ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Chat about just about anything else
User avatar
michael louwe
Level 8
Level 8
Posts: 2014
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Fri Feb 09, 2018 5:20 pm

@ neversaynever, .......
neversaynever wrote:...
.
About Spectre 1 being pulled, please refer to ... https://lists.ubuntu.com/archives/kerne ... 89971.html = to implement the Retpoline feature for Spectre 2 in a new kernel, the Spectre 1 patch has to be pulled, modified and later re-released.

User avatar
michael louwe
Level 8
Level 8
Posts: 2014
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Mon Feb 12, 2018 1:54 pm

According to this link ... http://www.zdnet.com/article/linux-melt ... ests-show/ (12 Feb 2018 - Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show. ... The performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.),
the Meltdown/KPTI patch's performance hit can be reduced by using the mainline/upstream kernel 4.14 which has PCID support for the relevant Intel CPUs, ie 4th-gen Haswell Core or newer.

Presently, afaik, only Ubuntu 17.10 has the kernel 4.15 available for install. Affected LM users can install the mainline/upstream kernel 4.14 directly from kernel.org or with the Ukuu program = do so at your own risk.
... Later, when Canonical Inc make this PCID-supported kernel 4.14 available downstream for LM/Ubuntu, the above LM users should change from the mainline kernel to the Ubuntu kernel = better compatibility and support.

LM 19.0 LTS, coming in May 2018, should have Ubuntu kernel 4.14 available for install.

smurphos
Level 4
Level 4
Posts: 482
Joined: Fri Sep 05, 2014 12:18 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos » Tue Feb 13, 2018 2:46 am

michael louwe wrote:
Mon Feb 12, 2018 1:54 pm
Ubuntu backported PCID support along with PTI to their patched 4.4 and 4.13 kernels

http://changelogs.ubuntu.com/changelogs ... /changelog

Mint 19 should have a 4.15 kernel as base as 4.15 is Ubuntu's target for their next LTS kernel and should be the base in Bionic 18.4

User avatar
michael louwe
Level 8
Level 8
Posts: 2014
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe » Tue Feb 13, 2018 3:17 am

@ smurphos, .......
smurphos wrote:...
.
Thank you for the correction and update on LM 19.0.

User avatar
thx-1138
Level 5
Level 5
Posts: 616
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Thu Feb 15, 2018 5:56 am


rene
Level 7
Level 7
Posts: 1636
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Thu Feb 15, 2018 6:09 am

Note, still timing based, and as such as effectively mitigated through current browsers/JavaScript engines denying high-resolution timer access to "active content" as the original exploits are: those of us not in the habit of explicitly downloading and running exploits may remain unconcerned.

User avatar
thx-1138
Level 5
Level 5
Posts: 616
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Fri Feb 16, 2018 11:57 am

https://www.youtube.com/watch?v=hqIavX_SCWc
Presentation from one of the researchers who discovered Spectre in the first place...

rene
Level 7
Level 7
Posts: 1636
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Fri Feb 16, 2018 2:26 pm

thx-1138 wrote:
Fri Feb 16, 2018 11:57 am
Presentation from one of the researchers who discovered Spectre in the first place...
... whom in the context of my reply one up makes the point that by simply repeating the timing-based inferral for a given memory location enough times you can get past any timer resolution limit that's been set; that as such disallowing access to high-resolution timers is not a fundamental or even necessarily practically effective solution. Hadn't noticed but that's obviously true. Personally I still postpone running around screaming but, well, yes, certainly that point means the issue's not fully removed from the "malicious active content" context simply by using current browsers.

User avatar
thx-1138
Level 5
Level 5
Posts: 616
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 » Fri Feb 16, 2018 2:57 pm

...i stumbled upon this article of his earlier today, and almost purely by coincidence to his video presentation on youtube above...
Was actually surprised it had so few views (then again, when i looked at his cv, i thought, ok, probably not the type of guy that would need 'exposure' via social media to get work etc...)

I'm still not much worried myself about Spectre & Meltdown (but maybe that's due to my rather limited technical understanding - blissed is the ignorant, lol!) - after the...''shock doctrine" of the first 2-3 days, it became obvious that more than 99.9% of the cases will be covered & in a timely manner...
More curious how this will be played out eventually (eg. i found it quite funny in a certain sense that they are now digging to find more exploits related to such...seems to me that researchers will go all the way down the rabbit hole eventually, especially since Intel also came up with an official bug bounty...)

DAMIEN1307
Level 4
Level 4
Posts: 463
Joined: Tue Feb 21, 2017 8:13 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 » Fri Feb 16, 2018 3:17 pm

i have a feeling that the "rabbit hole" is a lot deeper and expansive than they first thought it would be...or willing to admit to at this time...DAMIEN

rene
Level 7
Level 7
Posts: 1636
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Fri Feb 16, 2018 4:01 pm

thx-1138 wrote:
Fri Feb 16, 2018 2:57 pm
I'm still not much worried myself about Spectre & Meltdown
Nor should anyone. Meltdown is first of all fully solved by KPTI: if you are running a current kernel (or have an AMD processor) you are not affected by Meltdown.

By Spectre you are in theory but the actually important part of that is as far as I'm aware as fully solved by either retpoline or CPU microcode updates (both of which may still need to make it down to you) in the sense of restoring full privilege separation of user- and kernel addressspace. What fundamentally remains concerns multiple untrusted VM situations and the like: very applicable to hosting providers but not so much to you or me.

This, moreover, is while Spectre exploits are quite involved to begin with; proof of concept code is out there but as far as I know no actual exploits or even attempts at exploit have been observed in the wild. If they were they, moremoreover, would be unlikely to target Linux rather than Windows. And certainly given that, moremoremoreover, getting an exploit delivered to you on Linux is itself quite involved: full-blown Linux malware is for all intents and purposes non-existent and while not solved as per above, current browser vigilance mitigates dynamic content worries.

"Friends don't let friends do Facebook" or whichever other primary source of malicious content is popular among 14 year olds this month but other than that I'd advise anyone here to not worry about any of it.

User avatar
Arch_Enemy
Level 5
Level 5
Posts: 978
Joined: Tue Apr 26, 2016 3:28 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Arch_Enemy » Fri Feb 16, 2018 8:08 pm

rene wrote:
Fri Feb 16, 2018 4:01 pm
thx-1138 wrote:
Fri Feb 16, 2018 2:57 pm
I'm still not much worried myself about Spectre & Meltdown
Nor should anyone. Meltdown is first of all fully solved by KPTI: if you are running a current kernel (or have an AMD processor) you are not affected by Meltdown.

By Spectre you are in theory but the actually important part of that is as far as I'm aware as fully solved by either retpoline or CPU microcode updates (both of which may still need to make it down to you) in the sense of restoring full privilege separation of user- and kernel addressspace. What fundamentally remains concerns multiple untrusted VM situations and the like: very applicable to hosting providers but not so much to you or me.

This, moreover, is while Spectre exploits are quite involved to begin with; proof of concept code is out there but as far as I know no actual exploits or even attempts at exploit have been observed in the wild. If they were they, moremoreover, would be unlikely to target Linux rather than Windows. And certainly given that, moremoremoreover, getting an exploit delivered to you on Linux is itself quite involved: full-blown Linux malware is for all intents and purposes non-existent and while not solved as per above, current browser vigilance mitigates dynamic content worries.

"Friends don't let friends do Facebook" or whichever other primary source of malicious content is popular among 14 year olds this month but other than that I'd advise anyone here to not worry about any of it.
Actually, the 14-28 year old segment (I thought Facebook had a 14 year old limitation... :cry: ) is abandoning FaceBook in droves.
I have travelled 35629424162.9 miles in my lifetime

One thing I would suggest, create a partition a ~28G partition as /. Partition the rest as /Home.
When the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.

smurphos
Level 4
Level 4
Posts: 482
Joined: Fri Sep 05, 2014 12:18 am

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos » Wed Feb 21, 2018 11:58 pm

And we have gone full reptoline at least in kernel space....

Code: Select all

Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 42 stepping 7 ucode 0x29)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

DAMIEN1307
Level 4
Level 4
Posts: 463
Joined: Tue Feb 21, 2017 8:13 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 » Thu Feb 22, 2018 5:11 am

can i now assume that this is now over???...heres what i get with the new kernel...DAMIEN

damien@DAMIEN ~ $ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline
damien@DAMIEN ~ $

User avatar
catweazel
Level 13
Level 13
Posts: 4847
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by catweazel » Thu Feb 22, 2018 5:25 am

DAMIEN1307 wrote:
Thu Feb 22, 2018 5:11 am
can i now assume that this is now over???
I hope not. It's grown into a monster thread.
A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it. - Max Planck

DAMIEN1307
Level 4
Level 4
Posts: 463
Joined: Tue Feb 21, 2017 8:13 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by DAMIEN1307 » Thu Feb 22, 2018 5:33 am

hi catweazel...when i started this thread, i had no idea what a pandoras' little box of horrors this was going to be...WOW...DAMIEN

neversaynever
Level 1
Level 1
Posts: 19
Joined: Sat Jan 13, 2018 4:26 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by neversaynever » Thu Feb 22, 2018 1:10 pm

@ michael louwe,.....
michael louwe wrote:
Wed Feb 07, 2018 5:50 am

... 32bit systems are only patched for Spectre 1, ie not yet patched for Meltdown and Spectre 2.
michael louwe wrote:
Fri Feb 09, 2018 5:20 pm
@ neversaynever, .......

About Spectre 1 being pulled, please refer to ... https://lists.ubuntu.com/archives/kerne ... 89971.html = to implement the Retpoline feature for Spectre 2 in a new kernel, the Spectre 1 patch has to be pulled, modified and later re-released.
Hi Michael. Today I've found this: http://news.softpedia.com/news/canonica ... 9909.shtml
" Feb 22, 2018 11:46 GMT · By Marius Nestor - Canonical released on Wednesday new kernel updates for all of its supported Ubuntu Linux releases to address several security issues, as well as to provide compiler-based Retpoline kernel mitigation for Spectre Variant 2 on the amd64 and i386 architectures. ......

All users are urged to update their installations to the linux-image 4.13.0.36.38 on Ubuntu 17.10, linux-image 4.4.0-116.140 on Ubuntu 16.04 LTS, linux-image 4.13.0-36.40~16.04.1 on Ubuntu 16.04.3 LTS with Artful HWE kernel, linux-image 4.4.0-116.140~14.04.1 on Ubuntu 14.04.5 LTS with Xenial HWE kernel, and linux-image 3.2.0.133.148 on Ubuntu 12.04 ESM".

I installed on my LM 18.0 32-bit the 4.4.0-116.140 kernel and and I have the intel microcode version 3.20180108.0+really20170707ubuntu16.0401 enabled.
Now the test for Spectre/Meltdown is:
Spectre v.1: NOT VULNERABLE (Mitigation: observable speculation barrier, Intel v6) (GOOD!)
Spectree v.2: NOT VULNERABLE (Mitigation: full generic retpoline) (GOOD!)
Meltdown: VULNERABLE (PTI is needed to mitigate the vulnerability) (PROBLEM)

Is there something else I can do to enable PTI and mitigate Meltdown on my 32-bit installation or do I have to wait for a new kernel update?

rene
Level 7
Level 7
Posts: 1636
Joined: Sun Mar 27, 2016 6:58 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by rene » Thu Feb 22, 2018 3:39 pm

neversaynever wrote:
Thu Feb 22, 2018 1:10 pm
Is there something else I can do to enable PTI and mitigate Meltdown on my 32-bit installation or do I have to wait for a new kernel update?
You'll have to wait; KPTI(-equivalent) has not been released into the wild for 32-bit yet. Won't take very long at this point: https://lkml.org/lkml/2018/2/9/98.

neversaynever
Level 1
Level 1
Posts: 19
Joined: Sat Jan 13, 2018 4:26 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by neversaynever » Fri Feb 23, 2018 7:39 am

rene wrote:
Thu Feb 22, 2018 3:39 pm
neversaynever wrote:
Thu Feb 22, 2018 1:10 pm
Is there something else I can do to enable PTI and mitigate Meltdown on my 32-bit installation or do I have to wait for a new kernel update?
You'll have to wait; KPTI(-equivalent) has not been released into the wild for 32-bit yet. Won't take very long at this point: https://lkml.org/lkml/2018/2/9/98.
Thankyou very much rene. So it seems I have some hope ...

Harfud
Level 1
Level 1
Posts: 30
Joined: Tue Dec 05, 2017 3:38 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Harfud » Wed Feb 28, 2018 5:39 am

This looks like an Intel plan as to which CPUs are going to receive updated microcode and when, dated 26th Feb so it's very recent...

https://newsroom.intel.com/wp-content/u ... idance.pdf

Post Reply

Return to “Open chat”