Meltdown and Spectre patches


Re: Meltdown and Spectre patches

Postby Seventh » 2018-01-10 13:31

Zenwalk Linux is claiming Firefox has "fixed" Spectre and Meltdown timing attacks for Linux with Firefox 58?

https://zenwalkgnulinux.blogspot.com.au/

Re: Meltdown and Spectre patches

Postby steve_v » 2018-01-10 14:20

Seventh wrote: Zenwalk Linux is claiming Firefox has "fixed" Spectre and Meltdown timing attacks for Linux with Firefox 58
Reduced the accuracy of the timers available to JavaScript, like Chrome has. A rather dirty workaround, not a fix.
You can't really "fix" CPU side-channel attacks in software, and there are plenty of other ways to generate a fast enough tick for cache timing analysis.
If one is concerned about a browser drive-by, disable JavaScript.

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-11 12:42

I've been using this for a long time (Head_on_a_Stick gave a good contribution, thanks to him, here): ad blocking with /etc/hosts (I guess it can help against ad JavaScript)
viewtopic.php?f=16&t=129202

It updates very often; all these people contribute (I just hope they don't go bad eventually :shock: )
# Bill Allison, Harj Basi, Lance Russhing, Marshall Drew-Brook,
# Leigh Brasington, Scott Terbush, Cary Newfeldt, Kaye, Jeff
# Scrivener, Mark Hudson, Matt Bells, T. Kim Nguyen, Lino Demasi,
# Marcelo Volmaro, Troy Martin, Donald Kerns, B.Patten-Walsh,
# bobeangi, Chris Maniscalco, George Gilbert, Kim Nilsson, zeromus,
# Robert Petty, Rob Morrison, Clive Smith, Cecilia Varni, OleKing
# Cole, William Jones, Brian Small, Raj Tailor, Richard Heritage,
# Alan Harrison, Ordorica, Crimson, Joseph Cianci, sirapacz,
# Dvixen, Matthew Craig, Tobias Hessem, Kevin F. Quinn, Thomas
# Corthals, Chris McBee, Jaime A. Guerra, Anders Josefson,
# Simon Manderson, Spectre Ghost, Darren Tay, Dallas Eschenauer, Cecilia
# Varni, Adam P. Cole, George Lefkaditis, grzesiek, Adam Howard, Mike
# Bizon, Samuel P. Mallare, Leinweber, Walter Novak, Stephen Genus,
# Zube, Johny Provoost, Peter Grafton, Johann Burkard, Magus, Ron Karner,
# Fredrik Dahlman, Michele Cybula, Bernard Conlu, Riku B, Twillers,
# Shaika-Dzari, Vartkes Goetcherian, Michael McCown, Garth, Richard Nairn,
# Exzar Reed, Robert Gauthier, Floyd Wilder, Mark Drissel, Kenny Lyons,
# Paul Dunne, Tirath Pannu, Mike Lambert, Dan Kolcun, Daniel Aleksandersen,
# Chris Heegard, Miles Golding, Daniel Bisca, Frederic Begou, Charles
# Fordyce, Mark Lehrer, Sebastien Nadeau-Jean, Russell Gordon, Alexey
# Gopachenko, Stirling Pearson, Alan Segal, Bobin Joseph, Chris Wall, Sean
# Flesch, Brent Getz, Jerry Cain, Brian Micek, Lee Hancock, Kay Thiele,
# Kwan Ting Chan, Wladimir Labeikovsky, Lino Demasi, Bowie Bailey, Andreas
# Marschall, Michael Tompkins, Michael O'Donnell, José Lucas Teixeira
# de Oliveira, M. Ömer Gölgeli, and Anthony Gelibert for helping to build
# the hosts file.
# Russell O'Connor for OS/2 information
# kwadronaut for Windows 7 and Vista information
# John Mueller and Lawrence H Smith for Mac Pre-OSX information
# Jesse Baird for the Cisco IOS script

http://someonewhocares.org/hosts/zero/
# Last updated: Wed, 03 Jan 2018 at 18:00:26 GMT

Re: Meltdown and Spectre patches

Postby debiman » 2018-01-11 19:06

nhologram wrote:Thanks for the info; good to know jessie/686 isn't left astray ^^
Were you able to check it against the spectre-meltdown-checker that steve shared?

I did now.
$ dmesg | grep isolation
$ grep TABLE_ISOLATION /boot/config-$(uname -r)
$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) i686

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

As I said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32-bit Intel processor?
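Added example, not code from the thread and not part of spectre-meltdown-checker: the two checks debiman runs by hand (dmesg | grep isolation, grep TABLE_ISOLATION /boot/config-...) turned into a small POSIX shell script. Each check is a function taking a file path, so the same logic runs against captured files from another box as well as against the live system, and the verdict defaults to "vulnerable": compiled-in PTI that the kernel did not actually activate (booted with nopti, for instance) is still reported as unprotected. The config symbol CONFIG_PAGE_TABLE_ISOLATION and the "Kernel/User page tables isolation: enabled/disabled" wording are the upstream 4.15 ones; a distribution backport may word its log line differently, which is why the functions return "unknown"/"absent" rather than guessing. The sample config and dmesg files are constructed for the example; the "absent" case is what a kernel that never received the option, like the 686-pae kernels in the thread, looks like.

```shell
#!/bin/sh
# Added example (not from the thread or from spectre-meltdown-checker).
# Decide whether a kernel has Page Table Isolation (the Meltdown mitigation)
# compiled in and active, from the two inputs the thread itself inspects.

# 1. Kernel config. CONFIG_PAGE_TABLE_ISOLATION=y means PTI is compiled in.
#    Prints: yes | no (option present but switched off) | absent (option not
#    known to this kernel at all, i.e. it never got the patch).
pti_in_config() {
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1"; then
        echo yes
    elif grep -q '^# CONFIG_PAGE_TABLE_ISOLATION is not set' "$1"; then
        echo no
    else
        echo absent
    fi
}

# 2. Kernel log. A PTI-capable kernel reports at boot whether it activated the
#    mitigation; "disabled" appears when nopti/pti=off was passed or the CPU was
#    judged not affected. Compiled in but inactive is still vulnerable, which is
#    why the config check alone is not enough.
pti_in_dmesg() {
    if grep -qi 'page tables isolation: enabled' "$1"; then
        echo enabled
    elif grep -qi 'page tables isolation: disabled' "$1"; then
        echo disabled
    else
        echo unknown
    fi
}

# 3. Verdict. Only compiled in AND reported active counts as mitigated.
meltdown_verdict() {
    c=$(pti_in_config "$1")
    d=$(pti_in_dmesg "$2")
    if [ "$c" = yes ] && [ "$d" = enabled ]; then
        echo mitigated
    elif [ "$c" = absent ]; then
        echo "vulnerable (kernel has no PTI support)"
    else
        echo "vulnerable (PTI present but not active: config=$c dmesg=$d)"
    fi
}

# --- constructed sample inputs (not real captures) -------------------------
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Resembles the 32-bit PAE kernels in the thread: no PTI option at all.
cat > "$SAMPLES/config-686" <<'EOF'
CONFIG_X86_32=y
CONFIG_X86_PAE=y
EOF
printf '[    0.000000] Linux version 3.16.0-5-686-pae (sample)\n' > "$SAMPLES/dmesg-686"

# Resembles a patched 64-bit kernel with PTI built in and active.
cat > "$SAMPLES/config-amd64" <<'EOF'
CONFIG_X86_64=y
CONFIG_PAGE_TABLE_ISOLATION=y
EOF
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$SAMPLES/dmesg-amd64"

# Same 64-bit kernel booted with nopti: built in, but protecting nothing.
printf '[    0.000000] Kernel/User page tables isolation: disabled on command line.\n' > "$SAMPLES/dmesg-nopti"

echo "686 sample:   $(meltdown_verdict "$SAMPLES/config-686"   "$SAMPLES/dmesg-686")"
echo "amd64 sample: $(meltdown_verdict "$SAMPLES/config-amd64" "$SAMPLES/dmesg-amd64")"
echo "nopti sample: $(meltdown_verdict "$SAMPLES/config-amd64" "$SAMPLES/dmesg-nopti")"

# Live system, when the files are readable (dmesg may need root).
if [ -r "/boot/config-$(uname -r)" ] && dmesg > "$SAMPLES/dmesg-live" 2>/dev/null; then
    echo "this host:    $(meltdown_verdict "/boot/config-$(uname -r)" "$SAMPLES/dmesg-live")"
fi
```

On the 686-pae kernel from the post above this reports "vulnerable (kernel has no PTI support)", which is the same conclusion spectre-meltdown-checker reaches, but it also separates "no support" from "support present, not active", a distinction that matters once 32-bit patches do land and someone boots them with nopti.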

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-11 19:36

debiman wrote: As I said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32-bit Intel processor?

This is exactly the crux of the 32-bit issue: no one knows. I'm going to email the patch developer later and ask what's going on.

Re: Meltdown and Spectre patches

Postby debiman » 2018-01-13 07:58

n_hologram wrote:This is exactly the crux of the 32-bit issue: no one knows. I'm going to email the patch developer later and ask what's going on.

Thank you, I'd be delighted if you could report back.

__________________________________________________________
(identical post on bunsenlabs forums)

I spent half an hour searching the web for references to Meltdown, its fix for Linux, and 32-bit architecture.
There's very little hard info, and not much opinion either.
Here's what I think is the situation:
  • Meltdown affects all Intel CPUs since 1995 - that must include 32-bit architecture => 32-bit computers are vulnerable.
  • The kernel fix applies to 64-bit architectures only.
  • It is unclear whether a (different) fix for 32-bit is possible, whether someone's working on it or even considering it a priority.
  • In addition to the 3.16.0-5-686-pae kernel, I tried Linux 4.9.0-0.bpo.5-686-pae #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) i686 & reran the spectre-meltdown-checker, with identical results: all 3 vulnerabilities are not fixed.
links:
https://security-tracker.debian.org/tra ... -2017-5754
https://github.com/speed47/spectre-melt ... /issues/58
https://www.neowin.net/news/ubuntu-will ... anuary-9th
https://security.stackexchange.com/ques ... -platforms

Of course all this still doesn't address the Spectre vulnerability...


Edit: fixed kernel version for 3.16 - I did try the patched version.
Last edited by debiman on 2018-01-14 09:38, edited 2 times in total.

Re: Meltdown and Spectre patches

Postby Thorny » 2018-01-13 09:58

debiman wrote: in addition to the 3.16.0-4-686-pae kernel, ...

I don't know if it is what you want or not but

Package linux-image-3.16.0-5-686-pae
jessie (oldstable) (kernel): Linux 3.16 for modern PCs
3.16.51-3+deb8u1 [security]: i386
and
Package: linux-image-4.9.0-3-686-pae (4.9.30-2+deb9u5) [security]

indicate a security fix and are newer than what was mentioned.

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-13 15:06

Thorny wrote: I don't know if it is what you want or not but ...

Unfortunately, it isn't. I've already tried the updated 686 kernels against spectre-meltdown-checker.sh, and they are vulnerable to Meltdown. The points mentioned in the updated original post should clarify more details. Semi-related: someone mentioned (can't remember where, tbh) that the patched pre-4.14.11 patches use an older version of KPTI, so their results in practice may be nebulous.

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-13 22:14

The patch developer confirmed that x86 (32-bit) is still vulnerable. Spread the word, boys and girls:
> Hi,
> I'm writing to you because I noticed your involvement with the KPTI/KAISER
> patches. Across several varieties of linux distributions, users have
> noticed that kpti is impossible to enable because it depends on x86_64.
> Many of us are concerned that we are running 32-bit systems that are
> still vulnerable to meltdown; we are also concerned because it's a
> handful of users who have brought this to light, and major news and
> information from our distros are keeping silent on the topic. We are all
> wondering if you could shed some light: in particular, is x86 vulnerable?


Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.

Sorry that I can't tell you better news.

Thanks,

Thomas

Re: Meltdown and Spectre patches

Postby stevepusser » 2018-01-13 23:20

The latest intel-microcode from Buster adds a bit of Spectre mitigation to the script output for my i5-6200u.

There's also a newer amd64-microcode that adds some mitigation for AMD Ryzen, but that requires some of the latest kernel versions that aren't in Debian yet. Liquorix-4.14-13.1 supports the Ryzen microcode, and I'm looking into adding the patch to the MX 4.14.12 kernel backport.

Re: Meltdown and Spectre patches

Postby debiman » 2018-01-14 09:42

Thorny wrote:I don't know if it is what you want or not but

Sorry, that was a typo.
I did try with the patched version ...-5.
Fixed post.

n_hologram wrote: The patch developer confirmed that x86 (32-bit) is still vulnerable. Spread the word, boys and girls: ...

Thank you, n_hologram, and thank you, Thomas (*) for answering, and a big THANK YOU to the unsung heroes that are working on these patches!!!

(*) n_hologram, any more info on who this is and where you got that answer?


____________________________________________________________


I am calmer now, since it seems that, by
a) NOT using virtualisation
b) NOT executing any external code (JavaScript etc.)
I'm fairly safe on my 32-bit server.

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-14 14:43

stevepusser wrote:The latest intel-microcode from Buster adds a bit of Spectre mitigation

Theo just posted this on the OpenBSD mailing lists:
Also, Intel is saying their new microcodes sucks and people should
wait a little.

"Hi, my name is Intel and I'm a cheating speculator".

https://marc.info/?l=openbsd-tech&m=151588857304763&w=2

I am quite certain that there will be a concerted effort by Intel and all the vested commercial interests behind the various "big" operating systems (Linux, Windows & OS X) to rubber stamp any "fixes" (ie, software patches designed to overcome a fundamental design flaw in the underlying hardware) and convince the public that everything is OK.

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-14 15:46

...And here we go:

http://lists.alpinelinux.org/alpine-devel/6022.html

^According to the Alpine Linux developers, the backported fix (as used by Debian stable) is based on the flawed KAISER patch rather than KPTI and it doesn't really work.

Oh dear.

Re: Meltdown and Spectre patches

Postby acewiza » 2018-01-14 16:00

Head_on_a_Stick wrote:I am quite certain that there will be a concerted effort by Intel and all the vested commercial interests behind the various "big" operating systems (Linux, Windows & OS X) to rubber stamp any "fixes" (ie, software patches designed to overcome a fundamental design flaw in the underlying hardware) and convince the public that everything is OK.

This is, along with my previous response(s), why I am taking a wait-and-see approach on this one. No point rushing into this low-risk vulnerability in a blind tizzy. It's just the beginning...

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-14 16:58

stevepusser wrote:The latest intel-microcode from Buster adds a bit of Spectre mitigation to the script output for my i5-6200u.

There's also a newer amd64-microcode that adds some mitigation for AMD Ryzen, but that requires some of the latest kernel versions that aren't in Debian yet. Liquorix-4.14-13.1 supports the Ryzen microcode, and I'm looking into adding the patch to the MX 4.14.12 kernel backport.


OK, I will install the Buster microcode in Stretch if it isn't such a performance downgrade like the kernel patch.
Do you know roughly how much of a downgrade the latest Intel microcode might bring?