ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

[rene]

What will happen to this OS bug fix when we buy a non-vulnerable new 9th-gen Intel-based computer one or two years from now.?

It will live on for older CPU's but will be disabled for any new CPU not affected by the issue it fixes in the same manner as 4.15 has it disabled for AMD CPU's -- perhaps unless those new CPU's also invent a new feature to keep kernel pagetable isolation (kpti) in place without the performance impact but that seems unlikely. Very fast syscalls was always one of the major technical successes of the Linux kernel and a major selling point versus for example BSD on web servers and the like; this issue mostly undoes that, so I can assure you people will want to disable it whenever possible.

I think what has been happening is that Linus Torvald has included this KPTI bug fix in the latest Linux kernels, ie from kernel 4.14.11 onward, which are mostly meant for Alpha-testers and Beta-testers.

Note that Linus only (directly) manages the 4.x kernel, 4.15 at this point. His current release is 4.15-rc6 which includes the fix but which is still a release candidate rather than a real release. The 4.x.y kernels are managed by Greg Kroah Hartman and consist of Linus' 4.x together with backported fixes from later Linus kernels, with the rule that for a patch to live in 4.x.y it must also already be accepted into Linus' kernel.

4.15-rc6, 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97 are all patched, although AMD users should note that the AMD exception only made it in a few hours ago; is not yet in any of those. AMD users may as such want to avoid this first wave seeing as how they'd suffer a performance degradation for no reason.

Of these kernels, 4.15-rc6 is the tester-kernel but 4.x.y kernels are in fact also known as "the stable branch" and are not generally unsuitable for end users, even though general advise would indeed be for end users to wait for a patched distribution kernel.

Many computer users multi-task or run multi-processes at the same time, eg downloading stuffs, sending emails/comments, reading news, opening stored files, etc during the same session. So, I think, when applied, this KPTI bug fix will degrade performance considerably for many users.

Also note that multitasking is not the issue. The performance degradation happens at syscall entry/exit, i.e., when a process calls into the kernel to service some request, not when switching between processes. It is as such not multi-processing loads that are affected but user mode loads that call in to the kernel a lot; loads that read/write lots of small files for example.

[michael louwe]

Seems, the KPTI bug fix released by Linux and M$ only mitigates against the Meltdown vulnerability, which mostly affects Intel processors and not AMD processors.

Seems, there may be no preventive bug fix on the OS and CPU side for the Spectre vulnerability, ie it is mostly fixed by the software/program developers and/or can only be fixed by the computer users after detection.

Since Spectre represents a whole class of attacks, there most likely cannot be a singular patch for it. While work is already being done to address special cases of the vulnerability, even the original website devoted to Spectre and Meltdown states: "As [Spectre] is not easy to fix, it will haunt us for a long time."

.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

.

The Spectre vulnerability can be resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.

Mozilla has released an advisory stating that Firefox could be susceptible to these attacks. Mozilla is mitigating these attacks in all release channels starting with Firefox 57.

[xenopeek]

Patches to the Linux kernel and GCC for Spectre vulnerability are in active development: https://www.phoronix.com/scan.php?page= ... ne-Patches

Good summary of Meltdown and Spectre vulnerabilities here: https://meltdownattack.com/

Anybody like me that is thinking about building a new PC: wait at least a week as CES is next week and expected AMD will show Ryzen 2nd generation with release of new Ryzen 7 processors in February. Allegedly these are the new processors:

• Ryzen 7 2700: 10C/20T @ 4.0/4.5GHz (replaces Ryzen 7 1700)
• Ryzen 7 2800: 12C/24T @ 4.4/4.9GHz (replaces Ryzen 7 1700X)
• Ryzen 7 2800X: 12C/24T @ 4.6/5.1GHz (replaces Ryzen 7 1800X)

And unlike Intel (new processor requires new motherboards), these should work with current Ryzen motherboards.

[Cool Mint]

What the Linux Mint position on that? When will we receive that update?

When the patch becomes available what is the procedure for receiving the security update to block these "Meltdown" and "Spectre" problems?

Will it install via the Linux Mint "Update Manager" automatically when the "Install Updates" button is clicked?

Will the update be available at the "Level 3" setting "Safe Updates. Not tested but believed to be safe." or will levels 4 or 5 be required?

If your system was installed with Linux Mint 18.1 do you need to re-install from a disc with 18.3 before the update can be applied, or will it be available for all versions of Linux Mint?

I've been slowly learning how to use Linux Mint over the last few months, it appears I may need to accelerate my education.

[michael louwe]

Bear in mind that a successful Spectre attack through the Internet allows the hackers to read secret data that are stored in the kernel memory address space of RAM, afaik. This means the hackers can capture usernames, passwords, encryption keys, etc that had been used by the computer users. The hackers may then be able to read the users' emails, credit card data, bank account data, website log-in credentials, etc = do further phishing, financial fraud, etc.

IOW, the Spectre bug may expose the users' private data to hackers, which can then be further exploited. In comparison, the EternalBlue SMB1 bug only allows the hackers to plant ransomware on users' computers, eg WannaCry and Petya.

[michael louwe]

What the Linux Mint position on that? When will we receive that update?

When the patch becomes available what is the procedure for receiving the security update to block these "Meltdown" and "Spectre" problems?

Will it install via the Linux Mint "Update Manager" automatically when the "Install Updates" button is clicked?

Will the update be available at the "Level 3" setting "Safe Updates. Not tested but believed to be safe." or will levels 4 or 5 be required?

If your system was installed with Linux Mint 18.1 do you need to re-install from a disc with 18.3 before the update can be applied, or will it be available for all versions of Linux Mint?

I've been slowly learning how to use Linux Mint over the last few months, it appears I may need to accelerate my education.

.
Please refer to this link ... viewtopic.php?t=214607 = LM users will have to manually upgrade their kernels to the patched one, eg 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97.(kernel info, courtesy of 'rene')

[thx-1138]

https://www.youtube.com/watch?v=RCJfsuGIDcU

Intel & the...Spectre of Xmas...

Cool Tech

/sarcasm off

[xenopeek]

Please refer to this link ... viewtopic.php?t=214607 = LM users will have to manually upgrade their kernels to the patched one, eg 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97.(kernel info, courtesy of 'rene')

I think you put in the wrong link? That's from 2 years ago and not applicable to today's situation.

[JoeFootball]

Another informative article for review.

Joe

[xenopeek]

Kernel on Linux Mint comes from Ubuntu or Debian (depending on your Linux Mint edition). The security teams are working on releasing the fixes. Original release date was planned for after the weekend, coinciding with the planned disclosure date. As the vulnerabilities have been disclosed earlier they have accelerated their work.

The updates for these will arrive as security updates in Update Manager to all users, unless a user has manually overridden their update policy to not always show security updates.

Mind that Mozilla (and other web browser developers) are mitigating the risk of these vulnerabilities already in their web browser: https://blog.mozilla.org/security/2018/ ... ng-attack/. So even with a vulnerable kernel, once your web browser has the mitigation, the risk is reduced significantly if not removed.

Meltdown CVE on Ubuntu: https://people.canonical.com/~ubuntu-se ... -5754.html
Spectre CVEs on Ubuntu:
https://people.canonical.com/~ubuntu-se ... -5753.html
https://people.canonical.com/~ubuntu-se ... -5715.html
Ubuntu security team overview page for Meltdown and Spectre: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

Meltdown CVE on Debian: https://security-tracker.debian.org/tra ... -2017-5754
Spectre CVE on Debian:
https://security-tracker.debian.org/tra ... -2017-5753
https://security-tracker.debian.org/tra ... -2017-5715

[michael louwe]

@ xenopeek, .......

Please refer to this link ... viewtopic.php?t=214607 = LM users will have to manually upgrade their kernels to the patched one, eg 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97.(kernel info, courtesy of 'rene')

I think you put in the wrong link? That's from 2 years ago and not applicable to today's situation.

.
I am running LM 17.3 Cinnamon 32bit since more than 1 year ago. I do not think I have gotten any security updates for my Linux kernel 3.13.0-107 LTS or for the default kernel 3.19 via Update Manager. Maybe, Update Manager display security updates for Linux kernels as Level 5 updates only for LM 18.x onward. Please confirm.

According to this link ... http://news.softpedia.com/news/linux-ke ... 9215.shtml , the above Linux kernels that have the KPTI patch have to be downloaded & installed from kernel.org. IOW, LM users have to wait for the LM developers for the actual release.
... My LM 17.3 system only has kernel 3.16.0-52 available. Not sure whether it has the KPTI patch. But ain't kernel 3.16 non-LTS, as per Canonical's Ubuntu.?

[thx-1138]

https://newsroom.intel.com/news-release ... -exploits/

[AJG]

Current reports are that Meltdown and clearly Spectre are not unique to Intel chipsets. AMD and ARM, IBM System Z, Power8, Power9 possibly affected to some extent.

https://access.redhat.com/security/vuln ... eexecution

https://lwn.net/Articles/742745/

https://newsroom.intel.com/news/intel-r ... -findings/

https://meltdownattack.com/meltdown.pdf

[carum carvi]

Linus Torvalds reaction on meltdown:

I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.

..... and that really means that all these mitigation patches should be written with "not all CPU's are crap" in mind.

Or is Intel basically saying "we are committed to selling you sh*t forever and ever, and never fixing anything"?

Because if that's the case, maybe we should start looking towards the ARM64 people more.

[carum carvi]

My question is IF I have to update my kernel or not when I have an AMD procesor because according to the current news Meltdown does not affect Amd processors.
Spectre unfortunately seems to effect everything but it is very difficult to abuse without very experienced knowledge. Is that correct? So Spectre does not seem a direct threat. Meltdown could be executed by any script kiddie according to what I read ! So Meltdown is a possible near future threat for anyone with linux and an Intel procesor ?

[xenopeek]

I am running LM 17.3 Cinnamon 32bit since more than 1 year ago. I do not think I have gotten any security updates for my Linux kernel 3.13.0-107 LTS or for the default kernel 3.19 via Update Manager. Maybe, Update Manager display security updates for Linux kernels as Level 5 updates only for LM 18.x onward. Please confirm.

According to this link ... http://news.softpedia.com/news/linux-ke ... 9215.shtml , the above Linux kernels that have the KPTI patch have to be downloaded & installed from kernel.org. IOW, LM users have to wait for the LM developers for the actual release.
... My LM 17.3 system only has kernel 3.16.0-52 available. Not sure whether it has the KPTI patch. But ain't kernel 3.16 non-LTS, as per Canonical's Ubuntu.?

As I said, kernels come from Ubuntu for your edition. Ubuntu kernel team and security team are readying kernel security update for release (as Ubuntu doesn't use upstream kernel releases, they'll backport the fixes to the kernel version they maintain). On Linux Mint 18.3 all users see security updates for the kernel in Update Manager unless they disabled that themselves by editing configuration.

As for Linux Mint 17.3, yes you manually install kernel updates there through the View > Linux kernels menu of Update Manager.. You must use either kernel 3.13.x or 4.4.x series on Linux Mint 17,x. All other kernel releases are no longer maintained by Ubuntu kernel team. Easiest is to just scroll to the very end of the kernel list and install the newest 4.4.x version.

The risks with these vulnerabilities for home users is first in their web browser (as that runs untrusted software, JavaScript from websites for example) and web browser developers are mitigating these risks in the web browsers themselves so that they are also safe on unpatched kernels.

[Mintster]

News and updates from the Project Zero team at Google
Wednesday, January 3, 2018
Reading privileged memory with a side-channel
https://googleprojectzero.blogspot.com/ ... -side.html

[xenopeek]

Links from yesterday aren't really news

[xenopeek]

My question is IF I have to update my kernel or not when I have an AMD procesor because according to the current news Meltdown does not affect Amd processors.
Spectre unfortunately seems to effect everything but it is very difficult to abuse without very experienced knowledge. Is that correct? So Spectre does not seem a direct threat. Meltdown could be executed by any script kiddie according to what I read ! So Meltdown is a possible near future threat for anyone with linux and an Intel procesor ?

You're recommended to always install all security updates.

As for Spectre (and also Meltdown), web browser developers are mitigating the risk of these vulnerabilities already in the web browser itself. For example Mozilla about Firefox mitigations: https://blog.mozilla.org/security/2018/ ... ng-attack/. So even with a vulnerable kernel, once your web browser has the mitigation, the risk is reduced significantly if not removed.

[Mintster]

That wasn't intended as news. It was to supply the Google Project Zero if someone was interested.