ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 30 days after creation.
-
- Level 3
- Posts: 116
- Joined: Sun Jun 17, 2012 12:14 am
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Site isolation - is it still needed for Chromium and Firefox?
I read somewhere on linux mint forum maybe 7-10 days ago that the newest firefox had been patched and was ok and that site isolation for chromium was needed as a temporary measure until the next chromium update.
Since then, I have had firefox updated once and chromium updated once.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Firefox already has mitigation in place against Meltdown and Spectre. JavaScript malware on websites can't exploit these bugs on Firefox. Site isolation isn't needed for that.
Chromium explains here what site isolation is for and what issue you may have with it enabled: https://www.chromium.org/Home/chromium- ... -isolation
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
http://sea.pcmag.com/news/19298/intel-c ... rrive-this (dated 26 Jan 2018)(Intel Chips With Meltdown, Spectre Protection to Arrive This Year)
The first Intel chips with built-in protections against the Meltdown and Spectre threats will start arriving later this year.
The protections involve "silicon-based changes" to the company's future processors, Intel CEO Brian Krzanich said in a Thursday earnings call.
8th-gen Intel CoffeeLake and KabyLake-Refresh silicons/CPUs have already just been released. This means the above likely refers to the coming 9th-gen Intel CannonLake and CoffeeLake-Refresh CPUs.
The above Intel CPUs will also have Meltdown & Spectre performance-hits built-in, eg 30% built-in performance-hit or degradation for most servers, especially Cloud servers. No wonder web-browsing seems slower nowadays. AMD silicons/CPUs should be a better choice.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Google Chrome version 64 has the Meltdown and Spectre mitigation as well: https://www.phoronix.com/scan.php?page= ... 4-Released
- Arch_Enemy
- Level 6
- Posts: 1491
- Joined: Tue Apr 26, 2016 3:28 pm
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Thanks, guys. Got it.
I have travelled 37629424162.9 miles in my lifetime
One thing I would suggest, create a partition as a 50G partition as /. Partition the rest as /Home. IF the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.
- Spearmint2
- Level 16
- Posts: 6900
- Joined: Sat May 04, 2013 1:41 pm
- Location: Maryland, USA
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
michael louwe wrote:http://sea.pcmag.com/news/19298/intel-c ... rrive-this (dated 26 Jan 2018) (Intel Chips With Meltdown, Spectre Protection to Arrive This Year). The first Intel chips with built-in protections against the Meltdown and Spectre threats will start arriving later this year.
The protections involve "silicon-based changes" to the company's future processors, Intel CEO Brian Krzanich said in a Thursday earnings call.
8th-gen Intel CoffeeLake and KabyLake-Refresh silicons/CPUs have already just been released. This means the above likely refers to the coming 9th-gen Intel CannonLake and CoffeeLake-Refresh CPUs.
The above Intel CPUs will also have Meltdown & Spectre performance-hits built-in, eg 30% built-in performance-hit or degradation for most servers, especially Cloud servers. No wonder web-browsing seems slower nowadays. AMD silicons/CPUs should be a better choice.
HAH! I wouldn't get one of those, considering how they messed up the past couple of "fixes" for Meltdown they've released.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Perhaps someone could translate this? There's a link to a Linus Torvalds rant, and a link that's included in that article.
https://www.theregister.co.uk/2018/01/2 ... fix_linux/
https://lkml.org/lkml/2018/1/22/598
Are they saying that Intel is "running away" from the problem?
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Pat D wrote:Are they saying that Intel is "running away" from the problem?
What Linus is saying seems to be more that Intel is running away from liability.
It appears that Intel is, according to Linus, not offering a realistic solution/mitigation of Spectre 2 with those patches. What's on the table in that thread is use of through microcode-updates provided opt-in CPU behaviour which when enabled "goes through the motions" but which is first according to him in some ways nonsensical and which will second not be enabled anyway due to high cost in terms of speed. He as such has a hard time believing that those patches are seriously trying to mitigate Spectre 2 rather than just mitigate liability --- and seems not fully pleased with such.
Only a bit further down-thread is a fairly good explanation/rebuttal by David Woodhouse though: https://lkml.org/lkml/2018/1/22/598. Let as such us, the peanut gallery, not immediately take Linus' "unmitigated" word for it; better, let us take his word exactly for what it is: an objection on technical grounds, even if with implied non-technical motivational suspicions, offered in no uncertain terms as is usual for the open Linux development model; as is usual for most any deeply technical discussion, either open or closed.
The Register seems to in the last few years come close to what I would find to be an IT equivalent of https://www.usmagazine.com/; not close to something you should refer to often.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
The Register seems to in the last few years come close to what I would find to be an IT equivalent of https://www.usmagazine.com/; not close to something you should refer to often.
Yea, I know, I just happened on it and followed the link to see if it was real. Sounds to me that Intel says that "their" problem is now "our" problem. (Expletive deleted. lol)
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Pat D wrote:Sounds to me that Intel says that "their" problem is now "our" problem. (Expletive deleted. lol)
After reading David Woodhouse's above linked rebuttal a few more times I would myself actually more go with a "Linus is full of it" theory for now.
The main stated technical objection from Linus is the nonsensicality of expensive MSR writes on kernel entry/exit that protect the kernel itself even though said kernel already has a low cost and fully software-implemented solution available in the form of retpoline; see https://security.googleblog.com/2018/01 ... cpu_4.html if interested. But David explains that, 1, the expensive method was developed before retpoline was even available; that, 2, said method covers kernels built without retpoline (for which specific compiler support is needed) and moreover, 3, covers Skylake which retpoline does not fully. That it is a fallback method "for now" and for Skylake.
I find myself to be fairly peanut-convinced there; this to reflect worse on Intel than in fact seems called for. Which, once again, does not in fact matter as long as you take Linus' posts for what they are: parts of a technical discussion.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
@ PatD, .......
PatD wrote:...
Linus's 22 Jan comment that Intel's CPU patches for Spectre 2 are Garbage is quite true, as verified by what followed on 23 Jan ... http://www.zdnet.com/article/intel-stop ... er-notice/ (Intel: Stop firmware patching until further notice)
Spectre 2 requires both the OS kernel AND CPU microcode to be patched, ie they have to be made to work together in order to patch Spectre 2 with the IBRS and IBPB features.
... Linus is the main Linux kernel developer. So, he probably had some difficulties with the Intel developers trying to get the Linux kernel to work in sync with the Intel microcodes. He was likely proven right that the Intel developers were !@#$%^&.
Buggy BIOS firmware updates for Windows are downright nasty because they are mostly uninstallable or irreversible = can brick computers. Intel should compensate those who had applied their BIOS firmware update(Windows) or 20180108 microcode update(Linux) and ended up with bricked computers/servers.
P S - Intel's recent buggy CPU patches only applied to CPUs that are not more than 5 years old.
-
- Level 6
- Posts: 1282
- Joined: Mon Nov 24, 2014 9:17 am
- Location: Chrząszczyżewoszyce, powiat Łękołody
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
michael louwe wrote:Buggy BIOS firmware updates for Windows are downright nasty because they are mostly uninstallable or irreversible = can brick computers.
Last millennium each motherboard had the jumper "reset BIOS to default".
Windows assumes I'm stupid but Linux demands proof of it
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
...so, Canonical's kernels do have backported / implemented IBRS since a couple of weeks...but if i've understood correctly, current upstream 4.15-final (released yesterday) doesn't enable full IBRS (yet) but uses retpoline mitigations instead?...
https://kernelnewbies.org/Linux_4.15#Meltdown.2FSpectre
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
@ thx1138, .......
thx-1138 wrote:...so, Canonical's kernels do have backported / implemented IBRS since a couple of weeks...but if i've understood correctly, current upstream 4.15-final (released yesterday) doesn't enable full IBRS (yet) but uses retpoline mitigations instead?...
https://kernelnewbies.org/Linux_4.15#Meltdown.2FSpectre
Linux kernel upgrades can be considered as cumulative, ie kernel 4.15 has changes added to kernel 4.14 and kernel 4.14 had changes added to kernel 4.13. At the same time, old or ancient changes may be removed, eg device drivers for 20 years old devices.
Linus Torvalds/kernel.org's kernel 4.14 already has the patches for Meltdown(= KPTI) and Spectre(= IBRS and IBPB), mostly for amd64 or 64bit systems. According to your link, kernel.org are only adding the Meltdown patch for x86 or 32bit systems and the retpoline feature to kernel 4.15. IOW, retpoline supplements IBRS and IBPB.
... For the Intel microcode update to patch for Spectre 2, the Linux kernel must have the patch for Spectre 2 also, ie both patches have the IBRS and IBPB features and they work together to mitigate against Spectre 2, like husband and wife. They can't work alone.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
Thanks Michael. The reason I am confused is because Canonical had added IBRS (in their 4.4x / 4.13.x etc), while upstream the devs were still arguing if such should be added by default in 4.15.x (due to its severe performance penalty)...
Somehow i had this hope (performance-wise) that maybe 4.15 & above will only do amends with retpoline instead...that IBRS won't be 'standardized'...
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
thx-1138 wrote:Reason i am confused is because Canonical had added IBRS (in their 4.4x / 4.13.x etc), while upstream the devs were still arguing if such should be added by default in 4.15.x [ ... ]
Michael's reply is unfortunately incorrect; indeed upstream 4.15 does not feature IBRS support. Status is that the IBRS kernel patches have been put "back on the slow track" (normal track rather) while retpoline offers kernel-side protection against Spectre 2.
Note that CPU-side IBRS support, which is needed to have any use for kernel-side IBRS support, has at the moment in fact also been put on hold by Intel; they currently advise to not install their IBRS-supplying microcode due to instability. You are as such not missing out even if running vanilla 4.15. More to the point: as Spectre 2 mitigations go, IBRS blows small farm animals anyway; with retpoline (and RBS it seems) the problem is kernel-side "mostly" dealt with; the remainder can given its implications go through the normal review-and-tweak process; is as per my own reply above really relevant only for kernels compiled not by a retpoline-capable compiler and a few corner cases anyway.
Well, kernel-side. Given that not all of userspace is on existing systems going to be recompiled it would appear that for some users Ubuntu's backporting of the IBRS patchset may make the Ubuntu kernels a better option than running 4.15 vanilla, assuming they have or will have updated microcode as well. Still only some mind you and very few at that: we're at that point defending against userspace snooping on userspace, i.e., in multiple untrusted VM situations and the like; hardly a standard environment and definitely one where an admin will/should know what he's updating to and when to do so.
Anyone should of course feel free to install and run whichever level of mitigation he or she feels comfortable with, but I would note that IBRS not being featured in 4.15 vanilla does say something about the point of view of developers who in fact understand what this is all about.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
rene, i owe you a beer for this (the mailing lists' back&forth extra-technical arguments made my head dizzy there) - thank you for detailed reply!
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
@ rene, .......
rene wrote:...
REFERENCE; https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown
If what you say is correct, ie the latest Linux kernel 4.15 has removed the IBRS feature for Spectre 2, then shouldn't affected LM users also have to remove Linux kernels 3.13.141, 4.4.112 and 4.13.31 or .32 which contain the patch for Spectre 2, namely the IBRS and IBPB features?
Previously, on 9 Jan 2018, 64bit Linux kernels 3.13.139, 4.4.108 & 109 and 4.13.25 & 26 were released by Ubuntu to patch Meltdown, namely the KPTI feature. 32bit LM systems were not covered. Kernel 4.13.25 was found to be buggy and quickly replaced by 4.13.26.
64bit LM users who have installed and are running kernel 3.13.141, 4.4.112 or 4.13.32 are patched for both Meltdown and Spectre(1 & 2), ie the KPTI, IBRS and IBPB features = kernel upgrades/updates are cumulative-like.
... 32bit LM users were only patched for Spectre 1.
Please refer to ... http://news.softpedia.com/news/linux-ke ... 9215.shtml (dated 4 Jan 2018 - Linux Kernels 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97 Patch Meltdown Flaw)
http://news.softpedia.com/news/linux-ke ... 9427.shtml (dated 17 Jan 2018 - Linux Kernels 4.14.14, 4.9.77, 4.4.112, and 3.18.92 Released with Security Fixes)
These new kernels come just one week after their previous releases to add more x86 updates to protect users against the Meltdown and Spectre security vulnerabilities disclosed earlier this month.
http://news.softpedia.com/news/linux-ke ... 9579.shtml (dated 28 Jan 2018 - Linux Kernel 4.15 Officially Released, Includes Patches for Meltdown and Spectre)
Linux kernel 4.15 is the first kernel series to be fully patched against the Meltdown and Spectre security vulnerabilities, but only for the x86 and PowerPC (PPC) architectures.
Maybe your statement is incorrect. Let's wait for confirmation.
UPDATE; http://lkml.iu.edu/hypermail/linux/kern ... 02794.html
Linus Torvalds' release statement for Linux kernel 4.15 does not mention anything about removing the IBRS feature for Spectre 2. He mentioned adding the Retpoline feature for Spectre 2.
Last edited by michael louwe on Mon Jan 29, 2018 2:34 pm, edited 1 time in total.
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
It is claimed in this article that Intel notified Chinese tech companies of Meltdown and Spectre prior to their notification to US authorities, and that therefore plausibly the Chinese government became aware before the US government...
I guess that explains the reason for some of the questions asked in the recent letter from Congress.
http://uk.pcmag.com/news/93088/timing-o ... es-concern
Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)
michael louwe wrote:If what you say is correct, ie the latest Linux kernel 4.15 has removed the IBRS feature for Spectre 2 [ ... ]
The upstream 4.15 kernel has not removed IBRS support: IBRS support has up to now never been part of the upstream kernel. Note that Ubuntu kernels are not (generally) unmodified upstream kernels; in this case Ubuntu has backported the Intel IBRS patches to their supported kernels even though the upstream kernel has not merged them and likely will not in their current form.
The source I can find that states this most clearly is https://www.phoronix.com/scan.php?page= ... re-Kernels but you of course don't have to rely on his, my or anyone else's word. Ubuntu makes it easy to install vanilla ("mainline") kernels and has 4.15 available at http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/. If you install and boot it you will find you no longer have IBRS support available. Such as determined by, for example, the spectre-meltdown-checker.sh script, or simply by noting that on a current standard Ubuntu kernel you have:
$ ls -l /proc/sys/kernel/ib*
-rw-r--r-- 1 root root 0 jan 29 20:48 /proc/sys/kernel/ibpb_enabled
-rw-r--r-- 1 root root 0 jan 29 20:48 /proc/sys/kernel/ibrs_dump
-rw-r--r-- 1 root root 0 jan 29 20:48 /proc/sys/kernel/ibrs_enabled
While distribution-kernels deviating from mainline is generally speaking a bit of a nuisance it's in this case also quite proper. As referred to above, retpoline is quite sufficient for an overwhelming majority of use cases --- assuming the kernel's built with a retpoline-enabled compiler and you don't do overly funky userspace things. Distribution kernels though have the widest target audience; need to just work.
Shall do my utmost to refrain from saying that this is true especially in the security context, with the truly absurd number of rebels-without-a-clue playing The Matrix around the edges, speaking of and loudly denouncing things they do not understand. Please don't underestimate that: that's very hard for me to refrain from...
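As an added example (not code from the post above, nor from Ubuntu or kernel.org), here is a small POSIX shell script that performs the check rene describes without the external spectre-meltdown-checker.sh: it reads the kernel's own per-issue report under /sys/devices/system/cpu/vulnerabilities (present on mainline kernels from 4.15 on; each file begins with "Not affected", "Mitigation: ..." or "Vulnerable"), and separately tests for the /proc/sys/kernel/ibrs_enabled and ibpb_enabled files from the ls output above, whose presence marks an Ubuntu kernel carrying the IBRS backport rather than a vanilla 4.15. The directory arguments to each function are there so the logic can be exercised against constructed files; on a real system the defaults are used.

```shell
#!/bin/sh
# Added example: summarise the running kernel's Spectre/Meltdown mitigation
# status. Assumptions (not taken from the forum post):
#  - mainline kernels >= 4.15 expose one file per issue under
#    /sys/devices/system/cpu/vulnerabilities (meltdown, spectre_v1, spectre_v2)
#    whose text starts with "Not affected", "Mitigation: ..." or "Vulnerable";
#  - only Ubuntu kernels with the backported IBRS patchset expose
#    /proc/sys/kernel/ibrs_enabled and ibpb_enabled; vanilla 4.15 does not.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
SYSCTL_DIR=/proc/sys/kernel

# classify_status "<file text>" -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulnerabilities [dir]: one line per sysfs file with its classification.
report_vulnerabilities() {
    d="${1:-$VULN_DIR}"
    if [ ! -d "$d" ]; then
        echo "$d missing: kernel predates 4.15 or lacks the sysfs report"
        return 0
    fi
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        printf '%-24s %-13s %s\n' "${f##*/}" "$(classify_status "$raw")" "$raw"
    done
}

# count_vulnerable [dir] -> number of files still reporting "Vulnerable"
# (0 when the directory does not exist, since the glob then matches nothing).
count_vulnerable() {
    d="${1:-$VULN_DIR}"
    n=0
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# has_ubuntu_ibrs_sysctls [dir] -> yes | no; both files present is what
# distinguishes the Ubuntu IBRS backport from an unmodified mainline kernel.
has_ubuntu_ibrs_sysctls() {
    d="${1:-$SYSCTL_DIR}"
    if [ -e "$d/ibrs_enabled" ] && [ -e "$d/ibpb_enabled" ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: report on the running kernel.
report_vulnerabilities
echo "files still reporting Vulnerable: $(count_vulnerable)"
echo "Ubuntu IBRS/IBPB sysctls present: $(has_ubuntu_ibrs_sysctls)"
if [ -r "$SYSCTL_DIR/ibrs_enabled" ] && [ -r "$SYSCTL_DIR/ibpb_enabled" ]; then
    echo "ibrs_enabled=$(cat "$SYSCTL_DIR/ibrs_enabled") ibpb_enabled=$(cat "$SYSCTL_DIR/ibpb_enabled")"
fi
```

Run it as an ordinary user on both a distribution kernel and a mainline one: the sysfs report shows which mitigation (PTI, retpoline, ...) the kernel itself believes is active, while the sysctl check shows whether the IBRS backport is even present, which is the distinction rene draws between Ubuntu's kernels and vanilla 4.15.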