLI where memif zero-copy was enabled by default. Needs to be fixed in VPP. |
-| +-----------------------------------------+ |
-| | `VPP-1764 | |
-| | <https://jira.fd.io/browse/VPP-1764>`_ | |
-+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 10 | `VPP-1675 | IPv4 IPSEC 9000B packet tests are failing as no packet is forwarded. |
+| 6 | `VPP-1675 | IPv4 IPSEC 9000B packet tests are failing as no packet is forwarded. |
| | <https://jira.fd.io/browse/VPP-1675>`_ | Reason: chained buffers are not supported. |
+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
-| 11 | `CSIT-1593 | IPv4 AVF 9000B packet tests are failing on 3n-skx while passing on 2n-skx. |
+| 7 | `CSIT-1593 | IPv4 AVF 9000B packet tests are failing on 3n-skx while passing on 2n-skx. |
| | <https://jira.fd.io/browse/CSIT-1593>`_ | |
+----+-----------------------------------------+----------------------------------------------------------------------------------------------------------+
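Review bot: The renumbered row 5 is labelled CSIT-1591, but its link target on the following unchanged line is still https://jira.fd.io/browse/CSIT-1499. This patch removes the CSIT-1499 row from the table, so the link now points at an issue that is no longer listed. Change the target to https://jira.fd.io/browse/CSIT-1591 while renumbering.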
Kubernetes
~~~~~~~~~~
-For the future use, Kubernetes is implemented as separate library
+For the future use, Kubernetes [k8sdoc]_ is implemented as separate library
``KubernetesUtils.py``, with a class with the same name. This utility provides
an API for L2 Robot Keywords to control ``kubectl`` installed on each of DUTs.
One time initialization script, ``resources/libraries/bash/k8s_setup.sh``
.. [apparmor] `Ubuntu AppArmor <https://wiki.ubuntu.com/AppArmor>`_.
.. [seccomp] `SECure COMPuting with filters <https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt>`_.
.. [docker] `Docker <https://www.docker.com/what-docker>`_.
+.. [k8sdoc] `Kubernetes documentation <https://kubernetes.io/docs/home/>`_.
.. include:: ../introduction/test_environment_intro.rst
+.. include:: ../introduction/test_environment_sut_calib_clx.rst
+
.. include:: ../introduction/test_environment_sut_calib_hsw.rst
.. include:: ../introduction/test_environment_sut_calib_skx.rst