Speculative Execution Flaw


Post by Xan » 2018-01-03 20:14

Hi everyone,

I believe the following to be true:
* An upcoming security workaround to the kernel will soon cause major performance slowdowns (at least for some workloads).
* This slowdown is mitigated (at least to some extent) by the PCID feature, which has been included in Intel chips for quite some time now (check /proc/cpuinfo).
* The Linux kernel only began supporting PCID in 2017, meaning that even the latest Debian stable kernel does not take advantage of it.

Given these facts, is there any way for the PCID feature to be backported to stable (Stretch) along with the security fix? Ideally this would apply to oldstable (Jessie) and oldoldstable (Wheezy) as well.

Re: Speculative Execution Flaw

Post by bw123 » 2018-01-03 21:35

Xan wrote: I believe the following to be true:


Why do you believe any of that?

http://www.zdnet.com/article/security-f ... ulnerable/
One example of a worst-case scenario is a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory.


jeez is that a weaselly description of a worst-case critical security flaw or what?

scared me scared me scared me

Re: Speculative Execution Flaw

Post by Xan » 2018-01-03 21:46

https://www.phoronix.com/scan.php?page= ... 6pti&num=1
https://www.phoronix.com/scan.php?page= ... 6pti&num=1

My workload is a read-heavy high-contention database on a fast NVMe drive, so I expect results similar to the "pgbench" test, which is about a 25% slowdown.

I'm taking the first link's word about PCID support: 'But with lots of the Linux kernel PCID "Process Context Identifiers" support being merged just in 2017, the older LTS kernel back-ports are expected to be slower with not having PCID support for avoiding TLB flushes on context switches.'

Are you saying you don't think these things are true? Can you tell me which are not? I certainly hope you're right!

Re: Speculative Execution Flaw

Post by bw123 » 2018-01-03 21:51

Xan wrote: Are you saying you don't think these things are true? Can you tell me which are not? I certainly hope you're right!


No I am not saying anything is true or false, except I believe that clicks make money on the internet for a lot of people. Some people like to jump on any old bandwagon that comes along, throwing in their 'facts' and adding to the hysteria. It's all very exciting, but after about the 5,000th "critical security flaw" it gets b-o-r-i-n-g


https://en.wikipedia.org/wiki/Goodtimes_virus

Re: Speculative Execution Flaw

Post by Xan » 2018-01-03 22:02

Okay. Well please let somebody who knows something get a word in.

Re: Speculative Execution Flaw

Post by Wheelerof4te » 2018-01-03 22:19

I have read a lot about this today and it's not that easy to explain. Simplest explanation would be that there is a hardware flaw in Intel chips that allows some malicious code exploit inside the kernel memory space, compromising everything that is cached there.
The fix works in such a way that it diverts the input meant for the kernel memory to a dummy-like process. Then it switches back to the real task, thus the performance loss.

Re: Speculative Execution Flaw

Post by Xan » 2018-01-04 00:02

The embargo has been lifted: Meltdown and Spectre.

https://spectreattack.com/

Re: Speculative Execution Flaw

Post by stevepusser » 2018-01-04 00:58

The KAISER patches for Meltdown are supposed to also be in 4.14.10, which was incorporated in the Liquorix kernel 4.14-13...thus one could test my backports of those for slowdowns: https://techpatterns.com/forums/about2615.html

Gonna try that as soon as I build a MX version. Note that you will need stretch-backports versions of most out-of-tree drivers, like Nvidia, if you want to build them on 4.14. I don't think that Debian backported them to jessie, but I have some in that same Liquorix backports repo.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: GIMP 2.10.6, Pale Moon 28.0.1, wine-staging 3.15, qBittorrent 4.1.2, Linux kernel 4.18.6, virtualbox 5.2.18

Re: Speculative Execution Flaw

Post by stevepusser » 2018-01-04 21:15

Turned out that Liquorix isn't enabling KPTI. Turned that on and rebuilt the amd64 4.14-11 kernel with it enabled. Now I get

Code:
$ sudo grep isolation /var/log/messages
Jan  4 13:30:56 mx1 kernel: Kernel/User page tables isolation: enabled


So far, kernel is running OK. Public builds are finishing up in my OBS repo.

Edit: Got a two-line patch from Arch that disables KPTI automatically for AMD processors, which are not supposed to be vulnerable. Will try adding that and rebuilding the OBS versions.

Edit 2: Liquorix already has the Arch patch for the AMD, unless it was mainlined in the 4.4.11 update.
