Meltdown and Spectre patches

If it doesn't relate to Debian, but you still want to share it, please do it here

Re: Meltdown and Spectre patches

Postby n_hologram » 2018-01-06 19:22

stevepusser wrote:Since the majority opinion is leaning toward that AMD processors aren't exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.

https://www.phoronix.com/scan.php?page= ... le-x86-PTI
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
n_hologram
 
Posts: 281
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-06 19:25

stevepusser wrote:the majority opinion is leaning toward that AMD processors aren't exploitable

CVEs 2017-57{15,53} ("Spectre") still affect _all_ processor types that don't begin with S* and the KPTI patch provides only _partial_ protection for CVE-2017-5754 ("Meltdown").

AMD assures us that its processors are not susceptible to CVE-2017-5754 but they would say that, wouldn't they? :mrgreen:
"To be free is nothing, to become free is everything." — Hegel
Head_on_a_Stick
 
Posts: 7005
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Postby bw123 » 2018-01-06 19:52

Head_on_a_Stick wrote:
stevepusser wrote:the majority opinion is leaning toward that AMD processors aren't exploitable

CVEs 2017-57{15,53} ("Spectre") still affect _all_ processor types that don't begin with S* and the KPTI patch provides only _partial_ protection for CVE-2017-5754 ("Meltdown").

AMD assures us that its processors are not susceptible to CVE-2017-5754 but they would say that, wouldn't they? :mrgreen:


I read another blurb somewhere or other that some of the atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...
bw123
 
Posts: 2625
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Postby bester69 » 2018-01-06 21:10

Head_on_a_Stick wrote:
bester69 wrote:Reading that, as a regular user I wouldn't care very much about those holes

That is a very ignorant statement: if the KPTI patch is not applied to your system then an accidentally-opened browser pop-up tab could let an attacker read every keystroke that you make, as well as any passwords stored in your keyring.

See https://misc0110.net/web/files/keystroke_js.pdf for a practical example.

Then, I guess, there will be thousands of victims in the world before me. I will be pending just in case there is some news about hundreds of users being stolen because of Meltdown and Spectre, so I put myself in a hurry and decide to patch. This sounds like the 2000 effect to me. As for regular users it's all an exaggeration; regular home users don't receive strange visitors in the night since 2005 or so for Windows (around Win7 kernel) and ever for linux in real life. It's all about common sense.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
bester69
 
Posts: 1034
Joined: 2015-04-02 13:15

Re: Meltdown and Spectre patches

Postby dilberts_left_nut » 2018-01-06 21:40

@bester69
This is a technical thread about this issue - not about whether you feel it's necessary or not.
Please refrain from any further OT comments.
AdrianTM wrote:There's no hacker in my grandma...
dilberts_left_nut
 
Posts: 4744
Joined: 2009-10-05 07:54
Location: enzed

Re: Meltdown and Spectre patches

Postby Lysander » 2018-01-07 13:22

bw123 wrote:I read another blurb somewhere or other that some of the atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...


I'd be interested to know as well. My netbook runs an Atom, I just updated the kernel in Slackware from 4.4.14 to 4.4.88 - though apparently it needs to be at least 4.4.109. It would be good if it doesn't affect Atoms, since they can take a while to do things.

http://news.softpedia.com/news/linux-ke ... 9215.shtml

Haven't done anything to my Debian box yet though. I've never upgraded the kernel before. Should I do so to 4.9.75?
Last edited by Lysander on 2018-01-07 14:02, edited 1 time in total.
Lysander
 
Posts: 406
Joined: 2017-02-23 10:07
Location: London

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-07 13:35

Lysander wrote:Haven't done anything to my Debian box yet though

Debian stable has the KPTI patch that (mostly) protects against Meltdown, now that 4.9.75 has been released upstream it shouldn't be long before oldstable gets the fix applied; not sure about poor old wheezy though.
"To be free is nothing, to become free is everything." — Hegel
Head_on_a_Stick
 
Posts: 7005
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Postby bw123 » 2018-01-07 14:00

stevepusser wrote:Since the majority opinion is leaning toward that AMD processors aren't exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.


After a little more research, and reading the changelog I figured out that kpti is auto by default,
and on my amd sempron it is not enabled, I checked like this:

Code:
# dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: disabled


but it *IS* enabled for the notebook with the atom N450, and the dd copy test is about 25-30% slower. Can't tell any difference in actual usage though, machine works like it always has.
bw123
 
Posts: 2625
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Postby rinatik » 2018-01-07 14:14

Head_on_a_Stick wrote:
Lysander wrote:Haven't done anything to my Debian box yet though

Debian stable has the KPTI patch that (mostly) protects against Meltdown, now that 4.9.75 has been released upstream it shouldn't be long before oldstable gets the fix applied; not sure about poor old wheezy though.


New stable i386 kernel 4.9.65-3+deb9u2 has no kpti footprints. Does anybody know why?
rinatik
 
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-07 14:26

rinatik wrote:New stable i386 kernel 4.9.65-3+deb9u2 has no kpti footprints

I'm not sure what you mean by this, exactly.

Can we please see the output of:
Code:
grep TABLE_ISOLATION /boot/config-$(uname -r)

A patched kernel will report:
Code:
CONFIG_PAGE_TABLE_ISOLATION=y
"To be free is nothing, to become free is everything." — Hegel
Head_on_a_Stick
 
Posts: 7005
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Postby acewiza » 2018-01-07 14:30

dilberts_left_nut wrote:This is a technical thread about this issue - not about whether you feel it's necessary or not.

Is everyone on this forum working for an enterprise operation or cloud service provider? Because if not, "technically" this is a low-risk, local, read-only exploit that has not yet even been seen in the wild. My passwords, credit card numbers and personal information are still much safer on my own systems than they are spread across who knows how many vendors, doctors, insurance companies, etc, etc, regardless.

What's all the fuss about?
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.
acewiza
 
Posts: 296
Joined: 2013-05-28 12:38
Location: Out West

Re: Meltdown and Spectre patches

Postby rinatik » 2018-01-07 14:31

Head_on_a_Stick wrote:
rinatik wrote:New stable i386 kernel 4.9.65-3+deb9u2 has no kpti footprints

I'm not sure what you mean by this, exactly.

Can we please see the output of:
Code:
grep TABLE_ISOLATION /boot/config-$(uname -r)

A patched kernel will report:
Code:
CONFIG_PAGE_TABLE_ISOLATION=y

pls provide uname -a as well. thnx.
rinatik
 
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

Postby bw123 » 2018-01-07 14:41

acewiza wrote:What's all the fuss about?


I've been asking myself the same. I mean this has been known and kept hidden since the middle of last year, if not earlier. I assume the lawyers and hotshots and corporations and public relations firms all had their act together, but it was revealed somehow. Now they are scrambling to assure people that everything is okay...
bw123
 
Posts: 2625
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Postby Head_on_a_Stick » 2018-01-07 14:45

acewiza wrote:"technically" this is a low-risk, local, read-only exploit

Yes but javascript executed by your browser is "local", isn't it?

Please refer to the paper to which I linked for @bester69 for a technical explanation.

This is why Chrom{e,ium} & Firefox have rushed out updates.
"To be free is nothing, to become free is everything." — Hegel
Head_on_a_Stick
 
Posts: 7005
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Postby rinatik » 2018-01-07 15:01

Head_on_a_Stick wrote:
rinatik wrote:New stable i386 kernel 4.9.65-3+deb9u2 has no kpti footprints

I'm not sure what you mean by this, exactly.

Can we please see the output of:
Code:
grep TABLE_ISOLATION /boot/config-$(uname -r)

A patched kernel will report:
Code:
CONFIG_PAGE_TABLE_ISOLATION=y


There are none of those flags on my i686 debian 4.9.65-3+deb9u2;
this is what was meant.
rinatik
 
Posts: 7
Joined: 2018-01-06 16:43
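
The two checks posted in this thread answer different questions: the grep on /boot/config-* shows whether page table isolation was compiled into the kernel, while the dmesg line shows whether it was switched on at boot for this CPU. The script below is an added example, not written by any poster in the thread, that combines them into one verdict; the function name kpti_state, the state labels and the sample files are assumptions made for illustration, and the "enabled" sample line is constructed by analogy with the "disabled" line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): combine the build-time and boot-time checks.
# Usage: kpti_state CONFIG_FILE DMESG_FILE
# Prints: not-built | built-enabled | built-disabled | built-unknown
kpti_state() {
    config_file=$1
    dmesg_file=$2

    # Build time: the option must be "=y". A missing line, or
    # "# CONFIG_PAGE_TABLE_ISOLATION is not set", means it is compiled out.
    if ! grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$config_file" 2>/dev/null; then
        echo not-built
        return 0
    fi

    # Boot time: the kernel logs whether isolation is active on this CPU;
    # take the most recent such line from the saved dmesg output.
    line=$(grep 'page tables isolation:' "$dmesg_file" 2>/dev/null | tail -n 1)
    case $line in
        *isolation:*disabled*) echo built-disabled ;;
        *isolation:*enabled*)  echo built-enabled ;;
        *)                     echo built-unknown ;;  # boot message no longer in the log
    esac
}

# Constructed sample inputs (hypothetical files, not captured from a real machine).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n' > "$tmp/config.patched"
printf 'CONFIG_X86_32=y\n' > "$tmp/config.nopti"
printf '[    0.000000] Kernel/User page tables isolation: disabled\n' > "$tmp/dmesg.off"
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$tmp/dmesg.on"
printf '[   12.345678] unrelated line\n' > "$tmp/dmesg.rotated"

for d in off on rotated; do
    echo "patched config, dmesg.$d: $(kpti_state "$tmp/config.patched" "$tmp/dmesg.$d")"
done
echo "config without the option: $(kpti_state "$tmp/config.nopti" "$tmp/dmesg.on")"

# Live system (run as root if dmesg is restricted):
#   dmesg > /tmp/dmesg.txt && kpti_state "/boot/config-$(uname -r)" /tmp/dmesg.txt
```

A result of not-built means no boot flag can turn the protection on; built-disabled means the patched kernel is installed but isolation is not active on that boot.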
