Power ISA improvements in 5.2 (and a Raptor tease)

I'm catching up on all the stuff while I was semi-off-grid, and among them is kernel 5.2, which was declared released on July 7 and should be reaching your distribution soooooon (though Fedora 30 on this Talos II is still at 5.1.x as of this writing). Big general improvements are Sound Open Firmware, which is not an audio player for the ok prompt but rather open source firmware for audio devices, a (hopefully better) new mount(2) interface with new syscalls, performance improvements to the Budget Fair Queuing (BFQ) I/O scheduler, and additional CPU information leak protections using an architecture-independent mitigations= command line argument (it works on Power machines too, as well as x86, x86_64, ARM64 and s390). On PowerPC and 64-bit Power, mitigations=off sets nopti,nospectre_v1,nospectre_v2,spec_store_bypass_disable=off which respectively disable mitigations for user/kernel page table isolation (i.e., Meltdown), Spectre versions 1 and 2, and speculative storage bypass. If set to auto, the default, then these mitigations are enabled in the kernel along with (on POWER8 and POWER9) mitigating SSB by inserting a store-forwarding barrier when entering and leaving kernel context. The particularly paranoid can set auto,nosmt to take the hit against L1TF and MDS attacks, but currently this disables SMT only on x86, because Power doesn't suck. ;)

Power-specific changes include the long-awaited (at least by me) YOLO DAWR support on POWER9, as well as support for Kernel Userspace Access/Execution Prevention (KUAP and KUEP). KUP features collectively are analogous to Intel Supervisor Mode Access Prevention (though I like this SMAP better) and prevent the kernel from accidentally accessing userspace outside copy_to/from_user() and/or executing code in userspace. Support is somewhat varied: most 32-bit CPUs except the 400, 440 and e500 series support both KUAP and KUEP (though the poor old PowerPC 601 lacks an NX segment bit, so no KUEP), but KUP on 64-bit Power currently requires the radix MMU, meaning only POWER9 CPUs in radix mode. You can see if your CPU is supported in this list, looking for CPU_HAVE_KUAP and CPU_HAVE_KUEP.

Meanwhile, who says 32-bit PowerPC is dead? 5.2 also adds 32-bit support for the Kernel Address Sanitizer (KASAN), further improving security, and some significant performance improvements to 32-bit syscall overhead (up to 12-17% improvement on the the null_syscall benchmark).

Although I won't be able to make OpenPOWER this year in San Diego, Raptor is going, and is teasing a new POWER9 product announcement. However, I will be at Vintage Computer Festival West exhibiting some of my PowerPC, PA-RISC and SPARC laptops and portable workstations. If you're going to be near the Computer History Museum in Mountain View (near the Google Death Star) on August 3 or 4, drop by, say hi, and play with the toys.

One big happy Void

The PowerPC Void Linux project has officially merged its 32-bit and 64-bit Power offerings, though to be fair this was expected for awhile and just makes good sense. Meanwhile, substantial progress is being made on the ports and it looks like most packages are buildable, but actual package availability for the big-endian (32-bit and 64-bit) and musl flavours still lags ppc64le at least right now, so that G5 under your desk may have to wait a bit. Live CDs are still available.

OCC is the sound you make when throttled

Back from distant climes to find an interesting tweet from Raptor relating to the POWER9 OCC. The OCC, or On-Chip Controller, monitors power usage and thermal stability, and can surface this information to the kernel via cpufreq. Raptor is asking users who get throttling warnings in dmesg to report them, though I haven't seen any such issues on my thermally constrained Blackbird or on this cool-running Talos II, and it's not clear how widespread the issue actually is.

Meanwhile, users who get weird OCC-related crashes when the POWER9 is in a stop state are encouraged to upgrade to the latest firmware release candidate to pick up this fix. This apparently is being triggered by recent kernel versions that enable deep power saving modes.

FreeBSD on POWER

We haven't covered BSD a great deal in this blog even though I personally run NetBSD on three systems myself (two of which are in regular service), mostly because my system and I suspect the majority of the OpenPOWER install base is on Linux. However, FreeBSD 11.3 is now officially released and has fairly good support for 32-bit and 64-bit PowerPC on Power Mac hardware, so it's worth pointing out that 12.0 (and 13.0) has also been tested on the Blackbird and thus should also work on the Talos II. However, on the PowerPC wiki page -CURRENT is recommended for Blackbird, 12.0 is mandatory for OpenPOWER (thus 11.x won't work and presumably won't ever work), and X11 is currently listed "on Power8/Power9 [as] still a work in progress." Nevertheless, POWER8 systems also work, hardware support is improving and the OS offers another big-endian option for people preferring to run their systems that way, so hopefully Justin or Mark who are more versed in the FreeBSD world than I am have some comments about how well it works for others to explore.

Firefox 68 on POWER

Firefox 68 is out. I haven't had a chance to exhaustively test it on my ppc64le Talos II due to business trips and some family obligations, but on cursory testing the browser seems to function normally. Unfortunately our last minute latest workaround for (what is now clearly) a compiler bug in bug 1512162 did not make release, so you'll need to add it if you build from source; without it, some optimization levels may crash or behave adversely. We have not yet narrowed down the issue in gcc and on my last check clang still can't build the browser fully. Fortunately the fix did land on the new Extended Support Release 68, so individuals who prefer the ESR should be able to build as-is from there, and the fix also does not appear to be necessary on big-endian. Thanks to Dan Horák's usual quick work, the patch is also in the standard Fedora packages. The configurations I'm using are unchanged from Firefox 67.

DIAF, Amazon Music (and DRM)

It used to be that Amazon Music was a decent choice for playing the music you purchased. Not only did the AutoRip feature mean you had an automatic digital copy of participating CDs you purchased, playable from any web browser (I used TenFourFox for this purpose up until recently), but you still had the physical disc and discs you bought before got automatically added to your AutoRip library if Amazon got rights to do so. It was cool to watch my music library just fill in over the years from past purchases and still have the original CD if I needed it.

Well, turns out I'll need those CDs after all, because guess what Amazon Music does now?

"Amazon Music Unlimited" my pasty sculpted white butt. The message is almost intentionally misleading. What I've "disabled" in my browser is the Google Widevine EME component, because it doesn't exist for ppc64le, and while Amazon's community staff are as useless as ever that "deficiency" appears to be the real reason it won't work. Amazon, in fact, is claiming Linux on any platform isn't supported for the browser version or the dedicated client at all.

I wasn't going to take no for an answer. I used uBlock Origin to remove as many of the elements as I could. I couldn't get the blurring away easily but I was able to get into my old albums library and try to play something. It looked like it was starting, but no music issued forth. In the Browser console was this damning message:

No, you lying sack of filth. I didn't pref anything off. I didn't do anything. You did.

How did this work before? Amazon Music would say it required Flash, but it actually didn't (TenFourFox hasn't supported NPAPI plugins for years). The music files were just MP3. You could stream them or download them, and while some of the tracks were watermarked, I considered that a reasonable tradeoff for the convenience. Now it won't even let you in to download them.

I'm no Stallmanite. I could live with a compromise where music I don't own requires some sort of DRM, because I'll just preview it (at least for as long as they'll still allow it, which currently they still seem to), and I'll buy it if I want it. The problem is that Amazon has now effectively defined everything I've ever bought from them (and I have, in fact, bought a few tracks that I don't have a disc for) as "music I don't own." You can't even download them again despite Amazon's instructions because the browser client doesn't let you get there, even if you block the restraining elements. I'm not going to stop buying CDs from Amazon if they have a decent price, but I won't consider AutoRip as part of the value calculation anymore, and I certainly won't buy any form of digital music from them until this changes.

If there's going to be choices in computing, then this kind of crap has to stop. DRM isn't compatible with open source by definition. Worse, locking down a service that previously didn't enforce DRM is not only a still greater sin, but it's even potentially actionable. When DRM like Widevine is the only choice for playing content, then that means the only computers that can are the ones they control, and I wouldn't run some potentially untrustworthy blob on my Talos II anyway even if a ppc64le version were one day offered. Amazon Music can die in a fire.