ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

michael louwe
Level 9
Posts: 2771
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Mon Jan 29, 2018 5:09 pm

@ rene,
rene wrote: ...
My apologies, I think you are correct, i.e. Linus Torvalds/kernel.org have their own Retpoline path to patching the Linux kernel for Spectre 2, whereas Canonical Inc/Ubuntu have their own IBRS path to patching the Linux kernel for Spectre 2. ...
http://mail.phoronix.com/scan.php?page= ... -Retpoline (dated 15 Jan 2018 - Retpoline Backported To Linux 4.9, Linux 4.14 Kernels)

https://lkml.org/lkml/2018/1/4/432 (4 Jan 2018)
Something like that, yeah. But remember, setting IBRS is a barrier too. You can't just set it and forget it; you have to do it on *every* entry into the kernel.

Later CPUs are intended to have an 'IBRS all the time' feature which is set-and-forget, and will perform much better, I believe. If we find we're running on a CPU with that, we'll turn off the retpoline with alternatives. ...

That's good, because retpoline doesn't work on Skylake (since Skylake will actually predict rets too, and then you're just completely hosed).

So on Skylake, we'll be using the basic IBRS support too, and also alternativing out the retpoline.
LM users will have to rely on Canonical/Ubuntu for their Linux kernel support = Ubuntu are most likely adopting the IBRS feature instead of the Retpoline feature.
... Seems, to apply Retpoline, users need to change their compiler = quite impractical for deployment by Ubuntu/LM.

curtvaughan
Level 3
Posts: 155
Joined: Sun Dec 21, 2014 5:54 pm
Location: Austin, Tx

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by curtvaughan » Mon Jan 29, 2018 6:10 pm

rene wrote:
Pat D wrote: Sounds to me that Intel says that "their" problem is now "our" problem. (Expletive deleted. lol)
After reading David Woodhouse's above-linked rebuttal a few more times, I would myself actually go more with a "Linus is full of it" theory for now.

The main stated technical objection from Linus is the nonsensicality of expensive MSR writes on kernel entry/exit that protect the kernel itself, even though said kernel already has a low-cost and fully software-implemented solution available in the form of retpoline; see https://security.googleblog.com/2018/01 ... cpu_4.html if interested. But David explains that, 1, the expensive method was developed before retpoline was even available; that, 2, said method covers kernels built without retpoline (for which specific compiler support is needed); and moreover, 3, it covers Skylake, which retpoline does not fully. That it is a fallback method "for now" and for Skylake.

I find myself to be fairly peanut-convinced there; this to reflect worse on Intel than in fact seems called for. Which, once again, does not in fact matter as long as you take Linus' posts for what they are: parts of a technical discussion.
This is perhaps the most interesting back-and-forth since the systemd wars in 2014. I already applied the initial Intel patch to my XPS 9360 (Kaby Lake) prior to all of this - so far, no issues, but Dell removed the patch from their support website just a few days ago with promises for further updates in the future.

rene
Level 8
Posts: 2226
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Mon Jan 29, 2018 6:22 pm

michael louwe wrote: Ubuntu are most likely adopting the IBRS feature instead of the Retpoline feature.
That is for now indeed what they've done. Can assure it'll be for a short-lived value of "now" though: current Spectre-updated Ubuntu kernels are not compiled with a retpoline compiler, but other than retpoline only having become available in GCC one or two weeks ago, there wouldn't seem to be a reason we'd not, in the quite near future, see kernels compiled with a retpoline compiler coming down our update pipelines. At which point IBRS support will certainly not be removed, but at which point the default Spectre 2 mitigation for kernel space could very well be made retpoline; it's quite a performance gain...

At the time of upstream 4.16 things will moreover no doubt have settled down further both with regards to microcode and the kernel-side support of IBRS/IBPB and Ubuntu is at that time almost guaranteed to "rejoin the fold".

Which is in fact badly put: other distributions are doing the exact same thing as Ubuntu, https://access.redhat.com/articles/3311301, and distribution-wise they're all right smack in the middle of that fold already. It's just that distributions need "full protection" now whereas the upstream kernel has the luxury of being a bit more critical, given different audiences.

rene
Level 8
Posts: 2226
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Mon Jan 29, 2018 6:38 pm

curtvaughan wrote: I already applied the initial Intel patch to my XPS 9360 (Kaby Lake) prior to all of this - so far, no issues, but Dell removed the patch from their support website just a few days ago with promises for further updates in the future.
Yes: initially thought to be Broadwell- and Haswell-specific, but in the meantime found to be more widely problematic, the Intel Spectre-related new microcode released up to now causes stability issues. Current status seems to be that Intel is confident it has found the root cause and new-new microcode is forthcoming.

michael louwe
Level 9
Posts: 2771
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Tue Jan 30, 2018 1:55 am

@ rene,
rene wrote: ...
Linus Torvalds/kernel.org's Linux kernel 4.15 has the Retpoline feature for Spectre 2 built in, but not the IBRS/IBPB features, whereas Canonical Inc/Ubuntu (and Red Hat)'s latest patched Linux kernels are adopting the IBRS/IBPB features for Spectre 2 but not Retpoline.
... But Intel's David Woodhouse has stated that Retpoline does not work for SkyLake CPUs.

So, what will likely happen is for both Linus Torvalds/kernel.org and Canonical Inc/Ubuntu to adopt both the Retpoline and IBRS/IBPB features to patch for Spectre 2. If so, LM users will then have the choice of using either one or both features for Spectre 2, e.g. SkyLake users will install the appropriate kernel update and Intel microcode update for the IBRS/IBPB features, while non-Skylake users can opt to install only the kernel update for the Retpoline feature or install both updates for both the Retpoline and IBRS/IBPB features.

Which features will future Intel CPUs build in for Meltdown and Spectre?
_ _ _ _ _ _ _

EDIT & CORRECTION: Looks like kernel.org's Linux kernel 4.15 also supports Intel SkyLake CPUs for Retpoline, as per ... https://www.phoronix.com/scan.php?page= ... Benchmarks (17 Jan 2018 - Benchmarking Retpoline Underflow Protection With Intel Skylake/Kabylake)
... So, Linux users will likely just need to use the Retpoline feature for Spectre 2, ie no need to install any CPU microcode updates for the IBRS/IBPB features that also patch for Spectre 2. If so, Canonical Inc/Ubuntu will have to release new kernel updates to revert the IBRS/IBPB features presently contained in 3.13.141, 4.4.112 and 4.13.32.

What will happen to Windows systems wrt Spectre 2? Does Windows have a similar Retpoline feature in its kernel?
... https://www.crowdstrike.com/blog/chip-f ... -mitigate/ (11 Jan 2018)
Without the microcode update, Google’s software workaround (the retpoline) can be used, but it requires custom compiler support and recompiled binaries which leverage the technique. GCC as well as Clang/LLVM, the major open source compilers, now have support for generating such retpolines, while Windows and Visual Studio are not currently pursuing this approach.

http://www.zdnet.com/article/google-our ... ll-use-it/ (12 Jan 2018)
Google: Our brilliant Spectre fix dodges performance hit, so you should all use it.

Google wants the whole industry to adopt its Retpoline fixes for Variant 2 of the Meltdown-Spectre bugs.
https://www.phoronix.com/scan.php?page= ... ne-Patches (4 Jan 2018 - More Linux Kernel & GCC Patches Come Out In The Wake Of Spectre+Meltdown)
https://www.phoronix.com/scan.php?page= ... -Published (6 Jan 2018 - Retpoline v5 Published For Fending Off Spectre Branch Target Injection)
Last edited by michael louwe on Tue Jan 30, 2018 2:43 pm, edited 2 times in total.

michael louwe
Level 9
Posts: 2771
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Tue Jan 30, 2018 4:09 am

https://insights.ubuntu.com/2018/01/17/ ... -proposed/ (17 Jan 2018)
We are actively investigating Google’s “Retpoline” toolchain-based approach, which requires rebuilding Ubuntu binaries but reduce performance impact of the mitigation.

For your reference, the following links explain how to enable Ubuntu’s Proposed repositories, ...
Seems, for Ubuntu to support Retpoline requires a lot of work.
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown
Support for retpoline is not yet included in any of these kernel updates

thx-1138
Level 6
Posts: 1245
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Tue Jan 30, 2018 8:53 am

...my understanding (I might be wrong though) is that at least until Ubuntu 18.04 there won't likely be widely-deployed apps recompiled with retpoline. The kernel itself - maybe (and hopefully!); the apps themselves, though, I doubt... as even the current Bionic uses GCC 7.2 (and retpoline was backported to 7.3 a few days ago - hence, if 18.04 will have 7.3 instead...)

I don't really follow what MS does, but I don't think they have an equivalent of retpoline. Visual Studio 15.5 added an extra switch, /Qspectre, for variant #1 a few days ago; it's not for variant #2 though... and I have absolutely no idea how they deal with such kernel-wise... But I believe it's pretty safe to assume that (most?) binaries coming down to Windows end-users from here on with the KB alphanumerics will be built with that switch enabled...

michael louwe
Level 9
Posts: 2771
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Wed Jan 31, 2018 3:53 pm

http://www.zdnet.com/article/amd-vs-spe ... -says-ceo/ (31 Jan 2018 - AMD vs Spectre: Our new Zen 2 chips will be protected, says CEO)

xenopeek
Level 24
Posts: 23101
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by xenopeek » Wed Jan 31, 2018 6:49 pm

So looking at hardware fixes:
- Intel's 10nm Cannon-lake processors will be their first to have the hardware fix. Release around end of 2018.
- AMD's 7nm Zen 2 processors will be their first to have the hardware fix. Release in (probably early) 2019.

Safe to assume, AMD's upcoming Zen+ (launch in April) processors will also be unaffected by Meltdown and will have the microcode fix for Spectre variant 1.

Lucap
Level 5
Posts: 913
Joined: Tue May 24, 2016 1:40 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Lucap » Thu Feb 01, 2018 8:57 am

Intel announces new CTO, security manager

https://www.bit-tech.net/news/intel-ann ... manager/1/
Dr. Mayberry will be in charge of steering the technical direction of a company hammered by the Spectre and Meltdown speculative execution vulnerabilities - hands-down the most widespread and serious security flaws in the company's history, and a source of prolonged embarrassment as Intel struggles to patch both the vulnerabilities themselves and the damage to its reputation they have caused.
I wonder if he'll actually do anything other than to turn up to live events to publicly speak on how great Intel is?

Spearmint2
Level 15
Posts: 5734
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Spearmint2 » Thu Feb 01, 2018 10:09 am

Being president then of Intel, maybe he can give us each year a State Of The Processor speech.

sichenia
Level 1
Posts: 28
Joined: Tue Nov 15, 2016 4:25 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by sichenia » Sat Feb 03, 2018 1:56 pm

The new kernel won't work on my machine as explained here
viewtopic.php?f=208&t=261394&p=1425547#p1425547
I hope the newer ones will fix the problem, right now after boot I get a black screen. My friend says it's because now the video options are invoked not by X directly but through the kernel and the kernel can't determine the right specs that my machine needs.
Anyway I'm back to the unpatched kernel and trying to install patched browsers of my liking.
Not a happy camper here.

thx-1138
Level 6
Posts: 1245
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Wed Feb 07, 2018 4:25 am

...it looks like the next Ubuntu kernels will come with retpoline enabled:
https://launchpad.net/~canonical-kernel ... hive-extra

Edit: it also appears that grep . /sys/devices/system/cpu/vulnerabilities/* could now be used on such, as was the case in 4.15.x/4.14.x upstream...

Pjotr
Level 20
Posts: 10960
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pjotr » Wed Feb 07, 2018 5:15 am

thx-1138 wrote: ...it looks like the next Ubuntu kernels will come with retpoline enabled:
https://launchpad.net/~canonical-kernel ... hive-extra

Edit: it also appears that grep . /sys/devices/system/cpu/vulnerabilities/* could now be used on such, as was the case in 4.15.x/4.14.x upstream...
Interesting.... The link concerns the 4.13 kernel series; I'm curious whether this'll also be done for the 4.4 kernel series.

thx-1138
Level 6
Posts: 1245
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Wed Feb 07, 2018 5:39 am

...indeed, my fault, should have posted both...seems that yes, they've been working on it for both 4.4.x & 4.13.x...
https://launchpad.net/~canonical-kernel ... hive-extra
https://launchpad.net/~canonical-kernel ... /+packages

(edit: i don't see the CONFIG_GENERIC_CPU_VULNERABILITIES in 4.4.x changelog yet though, so this verification method doesn't appear to be backported on that version...)
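The sysfs check thx-1138 mentions above (and the CONFIG_GENERIC_CPU_VULNERABILITIES dependency noted in the edit), as an added runnable example that is not code from this thread: it classifies each status file the way a Mint user would read it (retpoline vs. IBRS vs. PTI vs. still vulnerable) and, so it runs offline, builds a constructed sample tree that mimics the kernel's wording; on a live system call report_vulnerabilities with no argument to read the real directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises the status files that
# kernels built with CONFIG_GENERIC_CPU_VULNERABILITIES expose under
# /sys/devices/system/cpu/vulnerabilities/. Sample tree below is constructed.

# Classify one status line. Order matters: a spectre_v2 line such as
# "Mitigation: Full generic retpoline, IBPB, IBRS_FW" is retpoline-based.
classify_mitigation() {
    case "$1" in
        "Not affected"*)             echo "not-affected" ;;
        "Vulnerable"*)               echo "vulnerable" ;;
        "Mitigation:"*[Rr]etpoline*) echo "retpoline" ;;
        "Mitigation:"*IBRS*)         echo "ibrs" ;;
        "Mitigation: PTI"*)          echo "pti" ;;
        "Mitigation:"*)              echo "other-mitigation" ;;
        *)                           echo "unknown" ;;
    esac
}

# Print one line per vulnerability file: name, class, raw kernel text.
report_vulnerabilities() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel lacks CONFIG_GENERIC_CPU_VULNERABILITIES" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%-12s %-17s %s\n' "$(basename "$f")" \
            "$(classify_mitigation "$status")" "$status"
    done
}

# Count entries still reported as Vulnerable (0 means every known issue
# is either mitigated or does not apply to this CPU).
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        if [ "$(classify_mitigation "$(cat "$f")")" = "vulnerable" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample tree: a retpoline kernel on a CPU without new microcode.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_tree)
report_vulnerabilities "$sample"
echo "still vulnerable: $(count_vulnerable "$sample")"
rm -rf "$sample"
```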

Pjotr
Level 20
Posts: 10960
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pjotr » Wed Feb 07, 2018 5:46 am

@thx-1138: thanks! :)

michael louwe
Level 9
Posts: 2771
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Wed Feb 07, 2018 5:50 am

@ thx-1138,
thx-1138 wrote: ...it looks like the next Ubuntu kernels will come with retpoline enabled:
https://launchpad.net/~canonical-kernel ... hive-extra

Edit: it also appears that grep . /sys/devices/system/cpu/vulnerabilities/* could now be used on such, as was the case in 4.15.x/4.14.x upstream...
Looks like the next Linux kernel update from Ubuntu will include the Retpoline patch for Spectre 2, ie kernel update 4.13.33, 4.4.113 and 3.13.142.
... AFAIK, the Retpoline patch in the new kernel updates will also require installed apps/programs and repositories to be recompiled or updated. So, after installing the new kernel updates, eg kernel 4.13.33, certain self/post-installed apps/programs may stop working, especially those installed from 3rd-party PPAs/repositories.

If LM/Ubuntu systems have been patched with Retpoline for Spectre 2, there will be no need for any CPU update/patch, eg no need for an Intel microcode update for Linux or a BIOS firmware update for Windows = no need for the IBRS and IBPB features.

Previously, kernel updates 4.13.32, 4.4.112 and 3.13.141 have the patches for Meltdown(= the KPTI feature), Spectre 2 and Spectre 1. Spectre 2(= the IBRS and IBPB features) requires the CPU to be updated/patched also. Intel's CPU updates/patches proved buggy and were later pulled.
... 32bit systems are only patched for Spectre 1, ie not yet patched for Meltdown and Spectre 2.

neversaynever
Level 1
Posts: 20
Joined: Sat Jan 13, 2018 4:26 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by neversaynever » Wed Feb 07, 2018 11:54 am

michael louwe wrote: @ thx-1138,

Looks like the next Linux kernel update from Ubuntu will include the Retpoline patch for Spectre 2, ie kernel update 4.13.33, 4.4.113 and 3.13.142.
...
Previously, kernel updates 4.13.32, 4.4.112 and 3.13.141 have the patches for Meltdown(= the KPTI feature), Spectre 2 and Spectre 1. Spectre 2(= the IBRS and IBPB features) requires the CPU to be updated/patched also. Intel's CPU updates/patches proved buggy and were later pulled.
... 32bit systems are only patched for Spectre 1, ie not yet patched for Meltdown and Spectre 2.
Hi Michael. I update my LM 18.0 32-bit daily: now I'm on kernel 4.4.0.112-135 generic; but the GitHub control software says that I'm VULNERABLE also to Spectre 1 (with 4.4.0.109 it said NOT VULNERABLE). I'm confused: do you have any idea why?
While waiting for a kernel patched for 32-bit systems, is 4.4.0.113-136 ~retpoline4 (xenial) useful for me? (It is not among the automatic updates, but I saw that it exists also for i386 systems.) Thanks

michael louwe
Level 9
Posts: 2771
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Wed Feb 07, 2018 3:15 pm

@ neversaynever,
neversaynever wrote: ...
I have no idea why the patch for Spectre 1 behaved that way.

About the kernel update for Retpoline, we should wait for confirmation from ... https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

thx-1138
Level 6
Posts: 1245
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Fri Feb 09, 2018 5:35 am

...Corporate blabla... :)

The revision guide has been updated at least...
