ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

[smurphos]

.

Hopefully, Ubuntu/LM will also provide downstream Linux kernel 4.19 in the Update Manager of 32 bit LM 18.x and 17.x.

I'd be surprised if they didn't backport the 32Bit patches once confirmed as 'stable' to their supported LTS kernels (3.13, 4.4, 4.15). That's how they dealt with the original 64bit Spectre patches.

[DAMIEN1307]

you might notice that ive added "foreshadow" into the spectre/meltdown title in the subject bar...at this point, i dont see that any of these flaws can ever truly be "fixed"...but for many years, i have told people that i personally know, (the majority of which did not listen). to never store their passwords, credit card numbers, bank acct. numbers, social security numbers, etc. on their computers...quote from article, "In the wrong hands, speculative execution could give hackers a new way to steal confidential data, such as passwords, from your computer via a piece of malware or even through the browser."...though not any easy target to hit, it can still be done...these friends have always said what i asked them to cease doing this,that it is just too inconvenient for them not to store these type of things on their computers...well thats my rant for the morning, and in case you might ask ?...no, i have never, ever stored anything on my own computers except the OS...everything else i need, including pics, videos, movies, documents etc., i have always stored over the years on floppies, CDs, DVDs, flash fobs etc...with no exceptions...enjoy the article below...DAMIEN

https://www.pcmag.com/news/363105/new-f ... l-protecte

[michael louwe]

Like I said before, anything speculative should not have been put into the CPUs. The faster speed performance was a "FAKE".! Now, Intel reaps what she has sown or karma is her beetch.

Buy AMD CPUs.

[xenopeek]

Another source for the Foreshadow vulnerabilities affecting Intel processors: https://www.kitguru.net/components/cpu/ ... abilities/

• Malicious applications may be able to infer the values of data in the OS memory, or data from other applications.
• A malicious guest VM may be able to infer the values of data in the VM manager’s memory, or values of data in the memory of other guest VMs.
• Malicious software running outside of SMM (system management mode) may be able to infer values of data in SMM memory.
• Malicious software running outside of an Intel SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave

They note:
"This presents numerous problems for those running cloud systems and data centres running their own virtualised hardware and software, as guest operating systems will also require the mitigations in order to remain safe. Sadly, there is a potential performance hit from these mitigations, but it’s almost a non-negotiable trade-off given the security implications."

Ouch. Rumor is Intel's upcoming next processor generation will have hardware fixes for speculative execution bugs. They've postponed their 10nm processors till late 2019/mid 2020 and continue on 14nm till then. Perhaps related.

[thx-1138]

...SGX exists only on 6th-gen & afterwards Intel processors, ie. after 2015 - earlier ones don't have such.
But even on those newer ones, it's totally non-existent in any Linux 'desktop' so far
(personally, i also kinda doubt it will gain considerable attraction any time soon, but who knows...)

...ehhm, no, it's not a "I told you so..." - quite the contrary, it's a mere 2 clicks away in your favorite search engine:
https://software.intel.com/en-us/articl ... plications
1) Feature needs to be explicitly enabled in BIOS...
2) Feature needs the 'secured' apps to be explicitly linked / compiled against Intel's SGX SDK...

To keep it short, something that simple common users shouldn't bother themselves at all
(as such stuff does NOT exist on Mint or other Linux distros so far...)

No comment for the outrageous claims such as that 'speculative execution' should have never been included in cpus, hah!
Even more when such 'statements' have been explained & discarded before:
viewtopic.php?p=1410027#p1410027
&
viewtopic.php?p=1450260#p1450260

[rene]

Even more when such 'statements' have been explained & discarded before

Thank you so much for that. I was busy typing the basically same thing yesterday but ending with a request to Michael to stop abusing the Linux Mint forums for stock manipulation (i.e., he almost must be sitting on a neat stack of AMD stock) when xenopeek posted, making me take the opportunity to think "oh, sod this".

[michael louwe]

https://news.softpedia.com/news/ubuntu- ... 2335.shtml (ubuntu-debian-rhel-and-centos-linux-now-patched-against-foreshadow-attacks - 16 Aug 2018)

[xenopeek]

For the upcoming "Cascade Lake" CPUs Intel adds mitigation in hardware for half the variants, which should have much less performance impact than the mitigation in firmware/OS previously used.

AnandTech have the full story: https://www.anandtech.com/show/13239/in ... scade-lake

[michael louwe]

https://www.zdnet.com/article/intel-gag ... e-patches/ (Intel 'gags' Linux distros from revealing performance hit from Spectre patches; You can test performance after using our patches, but don't publish the results, say Intel's new license terms. By Liam Tung | August 23, 2018 )

Looks like the performance hit must be pretty bad for Intel to issue a gag order.

[xenopeek]

https://www.zdnet.com/article/intel-gag ... e-patches/ (Intel 'gags' Linux distros from revealing performance hit from Spectre patches; You can test performance after using our patches, but don't publish the results, say Intel's new license terms. By Liam Tung | August 23, 2018 )

Intel has already amended their license and the above is no longer the case. See: https://www.kitguru.net/components/cpu/ ... g-its-tcs/. Probably somebody got overzealous... The license is now a trivial "include this copyright, don't use our name to promote your product and don't reverse engineer the binary".

[Spearmint2]

https://www.zdnet.com/article/intel-gag ... e-patches/ (Intel 'gags' Linux distros from revealing performance hit from Spectre patches; You can test performance after using our patches, but don't publish the results, say Intel's new license terms. By Liam Tung | August 23, 2018 )

Looks like the performance hit must be pretty bad for Intel to issue a gag order.

I don't even think that would be legally acceptable. Just because something is written into a "license" doesn't by itself mean it's based on something that when challenged would prove to be legal in a court of law. Benchmarking of computer components has a long legal history. Anyone doing the benchmarking isn't testing the "software" per se, but the performance of the CPU itself under a different condition than previously existed. All this "statement" does is further put us on notice that Intel has a BIG reduced performance problem dealing with these potential exploits. That's not the fault of the users of such processors, nor of the benchmarking sites which explore the difference in performance, but is the fault of Intel's CPU and "fixes".

[Spearmint2]

Intel has already amended their license and the above is no longer the case. See: https://www.kitguru.net/components/cpu/ ... g-its-tcs/. Probably somebody got overzealous... The license is now a trivial "include this copyright, don't use our name to promote your product and don't reverse engineer the binary".

And the Lawsuits begin.

https://www.cnet.com/news/class-action- ... aws-surge/

Intel says that since the beginning of January it has been hit with 30 consumer and two securities-related class-action suits over the Spectre and Meltdown vulnerabilities in its processors revealed in 2017.
In the section "Litigation related to Security Vulnerabilities" of the 10-K statement Intel released this week the chipmaker states:

[Arch_Enemy]

Intel has already amended their license and the above is no longer the case. See: https://www.kitguru.net/components/cpu/ ... g-its-tcs/. Probably somebody got overzealous... The license is now a trivial "include this copyright, don't use our name to promote your product and don't reverse engineer the binary".

And the Lawsuits begin.

https://www.cnet.com/news/class-action- ... aws-surge/

Intel says that since the beginning of January it has been hit with 30 consumer and two securities-related class-action suits over the Spectre and Meltdown vulnerabilities in its processors revealed in 2017.
In the section "Litigation related to Security Vulnerabilities" of the 10-K statement Intel released this week the chipmaker states:

I got my cpu for nothing from a server that had been decommissioned, so I don't suppose I'm entitled to anything...