ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by h3rm35 » Mon Jan 08, 2018 2:44 pm

ArtGirl wrote: For any Waterfox (and Firefox) users who want to mitigate the slower page loads to some degree, this is what helped:

about:config
extensions.e10sBlockedByAddon ... set to false (double-click)
extensions.e10sMultiBlockedByAddons ... set to false
This forces multi-process.

right-click on the headings bar in about:config ... new ... boolean ... browser.tabs.remote.force-enable ... set to true
This force enables e10s, and is advised as an option by the Waterfox maintainer, so must be safe within the patched meltdown/spectre update.
You're the best! thank you!

Post by Spearmint2 » Mon Jan 08, 2018 2:49 pm

michael louwe wrote:
Instead, I will likely be able to mitigate against the Intel CPU vulnerability by not using Virtual memory [ ... ]
Maybe if running an encrypted swap.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Post by phil995511 » Mon Jan 08, 2018 2:55 pm

Hello,

The microcode patch for Debian is here :

https://debian.pkgs.org/sid/debian-nonf ... 4.deb.html

Best regards.
Linux Mint 19.2 Cinnamon 64 Bits on Dell XPS 9570 (i7-8750H) laptop / Debian 10 Buster Cinnamon 64 Bits on customized workstation (i7-5960X @ 3.8 Ghz) / Raspbian 10 Buster on Raspberry Pi 4

Post by rene » Mon Jan 08, 2018 3:14 pm

phil995511 wrote:The microcode patch for Debian is here
This one will be the interesting one to measure performance impact from. The kernel-side patch is anywhere from 1% to 5% for regular loads; the tests I've seen from Windows imply that this one might be a lot worse.

And in that sense: be sure to note that the problem requires a local attack; requires locally executing code. You are as such even without doing anything as safe against Meltdown and Spectre as you ever were on Linux against any form of malware --- very --- and after the patches to browsers eliminating themselves as a host for a meltdown/spectre attack, incredibly.

The microcode updates moreover protect against Spectre, an already exceedingly hard to exploit issue in the first place even if you were wide open to attacks. The kernel-side patches defend against Meltdown and I would not personally skip (indefinitely; note there's no need to rush) but this one I expect I'll not in fact myself install.
Last edited by rene on Mon Jan 08, 2018 3:33 pm, edited 2 times in total.

Post by JohnML » Mon Jan 08, 2018 3:24 pm


Post by Harfud » Mon Jan 08, 2018 4:02 pm

I have six PCs running a mix of Mint 17.3 and LMDE2, five affected Intel CPUs one AMD A4.

With the AMD I've applied the Firefox update and the 4.14.12 x86 PTI disabled (AMD friendly) kernel.

The five Intel machines will have to take the hit, I've updated Firefox on all of them and will apply the patched kernels when they come in.

What I'm uncertain about are CPU microcode updates, Intel say through OEM sources, does anybody know more ?

Post by rene » Mon Jan 08, 2018 4:23 pm

Harfud wrote:What I'm uncertain about are CPU microcode updates, Intel say through OEM sources, does anybody know more ?
Microcode is volatile in the sense of not surviving a (hard) reset of the CPU; of needing to be applied on every cold boot. CPU vendors therefore supply microcode updates to BIOS / motherboard vendors to be applied by the BIOS; this is what Intel refers to by "OEM sources" i.e., you being referred to your motherboard vendor for a BIOS-update.

Linux can also update microcode though without needing the BIOS to have done so (and I rather expect there to be Windows tools to do the same). If you stay up to date with the microcode update that will arrive with your regular updates -- although probably level 4 or 5 on Mint -- you don't need a new BIOS patched with the new microcode; you can and will just have Linux update microcode when booting -- assuming you use the microcode "driver" in the first place of course; Mint makes it easy to enable/disable it in Driver Manager.

For those that agree with my above described strategy of likely/perhaps not updating their microcode: note that you can right-click the microcode update once it appears for you in Update Manager and set "Ignore updates for this package" even if you do want to use the microcode that's been released previously. You can undo that later again as well.

[EDIT] edited in the Mint-specific "Driver Manager" bit.
Last edited by rene on Mon Jan 08, 2018 4:58 pm, edited 1 time in total.

Post by ArtGirl » Mon Jan 08, 2018 4:28 pm

h3rm35 wrote: You're the best! thank you!
Thanks so much; very glad it helped! :-)

EDIT: I've just found some more tweaks, thanks to Linux user Herell1991 on Reddit's Waterfox page ...
switch all the following to true:
gfx.webrender.enabled
gfx.webrendest.enabled
gfx.webrender.layers-free
layers.async-pan-zoom.enabled
layers.acceleration.force-enabled
and tick the checkbox for performance, in Preferences - General - Performance :)
18.3 Mate 64bit
Radeon R9 255, Mesa 17.2.8, 4.15.0-13,
Lenovo x310, intel i7-4790, 16 ram,
Ugee 2150


For any advice I've been able to add, eg re graphics tablets, please search forum.

Post by DAMIEN1307 » Mon Jan 08, 2018 7:43 pm

hi phil995511...you said "The microcode patch for Debian is here :"
you are a little "tardy to the party"...lol...i posted this and other minor little fixes in a cumulative fashion 3 days ago on page 5 of this forum thread...i have had no performance hits at all that would be noticeable and have already installed these on 20 plus computers so far...no problems...DAMIEN
ORDO AB CHAO

Post by Arch_Enemy » Mon Jan 08, 2018 10:13 pm

Spearmint2 wrote:
It's the 2 externally powered USB drives I keep the bulk of my photos on. They dismount, power off for 2-3 seconds, power back on and remount.
That's the fault of whatever external devices you have those HDD or SSD installed to.
Works fine with PCLinuxOS and worked with Mint 17.1 and Arch/Manjaro.

After loading kernel 4.2 it works with Mint 17.3. There is a specific entry in the changelog for one of the kernels (4.2 or 4.4) pertaining to USB HDDs.
I have travelled 35629424162.9 miles in my lifetime

One thing I would suggest, create a ~28G partition as /. Partition the rest as /Home.
When the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.

Post by Fred Barclay » Mon Jan 08, 2018 10:26 pm

rene wrote:
chrisuk wrote:However, the patched Firefox (57.0.4) has been released by Mozilla, but not in Manjaro repos yet. All this doesn't mitigate "Spectre" though... nothing does/will AFAIK (although I'm guessing firejail helps).
What does not help is firejail...
A bit late to the party here :D but as far as I'm aware, firejail doesn't protect against this. We've got a discussion going on at https://github.com/netblue30/firejail/issues/1712.

Technically, the memory-deny-write-execute option in firejail could help protect against this, but we can't use this option for most browsers (and that's the likeliest attack surface anyhow)...
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Post by smurphos » Tue Jan 09, 2018 1:03 am

The Ubuntu Security Team page has been updated regarding progress towards releasing supported patched kernels.... only 4.4 and 4.13 are in testing (available via a PPA for the brave/impatient). Confirms that 4.10 won't be patched and will be made EOL earlier than planned. Doesn't look like they have done any work on 3.13 yet for any 17.x users whose hardware isn't supported by 4.4.

Initial kernel releases will only target Meltdown - Spectre to be addressed in a later round of updates.

https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

Edit to add - the changelog for the proposed 4.13 confirms that PTI will be disabled for AMD processors as they are not vulnerable to Meltdown.

https://launchpad.net/ubuntu/+source/li ... 28~16.04.1
Last edited by smurphos on Tue Jan 09, 2018 1:21 am, edited 1 time in total.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
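
Added example, not part of any post in this thread: a shell script that reads `/proc/cpuinfo`-style text and reports the microcode revision the kernel currently sees (the boot-time microcode loading rene describes) and whether page-table isolation is active (the PTI-disabled-on-AMD behaviour smurphos cites). The three sample inputs and the function names `cpu_field`, `has_word` and `meltdown_status` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: vendor, microcode revision and PTI state from
# /proc/cpuinfo-style text. The three samples below are constructed.
SAMPLE_INTEL_PTI='vendor_id : GenuineIntel
microcode : 0x22
flags     : fpu vme de pse tsc pti
bugs      : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_INTEL_NO_PTI='vendor_id : GenuineIntel
microcode : 0x1c
flags     : fpu vme de pse tsc
bugs      : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_AMD='vendor_id : AuthenticAMD
microcode : 0x6006118
flags     : fpu vme de pse tsc
bugs      : spectre_v1 spectre_v2'

# Print the value of the first "name : value" line of text $1 whose name is $2.
cpu_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { k = $0; sub(/[ \t]*:.*/, "", k) }
        k == key { v = $0; sub(/^[^:]*:[ \t]*/, "", v); print v; exit }'
}

# Succeed if the space-separated list $1 contains the word $2.
has_word() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# Summarise one cpuinfo text. "not-flagged" means the kernel lists no Meltdown
# bug: an unaffected CPU, or a kernel that predates the patches.
meltdown_status() {
    local vendor ucode flags bugs state
    vendor=$(cpu_field "$1" vendor_id)
    ucode=$(cpu_field "$1" microcode)
    flags=$(cpu_field "$1" flags)
    bugs=$(cpu_field "$1" bugs)
    # Early stable backports named the flag "kaiser" and the bug "cpu_insecure".
    if has_word "$flags" pti || has_word "$flags" kaiser; then
        state=pti-active
    elif has_word "$bugs" cpu_meltdown || has_word "$bugs" cpu_insecure; then
        state=flagged-no-pti
    else
        state=not-flagged
    fi
    echo "vendor=${vendor:-unknown} microcode=${ucode:-unknown} meltdown=$state"
}

for s in "$SAMPLE_INTEL_PTI" "$SAMPLE_INTEL_NO_PTI" "$SAMPLE_AMD"; do
    meltdown_status "$s"
done
if [ -r /proc/cpuinfo ]; then meltdown_status "$(cat /proc/cpuinfo)"; fi
```

Comparing the `microcode` value before and after installing the distribution's microcode package and rebooting shows whether the kernel actually loaded the newer revision.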

Post by all41 » Tue Jan 09, 2018 1:17 am

The sky is falling!

Regarding the meltdown/spectre issue is the following true?

The attacker must either have physical access--or
the relevant code must be invited by the user.

Post by smurphos » Tue Jan 09, 2018 1:40 am

The vulnerabilities are theoretically exploitable remotely via untrusted code (javascript) run by your web-browser - so dodgy sites and, probably a greater risk, code injected via malvertising. Having said that, both Firefox and Chrome have issued initial patches/advice to mitigate but not eliminate the vulnerability, and further patches can be expected on that front as well as via ongoing Kernel security updates.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

Post by michael louwe » Tue Jan 09, 2018 2:37 am

https://www.theregister.co.uk/2018/01/0 ... _slowdown/ (dated 9 Jan 2018)
Meltdown, Spectre bug patch slowdown gets real – and what you can do about it
Chip flaw fixes not so insignificant after all
While most casual desktop users and gamers won't notice any prolonged slowdown, or any performance hit at all, people running IO or system-call intensive software, such as databases on backend servers, may notice the difference.
= Internet/Cloud/Web services can be significantly hit in performance.

Post by catweazel » Tue Jan 09, 2018 3:00 am

michael louwe wrote:
While most casual desktop users and gamers won't notice any prolonged slowdown, or any performance hit at all, people running IO or system-call intensive software, such as databases on backend servers, may notice the difference.
= Internet/Cloud/Web services can be significantly hit in performance.
"IO or system-call intensive software, such as databases on backend servers" doesn't necessarily entail internet.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

Post by Harfud » Tue Jan 09, 2018 6:33 am

With regard to CPU Microcode Intel are talking in terms of 'processor products introduced within the past five years'.

'...By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.'

No mention of CPUs over five years old.

Are they starting with newer CPUs which would make sense, but in which case why no mention of older CPUs ?

Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.

Post by catweazel » Tue Jan 09, 2018 6:34 am

Harfud wrote:Are they starting with newer CPUs which would make sense, but in which case why no mention of older CPUs ?
Money. Cost to implement and revenue from upgrades.
Harfud wrote:Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
No.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

Post by Harfud » Tue Jan 09, 2018 6:42 am

catweazel wrote:
Harfud wrote:Are they starting with newer CPUs which would make sense, but in which case why no mention of older CPUs ?
Money. Cost to implement and revenue from upgrades.
Harfud wrote:Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
No.
Then perhaps the only hope is that the class action lawsuits already taken out and more undoubtedly yet to be can sting them into changing their view.

It's bad enough that they design intrinsically vulnerable products in the first place, to not do all that is reasonably possible to ameliorate the problem is inexcusable.

Post by Sir Charles » Tue Jan 09, 2018 6:53 am

Harfud wrote: Or am I overly cynical in suspecting that there won't be CPU microcode updates for CPUs over five years old.
To do everything and anything in a death_ game competition just for the sake of increasing profit margin and keeping the ssshhhareholders happy, that's cynical!
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.
