Spectre and Meltdown: Next Generation

[Cosmo.]

There was the hope, that we will have after some time the complete fixes for Spectre and Meltdown threads. This hope has ended today.

Security researchers have found 8 new security threats, currently named as Spectre Next Generation. Intel has currently classified 4 of them as high critical. One of them is able to break the borders of the system; this means, that an exploit, running in a virtual machine, can break its border and can affect the host and other virtual machines on this host. This risk will affect all servers, which are running in a cloud as VMs.

At this time the information about Spectre NG is exclusively readable in the German c't Magazin, also online. Don't ask for an English article, currently there doesn't seem to exist any. Most likely we will see a public report by Google's Project Zero for one of the new threats at the beginning of the next week, when their grace time for reporting runs out.

[Moem]

Google-translated version here.
Google translate is nice, but Heise provide a tranlated version of their own article:
EN: Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious
DE: Super-GAU für Intel: Weitere Spectre-Lücken im Anflug

[DAMIEN1307]

hi moem and cosmo...thanks for the heads up on this new spectre issue...should i close out my original thread about spectre and meldown by marking IT as "solved" and let this thread take over from here, or are you going to transfer this thread to that one as a continuation of the ongoing threat?...DAMIEN

[Moem]

Neither, I think... these are new and different vulnerabilities, they 'deserve' their own thread to avoid confusing them with the previous ones. And there is no need to 'close' your thread: the issue is not really solved and people may want to talk about it still.

[DAMIEN1307]

OK thanks moem...sounds logical to me...lol...somehow, i just knew we had not heard anywhere near the end of this story yet...DAMIEN

[Pepi]

All most like a 'Soap' on TV

Is the Intel Atom® affected by these? I've got a few of computers with Intel Atom®.

[DAMIEN1307]

i have a couple computers with intel atom CPUs in the...when i run the following command in the terminal they both come back saying "not effected" or not vulnerable or something to that effect...DAMIEN

grep . /sys/devices/system/cpu/vulnerabilities/*

[absque fenestris]

All most like a 'Soap' on TV

Is the Intel Atom® affected by these? I've got a few of computers with Intel Atom®.

So somehow from January the Intel Atoms® have become very much appreciated...
Maybe I still have to fix the little broken Atom®-HP.

[Cosmo.]

@DAMIEN1307:

Note, that Spectre NG is only a preliminary name; official names have not yet been given. (But the CVE numbers do exist.

Regarding Atom: I did not check, what Google translator makes out of the article. In the original article are no special CPU's named (possibly intentional, as currently no patch is available). Further more the article says, that there are indications (no proofs), that some ARM cpus are also affected. How far also AMD cpus are affected is under investigation.

[rene]

The Atom name has unfortunately been recycled but Intel Atom from before 2013 is an in-order CPU and is as such intrinsically non-vulnerable. Newer Atoms are out-of-order and vulnerable to Meltdown, Spectre and undoubtedly these new variants.

[michael louwe]

Jan 2018 = 1st-generation Spectre(variant1 and v2) CPU bugs.

May 2018 = 2nd-gen Spectre(variant3 and v4.?) CPU bugs.

?.?.? = 3rd-gen Spectre CPU bugs.?

(A play on 6th-gen Intel Skylake and 7th-gen Intel Kabylake CPUs)
_ _ _

Another round of kernel and Intel microcode updates; and performance hits.?

Keep in mind that the CPU bugs may "only" expose your sensitive login and/or financial credentials to hackers.

[Pepi]

All most like a 'Soap' on TV

Is the Intel Atom® affected by these? I've got a few of computers with Intel Atom®.

So somehow from January the Intel Atoms® have become very much appreciated...
Maybe I still have to fix the little broken Atom®-HP.

I've got two Toshiba mini laptops that I upgraded to 2 GIG RAM and SS drives. They were still slow until I installed Peppermint on them ? For some reason it runs very well on these two minis

[Pippin]

English version:
https://www.heise.de/ct/artikel/Exclusi ... 40648.html

[Cosmo.]

?.?.? = 3rd-gen Spectre CPU bugs.?

Likely.
In the article is said, that we can nowadays not more speak about holes. It is merely a kind of Swiss cheese, which is designed to have holes. With the current cpus there is no end of the drama in sight.

[AZgl1800]

Sigh!

Fixing this is going to slow down our computers.

[absque fenestris]

At least as far as the Swiss cheese with the holes is concerned - more precisely it is the Emmentaler:
https://en.wikipedia.org/wiki/Emmental_cheese

and with all these other holes, the term open society always comes to mind

[DAMIEN1307]

dont be so glum about speed AZgl1500...all is not so dire...you may remember when i posted the first problems with this little nasty...

viewtopic.php?f=58&t=260764&start=80#p1409735...

on page 5, i gave a "summary" that was applicable at that time of the mitigations i used to mitigate the first problems of spectre/meltdown at that time...there was zero slowdown, not just for me but all systems here in alamogrodo nm (71 of them) that i had converted to linux systems of various flavours at that time until the kernel and microcode updates finally filtered down to us...was i panicky?...i really was considering i convinced these people that linux was superior to anything that microsoft could offer...but microsoft didnt cause this problem...the chip designers did in their quest for faster processors and of course bigger sales and market share...and yep...its true that especially the microcodes, had to be done manually from a .deb repository i use from the oregon state university, but i never posted them to the linux mint forums until i tried and proved them out first...i will do the same again as well...i always try everything on my own computers first and if they fail on me...oh well...reinstall and try again...if i fail, it effects me first with any luck and no one else...but the kicker is that not one of these systems i worked on reported ANY problems or slowdowns whatsoever...remember that the media loves to hype up the crap that happens and always makes it sound like the "end of life as we know it" scenario...its usually never quite as bad as the hype the media uses to cause panic...as the "brits" always say..."keep calm and carry on"...thats what the spirit of the linux mint forum is all about here...we are all here to help out each other and i think we are all committed to doing our level best to assist everyone here, be it newbees or old timers...we are all in this cesspool together that has been created by the big corporations shortsightedness that allowed these things to happen in the first place...lol...so tell me, how does it feel to be just like the rest of us in "the sea of the unwashed masses ?" or as i like to joke about it..."we are all mushrooms...always kept in the dark, and being fed on BS"...lol

[AZgl1800]

Now that you mention that, I do recall your work on that project.

I used to live in Hobbs, NM for a couple years, then moved to Cedar Crest, NM for 10 years.... that is on Hwy 14 on the east side of Sandia Crest ( ABQ )

loved that country.... but jobs moved me 21 times over 40 years.

[DAMIEN1307]

hi AZgl1500...im originally from south boston...(southie)...think the movie "the departed" by the way..."alex" (lead singer) (im shipping up to boston) music soundtrack from the movie" https://www.youtube.com/watch?v=x-64CaD8GXw from the "drop kick murphys" is a friend of mine and is still alive and well living in portsmouth nh...the only thing you could hope for in life coming out of "southie was either being a priest, cop , politician, or "whitey bulger", the head of the "winterhill gang, aka, the irish mafia...his brother..."billy" bulger was massacusetts state senator and senate president of the commonwealth of massachusetts...and i decided to be WHAT...the police constable of the commonwealth of massachusetts...what the hell was i thinking...lol,,,and people still wonder why i resigned from being "the police constable of the commonwealth"...lol...
...i retired here 7 yrs ago after surviving the heart attack and 6...yep...6 tia strokes...before moving to alamooghetto...lol...my last 20 years before being here was spent in new hampshire about a mile from the maine border working for valvoline oil corp. as their "customer service manager" and being transported across the atlantic seaboard and mid-atlantic regions doing troublshooting of their VIOC locations...you can imagine my kennedy-esque boston style accent melded with the new hampshire/maine downeast accent being melded together...lol......that was after being the "police constable" for the commonwealth of massachusetts for many years culminating with me resigning back in 1989...and here i thought "police work" was stressful...lol...there was much more stress working for "corporate america" (now you all may know why i RAIL so much against adverts, spying, privacy issues, just wanting to use the internet and just be left alone etc)...i moved here after being "forcefully retired due to my heart/health issues." at the age of 55...im now 63...thats because with "social security"...(the name itself is a farce)...could no longer allow me to any longer afford to live there...it costs me a third of the amount to live here in alamogordo nm then the cost of staying in new hampshire, so the choice was obvious after i did the demographics of my situation...you probably remember on television, station, KOB...HOBBS new mexico...based out of Albuquerque NM...lol...i always told everyone that when i retired, that i refuse to move no further south than Nome Alaska...my friends back in new england always call me and say "hey robb...hows the weather in Nome...lol...i do admit that in the winter here, its great to still just wear a t-shirt...but in the summer...dont tell me "but its a dry heat"...im suffering...lol...so where are you situated now these days?...DAMIEN

[DAMIEN1307]

hi AZgl1500...as promised...im working on this new issue regarding "Spectre NG"...i DO NOT RECOMMEND TO DO THIS AS IM ONLY INTO 1 HOUR OF TESTING...this is why im not creating a link to download this microcode at this time...better i suffer the problems first if they exist on my i5 sandybridge experimental system...there is a new microcode in the repositories im using to test out this "new" issue of what cosmo calls a "swiss cheese" aspect of new issues regarding "Spectre NG" meaning New Generation...aka...not the real name yet but is what is being used right now...im testing, testing, and testing...im sure its only a short term mitigation...just to be clear...this "issue" to my knowledge has only been published in the german press...not world wide as of yet...be also aware that a microcode update does not become a "fix for multiple problems invovling the chipset"

the new microcode im using is...intel-microcode 3.20180425.1 amd64 Processor microcode firmware for Intel CPU

first...damien1@damien1 ~ $ dpkg -l | grep microcode
ii intel-microcode 3.20180425.1 amd64 Processor microcode firmware for Intel CPUs
ii iucode-tool 1.5.1-1ubuntu0.1 amd64 Intel processor microcode tool

second...damien1@damien1 ~ $ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched"
CONFIG_PAGE_TABLE_ISOLATION=y
patched

third...damien1@damien1 ~ $ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW

this is my results thus far...this is the best i can provide so far with only 1 hour of testing...so far so good...nothing has borked as of yet...DAMIEN