Meltdown and Spectre patches

Off-Topic discussions about science, technology, and non Debian specific topics.
Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#76 Post by Wheelerof4te »

Head_on_a_Stick wrote:...And here we go:

http://lists.alpinelinux.org/alpine-devel/6022.html

^According to the Alpine Linux developers, the backported fix (as used by Debian stable) is based on the flawed KAISER patch rather than KTPI and it doesn't really work.

Oh dear.
Oh, thank God I've switched to a corporate-backed OS.
Viva La Microsoft!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#77 Post by Head_on_a_Stick »

Wheelerof4te wrote:Oh, thank God I've switched to a corporate-backed OS.
Viva La Microsoft!
^ Is this a joke?

At least with the open source operating systems we can see exactly what goes into the patches and can thus evaluate them independently.

With proprietary operating systems the users must trust in the ability of the developers to write a bug-free software abstraction layer with no peer review at all beyond the corporate environment.

It is my understanding that MS have sacked their entire testing department and now instead rely on the Microsoft Insiders Program to garner feedback from paying users... :lol:
deadbang

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#78 Post by Wheelerof4te »

^It's not a joke. MS has a lot to lose from this, and at least concerning Meltdown and Spectre, the patches have to work. But then again, so does Red Hat, and Novell. Canonical is already doing business in the red zone, so they bided their time.
OTOH, Red Hat and SUSE had patches ready almost instantly.
So yeah, if you need an OS for your PC, choose ones that have something to lose when things go south.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#79 Post by Head_on_a_Stick »

Wheelerof4te wrote:Red Hat and SUSE had patches ready almost instantly
Not really, Intel have known about the problem since June 2017 and made the commercial operating systems aware of it (under a non-disclosure agreement, of course) back in October 2017.

Has Microsoft fixed Spectre yet? *innocent look*

Link: https://www.theregister.co.uk/2018/01/0 ... _problems/

EDIT: all I can say is that you are very trusting, and some would even say gullible.
deadbang

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#80 Post by bw123 »

Head_on_a_Stick wrote:...And here we go:

http://lists.alpinelinux.org/alpine-devel/6022.html

^According to the Alpine Linux developers, the backported fix (as used by Debian stable) is based on the flawed KAISER patch rather than KTPI and it doesn't really work.

Oh dear.
I did not read that the same way, the link says it has "reliability" issues, not that it "does not work" against meltdown?

The reference link says this:
At least some versions of "KAISER", on meltdown-affected hardware, expose the kernel stack to userspace.
please fight the FUD and misinformation.
resigned by AI ChatGPT

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#81 Post by Head_on_a_Stick »

bw123 wrote:please fight the FUD and misinformation
Well for me "works" means "corrects the hardware defect" and the KAISER patch clearly does not do that to the same extent as the KTPI patch.

This is the reason why Alpine Linux (a security-orientated distribution) have decided to switch their stock kernel to the non-LTS version that uses the genuine KTPI patch — they do not consider that the KAISER patch (as used for the LTS kernels) offers the same level of vulnerability mitigation as the KTPI patch and I agree with them.
deadbang

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#82 Post by Wheelerof4te »

You are quoting me about RH and SUSE, and post an article about MS and some patch that made some machines unusable. I said they had patches almost instantly when they became public...certainly waaay before Debian.
So what if Intel contacted only commercial distros? Isn't that the point I'm making about using corporate OSes? Intel had something to lose if it didn't. It does not have anything to lose when compared to, say, Debian.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#83 Post by bw123 »

bw123 wrote:please fight the FUD and misinformation
...the KAISER patch clearly does not do that to the same extent as the KTPI patch.
Okay without any references that statement is hard to evaluate.

I also don't see any references for this statement that was made:
the backported fix (as used by Debian stable) is based on the flawed KAISER patch
A lot of code is based on flawed code, but where is the proof that the patch in debian specifically "doesn't really work" ?
resigned by AI ChatGPT

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#84 Post by Head_on_a_Stick »

Wheelerof4te wrote:So what if Intel contacted only commercial distros?
If Intel and all of the commercial operating systems have been lying to their users since June last year what on Earth makes you think they will stop now?

You are very naïve.
deadbang

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#85 Post by Head_on_a_Stick »

bw123 wrote:where is the proof that the patch in debian specifically "doesn't really work" ?
The Hacker News thread linked in the mailing list post:
amiuto wrote:Contrary to its marketing, KAISER does not effectively mitigate the old kASLR leaks. PTI very nearly does, and I intend to improve it further once I find some time to do so. I doubt those improvements will get backported to pre-4.14 kernels.
Also:
If you can put pressure on your organization or suppliers to update to 4.14 or better, please do so.
https://news.ycombinator.com/item?id=16087736

I have already suggested that BunsenLabs moves to the Liquorix kernel instead to gain access to the genuine KTPI patch.
deadbang

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#86 Post by bw123 »

Head_on_a_Stick wrote:
bw123 wrote:where is the proof that the patch in debian specifically "doesn't really work" ?
The Hacker News thread linked in the mailing list post:
amiuto wrote:Contrary to its marketing, KAISER does not effectively mitigate the old kASLR leaks. PTI very nearly does, and I intend to improve it further once I find some time to do so. I doubt those improvements will get backported to pre-4.14 kernels.
Also:
If you can put pressure on your organization or suppliers to update to 4.14 or better, please do so.
https://news.ycombinator.com/item?id=16087736

I have already suggested that BunsenLabs moves to the Liquorix kernel instead to gain access to the genuine KTPI patch.
You get on here, and make claims about debian Based on one post from a user handle on "Hacker News" okay well, that sounds pretty rush to judgement to believe them over debian kernel developers, but it's your distro.

and I am pretty sure it kpti not KTPI isn't it? Page table Isolation is the thing...

I bet a lot of distros and os vendors and even hardware makers are going to be using fud and misinformation to push their agendas. That really has nothing to do with debian though, so why spread mis-info this way?
Last edited by bw123 on 2018-01-14 19:33, edited 1 time in total.
resigned by AI ChatGPT

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#87 Post by Wheelerof4te »

Head_on_a_Stick wrote:
Wheelerof4te wrote:So what if Intel contacted only commercial distros?
If Intel and all of the commercial operating systems have been lying to their users since June last year what on Earth makes you think they will stop now?

You are very naïve.
So you think they should have announced this MAJOR security flaw for all to see, when there isn't even a fix ready? People have been working on a fix since and only came forward when ready. At least they would have, if someone hasn't leaked the info. You are the one who is very ignorant and naive.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#88 Post by Head_on_a_Stick »

bw123 wrote:You get on here, and make claims about debian Based on one post from a user handle on "Hacker News"
I was posting here because of the notification on the Alpine Linux mailing lists that they have decided to switch kernel version.

Alpine Linux clearly believe this is serious enough to warrant such an action and I would tend to agree with them.
and I am pretty sure it kpti not KTPI isn't it? Page table Isolation is the thing...
Damn it, yes it is.

Dyslexia is embarrassing sometimes, sorry about that :oops:

EDIT: no, I'm right because the kernel parameter to disable it is notpi so it must be called the Kernel Table Page Isolation patch (I think).
deadbang

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#89 Post by bw123 »

Head_on_a_Stick wrote:
bw123 wrote:You get on here, and make claims about debian Based on one post from a user handle on "Hacker News"
I was posting here because of the notification on the Alpine Linux mailing lists that they have decided to switch kernel version.
Well, if you can get me proof the kaiser patches don't work "on debian" I will file the bug, "on debian" for you.
no, I'm right because the kernel parameter to disable it is notpi so it must be called the Kernel Table Page Isolation patch (I think).
According to the changelog "on debian" they added a "nokaiser" switch, I have no idea what you are using for documentation, "on debian."
resigned by AI ChatGPT

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#90 Post by Head_on_a_Stick »

bw123 wrote:According to the changelog "on debian" they added a "nokaiser" switch
Do you have a source for this please?

So Debian stable is using the old, abandoned KAISER patch but Debian sid is using the KTPI[1] patch?

[1] That's definitely it, you were right: https://github.com/torvalds/linux/blob/ ... .txt#L3309
deadbang

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#91 Post by bw123 »

Head_on_a_Stick wrote:
bw123 wrote:According to the changelog "on debian" they added a "nokaiser" switch
Do you have a source for this please?
There is a changelog in /usr/share/doc/linux-image* for every kernel installed, are you even using debian anymore? Your posts in the past have been really excellent, but lately you seem a little off balance with regard to debian.
resigned by AI ChatGPT
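Added example (not part of any post in this thread, and not Debian's or the kernel project's code): a shell check for the question argued above, namely whether a running kernel reports the KAISER backport or KPTI and whether a switch such as `nokaiser` turned it off. The `pti`/`kaiser` CPU flag names, the `nopti` and `pti=off` switches and the sysfs `meltdown` file are assumptions drawn from general kernel knowledge, not from the thread.

```shell
#!/bin/sh
# Added example: classify a kernel's Meltdown page-table-isolation state.
# Assumptions (not from the thread): flag names "pti"/"kaiser" in /proc/cpuinfo,
# the nopti and pti=off switches, and the sysfs "meltdown" file.

# classify_pti CMDLINE CPUFLAGS SYSFS_TEXT -> prints one state word
classify_pti() {
    cmdline=$1 flags=$2 sysfs=$3

    # An active mitigation shows up as a CPU flag; the name tells the variants apart.
    case " $flags " in
        *" pti "*)    echo "kpti";   return 0 ;;
        *" kaiser "*) echo "kaiser"; return 0 ;;
    esac

    # CPUs the kernel considers unaffected need no isolation at all.
    case $sysfs in
        "Not affected"*) echo "not-affected"; return 0 ;;
    esac

    # No flag: look for a switch that turned the mitigation off at boot.
    for arg in $cmdline; do
        case $arg in
            nopti|pti=off|nokaiser) echo "disabled:$arg"; return 0 ;;
        esac
    done

    # sysfs may still report a mitigation without naming the implementation.
    case $sysfs in
        "Mitigation:"*) echo "mitigated-unidentified" ;;
        *)              echo "unmitigated-or-unknown" ;;
    esac
}

# Gather the three inputs from the running system; missing files yield "".
check_running_kernel() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    flags=$(sed -n 's/^flags[[:space:]]*: //p' /proc/cpuinfo 2>/dev/null | head -n 1)
    sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    classify_pti "$cmdline" "$flags" "$sysfs"
}

check_running_kernel
```

A result of `disabled:...` or `unmitigated-or-unknown` on an affected CPU is the case worth following up in the kernel package changelog.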

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#92 Post by Head_on_a_Stick »

bw123 wrote:are you even using debian anymore?
I haven't used Debian myself for several years, I prefer less complicated operating systems :)

I do maintain the family laptop though and that's always run Debian stable, I did enable unattended-upgrades once stretch rolled out and I hardly ever touch the box these days. It's wonderful :D
deadbang

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#93 Post by stevepusser »

Hmmm...just did a rebuild of the backported MX 17 4.14.12-2 kernels overnight on generic Stretch pbuilders to add the Ryzen amd64-microcode patch and have the headers pull in libelf-dev, which is still not fixed in Sid. Headaches: some report the Spectre-mitigated 384.111 Nvidia driver just added to stretch-backports won't build on that kernel, but I was able to do so and use it on my Optimus laptop. They had no issue with the Liquorix kernel, though. That kernel isn't in stretch-backports, though.

If that's true about older kernels, are standard Jessie users up the creek with all 32-bit users now?
MX Linux packager and developer

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#94 Post by Head_on_a_Stick »

stevepusser wrote:If that's true about older kernels, are standard Jessie users up the creek with all 32-bit users now?
Well, I wouldn't say that 32-bit users were "up the creek" because the patch developer has committed to work on it, albeit without a timeframe.

Also, the KAISER fix appears to have been used for all kernels not of the 4.14-series so that would mean stretch, jessie and wheezy.

The KAISER patch was originally designed as a strengthened form of KASLR[1] that incorporated more of Grsecurity's work but it does not offer the same level of protection as KPTI, so again I think "up the creek" is perhaps putting it a little strongly.

[1] https://gruss.cc/files/kaiser.pdf
deadbang

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#95 Post by Wheelerof4te »

https://skyfallattack.com/
Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.
:lol:
