ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

buffest_overflow

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by buffest_overflow »

It is meant to say cpu_insecure and that is what it will say so from now on in patched kernels when running under affected processors. It won't say such on: 1) unpatched kernels & 2) corrected processors if / when they appear in the market...
Thank you! This thread has cleared up many things for me. I appreciate the help.
michael louwe

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

To recap, AFAIK:

BIOS firmware updates for CPUs apply to Windows and MacOS, while Linux may use microcode software updates.
… If the BIOS firmware for your computer’s CPU has been updated through Windows or MacOS, you do not need to apply the Linux microcode software update, eg for those who dual-boot.

Wrt Meltdown & Spectre, the BIOS firmware or microcode software updates for Intel and AMD CPUs are to patch Spectre 2(= CVE-2017-5715), for both 32bit and 64bit systems.

Wrt the Spectre 2 vulnerability, Intel has announced that they are beginning to only patch CPUs that are not more than 5 years old, ie 3rd-gen Ivy Town(= Xeon) and 4th-gen Haswell or newer = released BIOS firmware updates to the OEMs and microcode software updates(= 20180108) to Linux developers. These updates have proven to be buggy, have been pulled by Intel and replaced by a new reverting update.
… Patches for 3rd-gen Ivy Bridge or older will be released by Intel later.

Meltdown(= CVE-2017-5754) is patched by the OS kernels, ie the kpti feature.

Spectre 1(= CVE-2017-5753) is patched by the OS kernels(= binary code recompiler) or updates to apps/programs, eg browsers.

Spectre 2(= CVE-2017-5715) is patched by the OS kernels and CPU, ie the ibrs and ibpb features.

On 4 Jan 2018, M$ have issued Windows kernel updates for Meltdown, Spectre 1 and Spectre 2. But M$’s Meltdown patch does not yet cover 32bit Windows.
… As of today, Ubuntu have already released 64bit kernel updates for Meltdown, Spectre 2 and Spectre 1. 32bit Ubuntu/LM kernels are only patched for Spectre 1. They will have to wait their turn since 32bit systems are in the minority.
... Most browsers have been patched for Spectre 1.
Last edited by michael louwe on Wed Jan 24, 2018 8:54 am, edited 5 times in total.
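A small checker, added here as an example (it is not from this thread or from any distribution), that reads the two places a patched Linux kernel reports what the recap above describes: the "bugs" field of /proc/cpuinfo, where cpu_insecure (later renamed cpu_meltdown) shows up on affected processors, and the per-issue files under /sys/devices/system/cpu/vulnerabilities, which say whether the running kernel actually mitigates each one (kpti for Meltdown, retpoline/ibrs/ibpb for Spectre 2). The /proc/cpuinfo and sysfs contents in the code are constructed samples; assess_live() reads the real system when run on Linux, and on a kernel too old to expose the sysfs files it reports "affected" or "unknown" rather than guessing.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of /proc/cpuinfo for one core. Early-2018 x86 kernels list
# the CPU errata they know about in the "bugs" field; 4.14.11/4.14.12 printed
# cpu_insecure there, and 4.14.13 and later renamed it cpu_meltdown.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Constructed sample CPU\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep\n"
    "bugs\t\t: cpu_insecure spectre_v1 spectre_v2\n"
)

# Constructed sample of /sys/devices/system/cpu/vulnerabilities/* as a kernel
# with PTI but without a retpoline build or IBRS microcode would report it.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable\n",
}

BUG_ALIASES = {"cpu_insecure": "cpu_meltdown"}  # old flag name -> current name
CHECKS = (("cpu_meltdown", "meltdown"),
          ("spectre_v1", "spectre_v1"),
          ("spectre_v2", "spectre_v2"))


def cpu_bugs(cpuinfo_text):
    """Bug flags from the first 'bugs' line, or None if the kernel prints none."""
    for line in cpuinfo_text.splitlines():
        m = re.match(r"^bugs\s*:\s*(.*)$", line)
        if m:
            return {BUG_ALIASES.get(tok, tok) for tok in m.group(1).split()}
    return None


def read_vulnerabilities(vuln_dir):
    """Contents of every file in the sysfs vulnerabilities dir (empty if absent)."""
    path = Path(vuln_dir)
    if not path.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(path.iterdir()) if p.is_file()}


def classify(status_text):
    """Map the free-text sysfs status to one of four states."""
    lower = status_text.lower()
    if lower.startswith("not affected"):
        return "not_affected"
    if lower.startswith("mitigation:"):
        return "mitigated"
    if lower.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(cpuinfo_text, vuln_dir):
    """sysfs is authoritative when present; otherwise fall back to the bug flags,
    which only say whether the silicon is affected, not whether it is mitigated."""
    bugs = cpu_bugs(cpuinfo_text) or set()
    vulns = read_vulnerabilities(vuln_dir)
    known = {bug for bug, _ in CHECKS}
    # A kernel that knows these flags sets at least one of them on affected
    # silicon; if none is set we cannot tell an old kernel from a clean CPU.
    kernel_aware = bool(bugs & known)
    report = {}
    for bug, name in CHECKS:
        if name in vulns:
            report[name] = classify(vulns[name])
        elif not kernel_aware:
            report[name] = "unknown"       # kernel predates the flags entirely
        elif bug in bugs:
            report[name] = "affected"      # flagged CPU, no mitigation reporting yet
        else:
            report[name] = "not_affected"  # aware kernel chose not to flag it
    return report


def write_sample_tree():
    """Materialise the constructed samples so the live code path runs offline."""
    base = Path(tempfile.mkdtemp(prefix="spectre-demo-"))
    (base / "cpuinfo").write_text(SAMPLE_CPUINFO)
    vdir = base / "vulnerabilities"
    vdir.mkdir()
    for name, text in SAMPLE_VULNS.items():
        (vdir / name).write_text(text)
    return base


def assess_sample():
    base = write_sample_tree()
    return assess((base / "cpuinfo").read_text(), base / "vulnerabilities")


def assess_live():
    """Run against the real machine (Linux only)."""
    return assess(Path("/proc/cpuinfo").read_text(),
                  "/sys/devices/system/cpu/vulnerabilities")


if __name__ == "__main__":
    for name, state in assess_sample().items():
        print("%-11s %s" % (name, state))
```

The sample reports Meltdown as mitigated (PTI) and both Spectre variants as still vulnerable, which is the state a 4.14.1x kernel without a retpoline build or IBRS microcode would have shown in January 2018; on a live system the same call tells you whether the updates you applied actually took effect, which a package version alone does not.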
Harfud
Level 2
Posts: 90
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud »

I have to share this email with a friend...

https://www.slashgear.com/intel-messed- ... -23516849/

Forget the questions regarding the initial design of the chips and start from the moment that Intel were informed that there was a problem...

Forget the large scale sale of stock as that's a non technical matter, although it may betray attitudes...

The Intel response to this has been hopeless.

Debian, Red Hat, (not sure about Slackware) M$, Canonical, Mozilla, Chromium, Linux kernel devs, have all done their part - They have all patched the product that they're responsible for.

Yet Intel instruct to withdraw their new microcode which patched only a percentage of under five year old processors anyhow, after a balls up, to arrive at a situation where nothing Intel is patched at all - Most people probably don't realise that their latest microcode update is a regression to the pre Meltdown / Spectre version.

Anybody who has applied all patches is protected against Meltdown and Spectre 1 no thanks at all to Intel.

Nobody is protected against Spectre 2 despite everybody but Intel having done all that they can, the fact that nobody is protected is due entirely to Intel who as things stand have withdrawn even the limited amount of microcode that they have produced.

No wonder Linus Torvalds was up in arms, Intel have been hopeless.
BigEasy
Level 6
Posts: 1282
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by BigEasy »

Harfud wrote: Debian, Red Hat, (not sure about Slackware) M$, Canonical, Mozilla, Chromium, Linux kernel devs, have all done their part - They have all patched the product that they're responsible for.
Mistake of Canonical: https://askubuntu.com/questions/994067/ ... 08-generic
Mistake of Microsoft: https://www.theverge.com/2018/1/9/16867 ... pcs-issues
Yet Intel instruct to withdraw their new microcode which patched only a percentage of under five year old processors anyhow, after a balls up, to arrive at a situation where nothing Intel is patched at all - Most people probably don't realise that their latest microcode update is a regression to the pre Meltdown / Spectre version.
Intel made mistake too.
Windows assumes I'm stupid but Linux demands proof of it
ArtGirl

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by ArtGirl »

Harfud wrote: ... Intel instruct to withdraw their new microcode which patched only a percentage of under five year old processors anyhow, after a balls up, to arrive at a situation where nothing Intel is patched at all - Most people probably don't realise that their latest microcode update is a regression to the pre Meltdown / Spectre version.
Anybody who has applied all patches is protected against Meltdown and Spectre 1 no thanks at all to Intel.
No wonder Linus Torvalds was up in arms, Intel have been hopeless.
Had just regressed the microcode, presuming it contained the patches, and thinking there'd be more included (will need to use the deb file to correct the regression). I entirely agree; Intel seem to just be sitting back enjoying the deliberate chaos, while everyone else works at making systems as safe as possible.
Last edited by ArtGirl on Thu Jan 25, 2018 7:04 am, edited 1 time in total.
norm.h
Level 5
Posts: 690
Joined: Tue Mar 23, 2010 11:45 am
Location: Oxfordshire, UK

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by norm.h »

Puts me in mind of the "Dad's Army" saying: "Don't panic Mr Mainwaring"
But haven't many of us done just that?
Moem
Level 22
Posts: 16226
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Moem »

Panicked? Nahh.
Applied patches, or so we thought? Sure.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Harfud
Level 2
Posts: 90
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud »

US Congress are asking Meltdown and Spectre questions...

https://energycommerce.house.gov/wp-con ... etters.pdf
xenopeek
Level 25
Posts: 29509
Joined: Wed Jul 06, 2011 3:58 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by xenopeek »

Harfud wrote:US Congress are asking Meltdown and Spectre questions...

https://energycommerce.house.gov/wp-con ... etters.pdf
CEOs of Apple, Amazon, AMD, ARM, Google, Intel and Microsoft all tasked to answer why they kept knowledge about Meltdown and Spectre bugs under wraps for 6 months. Wow.
michael louwe

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

http://news.softpedia.com/news/linux-ke ... 9537.shtml (Linux Kernels 4.14.15, 4.9.78, and 4.4.113 Bring x86 and PowerPC Security Fixes to mitigate the severe Meltdown and Spectre vulnerabilities. )
= Canonical-Ubuntu will soon release Linux kernel updates to patch Meltdown and Spectre 2 for x86 or 32bit systems.

http://www.zdnet.com/article/linux-and- ... tre-patch/ (Linux and Intel slowly hack their way to a Spectre patch)
= Windows and MacOS do not need to do as Linux because Intel CPU patches come as BIOS firmware updates, ie not software updates.

Fyi, CPU microcode software updates for Linux are cumulative but not mandatory, ie unlike Win 10's mandatory cumulative updates. Presently, the Intel microcode 20180108 update tar.gz file is 3.51MB in size. After extraction/decompression = 6.5MB. In another 10 years, will it double in size?
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 »

michael louwe wrote:Fyi, CPU microcode software updates for Linux are cumulative but not mandatory, ie unlike Win 10's mandatory cumulative updates. Presently, the Intel microcode 20180108 update tar.gz file is 3.51MB in size. After extraction/decompression = 6.5MB. In another 10 years, will it double in size.?
$ iucode_tool -L microcode-20080220.dat
148 signatures, 1.1mb in total

$ iucode_tool -L microcode-20180108.dat
164 signatures, 4.6mb in total
Or...
20150121 - intel-ucode directory:
44 items, totalling 491,0 KiB

20171117 - intel-ucode directory:
94 items, totalling 1,5 MiB
The more crap that they (need to) fix, the bigger it will become, yes...
(unless they decide to drop altogether distributing microcodes for older processors or similar...)
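To show what iucode_tool is counting in the listings above, here is an added example (written for this thread; it is not part of the post and not iucode_tool's code) that parses a bundle of Intel microcode updates: the 48-byte header with its BCD date, processor signature and dword checksum, plus the optional extended signature table that lets one update serve several CPU signatures, which is why a bundle has more signatures than files. The bundle it parses is constructed with Haswell- and Skylake-style signatures and made-up revisions and dates; genuine updates also carry an Intel signature that the CPU verifies, which this code does not check. It also converts the text .dat form Intel distributes into bytes, so the same parser handles both layouts.

```python
import re
import struct

# Intel microcode update layout (Intel SDM vol. 3, microcode update section):
# a 48-byte header, the update data, then optionally an extended signature
# table naming further CPU signatures the same update applies to.
HEADER = struct.Struct("<IIIIIIIII12s")  # hdr ver, rev, date, sig, checksum,
                                         # loader ver, pf, data size, total size, rsvd
EXT_HEADER = struct.Struct("<II12s")     # ext sig count, ext checksum, reserved
EXT_ENTRY = struct.Struct("<III")        # processor signature, flags, checksum


def _dword_sum(blob):
    return sum(struct.unpack("<%dI" % (len(blob) // 4), blob)) & 0xFFFFFFFF


def build_update(sig, pf, rev, date, data, ext_sigs=()):
    """Construct a synthetic update with a valid dword checksum. Test data only:
    it lacks the Intel signature inside the data, so a CPU would reject it."""
    ext = b""
    if ext_sigs:
        ext = EXT_HEADER.pack(len(ext_sigs), 0, b"\0" * 12)
        ext += b"".join(EXT_ENTRY.pack(s, p, 0) for s, p in ext_sigs)
    total = HEADER.size + len(data) + len(ext)
    fields = [1, rev, date, sig, 0, 1, pf, len(data), total, b"\0" * 12]
    # The checksum makes every dword of the whole update sum to zero.
    fields[4] = (-_dword_sum(HEADER.pack(*fields) + data + ext)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + data + ext


def dat_to_bytes(text):
    """Intel's text .dat form: C comments plus one little-endian dword per 0x token."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    words = [int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]{1,8}", text)]
    return struct.pack("<%dI" % len(words), *words)


def decode_date(d):
    s = "%08x" % d  # BCD mmddyyyy, e.g. 0x11202017 is 20 Nov 2017
    return "%s-%s-%s" % (s[4:8], s[0:2], s[2:4])


def parse_bundle(blob):
    """Walk concatenated updates; return one record per (update, signature),
    which is what iucode_tool -L counts as a signature. Raises on corruption."""
    records, off = [], 0
    while off + HEADER.size <= len(blob):
        hv, rev, date, sig, _, _, pf, dsize, tsize, _ = HEADER.unpack_from(blob, off)
        if hv != 1:
            raise ValueError("bad header version at offset %d" % off)
        dsize, tsize = dsize or 2000, tsize or 2048  # zero means the legacy fixed sizes
        if off + tsize > len(blob):
            raise ValueError("truncated update at offset %d" % off)
        if _dword_sum(blob[off:off + tsize]) != 0:  # covers header, data and ext table
            raise ValueError("checksum mismatch at offset %d" % off)
        base = {"offset": off, "size": tsize, "rev": rev, "date": decode_date(date)}
        records.append(dict(base, sig=sig, pf=pf))
        ext_off = off + HEADER.size + dsize
        if ext_off + EXT_HEADER.size <= off + tsize:
            count = EXT_HEADER.unpack_from(blob, ext_off)[0]
            for i in range(count):  # per-entry checksums are not re-verified here
                pos = ext_off + EXT_HEADER.size + i * EXT_ENTRY.size
                esig, epf, _ = EXT_ENTRY.unpack_from(blob, pos)
                records.append(dict(base, sig=esig, pf=epf))
        off += tsize
    return records


def summarize(records):
    sizes = {r["offset"]: r["size"] for r in records}
    return {"signatures": len(records), "updates": len(sizes), "bytes": sum(sizes.values())}


def is_intact(blob):
    try:
        parse_bundle(blob)
        return True
    except ValueError:
        return False


def build_sample_bundle():
    """Two constructed updates: a Haswell-style one in the legacy 2048-byte layout
    and a Skylake-style one whose extended table adds a second signature.
    Revisions, dates and flags are made up."""
    first = build_update(0x000306C3, 0x32, 0x22, 0x11202017, bytes(2000))
    second = build_update(0x000406E3, 0xC0, 0xC2, 0x11162017, bytes(944),
                          ext_sigs=[(0x000506E3, 0x36)])
    return first + second


def sample_as_dat():
    """The same bundle rendered in the .dat text form, to exercise dat_to_bytes."""
    blob = build_sample_bundle()
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    return "/* constructed sample */\n" + "\n".join("0x%08x," % w for w in words) + "\n"


if __name__ == "__main__":
    recs = parse_bundle(build_sample_bundle())
    for r in recs:
        print("sig 0x%08x pf 0x%02x rev 0x%02x %s" % (r["sig"], r["pf"], r["rev"], r["date"]))
    print(summarize(recs))
```

The two constructed updates yield three signatures, the same kind of gap between "items" and "signatures" seen in the listings above. The checksum walk is also a cheap integrity check before installing a microcode package from a mirror: a single flipped bit anywhere in an update makes is_intact() return False.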
Harfud
Level 2
Posts: 90
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud »

xenopeek wrote: CEOs of Apple, Amazon, AMD, ARM, Google, Intel and Microsoft all tasked to answer why they kept knowledge about Meltdown and Spectre bugs under wraps for 6 months. Wow.
That's not quite how I see the letter...

Firstly I see it as an opener, a list of initial questions pending further congressional activity.

I also see it as a query as to why those companies knowledge of Meltdown and Spectre was kept quite as under wraps as it was. There are intimations that a slightly wider distribution base might have been better, and that earlier notification to computer security agencies might have been better too - The handling of the matter is definitely under question.

Oddly, when I took another look at the letter this morning, page three in every copy of the letter (the page of questions) was blank; that strikes me as odd because it is only the same page in all seven letters that is blank for me.

I've since noticed it's missing only if I download and view the pdf, not if I simply view it.
michael louwe

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

Looking ahead; ...

All CPU models still in use or in production in Jan 2018 are affected by the Meltdown and Spectre bugs, eg 8th-gen Intel Coffeelake and Kabylake-Refresh CPUs = need to be patched. The future or coming 9th-gen Intel Cannonlake and Coffeelake-Refresh CPUs should be free of the bugs, ie no need for any relevant BIOS firmware or microcode software updates for the CPUs.
... It would be a good idea for Intel and AMD to mark their coming generations of CPUs as Meltdown and Spectre bugs-free(eg MS-free), so as to clear any confusion for computer buyers.

All OS versions still in use in Jan 2018 are affected by the Meltdown and Spectre bugs, eg Win 10 1709 and LM 18.3 = need to be patched. The future or coming OS versions should be free of the bugs, ie no need for any relevant kernel updates for the OS, eg Win 10 1803 and LM 19.0.

All app/program versions(especially browsers) still in use in Jan 2018 are affected by the Spectre 1 bug, eg Firefox 57 = need to be patched. FF 58 should be free of the bug = no need to be patched with the relevant update, ie the Spectre 1 patch will be built-in.
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 »

earthlingkc
Level 3
Posts: 128
Joined: Fri Oct 14, 2016 2:22 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by earthlingkc »

I haven't been following the thread closely lately and it's grown quite a bit, with more links than I can get to. What's the bottom line at this point? I've seen a lot of firmware/kernel Mint updates recently and have applied them - am on 4.13.26 on all laptops. Is this about as reasonably secure as we can expect so far with Mint Update Mgr supplied patches, or are there other recommended actions to take?
JohnFrumm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by JohnFrumm »

Harfud wrote:US Congress are asking Meltdown and Spectre questions...

https://energycommerce.house.gov/wp-con ... etters.pdf
The same congress that just extended the unconstitutional NSA surveillance program for another six years?
https://www.eff.org/deeplinks/2018/01/h ... rveillance

Amazing. They are probably upset that some backdoors will be closed. What really galls me is the audacity to include Apple's Tim Cook in that distribution list demanding to know why they were not kept more in the loop about these vulnerabilities just a year after the NSA declined to inform Apple of an exploit in the iPhone so the NSA can continue exploiting it.

There is a very real possibility (or even likelihood, given the NSA budget) that the NSA has been exploiting meltdown for years.
DAMIEN1307

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 »

hi earthlingkc...i am re-posting here what is the most that can be done at this time...the original post is on page 5 of this thread...under the microcode portion of this post i am also adding the microcode download pages i use to also include the microcode page for amd processors along with the one already in the post for intel processors...the easiest microcode downloads for us to use at least on Mint as well as peppermint are the .deb download... for intel its the jan 22nd amd64.deb for 64 bit and i386 for 32 bit systems...for AMD it is the same but note the latest date for AMD is jan 10th...below is the page 5 post with the aforementioned edit...DAMIEN

This is cumulative of what i have found thus far

Number 1 - it may be of interest to note that INTEL has released a new microcode today...the link provided here is from the oregon state university repository...i have applied it to my back up system, a dell laptop, which is an INTEL core i5 chip from which im typing on right now... http://ftp.us.debian.org/debian/pool/no ... microcode/ ...4th from the bottom is the amd64.deb for 64 bit and 3rd from the bottom is amdi386.deb for the 32 bit...

[ EDIT ]...the AMD microcode update page is... http://ftp.us.debian.org/debian/pool/no ... microcode/ ...2nd from bottom is amd64.deb for 64 bit and bottom is i386.deb for 32 bit...

both these pages are from oregon state university repositories of microcodes...

Number 2 - the reason i found for updating the microcode though it is only a partial help requiring also the kernel fix that is forthcoming is found in this article... https://www.theregister.co.uk/2018/01/0 ... explained/ ...

a few key paragraphs keyed in on this part of the issue

"On pre-Skylake CPUs, kernel countermeasures – and on Skylake and later, a combination of a microcode updates and kernel countermeasures known as Indirect Branch Restricted Speculation, aka IBRS – to kill Spectre Variant 2 attacks that steal data from kernels and hypervisors."

and

"Fixing the bounds bypass check attack requires analysis and recompilation of vulnerable code; addressing the branch target injection attack can be dealt with via a CPU microcode update, such as Intel's IBRS microcode, or through a software patch like "retpoline" to the operating system kernel, the hypervisor, and applications."

and

"In other words: to protect yourself from Spectre Variant 1 attacks, you need to rebuild your applications with countermeasures. These defense mechanisms are not generally available yet. To protect yourself from Spectre Variant 2 attacks, you have to use a kernel with countermeasures, and if you're on a Skylake or newer core, a microcode update, too. That microcode is yet to ship. It's not particularly clear, through all the noise and spin this week, which kernels have been built and released with countermeasures, if any. A disassembly of latest Windows releases suggests Microsoft is, for one, on the case."

and

"Wagner observed that software fixes aren't enough. "Ultimately, this is a problem with the processor and addressing it in the browser requires removing useful functionality and degrading performance," he said. "We hope the future microprocessor improvements would allow less drastic measures in the browser while still maintaining safety."

it is a 2 page article but appears to me (i could be wrong) that this is only a part of a total fix down the road...just waiting now for the kernel security update to follow...

Number 3 - this article has some work arounds for chrome/chromium based browsers and to a lesser extent firefox browsers to harden up their isolation capabilities that should help until the kernel/ microcode fixes become finalised...DAMIEN

http://www.linuxandubuntu.com/home/how- ... h-solution

To enable Site Isolation in Chrome/Chromium, copy the following URL in URL bar -

chrome://flags/#enable-site-per-process


To enable First-Party Isolation in Firefox

type about:config in the url bar. Search for site isolation and you'll get the following options -
enable first-party isolation in firefox
As you can see the value of privacy.firstparty.isolate is set to false. Double click to set it to true.

restart the browsers for isolation to take effect...

i have applied these workarounds until the real security update fixes become available on all four of my home systems and all is working fine here and am really hoping these workarounds along with their explanations as described in the articles will be of some real value and use to the community...DAMIEN
Last edited by DAMIEN1307 on Sat Jan 06, 2018 4:14 am, edited 5 times in total.
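An added example (not from the linked article, the post, or Mozilla) that audits and sets the same Firefox preference from a file instead of by hand in about:config: it parses prefs.js/user.js lines, reports whether privacy.firstparty.isolate is on, off, or absent (absent means the shipped default, which is off), and produces a user.js line forcing it on. The preference file content in the code is a constructed sample.

```python
import re

# Constructed sample of a prefs.js as Firefox writes it: the isolation pref
# is present but off, which is the shipped default.
SAMPLE_PREFS = (
    "// Mozilla User Preferences\n"
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("privacy.firstparty.isolate", false);\n'
    'user_pref("network.http.max-connections", 900);\n'
)

ISOLATION_PREF = "privacy.firstparty.isolate"

# One pref per line: user_pref("name", value);  (pref(...) also appears in
# default files). Values are true/false, an integer, or a quoted string.
PREF_RE = re.compile(r'^[ \t]*(?:user_pref|pref)\("([^"]+)",[ \t]*(.+?)\);[ \t]*$', re.M)


def parse_value(raw):
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)


def parse_prefs(text):
    """Name -> typed value for every pref line in a prefs.js / user.js body."""
    return {name: parse_value(raw) for name, raw in PREF_RE.findall(text)}


def isolation_status(text):
    """'enabled', 'disabled', or 'default' when the pref is absent (absent = off)."""
    prefs = parse_prefs(text)
    if ISOLATION_PREF not in prefs:
        return "default"
    return "enabled" if prefs[ISOLATION_PREF] is True else "disabled"


def enable_isolation(text):
    """Return user.js content with the pref forced on: replaced in place if a
    line for it exists, appended otherwise, never duplicated."""
    wanted = 'user_pref("%s", true);' % ISOLATION_PREF
    pattern = re.compile(r'^[ \t]*user_pref\("%s",[ \t]*.+?\);[ \t]*$'
                         % re.escape(ISOLATION_PREF), re.M)
    if pattern.search(text):
        return pattern.sub(wanted, text)
    return text.rstrip("\n") + "\n" + wanted + "\n"


if __name__ == "__main__":
    print("before:", isolation_status(SAMPLE_PREFS))
    hardened = enable_isolation(SAMPLE_PREFS)
    print("after: ", isolation_status(hardened))
    print(hardened)
```

Write the resulting line to user.js in the profile directory rather than editing prefs.js: Firefox rewrites prefs.js itself and applies user.js on top at every start, so only the user.js copy persists. The Chrome flag in the same post is a per-profile toggle; its managed equivalent is the SitePerProcess enterprise policy, which pushes site isolation to every profile on a machine.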
Arch_Enemy
Level 6
Posts: 1491
Joined: Tue Apr 26, 2016 3:28 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Arch_Enemy »

I have nothing called "site isolation" in my about:config page...
I have travelled 37629424162.9 miles in my lifetime

One thing I would suggest, create a partition as a 50G partition as /. Partition the rest as /Home. IF the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.
sammiev

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by sammiev »

Arch_Enemy wrote:I have nothing called "site isolation" in my about:config page...
If you are talking about firefox, try searching for:

privacy.firstparty.isolate

As you can see the value of privacy.firstparty.isolate is set to false. Double click to set it to true.
DAMIEN1307

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 »

hi arch_enemy...ok...just copied and pasted the last part here for you again with the complete instructions for 1st off, the chrome/chromium based browsers and next is the firefox...DAMIEN

To enable Site Isolation in Chrome/Chromium, copy the following URL in URL bar -

chrome://flags/#enable-site-per-process


To enable First-Party Isolation in Firefox

type about:config in the url bar. SEARCH FOR SITE ISOLATION and you'll get the following options - [it doesnt say "site isolation" in firefox]...it says
ENABLE FIRST PARTY ISOLATION in firefox
As you can see the value of privacy.firstparty.isolate is set to false. DOUBLE CLICK TO SET IT TO TRUE.

RESTART THE BROWSERS for isolation to take effect...

i have applied these workarounds until the real security update fixes become available on all four of my home systems and all is working fine here and am really hoping these workarounds along with their explanations as described in the articles will be of some real value and use to the community...DAMIEN
Last edited by DAMIEN1307 on Sat Jan 06, 2018 4:14 am, edited 5 times in total.