![\"An](\"https:\/\/nocoffei.com\/wp-content\/uploads\/2023\/09\/Screenshot_20230917_113522-1024x570.png\")
<\/figure>\n\n\n\n![\"An](\"https:\/\/nocoffei.com\/wp-content\/uploads\/2023\/09\/Screenshot_20230917_113611-1024x570.png\")
<\/figure>\n\n\n\n![\"Example](\"https:\/\/nocoffei.com\/wp-content\/uploads\/2023\/09\/Screenshot_20230917_113636-1024x570.png\")
<\/figure>\n\n\n\n![\"Image](\"https:\/\/nocoffei.com\/wp-content\/uploads\/2023\/09\/Screenshot_20230917_113712-1.png\")
<\/figure>\n\n\n\n![\"Image](\"https:\/\/nocoffei.com\/wp-content\/uploads\/2023\/09\/Screenshot_20230917_113836.png\")
Notice that this is much<\/em> less work for the silicon of the device. The compiler<\/em> is the entity responsible for generating parallelism. So instead of carefully analyzing and tracking instructions while they\u2019re in flight, the CPU just has to do dumb execution of the program, knowing that it\u2019s getting massive speedups by executing code in parallel!<\/p>\n Now I must point out that Itanium and its ideas were a failure. This should be obvious, given that it required significant introduction. It struggled to take off in the server space early on, then AMDs 64-bit extensions to x86 killed off any remaining chance of success it had. More importantly, however, the fundamental idea of Itanium\u2013 parallel instruction decoding\u2013 does not work<\/em>. There are two main reasons for this:<\/p>\n Itanium has been dead and forgotten to most for almost 20 years. Obviously, I need to dig it up and making something cool with it. But what? How about a shellcoding challenge?<\/p>\n\n\n\n If I want to make a shellcoding challenge, I\u2019ll have to spin up an environment where I can develop and run code for Itanium.<\/p>\n\n\n\n This ended up taking longer than actually writing the challenge.<\/p>\n\n\n\n The obvious first step is finding a working Itanium system. After all, The Register wrote an article<\/a> about finding many hundreds of Itanium CPUs on eBay. This is true! You too can own your very own Itanium CPU for a mere $30 in the U.S. However, that silicon won\u2019t be especially useful without a motherboard to put it in.<\/p>\n\n\n\n It is not currently possible to purchase a standalone Itanium motherboard.<\/p>\n\n\n\n The next step was looking at purchasing blades for an Itanium server. (Itanium primarily targeted the server market.) With a fair amount of effort searching on eBay, it was possible in April 2022 to find an Itanium blade for $300.<\/p>\n\n\n\n Thankfully, before I dropped $300 on one of these things (quite a lot of money for me to spend on anything, let alone a side project) an IT friend who I was discussing this asinine project with pointed out an important issue to me\u2013 blades typically use bizarre, proprietary power supply connections and fit into a blade chassis which delivers that power. Without a blade chassis ($1500) I would be purchasing a very heavy and expensive paperweight. Thanks, Travis!<\/p>\n\n\n\n As an aside, it seems that at the time of writing (May 2023) it\u2019s become easier to find those blades at that price or even slightly lower (there\u2019s one at $145 right now.) I\u2019m also seeing a single listing for a complete Itanium 2 server (with a standard power supply jack) that was probably released around 2003 at $425. Either way, this wasn\u2019t the case last year, so I moved on to emulation.<\/p>\n\n\n\n A resource I stumbled upon early on was Sergei Trofimovich\u2019s post on the Ski emulator<\/a>, which described how he used it to fix a bug in the kernel. Ski was an emulator developed by HP back when they were building Itanium to test the software they were making on their \u201clegacy\u201d x86 machines. Ski was made in an era when multi-core processors didn\u2019t exist and the Pentium brand name was still the gold standard for quality\u2013 so naturally, it\u2019s a little dated. Thankfully, Trofi had managed to get a version working on modern Linux, and Ski is good enough to bring up an entire OS image! I was able to compile and boot it on my Fedora desktop.<\/p>\n\n\n\n The next step was to get a working OS image. I needed something good enough to develop my shellcoding challenge\u2013 it needed Vim, GCC and GDB. Trofi suggested cross-compiling Gentoo for this task in his article\u2026 But I didn\u2019t have a working knowledge of Gentoo, so I turned to digging through old archives for OS images. I found some CentOS and Debian ISOs, but there was a big problem with them\u2013 Ski has no understanding of ISO images. It can only boot a kernel binary with a raw hard disk image attached, so these DVDs aren\u2019t useful. I ended up reaching out to him and got some excellent, highly detailed instructions on how exactly<\/em> to build the system by creating a Gentoo chroot and setting up environment within it, including some updates for 2022 that would have otherwise caused the finished build to fail to boot. One particular piece of advice is that support for Ski was removed from the kernel in 2019<\/a>, so we\u2019ll have to build a kernel before that time\u2013 4.19.241 will do.<\/p>\n\n\n\n Out of the box, the image that Gentoo built for me had Another friend who had been following along with this story, xxc3nsoredxx<\/a> was a full-time Gentoo user and was able to within minutes point out to me that one of Gentoos strengths is cross-compilation for obscure architectures. A quick tutorial on \n
objdump<\/code> of libc:<\/li>\n<\/ol>\n<\/div>\n<\/main><\/div>\n\n\n\n000000000002e580 <.plt>:\n 2e580: 0b 10 00 1c 00 21 [MMI] mov r2=r14;;\n 2e586: e0 60 28 63 4a 00 addl r14=1218700,r2\n 2e58c: 00 00 04 00 nop.i 0x0;;\n 2e590: 0b 80 20 1c 18 14 [MMI] ld8 r16=[r14],8;;\n 2e596: 10 41 38 30 28 00 ld8 r17=[r14],8\n 2e59c: 00 00 04 00 nop.i 0x0;;\n 2e5a0: 11 08 00 1c 18 10 [MIB] ld8 r1=[r14]\n 2e5a6: 60 88 04 80 03 00 mov b6=r17\n 2e5ac: 60 00 80 00 br.few b6;;\n 2e5b0: 11 78 00 00 00 24 [MIB] mov r15=0\n 2e5b6: 00 00 00 02 00 00 nop.i 0x0\n 2e5bc: d0 ff ff 48 br.few 2e580 <__h_errno@@GLIBC_PRIVATE+0x2e50c>;;\n 2e5c0: 11 78 04 00 00 24 [MIB] mov r15=1\n 2e5c6: 00 00 00 02 00 00 nop.i 0x0\n 2e5cc: c0 ff ff 48 br.few 2e580 <__h_errno@@GLIBC_PRIVATE+0x2e50c>;;<\/code><\/pre>\n\n\n\n\n
\n
You simply can\u2019t know how long your data accesses will take because the interaction of multiple cores running multiple processes which all need to access data, and a modern OS scheduling those processes based on incredibly detailed minutiae, makes it so that data could be anywhere<\/em> in that massive hierarchy. Out of Order CPUs can absorb unexpected massive latency by tracking another execution stream where data is<\/em> ready and executing that instead. The Itanium approach can\u2019t do this. It instead stalls on all<\/em> execution until one<\/em> load in a bundle is finished, even if successive bundles don\u2019t depend on that load.<\/li>\n<\/ul>\n\n\n\nDredging Up The Itanic<\/h2>\n\n\n\n
Ski<\/h2>\n\n\n\n
gcc<\/code> but no other tooling, so I set out to build the tools myself. Ski is, as to be expected, very slow, and building vim<\/code> for starters didn\u2019t go so well. On a Zen 2 desktop, I set it to compile\u2026 and after six hours<\/em> attempting to compile a single file it ran out of memory. Attempting to add more memory to the emulated processor made it lock up, and I had no idea why, but it was clear that \u201cnative\u201d compilation wasn\u2019t the way to go anyway.<\/p>\n\n\n\nemerge<\/code> later, and I was able to successfully build vim<\/code> and gdb<\/code> and run it within Ski.<\/p>\n\n\n\n
\n