ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

Chat about just about anything else
blueredgreen
Level 2
Level 2
Posts: 79
Joined: Sun Jun 17, 2012 12:14 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by blueredgreen » Fri Jan 26, 2018 11:58 am

Site isolation - is still needed for chromium and firefox?

I read somewhere on linux mint forum maybe 7-10 days ago that the newest firefox had been patched and was ok and that site isolation for chromium was needed as a temporary measure until the next chromium update.

Since then, I have had firefox updated once and chromium updated once.
Image

User avatar
xenopeek
Level 24
Level 24
Posts: 22755
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by xenopeek » Fri Jan 26, 2018 12:53 pm

Firefox already has mitigation in place against Meltdown and Spectre. JavaScript malware on websites can't exploit these bugs on Firefox. Site isolation isn't needed for that.

Chromium explains here what site isolation is for and what issue you may have with it enabled: https://www.chromium.org/Home/chromium- ... -isolation
Image

User avatar
michael louwe
Level 9
Level 9
Posts: 2644
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Fri Jan 26, 2018 4:06 pm

http://sea.pcmag.com/news/19298/intel-c ... rrive-this (dated 26 Jan 2018)(Intel Chips With Meltdown, Spectre Protection to Arrive This Year)
The first Intel chips with built-in protections against the Meltdown and Spectre threats will start arriving later this year.

The protections involve "silicon-based changes" to the company's future processors, Intel CEO Brian Krzanich said in a Thursday earnings call.
.
8th-gen Intel CoffeeLake and KabyLake-Refresh silicons/CPUs have already just been released. This means the above likely refers to the coming 9th-gen Intel CannonLake and CoffeeLake-Refresh CPUs.

The above Intel CPUs will also have Meltdown & Spectre performance-hits built-in, eg 30% built-in performance-hit or degradation for most servers, especially Cloud servers. No wonder web-browsing seems slower nowadays. AMD silicons/CPUs should be a better choice.

User avatar
xenopeek
Level 24
Level 24
Posts: 22755
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by xenopeek » Fri Jan 26, 2018 4:25 pm

Google Chrome version 64 has the Meltdown and Spectre mitigation as well: https://www.phoronix.com/scan.php?page= ... 4-Released
Image

User avatar
Arch_Enemy
Level 6
Level 6
Posts: 1150
Joined: Tue Apr 26, 2016 3:28 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Arch_Enemy » Fri Jan 26, 2018 10:48 pm

Thanks, guys. Got it.
I have travelled 35629424162.9 miles in my lifetime

One thing I would suggest, create a partition a ~28G partition as /. Partition the rest as /Home.
When the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.

User avatar
Spearmint2
Level 15
Level 15
Posts: 5719
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Spearmint2 » Sat Jan 27, 2018 12:30 pm

michael louwe wrote:http://sea.pcmag.com/news/19298/intel-c ... rrive-this (dated 26 Jan 2018)(Intel Chips With Meltdown, Spectre Protection to Arrive This Year)
The first Intel chips with built-in protections against the Meltdown and Spectre threats will start arriving later this year.

The protections involve "silicon-based changes" to the company's future processors, Intel CEO Brian Krzanich said in a Thursday earnings call.
.
8th-gen Intel CoffeeLake and KabyLake-Refresh silicons/CPUs have already just been released. This means the above likely refers to the coming 9th-gen Intel CannonLake and CoffeeLake-Refresh CPUs.

The above Intel CPUs will also have Meltdown & Spectre performance-hits built-in, eg 30% built-in performance-hit or degradation for most servers, especially Cloud servers. No wonder web-browsing seems slower nowadays. AMD silicons/CPUs should be a better choice.
HAH! I wouldn't get one of those, considering how they messed up the past couple of "fixes" for Meltdown they've released.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

Pat D
Level 4
Level 4
Posts: 360
Joined: Thu Jul 14, 2016 2:31 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pat D » Sun Jan 28, 2018 9:10 pm

Perhaps someone could translate this? There's a link to a Linus Torvalds rant, and a link that's included in that article.

https://www.theregister.co.uk/2018/01/2 ... fix_linux/

https://lkml.org/lkml/2018/1/22/598

Are they saying that Intel is "running away" from the problem?

rene
Level 8
Level 8
Posts: 2068
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Sun Jan 28, 2018 10:31 pm

Pat D wrote:Are they saying that Intel is "running away" from the problem?
What Linus is saying seems to be more that Intel is running away from liability.

It appears that Intel is, according to Linus, not offering a realistic solution/mitigation of Spectre 2 with those patches. What's on the table in that thread is use of through microcode-updates provided opt-in CPU behaviour which when enabled "goes through the motions" but which is first according to him in some ways nonsensical and which will second not be enabled anyway due to high cost in terms of speed. He as such has a hard time believing that those patches are seriously trying to mitigate Spectre 2 rather than just mitigate liability --- and seems not fully pleased with such.

Only a bit further down-thread is a fairly good explanation/rebuttal by David Woodhouse though: https://lkml.org/lkml/2018/1/22/598. Let as such us, the peanut gallery, not immediately take Linus' "unmitigated" word for it; better, let us take his word exactly for what it is: an objection on technical grounds, even if with implied non-technical motivational suspicions, offered in no uncertain terms as is usual for the open Linux development model; as is usual for most any deeply technical discussion, either open or closed.

The Register seems to in the last few years come close to what I would find to be an IT equivalent of https://www.usmagazine.com/; not close to something you should refer to often.

Pat D
Level 4
Level 4
Posts: 360
Joined: Thu Jul 14, 2016 2:31 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pat D » Sun Jan 28, 2018 10:41 pm

The Register seems to in the last few years come close to what I would find to be an IT equivalent of https://www.usmagazine.com/; not close to something you should refer to often.
Yea, I know, I just happened on it and followed the link to see if it was real. Sounds to me that Intel says that "their" problem is now "our" problem. (Expletive deleted. lol)

rene
Level 8
Level 8
Posts: 2068
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Sun Jan 28, 2018 11:04 pm

Pat D wrote:Sounds to me that Intel says that "their" problem is now "our" problem. (Expletive deleted. lol)
After reading David Woodhouse's above linked rebuttal a few more times I would myself actually more go with a "Linus is full of it" theory for now.

The main stated technical objection from Linus is nonsensicallity of expensive MSR writes on kernel entry/exit that protect the kernel itself even though said kernel already has a low cost and fully software-implemented solution available in the form of retpoline; see https://security.googleblog.com/2018/01 ... cpu_4.html if interested. But David explains that, 1, the expensive method was developed before retpoline was even available; that, 2, said method covers kernels built without retpoline (for which specific compiler support is needed) and moreover, 3, covers Skylake which retpoline does not fully. That it is a fallback method for "for now" and for Skylake.

I find myself to be fairly peanut-convinced there; this to reflect worse on Intel than in fact seems called for. Which, once again, does not in fact matter as long as you take Linus' posts for what they are: parts of a technical discussion.

User avatar
michael louwe
Level 9
Level 9
Posts: 2644
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Mon Jan 29, 2018 1:59 am

@ PatD, .......
PatD wrote:...
.
Linus's 22 Jan comment that Intel's CPU patches for Spectre 2 are Garbage is quite true, as verified by what followed on 23 Jan ... http://www.zdnet.com/article/intel-stop ... er-notice/ (Intel: Stop firmware patching until further notice)

Spectre 2 requires both the OS kernel AND CPU microcode to be patched, ie they have to be made to work together in order to patch Spectre 2 with the IBRS and IBPB features.
... Linus is the main Linux kernel developer. So, he probably had some difficulties with the Intel developers trying to get the Linux kernel to work inSync with the Intel microcodes. He was likely proven right that the Intel developers were !@#$%^&.

Buggy BIOS firmware updates for Windows are downright nasty because they are mostly uninstallable or irreversible = can brick computers. Intel should compensate those who had applied their BIOS firmware update(Windows) or 20180108 microcode update(Linux) and ended up with bricked computers/servers.

P S - Intel's recent buggy CPU patches only applied to CPUs that are not more than 5 years old.

User avatar
BigEasy
Level 6
Level 6
Posts: 1152
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by BigEasy » Mon Jan 29, 2018 3:29 am

michael louwe wrote:Buggy BIOS firmware updates for Windows are downright nasty because they are mostly uninstallable or irreversible = can brick computers.
Last millenium on each motheboard was the jumper "reset BIOS to default".
Windows assumes I'm stupid but Linux demands proof of it

User avatar
thx-1138
Level 6
Level 6
Posts: 1085
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Mon Jan 29, 2018 9:22 am

...so, Canonical's kernels do have backported / implemented IBRS since a couple of weeks...but if i've understood correctly, current upstream 4.15-final (released yesterday) doesn't enable full IBRS (yet) but uses retpoline mitigations instead?...
https://kernelnewbies.org/Linux_4.15#Meltdown.2FSpectre

User avatar
michael louwe
Level 9
Level 9
Posts: 2644
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Mon Jan 29, 2018 11:32 am

@ thx1138, .......
thx-1138 wrote:...so, Canonical's kernels do have backported / implemented IBRS since a couple of weeks...but if i've understood correctly, current upstream 4.15-final (released yesterday) doesn't enable full IBRS (yet) but uses retpoline mitigations instead?...
https://kernelnewbies.org/Linux_4.15#Meltdown.2FSpectre
.
Linux kernel upgrades can be considered as cumulative, ie kernel 4.15 has changes added to kernel 4.14 and kernel 4.14 had changes added to kernel 4.13. At the same time, old or ancient changes may be removed, eg device drivers for 20 years old devices.

Linus Torvald/kernel.org's kernel 4.14 already has the patches for Meltdown(= KPTI) and Spectre(= IBRS and IBPB), mostly for amd64 or 64bit systems. According to your link, kernel.org are only adding the Meltdown patch for x86 or 32bit systems and the retpoline feature to kernel 4.15. IOW, retpoline supplements IBRS and IBPB.
... For the Intel microcode update to patch for Spectre 2, the Linux kernel must have the patch for Spectre 2 also, ie both patches have the IBRS and IBPB features and they work together to mitigate against Spectre 2, like husband and wife. They can't work alone.

User avatar
thx-1138
Level 6
Level 6
Posts: 1085
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Mon Jan 29, 2018 12:06 pm

Thanks Michael. Reason i am confused is because Canonical had added IBRS (in their 4.4x / 4.13.x etc), while upstream the devs where still arguing if such should be added by default in 4.15.x (due to it's severe performance penalty)... :?
Somehow i had this hope (performance-wise) that maybe 4.15 & above will only do amends with retpoline instead...that IBRS won't be 'standardized'...

rene
Level 8
Level 8
Posts: 2068
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Mon Jan 29, 2018 1:12 pm

thx-1138 wrote:Reason i am confused is because Canonical had added IBRS (in their 4.4x / 4.13.x etc), while upstream the devs where still arguing if such should be added by default in 4.15.x [ ... ]
Michael's reply is unfortunately incorrect; indeed upstream 4.15 does not feature IBRS support. Status is that the IBRS kernel patches have been put "back on the slow track" (normal track rather) while retpoline offers kernel-side protection against Spectre 2.

Note that CPU-side IBRS support, which is needed to have any use for kernel-side IBRS support, has at the moment in fact also been put on hold by Intel; they currently advise to not install their IBRS-supplying microcode due to instability. You are as such not missing out even if running vanilla 4.15. More to the point: as Spectre 2 mitigations go, IBRS blows small farm animals anyway; with retpoline (and RBS it seems) the problem is kernel-side "mostly" dealt with; the remainder can given its implications go through the normal review-and-tweak process; is as per my own reply above really relevant only for kernels compiled not by a retpoline-capable compiler and a few corner cases anyway.

Well, kernel-side. Given that not all of userspace is on existing systems going to be recompiled it would appear that for some users Ubuntu's backporting of the IBRS patchset may make the Ubuntu kernels a better option than running 4.15 vanilla, assuming they have or will have updated microcode as well. Still only some mind you and very few at that: we're at that point defending against userspace snooping on userspace, i.e., in multiple untrusted VM situations and the like; hardly a standard environment and definitely one where an admin will/should know what he's updating to and when to do so.

Anyone should of course feel free to install and run whichever level of mitigation he or she feels comfortable with, but I would note that IBRS not being featured in 4.15 vanilla does say something about the point of view of developers who in fact understand what this is all about.

User avatar
thx-1138
Level 6
Level 6
Posts: 1085
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Mon Jan 29, 2018 1:24 pm

rene, i owe you a beer for this (the mailing lists' back&forth extra-technical arguments made my head dizzy there) - thank you for detailed reply! :)

User avatar
michael louwe
Level 9
Level 9
Posts: 2644
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Mon Jan 29, 2018 2:17 pm

@ rene, .......
rene wrote:...
.
REFERENCE; https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

If what you say is correct, ie the latest Linux kernel 4.15 has removed the IBRS feature for Spectre 2, then shouldn't affected LM users also have to remove Linux kernels 3.13.141, 4.4.112 and 4.13.31 or .32 which contain the patch for Spectre 2, namely the IBRS and IBPB features.?

Previously, on 9 Jan 2018, 64bit Linux kernels 3.13.139, 4.4.108 & 109 and 4.13.25 & 26 were released by Ubuntu to patch Meltdown, namely the KPTI feature. 32bit LM systems were not covered. Kernel 4.13.25 was found to be buggy and quickly replaced by 4.13.26.

64bit LM users who have installed and are running kernel 3.13.141, 4.4.112 or 4.13.32 are patched for both Meltdown and Spectre(1 & 2), ie the KPTI, IBRS and IBPB features = kernel upgrades/updates are cumulative-like.
... 32bit LM users were only patched for Spectre 1.

Please refer to ... http://news.softpedia.com/news/linux-ke ... 9215.shtml (dated 4 Jan 2018 - Linux Kernels 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97 Patch Meltdown Flaw)
http://news.softpedia.com/news/linux-ke ... 9427.shtml (dated 17 Jan 2018 - Linux Kernels 4.14.14, 4.9.77, 4.4.112, and 3.18.92 Released with Security Fixes)
These new kernels come just one week after their previous releases to add more x86 updates to protect users against the Meltdown and Spectre security vulnerabilities disclosed earlier this month.
.
http://news.softpedia.com/news/linux-ke ... 9579.shtml (dated 28 Jan 2018 - Linux Kernel 4.15 Officially Released, Includes Patches for Meltdown and Spectre)
Linux kernel 4.15 is the first kernel series to be fully patched against the Meltdown and Spectre security vulnerabilities, but only for the x86 and PowerPC (PPC) architectures.
Maybe, your statement is incorrect. Let's wait for confirmation.

UPDATE; http://lkml.iu.edu/hypermail/linux/kern ... 02794.html
Linus Torvald's Release statement for Linux kernel 4.15 does not mention anything about removing the IBRS feature for Spectre 2. He mentioned adding the Retpoline feature for Spectre 2.
Last edited by michael louwe on Mon Jan 29, 2018 2:34 pm, edited 1 time in total.

Harfud
Level 2
Level 2
Posts: 53
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud » Mon Jan 29, 2018 2:25 pm

It is claimed in this article that Intel notified Chinese tech companies of Meltdown and Spectre prior to their notification to US authorities, and that therefore plausibly the Chinese government became aware before the US government...

I guess that explains the reason for some of the questions asked in the recent letter from Congress.

http://uk.pcmag.com/news/93088/timing-o ... es-concern

rene
Level 8
Level 8
Posts: 2068
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Mon Jan 29, 2018 4:09 pm

michael louwe wrote:If what you say is correct, ie the latest Linux kernel 4.15 has removed the IBRS feature for Spectre 2 [ ... ]
The upstream 4.15 kernel has not removed IBRS support: IBRS support has up to now never been part of the upstream kernel. Note that Ubuntu kernels are not (generally) unmodified upstream kernels; in this case Ubuntu has backported the Intel IBRS patches to their supported kernels even though the upstream kernel has not merged them and likely will not in their current form.

The source I can find that states this most clearly is https://www.phoronix.com/scan.php?page= ... re-Kernels but you of course don't have to rely on his, my or anyone else's word. Ubuntu makes it easy to install vanilla ("mainline") kernels and has 4.15 available at http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/. If you install and boot it you will find to not have IBRS support available any more. Such as determined by for example that spectre-meltdown-checker.sh script or simply by noting that on a current standard Ubuntu kernel you have,

Code: Select all

$ ls -l /proc/sys/kernel/ib*
-rw-r--r-- 1 root root 0 jan 29 20:48 /proc/sys/kernel/ibpb_enabled
-rw-r--r-- 1 root root 0 jan 29 20:48 /proc/sys/kernel/ibrs_dump
-rw-r--r-- 1 root root 0 jan 29 20:48 /proc/sys/kernel/ibrs_enabled
with these unavailable on a mainline kernel, 4.15 or any other one.

While distribution-kernels deviating from mainline is generally speaking a bit of a nuisance it's in this case also quite proper. As referred to above, retpoline is quite sufficient for an overwhelming majority of use cases --- assuming the kernel's built with a retpoline-enabled compiler and you don't do overly funky userspace things. Distribution kernels though have the widest target audience; need to just work.

Shall do my utmost to refrain from saying that this is true especially in the security context, with the truly absurd number of rebels-without-a-clue playing The Matrix around the edges, speaking of and loudly denouncing things they do not understand. Please don't underestimate that: that's very hard for me to refrain from...

Post Reply

Return to “Open chat”