ATTN!...Intel CPU owners (Spectre, Meltdown, Foreshadow flaws)

h3rm35
Level 1
Posts: 4
Joined: Mon Sep 13, 2010 3:20 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by h3rm35 »

ArtGirl wrote: For any Waterfox (and Firefox) users who want to mitigate the slower page loads to some degree, this is what helped:

about:config
extensions.e10sBlockedByAddon ... set to false (double-click)
extensions.e10sMultiBlockedByAddons ... set to false
This forces multi-process.

right-click on the headings bar in about:config ... new ... boolean ... browser.tabs.remote.force-enable ... set to true
This force enables e10s, and is advised as an option by the Waterfox maintainer, so must be safe within the patched meltdown/spectre update.
You're the best! thank you!
Spearmint2
Level 16
Posts: 6893
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Spearmint2 »

michael louwe wrote:
Instead, I will likely be able to mitigate against the Intel CPU vulnerability by not using Virtual memory [ ... ]
Maybe if running an encrypted swap.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
phil995511
Level 4
Posts: 361
Joined: Sat Feb 01, 2014 4:06 am
Location: Geneva (Switzerland)

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by phil995511 »

Hello,

The microcode patch for Debian is here :

https://debian.pkgs.org/sid/debian-nonf ... 4.deb.html

Best regards.
Debian 10 Buster Cinnamon 64 Bits (dvd iso including-firmware) on my workstation & with Mate on my laptop / Win 10 Pro 64 bits for hardware & software compatibility with some products / Raspbian 10 Buster on RPi4.
rene
Level 16
Posts: 6689
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene »

phil995511 wrote:The microcode patch for Debian is here
This one will be the interesting one to measure performance impact from. The kernel-side patch is anywhere from 1% to 5% for regular loads; the tests I've seen from Windows imply that this one might be a lot worse.

And in that sense: be sure to note that the problem requires a local attack; requires locally executing code. You are as such even without doing anything as safe against Meltdown and Spectre as you ever were on Linux against any form of malware --- very --- and after the patches to browsers eliminating themselves as a host for a meltdown/spectre attack, incredibly.

The microcode updates moreover protect against Spectre, an already exceedingly hard to exploit issue in the first place even if you were wide open to attacks. The kernel-side patches defend against Meltdown and I would not personally skip (indefinitely; note there's no need to rush) but this one I expect I'll not in fact myself install.
Last edited by rene on Mon Jan 08, 2018 3:33 pm, edited 2 times in total.
JohnML
Level 1
Posts: 32
Joined: Sat Mar 20, 2010 1:13 pm
Location: frankfurt, germany

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by JohnML »

Harfud
Level 2
Posts: 74
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud »

I have six PCs running a mix of Mint 17.3 and LMDE2, five affected Intel CPUs one AMD A4.

With the AMD I've applied the Firefox update and the 4.14.12 x86 PTI disabled (AMD friendly) kernel.

The five Intel machines will have to take the hit, I've updated Firefox on all of them and will apply the patched kernels when they come in.

What I'm uncertain about are CPU microcode updates, Intel say through OEM sources, does anybody know more ?
rene
Level 16
Posts: 6689
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene »

Harfud wrote:What I'm uncertain about are CPU microcode updates, Intel say through OEM sources, does anybody know more ?
Microcode is volatile in the sense of not surviving a (hard) reset of the CPU; of needing to be applied on every cold boot. CPU vendors therefore supply microcode updates to BIOS / motherboard vendors to be applied by the BIOS; this is what Intel refers to by "OEM sources" i.e., you being referred to your motherboard vendor for a BIOS-update.

Linux can also update microcode though without needing the BIOS to have done so (and I rather expect there to be Windows tools to do the same). If you stay up to date with the microcode update that will arrive with your regular updates -- although probably level 4 or 5 on Mint -- you don't need a new BIOS patched with the new microcode; you can and will just have Linux update microcode when booting -- assuming you use the microcode "driver" in the first place of course; Mint makes it easy to enable/disable it in Driver Manager.

For those that agree with my above described strategy of likely/perhaps not updating their microcode: note that you can right-click the microcode update once it appears for you in Update Manager and set "Ignore updates for this package" even if you do want to use the microcode that's been released previously. You can undo that later again as well.

[EDIT] edited in the Mint-specific "Driver Manager" bit.
Last edited by rene on Mon Jan 08, 2018 4:58 pm, edited 1 time in total.
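
An added example, not part of rene's post or the thread: one way to check that the OS-applied microcode described above actually took effect, by comparing the `microcode` field of `/proc/cpuinfo` saved before and after the update. The function names and the sample revisions 0x22/0x23 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: confirm which microcode revision is live.

# Distinct "microcode" revisions in a /proc/cpuinfo-format file, one per line.
microcode_revisions() {
    awk -F'[ \t]*:[ \t]*' '$1 == "microcode" { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# Succeeds only if every logical CPU reports the same single revision.
microcode_consistent() {
    [ "$(microcode_revisions "$1" | wc -l)" -eq 1 ]
}

# Succeeds if the snapshot in $2 shows a higher revision than the one in $1.
microcode_updated() {
    before=$(microcode_revisions "$1" | head -n 1)
    after=$(microcode_revisions "$2" | head -n 1)
    [ -n "$before" ] && [ -n "$after" ] && [ "$(($after))" -gt "$(($before))" ]
}

# Constructed two-core sample in /proc/cpuinfo layout; $1 is the revision.
sample_cpuinfo() {
    for cpu in 0 1; do
        printf 'processor\t: %s\nmodel name\t: Example CPU (constructed)\nmicrocode\t: %s\n\n' "$cpu" "$1"
    done
}

SAMPLE_DIR=$(mktemp -d)
sample_cpuinfo 0x22 > "$SAMPLE_DIR/before"   # e.g. revision the BIOS loaded
sample_cpuinfo 0x23 > "$SAMPLE_DIR/after"    # e.g. after the OS applied an update
cat "$SAMPLE_DIR/before" "$SAMPLE_DIR/after" > "$SAMPLE_DIR/mixed"

if microcode_updated "$SAMPLE_DIR/before" "$SAMPLE_DIR/after"; then
    echo "microcode: $(microcode_revisions "$SAMPLE_DIR/before") -> $(microcode_revisions "$SAMPLE_DIR/after")"
fi
microcode_consistent "$SAMPLE_DIR/mixed" || echo "mixed snapshot: revisions differ"
```

On a real machine, save `/proc/cpuinfo` to a file before installing the microcode package, reboot, and pass that file and `/proc/cpuinfo` to `microcode_updated`.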
ArtGirl

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by ArtGirl »

h3rm35 wrote: You're the best! thank you!
Thanks so much; very glad it helped! :-)

EDIT: I've just found some more tweaks, thanks to Linux user Herell1991 on Reddit's Waterfox page ...
switch all the following to true:
gfx.webrender.enabled
gfx.webrendest.enabled
gfx.webrender.layers-free
layers.async-pan-zoom.enabled
layers.acceleration.force-enabled
and tick the checkbox for performance, in Preferences - General - Performance :)
DAMIEN1307
Level 10
Posts: 3216
Joined: Tue Feb 21, 2017 8:13 pm
Location: Alamogordo, New Mexico, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 »

hi phil995511...you said "The microcode patch for Debian is here :"
you are a little "tardy to the party"...lol...i posted this and other minor little fixes in a cumulative fashion 3 days ago on page 5 of this forum thread...i have had no performance hits at all that would be noticeable and have already installed these on 20 plus computers so far...no problems...DAMIEN
ORDO AB CHAO
"I refuse to be assimilated, I refuse to become one with the Borg Collective"
Arch_Enemy
Level 6
Posts: 1389
Joined: Tue Apr 26, 2016 3:28 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Arch_Enemy »

Spearmint2 wrote:
It's the 2 externally powered USB drives I keep the bulk of my photos on. They dismount, power off for 2-3 seconds, power back on and remount.
That's the fault of whatever external devices you have those HDD or SSD installed to.
Works fine with PCLinuxOS and worked with Mint 17.1 and Arch/Manjaro.

After loading kernel 4.2 it works with Mint 17.3 There is a specific entry in the changelog for one of the kernels (4.2 or 4.4) pertaining to USB HDDs.
I have travelled 35629424162.9 miles in my lifetime

One thing I would suggest, create a ~28G partition as /. Partition the rest as /Home.
When the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.
Fred Barclay
Level 12
Posts: 4221
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Fred Barclay »

rene wrote:
chrisuk wrote:However, the patched Firefox (57.0.4) has been released by Mozilla, but not in Manjaro repos yet. All this doesn't mitigate "Spectre" though... nothing does/will AFAIK (although I'm guessing firejail helps).
What does not help is firejail...
A bit late to the party here :D but as far as I'm aware, firejail doesn't protect against this. We've got a discussion going on at https://github.com/netblue30/firejail/issues/1712.

Technically, the memory-deny-write-execute option in firejail could help protect against this, but we can't use this option for most browsers (and that's the likeliest attack surface anyhow)...
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
smurphos
Level 17
Posts: 7332
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos »

The Ubuntu Security Team page has been updated regarding progress towards releasing supported patched kernels.... only 4.4 and 4.13 are in testing (available via a PPA for the brave/impatient). Confirms that 4.10 won't be patched and will be made EOL earlier than planned. Doesn't look like they have done any work on 3.13 yet for any 17.x users whose hardware isn't supported by 4.4.

Initial kernel releases will only target Meltdown - Spectre to be addressed in a later round of updates.

https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

Edit to add - the changelog for the proposed 4.13 confirms that PTI will be disabled for AMD processors as they are not vulnerable to Meltdown.

https://launchpad.net/ubuntu/+source/li ... 28~16.04.1
Last edited by smurphos on Tue Jan 09, 2018 1:21 am, edited 1 time in total.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
all41
Level 16
Posts: 6377
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by all41 »

The sky is falling!

Regarding the meltdown/spectre issue is the following true?

The attacker must either have physical access--or
the relevant code must be invited by the user.
Light travels faster than sound.
That's why some people appear smart until you hear what they are saying.
smurphos
Level 17
Posts: 7332
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos »

The vulnerabilities are theoretically exploitable remotely via untrusted code (javascript) run by your web-browser - so dodgy sites and probably a greater risk code injected via malvertising. Having said that both Firefox and Chrome have issued initial patches/advice to mitigate but not eliminate the vulnerability and further patches can be expected on that front as well as via ongoing Kernel security updates.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
michael louwe
Level 10
Posts: 3295
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

https://www.theregister.co.uk/2018/01/0 ... _slowdown/ (dated 9 Jan 2018)
Meltdown, Spectre bug patch slowdown gets real – and what you can do about it
Chip flaw fixes not so insignificant after all
While most casual desktop users and gamers won't notice any prolonged slowdown, or any performance hit at all, people running IO or system-call intensive software, such as databases on backend servers, may notice the difference.
= Internet/Cloud/Web services can be significantly hit in performance.
catweazel
Level 19
Posts: 9884
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by catweazel »

michael louwe wrote:
While most casual desktop users and gamers won't notice any prolonged slowdown, or any performance hit at all, people running IO or system-call intensive software, such as databases on backend servers, may notice the difference.
= Internet/Cloud/Web services can be significantly hit in performance.
"IO or system-call intensive software, such as databases on backend servers" doesn't necessarily entail internet.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Harfud
Level 2
Posts: 74
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud »

With regard to CPU Microcode Intel are talking in terms of 'processor products introduced within the past five years'.

'...By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.'

No mention of CPUs over five years old.

Are they starting with newer CPUs which would make sense, but in which case why no mention of older CPUs ?

Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
catweazel
Level 19
Posts: 9884
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by catweazel »

Harfud wrote:Are they starting with newer CPUs which would make sense, but in which case why no mention of older CPUs ?
Money. Cost to implement and revenue from upgrades.
Harfud wrote:Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
No.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Harfud
Level 2
Posts: 74
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud »

catweazel wrote:
Harfud wrote:Are they starting with newer CPUs which would make sense, but in which case why no mention of older CPUs ?
Money. Cost to implement and revenue from upgrades.
Harfud wrote:Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
No.
Then perhaps the only hope is that the class action lawsuits already taken out and more undoubtedly yet to be can sting them into changing their view.

It's bad enough that they design intrinsically vulnerable products in the first place, to not do all that is reasonably possible to ameliorate the problem is inexcusable.
Sir Charles
Level 7
Posts: 1895
Joined: Thu Jan 04, 2018 1:00 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Sir Charles »

Harfud wrote: Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
To do everything and anything in a death_ game competition just for the sake of increasing profit margin and keeping the ssshhhareholders happy, that's cynical!
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.