Author Archives: Eben Upton

Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown

via Raspberry Pi

Over the last couple of days, there has been a lot of discussion about a pair of security vulnerabilities nicknamed Spectre and Meltdown. These affect all modern Intel processors, and (in the case of Spectre) many AMD processors and ARM cores. Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read arbitrary data from the operating system kernel’s address space (which should normally be inaccessible to user programs).

Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack. Happily, the Raspberry Pi isn’t susceptible to these vulnerabilities, because of the particular ARM cores that we use.

To help us understand why, here’s a little primer on some concepts in modern processor design. We’ll illustrate these concepts using simple programs in Python syntax like this one:

t = a+b
u = c+d
v = e+f
w = v+g
x = h+i
y = j+k

While the processor in your computer doesn’t execute Python directly, the statements here are simple enough that they roughly correspond to a single machine instruction. We’re going to gloss over some details (notably pipelining and register renaming) which are very important to processor designers, but which aren’t necessary to understand how Spectre and Meltdown work.

For a comprehensive description of processor design, and other aspects of modern computer architecture, you can’t do better than Hennessy and Patterson’s classic Computer Architecture: A Quantitative Approach.

What is a scalar processor?

The simplest sort of modern processor executes one instruction per cycle; we call this a scalar processor. Our example above will execute in six cycles on a scalar processor.

Examples of scalar processors include the Intel 486 and the ARM1176 core used in Raspberry Pi 1 and Raspberry Pi Zero.

What is a superscalar processor?

The obvious way to make a scalar processor (or indeed any processor) run faster is to increase its clock speed. However, we soon reach limits of how fast the logic gates inside the processor can be made to run; processor designers therefore quickly began to look for ways to do several things at once.

An in-order superscalar processor examines the incoming stream of instructions and tries to execute more than one at once, in one of several “pipes”, subject to dependencies between the instructions. Dependencies are important: you might think that a two-way superscalar processor could just pair up (or dual-issue) the six instructions in our example like this:

t, u = a+b, c+d
v, w = e+f, v+g
x, y = h+i, j+k

But this doesn’t make sense: we have to compute v before we can compute w, so the third and fourth instructions can’t be executed at the same time. Our two-way superscalar processor won’t be able to find anything to pair with the third instruction, so our example will execute in four cycles:

t, u = a+b, c+d
v    = e+f                   # second pipe does nothing here
w, x = v+g, h+i
y    = j+k

Examples of superscalar processors include the Intel Pentium, and the ARM Cortex-A7 and Cortex-A53 cores used in Raspberry Pi 2 and Raspberry Pi 3 respectively. Raspberry Pi 3 has only a 33% higher clock speed than Raspberry Pi 2, but has roughly double the performance: the extra performance is partly a result of Cortex-A53’s ability to dual-issue a broader range of instructions than Cortex-A7.

What is an out-of-order processor?

Going back to our example, we can see that, although we have a dependency between v and w, we have other independent instructions later in the program that we could potentially have used to fill the empty pipe during the second cycle. An out-of-order superscalar processor has the ability to shuffle the order of incoming instructions (again subject to dependencies) in order to keep its pipelines busy.

An out-of-order processor might effectively swap the definitions of w and x in our example like this:

t = a+b
u = c+d
v = e+f
x = h+i
w = v+g
y = j+k

allowing it to execute in three cycles:

t, u = a+b, c+d
v, x = e+f, h+i
w, y = v+g, j+k

Examples of out-of-order processors include the Intel Pentium 2 (and most subsequent Intel and AMD x86 processors), and many recent ARM cores, including Cortex-A9, -A15, -A17, and -A57.

What is speculation?

Reordering sequential instructions is a powerful way to recover more instruction-level parallelism, but as processors become wider (able to triple- or quadruple-issue instructions) it becomes harder to keep all those pipes busy. Modern processors have therefore grown the ability to speculate. Speculative execution lets us issue instructions which might turn out not to be required (because they are branched over): this keeps a pipe busy, and if it turns out that the instruction isn’t executed, we can just throw the result away.

To demonstrate the benefits of speculation, let’s look at another example:

t = a+b
u = t+c
v = u+d
if v:
   w = e+f
   x = w+g
   y = x+h

Now we have dependencies from t to u to v, and from w to x to y, so a two-way out-of-order processor without speculation won’t ever be able to fill its second pipe. It spends three cycles computing t, u, and v, after which it knows whether the body of the if statement will execute, in which case it then spends three cycles computing w, x, and y. Assuming the if (a branch instruction) takes one cycle, our example takes either four cycles (if v turns out to be zero) or seven cycles (if v is non-zero).

Speculation effectively shuffles the program like this:

t = a+b
u = t+c
v = u+d
w_ = e+f
x_ = w_+g
y_ = x_+h
if v:
   w, x, y = w_, x_, y_

so we now have additional instruction-level parallelism to keep our pipes busy:

t, w_ = a+b, e+f
u, x_ = t+c, w_+g
v, y_ = u+d, x_+h
if v:
   w, x, y = w_, x_, y_

Cycle counting becomes less well defined in speculative out-of-order processors, but the branch and conditional update of w, x, and y are (approximately) free, so our example executes in (approximately) three cycles.
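The superscalar, out-of-order and speculation sections above all count cycles by hand. As an added example that is not part of the original post, here is a toy issue scheduler that reproduces those counts from the dependency structure alone: the three programs are the post's own (the `br` pseudo-instruction standing in for `if v:` is an assumption of the model), and the conditional copy into w, x, y is treated as free, as the text does, so only the branch itself still costs one cycle.

```python
# Added example (not part of the original post): a toy issue scheduler that
# reproduces the cycle counts the text quotes. Each instruction is
# (destination, sources); a value is usable only in the cycle after it is
# produced, so dependent instructions cannot pair up, exactly as in the text.

# The six-instruction program from the text.
PROGRAM = [
    ("t", ("a", "b")), ("u", ("c", "d")), ("v", ("e", "f")),
    ("w", ("v", "g")), ("x", ("h", "i")), ("y", ("j", "k")),
]

# The branch example. "br" (a modelling assumption) stands for the `if v:`
# branch; the body depends on it, so without speculation w, x, y cannot start
# until the branch resolves. Slicing off the body (BRANCH_PROGRAM[:4]) models
# the not-taken path.
BRANCH_PROGRAM = [
    ("t", ("a", "b")), ("u", ("t", "c")), ("v", ("u", "d")), ("br", ("v",)),
    ("w", ("br", "e", "f")), ("x", ("w", "g")), ("y", ("x", "h")),
]

# The same program after the speculative shuffle: w_, x_, y_ no longer depend
# on the branch. The conditional copy into w, x, y is treated as free, as in
# the text, so only the branch itself still costs a cycle here.
SPECULATIVE_PROGRAM = [
    ("t", ("a", "b")), ("u", ("t", "c")), ("v", ("u", "d")),
    ("w_", ("e", "f")), ("x_", ("w_", "g")), ("y_", ("x_", "h")),
    ("br", ("v",)),
]


def schedule(program, width=2, out_of_order=False):
    """Return the issue groups, one list of destinations per cycle.

    width=1 models a scalar core; width=2 with out_of_order=False an in-order
    two-way superscalar core; out_of_order=True lets later independent
    instructions jump ahead of a stalled one.
    """
    produced = {dst for dst, _ in program}
    # Inputs the program never writes (a, b, c, ...) are available from the start.
    ready = {s for _, srcs in program for s in srcs if s not in produced}
    pending = list(program)
    cycles = []
    while pending:
        issued = []
        for instr in list(pending):
            if len(issued) == width:
                break
            dst, srcs = instr
            if all(s in ready for s in srcs):
                issued.append(dst)
                pending.remove(instr)
            elif not out_of_order:
                break              # in-order: a stall blocks everything behind it
        if not issued:
            raise ValueError("unsatisfiable dependency in program")
        cycles.append(issued)
        ready.update(issued)       # results become usable in the next cycle
    return cycles


def cycle_count(program, width=2, out_of_order=False):
    """Number of cycles the toy core needs for `program`."""
    return len(schedule(program, width, out_of_order))


if __name__ == "__main__":
    for name, prog in (("six-instruction", PROGRAM), ("branch (taken)", BRANCH_PROGRAM),
                       ("speculative", SPECULATIVE_PROGRAM)):
        print(name, "scalar:", cycle_count(prog, 1),
              "in-order 2-way:", cycle_count(prog, 2),
              "out-of-order 2-way:", cycle_count(prog, 2, True))
```

The speculative program comes out at four cycles here because the toy still charges one cycle for the branch; the text treats that as approximately free and quotes three.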

What is a cache?

In the good old days*, the speed of processors was well matched with the speed of memory access. My BBC Micro, with its 2MHz 6502, could execute an instruction roughly every 2µs (microseconds), and had a memory cycle time of 0.25µs. Over the ensuing 35 years, processors have become very much faster, but memory only modestly so: a single Cortex-A53 in a Raspberry Pi 3 can execute an instruction roughly every 0.5ns (nanoseconds), but can take up to 100ns to access main memory.

At first glance, this sounds like a disaster: every time we access memory, we’ll end up waiting for 100ns to get the result back. In this case, this example:

a = mem[0]
b = mem[1]

would take 200ns.

In practice, programs tend to access memory in relatively predictable ways, exhibiting both temporal locality (if I access a location, I’m likely to access it again soon) and spatial locality (if I access a location, I’m likely to access a nearby location soon). Caching takes advantage of these properties to reduce the average cost of access to memory.

A cache is a small on-chip memory, close to the processor, which stores copies of the contents of recently used locations (and their neighbours), so that they are quickly available on subsequent accesses. With caching, the example above will execute in a little over 100ns:

a = mem[0]    # 100ns delay, copies mem[0:15] into cache
b = mem[1]    # mem[1] is in the cache

From the point of view of Spectre and Meltdown, the important point is that if you can time how long a memory access takes, you can determine whether the address you accessed was in the cache (short time) or not (long time).

What is a side channel?

From Wikipedia:

“… a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.”

Spectre and Meltdown are side-channel attacks which deduce the contents of a memory location which should not normally be accessible by using timing to observe whether another location is present in the cache.

Putting it all together

Now let’s look at how speculation and caching combine to permit the Meltdown attack. Consider the following example, which is a user program that sometimes reads from an illegal (kernel) address:

t = a+b
u = t+c
v = u+d
if v:
   w = kern_mem[address]   # if we get here, crash
   x = w&0x100
   y = user_mem[x]

Now our out-of-order two-way superscalar processor shuffles the program like this:

t, w_ = a+b, kern_mem[address]
u, x_ = t+c, w_&0x100
v, y_ = u+d, user_mem[x_]

if v:
   # crash
   w, x, y = w_, x_, y_      # we never get here

Even though the processor always speculatively reads from the kernel address, it must defer the resulting fault until it knows that v was non-zero. On the face of it, this feels safe because either:

  • v is zero, so the result of the illegal read isn’t committed to w
  • v is non-zero, so the program crashes before the read is committed to w

However, suppose we flush our cache before executing the code, and arrange a, b, c, and d so that v is zero. Now, the speculative load in the third cycle:

v, y_ = u+d, user_mem[x_]

will read from either address 0x000 or address 0x100 depending on the eighth bit of the result of the illegal read. Because v is zero, the results of the speculative instructions will be discarded, and execution will continue. If we time a subsequent access to one of those addresses, we can determine which address is in the cache. Congratulations: you’ve just read a single bit from the kernel’s address space!

The real Meltdown exploit is more complex than this, but the principle is the same. Spectre uses a similar approach to subvert software array bounds checks.
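To tie the cache section and the walkthrough above together, here is an added example (not part of the original post) that models both: a line-based cache that reproduces the “little over 100ns” two-load example, and a toy two-way core with a `speculates` switch. It shows the point the post is making about the Pi’s cores: on a core that does not speculate, the body behind `if v:` is never issued while v is zero, so the cache state, and hence any timing, is independent of what kernel memory holds. Line size, latencies and the kernel memory contents are constructed, illustrative values.

```python
# Added example (not part of the original post): a toy model of the cache and
# of the two-way speculative core described in the text. Latencies, line size
# and memory contents are illustrative values, not measurements.

LINE_WORDS = 16            # one line holds mem[0:15], as in the text
HIT_NS, MISS_NS = 1, 100   # illustrative hit/miss latencies

# Constructed sample kernel memory: bit 8 set at 0x10, clear at 0x11.
KERN_MEM = {0x10: 0x1ff, 0x11: 0x0ff}


class Cache:
    """A set of cached line numbers; access() returns the latency in ns."""

    def __init__(self):
        self.lines = set()

    def access(self, addr):
        line = addr // LINE_WORDS
        if line in self.lines:
            return HIT_NS
        self.lines.add(line)       # miss: fill the line and its neighbours
        return MISS_NS

    def flush(self):
        self.lines.clear()


def two_loads_ns():
    """The text's example: a = mem[0] misses, then b = mem[1] hits."""
    cache = Cache()
    return cache.access(0) + cache.access(1)    # 101


class Core:
    """Models the `if v:` branch guarding the body of the text's sketch.

    kern_mem is memory the user program may not read. A core that speculates
    issues the body before v is known and defers the fault; a core that does
    not speculate (ARM1176 / Cortex-A7 / Cortex-A53, per the text) waits for v
    and never issues the body when v is zero.
    """

    def __init__(self, speculates, kern_mem):
        self.speculates = speculates
        self.kern_mem = kern_mem
        self.cache = Cache()

    def _body(self, address):
        """w = kern_mem[address]; x = w & 0x100; y = user_mem[x]."""
        w = self.kern_mem[address]
        x = w & 0x100
        self.cache.access(x)        # the load of user_mem[x] fills a line
        return w, x

    def run(self, v, address):
        """Run the sketch with v already computed; True if it completed."""
        self.cache.flush()          # the text flushes the cache first
        if self.speculates:
            self._body(address)     # issued early; results are discarded
        if v:
            self._body(address)     # architecturally executed: the fault lands
            return False            # the program crashes here
        return True


def cached_after_run(core, address):
    """Which of the lines at 0x000 and 0x100 are cached after run(v=0).

    On a speculating core this depends on bit 8 of kern_mem[address]; on a
    non-speculating core it is always empty, whatever the kernel holds.
    """
    core.run(v=0, address=address)
    return {a for a in (0x000, 0x100) if core.cache.access(a) == HIT_NS}


if __name__ == "__main__":
    print("two loads:", two_loads_ns(), "ns")
    for spec in (True, False):
        core = Core(speculates=spec, kern_mem=KERN_MEM)
        print("speculates" if spec else "no speculation",
              {hex(a): sorted(cached_after_run(core, a)) for a in KERN_MEM})
```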

Conclusion

Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve. Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality.

The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi renders us immune to attacks of this sort.

* days may not be that old, or that good

The post Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown appeared first on Raspberry Pi.

New product! Raspberry Pi Zero W joins the family

via Raspberry Pi

Today is Raspberry Pi’s fifth birthday: it’s five years since we launched the original Raspberry Pi, selling a hundred thousand units in the first day, and setting us on the road to a lifetime total (so far) of over twelve million units. To celebrate, we’re announcing a new product: meet Raspberry Pi Zero W, a new variant of Raspberry Pi Zero with wireless LAN and Bluetooth, priced at only $10.

Multum in parvo

So what’s the story?

In November 2015, we launched Raspberry Pi Zero, the diminutive $5 entry-level Raspberry Pi. This represented a fivefold reduction in cost over the original Model A: it was cheap enough that we could even stick it on the front cover of The MagPi, risking civil insurrection in newsagents throughout the land.

MagPi issue 40: causing trouble for WHSmith (credit: Adam Nicholls)

Over the ensuing fifteen months, Zero grew a camera connector and found its way into everything from miniature arcade cabinets to electric skateboards. Many of these use cases need wireless connectivity. The homebrew “People in Space” indicator in the lobby at Pi Towers is a typical example, with an official wireless dongle hanging off the single USB port: users often end up adding a USB hub to allow them to connect a keyboard, a mouse and a network adapter, and this hub can easily cost more than the Zero itself.

People in SPAAAAAACE

Zero W fixes this problem by integrating more functionality into the core product. It uses the same Cypress CYW43438 wireless chip as Raspberry Pi 3 Model B to provide 802.11n wireless LAN and Bluetooth 4.0 connectivity.

Pi Zero Announcement Video

Music: Orqestruh by SAFAKASH – https://soundcloud.com/safakash

To recap, here’s the full feature list for Zero W:

  • 1GHz, single-core CPU
  • 512MB RAM
  • Mini-HDMI port
  • Micro-USB On-The-Go port
  • Micro-USB power
  • HAT-compatible 40-pin header
  • Composite video and reset headers
  • CSI camera connector
  • 802.11n wireless LAN
  • Bluetooth 4.0

We imagine you’ll find all sorts of uses for Zero W. It makes a better general-purpose computer because you’re less likely to need a hub: if you’re using Bluetooth peripherals you might well end up with nothing at all plugged into the USB port. And of course it’s a great platform for experimenting with IoT applications.

Official case

To accompany Raspberry Pi Zero W, we’ve been working with our friends at Kinneir Dufort and T-Zero to create an official injection-moulded case. This shares the same design language as the official case for the Raspberry Pi 3, and features three interchangeable lids:

  • A blank one
  • One with an aperture to let you access the GPIOs
  • One with an aperture and mounting point for a camera

Three cases for the price of one

The case set also includes a short camera adapter flexi, and a set of rubber feet to make sure your cased Zero or Zero W doesn’t slide off the desk.

New distributors

You may have noticed that we’ve added several new Zero distributors recently: ModMyPi in the UK, pi3g in Germany, Samm Teknoloji in Turkey, Kubii in France, Spain, Italy and Portugal, and Kiwi Electronics in the Netherlands, Belgium and Luxembourg.

Raspberry Pi Zero W is available from all Zero distributors today, with the exception of Micro Center, who should have stock in stores by the end of this week. Check the icons below to find the stockist that’s best for you!


The post New product! Raspberry Pi Zero W joins the family appeared first on Raspberry Pi.

PIXEL for PC and Mac

via Raspberry Pi

Our vision in establishing the Raspberry Pi Foundation was that everyone should be able to afford their own programmable general-purpose computer. The intention has always been that the Raspberry Pi should be a full-featured desktop computer at a $35 price point. In support of this, and in parallel with our hardware development efforts, we’ve made substantial investments in our software stack. These culminated in the launch of PIXEL in September 2016.

PIXEL represents our best guess as to what the majority of users are looking for in a desktop environment: a clean, modern user interface; a curated suite of productivity software and programming tools, both free and proprietary; and the Chromium web browser with useful plugins, including Adobe Flash, preinstalled. And all of this is built on top of Debian, providing instant access to thousands of free applications.

Put simply, it’s the GNU/Linux we would want to use.

The PIXEL desktop on Raspberry Pi

Back in the summer, we asked ourselves one simple question: if we like PIXEL so much, why ask people to buy Raspberry Pi hardware in order to run it? There is a massive installed base of PC and Mac hardware out there, which can run x86 Debian just fine. Could we do something for the owners of those machines?

So, after three months of hard work from Simon and Serge, we have a Christmas treat for you: an experimental version of Debian+PIXEL for x86 platforms. Simply download the image, burn it onto a DVD or flash it onto a USB stick, and boot straight into the familiar PIXEL desktop environment on your PC or Mac. Or go out and buy this month’s issue of The MagPi magazine, in stores tomorrow, which has this rather stylish bootable DVD on the cover.

Our first ever covermount

You’ll find all the applications you’re used to, with the exception of Minecraft and Wolfram Mathematica (we don’t have a licence to put those on any machine that’s not a Raspberry Pi). Because we’re using the venerable i386 architecture variant it should run even on vintage machines like my ThinkPad X40, provided they have at least 512MB of RAM.

The finest laptop ever made, made finer

Why do we think this is worth doing? Two reasons:

  • A school can now run PIXEL on its existing installed base of PCs, just as a student can run PIXEL on her Raspberry Pi at home. She can move back and forth between her computing class or after-school club and home, using exactly the same productivity software and programming tools, in exactly the same desktop environment. There is no learning curve, and no need to tweak her schoolwork to run on two subtly different operating systems.
  • And bringing PIXEL to the PC and Mac keeps us honest. We don’t just want to create the best desktop environment for the Raspberry Pi: we want to create the best desktop environment, period. We know we’re not there yet, but by running PIXEL alongside Windows, Mac OS, and the established desktop GNU/Linux distros, we can more easily see where our weak points are, and work to fix them.

Remember that this is a prototype rather than a final release version. Due to the wide variety of PC and Mac hardware out there, there are likely to be minor issues on some hardware configurations. If we decide that this is something we want to commit to in the long run, we will do our best to address these as they come up. You can help us here – please let us know how you get on in the comments below!

Instructions

Download the image, and either burn it to a DVD or write it to a USB stick. For the latter, we recommend Etcher.

Etcher from resin.io

Insert the DVD or USB stick into your PC or Mac, and turn it on. On a PC, you will generally need to enable booting from optical drive or USB stick in the BIOS, and you will have to ensure that the optical drive or USB stick is ahead of all other drives in the boot order. On a Mac, you’ll need to hold down C during boot*.

If you’ve done that correctly, you will be greeted by a boot screen.

Boot screen

Here you can hit escape to access the boot menu, or do nothing to boot through to the desktop.

Spot the difference: the PIXEL desktop on a PC

* We are aware of an issue on some modern Macs (including, annoyingly, mine – but not Liz’s), where the machine fails to identify the image as bootable. We’ll release an updated image once we’ve got to the bottom of the issue.

Persistence

If you are running from DVD, any files you create, or modifications you make to the system, will of course be lost when you power off the machine. If you are running from a USB stick, the system will by default use any spare space on the device to create a persistence partition, which allows files to persist between sessions. The boot menu provides options to run with or without persistence, or to erase any persistence partition that has been created, allowing you to roll back to a clean install at any time.

Boot menu

Disclaimer

One of the great benefits of the Raspberry Pi is that it is a low-consequence environment for messing about: if you trash your SD card you can just flash another one. This is not always true of your PC or Mac. Consider backing up your system before trying this image.

Raspberry Pi can accept no liability for any loss of data or damage to computer systems from using the image.

The post PIXEL for PC and Mac appeared first on Raspberry Pi.

SUSE Linux Enterprise Server for Raspberry Pi

via Raspberry Pi

Raspberry Pi 3, with its quad-core ARM Cortex-A53 processor, is our first 64-bit product, supporting ARM’s A64 instruction set and the ARMv8-A architecture. However, we’ve not yet taken the opportunity to ship a 64-bit operating system: our Raspbian images are designed to run on every Raspberry Pi, including the 32-bit ARMv6 Raspberry Pi 1 and Raspberry Pi Zero, and the 32-bit ARMv7 Raspberry Pi 2. We use an ARMv6 userland with selected ARMv7 fast paths enabled at run time.

There’s been some great work done in the community. Thanks to some heroic work from forum user Electron752, we have a working 64-bit kernel, and both Ubuntu and Fedora userlands have been run successfully on top of this.

SUSE and ARM distributed these natty cased Raspberry Pi units at last week’s SUSEcon

Which brings us to last week’s announcement: that SUSE have released a version of their Linux Enterprise Server product that supports Raspberry Pi 3.

Why is this important? Because for the first time we have an official 64-bit operating system release from a major vendor, with support for our onboard wireless networking and Bluetooth. SUSE have kindly upstreamed the patches that they needed to make this work, so hopefully official support from other vendors won’t be far behind.

You can download an image here. Give it a spin and let us know what you think.

The post SUSE Linux Enterprise Server for Raspberry Pi appeared first on Raspberry Pi.

The Compute Module – now in an NEC display near you

via Raspberry Pi

Back in April 2014, we launched the Compute Module to provide hardware developers with a way to incorporate Raspberry Pi technology into their own products. Since then we’ve seen it used to build home media players, industrial control systems, and everything in between.

Earlier this week, NEC announced that they would be adding Compute Module support to their next-generation large-format displays, starting with 40″, 48″ and 55″ models in January 2017 and eventually scaling all the way up to a monstrous 98″ (!!) by the end of the year. These are commercial-grade displays designed for use in brightly-lit public spaces such as schools, offices, shops and railway stations.

Believe it or not, these are the small ones.

NEC have already lined up a range of software partners in retail, airport information systems, education and corporate to provide presentation and signage software which runs on the Compute Module platform. You’ll be seeing these roll out in a lot of locations that you visit frequently.

Each display has an internal bay which accepts an adapter board loaded with either the existing Compute Module, or the upcoming Compute Module 3, which incorporates the BCM2837 application processor and 1GB of LPDDR2 memory found on the Raspberry Pi 3 Model B. We’re expecting to do a wider release of Compute Module 3 to everybody around the end of the year.

The Compute Module in situ

We’ve been working on this project with NEC for over a year now, and are very excited that it’s finally seeing the light of day. It’s an incredible vote of confidence in the Raspberry Pi Compute Module platform from a blue-chip hardware vendor, and will hopefully be the first of many.

Now, here’s some guy to tell you more about what’s going on behind the screens you walk past every day on your commute.

‘The Power to Surprise’ live stream at Display Trends Forum 2016 – NEC Teams Up With Raspberry Pi

NEC Display Solutions today announced that it will be sharing an open platform modular approach with Raspberry Pi, enabling a seamless integration of Raspberry Pi’s devices with NEC’s displays. NEC’s leading position in offering the widest product range of display solutions matches perfectly with the Raspberry Pi, the organisation responsible for developing the award-winning range of low-cost, high-performance computers.

The post The Compute Module – now in an NEC display near you appeared first on Raspberry Pi.

Ten millionth Raspberry Pi, and a new kit

via Raspberry Pi

When we started Raspberry Pi, we had a simple goal: to increase the number of people applying to study Computer Science at Cambridge. By putting cheap, programmable computers in the hands of the right young people, we hoped that we might revive some of the sense of excitement about computing that we had back in the 1980s with our Sinclair Spectrums, BBC Micros and Commodore 64s.

At the time, we thought our lifetime volumes might amount to ten thousand units – if we were lucky. There was no expectation that adults would use Raspberry Pi, no expectation of commercial success, and certainly no expectation that four years later we would be manufacturing tens of thousands of units a day in the UK, and exporting Raspberry Pi all over the world.

Less than ten million Raspberry Pis

The first two thousand Raspberry Pis. Each Pi in this pallet now has 5000 siblings.

With this in mind, you can imagine how strange it feels to be able to announce that over the last four and a half years we’ve sold a grand total of ten million Raspberry Pis. Thanks to you, we’ve beaten our wildest dreams by three orders of magnitude, and we’re only just getting started. Every time you buy a Raspberry Pi, you help fund both our ongoing engineering work, and our educational outreach programs, including Code Club and Picademy.

Very early on, we decided that we would offer the bare-bones Raspberry Pi board without accessories: that way, cost-conscious customers get the lowest possible price, provided they can beg or borrow USB peripherals, a power supply and an SD card. Over the years, Raspberry Pi distributors have built on this, producing some fantastic bundles for people who would rather get everything they need from a single source.

To celebrate the ten millionth Raspberry Pi, for the first time we’ve put together our own idea of what the perfect bundle would look like, creating the official Raspberry Pi Starter Kit.

The starter kit, unboxed and ready to go

Inside the minimalist white box (like the official case, another beautiful Kinneir Dufort design), you’ll find:

  • A Raspberry Pi 3 Model B
  • An 8GB NOOBS SD card
  • An official case
  • An official 2.5A multi-region power supply
  • An official 1m HDMI cable
  • An optical mouse and a keyboard with high-quality scissor-switch action
  • A copy of Adventures in Raspberry Pi Foundation Edition

This is an unashamedly premium product: the latest Raspberry Pi, official accessories, the best USB peripherals we could find, and a copy of the highest-rated Raspberry Pi book. The kit is available to order online in the UK from our partners element14 and RS Components, priced at £99+VAT, and will be coming to the rest of the world, and to your favourite reseller, over the next few weeks.

The post Ten millionth Raspberry Pi, and a new kit appeared first on Raspberry Pi.