Meltdown and Spectre patches

If it doesn't relate to Debian, but you still want to share it, please do it here

Re: Meltdown and Spectre patches

Post by n_hologram » 2018-01-07 15:30

https://lkml.org/lkml/2017/12/4/709
Subject [patch 00/60] x86/kpti: Kernel Page Table Isolation (was KAISER)
This series is a major overhaul of the KAISER patches:

1) Entry code

Mostly the same, except for a handful of fixlets and delta
improvements folded into the corresponding patches

New: Map TSS read only into the user space visible mapping

This is 64bit only, as 32bit needs the TSS mapped RW

Does this support bw123's finding from earlier -- that kpti isn't available for 686? Based on the comment above, it looks like 686 needs only TSS mapped RW. I have no idea how to verify, though.

acewiza wrote: What's all the fuss about?

EDITED: Okay, I had my coffee and realize that my last comment was itself getting off-topic. Opinions really aren't helpful to the original post, and I thought it was obvious from the first post. Maybe a separate thread would be helpful.
Last edited by n_hologram on 2018-01-07 16:20, edited 2 times in total.
bester69 wrote: There is nothing to install in Linux; from time to time I go to Google searching for something fresh to install in Linux, but there is nothing

the crunkbong project: scripts, operating system, the list goes on...
n_hologram
Posts: 435
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

Post by bw123 » 2018-01-07 15:36

n_hologram wrote:
This is 64bit only, as 32bit needs the TSS mapped RW

Does this support bw123's finding from earlier -- that kpti isn't available for 686? Based on the comment above, it looks like 686 needs only TSS mapped RW. I have no idea how to verify, though.


No, I was unclear, I guess. I am testing/using Debian's 4.9.0-5-amd64 kernel on two CPUs, an AMD Sempron and an Atom N450. The kernel boots by default with KPTI disabled for the Sempron, enabled for the Atom.

I have not tested any 686 kernels.
bw123
Posts: 3389
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Post by Wheelerof4te » 2018-01-07 15:42

Real slowdown will come after firmware and BIOS updates:
https://imgur.com/a/zYRap

Horrific. RIP servers on Intel CPUs.
Also, better save those HDDs:
https://www.youtube.com/watch?v=JbhKUjPRk5Q
Wheelerof4te
Posts: 1134
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

Post by acewiza » 2018-01-07 20:53

Head_on_a_Stick wrote:
acewiza wrote: "technically" this is a low-risk, local, read-only exploit

Yes but javascript executed by your browser is "local", isn't it?

Only as it relates to my right index finger. Sorry, I tend to overlook the large body of users who gleefully click any link that crosses their desktop.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.
acewiza
Posts: 358
Joined: 2013-05-28 12:38
Location: Out West

Re: Meltdown and Spectre patches

Post by bw123 » 2018-01-07 21:04

n_hologram wrote: EDITED: Okay, I had my coffee and realize that my last comment was itself getting off-topic. Opinions really aren't helpful to the original post, and I thought it was obvious from the first post. Maybe a separate thread would be helpful.


Uh, don't look now, but this whole thread is in "off-topic". I thought you knew; you started it?
acewiza wrote: I tend to overlook the large body of users who gleefully click any link that crosses their desktop.


Yeah, and with all the publicity and the "experts" who wrote about this, I didn't see one with the common sense to warn people to turn off or filter javascript.
bw123
Posts: 3389
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Post by Head_on_a_Stick » 2018-01-07 21:20

bw123 wrote: I didn't see one with the common sense to warn people to turn off or filter javascript.

Erm, firefox-esr cannot be used as an attack vector[1] (unlike the non-ESR >v57.0.4) and so users of Debian stable can leave their javascript enabled with impunity.

[1] Ref: https://www.mozilla.org/en-US/security/ ... sa2018-01/
Mozilla wrote: SharedArrayBuffer is already disabled in Firefox 52 ESR.
Head_on_a_Stick
Posts: 8002
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Post by Head_on_a_Stick » 2018-01-07 21:24

Also, the jessie-backports kernel now has the KPTI patch, so oldstable users can change to that until the stock version is fixed.
Head_on_a_Stick
Posts: 8002
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Post by bw123 » 2018-01-07 21:42

Head_on_a_Stick wrote:...users of Debian stable can leave their javascript enabled with impunity.


That is like saying I know how to swim so I can't die in a car wreck. Being protected on one browser from one attack does not make unrestricted javascript a good idea.

There are many links about the subject, so I'm confused that you haven't heard about it.

https://panopticlick.eff.org/about
https://www.gnu.org/philosophy/javascript-trap.html

If javascript isn't the attack vector then what is?
Last edited by bw123 on 2018-01-07 21:47, edited 1 time in total.
bw123
Posts: 3389
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Meltdown and Spectre patches

Post by Head_on_a_Stick » 2018-01-07 21:44

^ To clarify: my statement was made strictly in respect of the Meltdown vulnerability, as per the forum topic.
Head_on_a_Stick
Posts: 8002
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Meltdown and Spectre patches

Post by rinatik » 2018-01-07 22:07

rinatik wrote:
Head_on_a_Stick wrote:
Lysander wrote: Haven't done anything to my Debian box yet though

Debian stable has the KPTI patch that (mostly) protects against Meltdown; now that 4.9.75 has been released upstream, it shouldn't be long before oldstable gets the fix applied. Not sure about poor old wheezy, though.


The new stable i386 kernel 4.9.65-3+deb9u2 doesn't have any kpti footprints. Does anybody know why?


bump .. (
rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

Post by stevepusser » 2018-01-07 22:22


The new stable i386 kernel 4.9.65-3+deb9u2 doesn't have any kpti footprints. Does anybody know why?

bump .. (


...footprints? You mean on your particular systems? What is your install and hardware? (hint: inxi -F)
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Kdenlive 18.08.1, Pale Moon 28.1.0, wine-staging 3.17, qBittorrent 4.1.3, Liquorix kernel 4.18-13, Audacity 2.3.0
stevepusser
Posts: 9994
Joined: 2009-10-06 05:53

Re: Meltdown and Spectre patches

Post by rinatik » 2018-01-07 23:33

stevepusser wrote:

The new stable i386 kernel 4.9.65-3+deb9u2 doesn't have any kpti footprints. Does anybody know why?

bump .. (


...footprints? You mean on your particular systems? What is your install and hardware? (hint: inxi -F)


I mean the i686 kernel has no kpti patch at all.

WHY?
rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

Post by stevepusser » 2018-01-08 00:05

rinatik wrote:
stevepusser wrote:

The new stable i386 kernel 4.9.65-3+deb9u2 doesn't have any kpti footprints. Does anybody know why?

bump .. (


...footprints? You mean on your particular systems? What is your install and hardware? (hint: inxi -F)


I mean the i686 kernel has no kpti patch at all.

WHY?


Sounds like a JOB FOR GOOGLEMAN.

BTW, Pale Moon says their timer is "fuzzy" enough to be immune to those timer-based SPECTRE attacks.
stevepusser
Posts: 9994
Joined: 2009-10-06 05:53

Re: Meltdown and Spectre patches

Post by stevepusser » 2018-01-08 01:47

Backported the 4.14.12 upstream kernel, but it leaves out an important dependency in the headers: https://bugs.debian.org/cgi-bin/bugrepo ... bug=886474

That also affects broadcom-sta-dkms and ndiswrapper builds. :( The kernel was a pain to backport already and takes a looong time to build, what with extra realtime versions and 550 MB -dbg packages for each kernel variant. :? :( :( Will make some other metapackage pull in libelf-dev until the bug gets fixed.
stevepusser
Posts: 9994
Joined: 2009-10-06 05:53

Re: Meltdown and Spectre patches

Post by n_hologram » 2018-01-08 02:19

@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64, and is auto-disabled if one is not building a 64-bit kernel (i.e., if your kernel is 32-bit). Based on this, to be completely honest, I have no idea whether this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" in /proc/cpuinfo (not that it indicates much), but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.

EDIT: From the link I shared above:
In standard kernels, the strings "Kernel/User page tables isolation: enabled" or "Kernel/User page tables isolation: force enabled on command line" in the dmesg output mean that the kernel is performing kernel page table isolation. The latter message additionally means that the kernel thinks page-table isolation is not required for this CPU.
In some vendor-patched kernels (mainly RedHat and derivatives): a nonzero value in /sys/kernel/debug/x86/pti_enabled. The absence of this file does not mean anything, however: the standard kernel does not provide it.

It would appear, then, that dmesg is one's best bet for confirming the presence of KPTI. Nonetheless, I feel like I'm misinterpreting something.
EDIT 2: I'm investigating this page, but I'm on the move and won't be able to read it in-depth until later.
Last edited by n_hologram on 2018-01-08 19:37, edited 3 times in total.
n_hologram
Posts: 435
Joined: 2013-06-16 00:10
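
The checks n_hologram collects in the post above (the two dmesg strings, the cpu_insecure flag in /proc/cpuinfo, the RedHat-style debugfs file whose absence means nothing) and bw123's comparison of a Sempron and an Atom N450 earlier in the thread, written up as an added example. This is not code from the thread, from Debian or from the kernel tree; the function names and the sample dmesg and cpuinfo lines are my own constructions, while the message strings and the flag name are the ones quoted in the thread. The script classifies saved text so the logic can be tested offline, and a --live switch runs the same functions against the running system. As n_hologram notes, PAGE_TABLE_ISOLATION depended on X86_64 in these kernels, so on a 686 kernel the script will simply report not-reported; it cannot show a mitigation that is not there.

```shell
#!/bin/sh
# Added example for this thread (not any poster's, Debian's or the kernel's code):
# apply the KPTI checks described in the thread to text, so the same logic can
# be run on saved output or, with --live, on this machine.
#
# Assumptions (labelled): the function names and every sample line below are
# constructed; only the message strings and the cpu_insecure flag come from the thread.

# --- constructed sample input, not real captures ------------------------------
SAMPLE_DMESG_ENABLED='[    0.000000] Linux version 4.9.0-5-amd64 (debian-kernel@lists.debian.org)
[    0.000000] Kernel/User page tables isolation: enabled
[    0.010000] Memory: 1990908K/2096000K available'

SAMPLE_DMESG_FORCED='[    0.000000] Linux version 4.9.0-5-amd64 (debian-kernel@lists.debian.org)
[    0.000000] Kernel/User page tables isolation: force enabled on command line.'

SAMPLE_DMESG_NONE='[    0.000000] Linux version 4.9.0-4-amd64 (debian-kernel@lists.debian.org)
[    0.010000] Memory: 1990908K/2096000K available'

# "bugs" lines modelled on the two machines bw123 describes: an AMD Sempron
# (not flagged) and an Intel Atom N450 (flagged cpu_insecure).
SAMPLE_CPUINFO_SEMPRON='processor   : 0
vendor_id   : AuthenticAMD
model name  : AMD Sempron (constructed sample)
bugs        : fxsave_leak sysret_ss_attrs'

SAMPLE_CPUINFO_ATOM='processor   : 0
vendor_id   : GenuineIntel
model name  : Intel Atom N450 (constructed sample)
bugs        : cpu_insecure'

# Classify the KPTI line in kernel-log text ($1). Prints exactly one word:
#   force-enabled  "force enabled on command line": isolation is on although the
#                  kernel thinks this CPU does not need it
#   enabled        the kernel is isolating page tables
#   not-reported   neither message present; by itself this proves nothing (the
#                  line may have scrolled out of the ring buffer, or the kernel
#                  may predate the patch, e.g. a 32-bit build of this era)
kpti_status_from_dmesg() {
    if printf '%s\n' "$1" | grep -qF 'Kernel/User page tables isolation: force enabled on command line'; then
        echo force-enabled
    elif printf '%s\n' "$1" | grep -qF 'Kernel/User page tables isolation: enabled'; then
        echo enabled
    else
        echo not-reported
    fi
}

# Report whether the "bugs" line of /proc/cpuinfo text ($1) lists cpu_insecure,
# the flag the kernels of this era set on CPUs they treat as affected. Matching
# the whole word avoids false hits on other flags. Prints yes or no.
cpu_insecure_from_cpuinfo() {
    if printf '%s\n' "$1" | grep -E '^bugs[[:space:]]*:' \
            | grep -qE '(^|[[:space:]])cpu_insecure([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Run the same checks against this machine. Reading the kernel log may need
# root (kernel.dmesg_restrict), hence the fallback to an empty log.
check_live() {
    log=$(dmesg 2>/dev/null || true)
    echo "dmesg   : $(kpti_status_from_dmesg "$log")"
    echo "cpuinfo : cpu_insecure=$(cpu_insecure_from_cpuinfo "$(cat /proc/cpuinfo)")"
    # Vendor-patched kernels (RedHat and derivatives) may expose this file;
    # as the thread notes, its absence on a standard kernel means nothing.
    if [ -r /sys/kernel/debug/x86/pti_enabled ]; then
        echo "debugfs : pti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled)"
    fi
}

# Demo on the constructed samples; pass --live to query the running system.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    echo "sample enabled : $(kpti_status_from_dmesg "$SAMPLE_DMESG_ENABLED")"
    echo "sample forced  : $(kpti_status_from_dmesg "$SAMPLE_DMESG_FORCED")"
    echo "sample none    : $(kpti_status_from_dmesg "$SAMPLE_DMESG_NONE")"
    echo "sempron        : cpu_insecure=$(cpu_insecure_from_cpuinfo "$SAMPLE_CPUINFO_SEMPRON")"
    echo "atom n450      : cpu_insecure=$(cpu_insecure_from_cpuinfo "$SAMPLE_CPUINFO_ATOM")"
fi
```

Run it as `sh kpti-check.sh` to see the sample classifications, or `sudo sh kpti-check.sh --live` on a Debian box to apply them to the real log and cpuinfo. A not-reported result on a live system should be read the way the thread reads the missing debugfs file: as no evidence either way, not as proof that the mitigation is absent.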
