Speculative Execution Flaw

Linux Kernel, Network, and Services configuration.
Xan
Posts: 14
Joined: 2006-05-05 00:06

Speculative Execution Flaw

#1 Post by Xan »

Hi everyone,

I believe the following to be true:
* An upcoming security workaround to the kernel will soon cause major performance slowdowns (at least for some workloads).
* This slowdown is mitigated (at least to some extent) by the PCID feature, which has been included in Intel chips for quite some time now (check /proc/cpuinfo).
* The Linux kernel only began supporting PCID in 2017, meaning that even the latest Debian stable kernel does not take advantage of it.

Given these facts, is there any way for the PCID feature to be backported to stable (Stretch) along with the security fix? Ideally this would apply to oldstable (Jessie) and oldoldstable (Wheezy) as well.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Speculative Execution Flaw

#2 Post by bw123 »

Xan wrote: I believe the following to be true:
Why do you believe any of that?
http://www.zdnet.com/article/security-f ... ulnerable/
"One example of a worst-case scenario is a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory."
jeez is that a weaselly description of a worst-case critical security flaw or what?

scared me scared me scared me
resigned by AI ChatGPT

Xan
Posts: 14
Joined: 2006-05-05 00:06

Re: Speculative Execution Flaw

#3 Post by Xan »

https://www.phoronix.com/scan.php?page= ... 6pti&num=1
https://www.phoronix.com/scan.php?page= ... 6pti&num=1

My workload is a read-heavy high-contention database on a fast NVMe drive, so I expect results similar to the "pgbench" test, which is about a 25% slowdown.

I'm taking the first link's word about PCID support: 'But with lots of the Linux kernel PCID "Process Context Identifiers" support being merged just in 2017, the older LTS kernel back-ports are expected to be slower with not having PCID support for avoiding TLB flushes on context switches.'

Are you saying you don't think these things are true? Can you tell me which are not? I certainly hope you're right!

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Speculative Execution Flaw

#4 Post by bw123 »

Xan wrote: Are you saying you don't think these things are true? Can you tell me which are not? I certainly hope you're right!
No I am not saying anything is true or false, except I believe that clicks make money on the internet for a lot of people. Some people like to jump on any old bandwagon that comes along, throwing in their 'facts' and adding to the hysteria. It's all very exciting, but after about the 5,000th "critical security flaw" it gets b-o-r-i-n-g


https://en.wikipedia.org/wiki/Goodtimes_virus
resigned by AI ChatGPT

Xan
Posts: 14
Joined: 2006-05-05 00:06

Re: Speculative Execution Flaw

#5 Post by Xan »

Okay. Well please let somebody who knows something get a word in.

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Speculative Execution Flaw

#6 Post by Wheelerof4te »

I have read a lot about this today and it's not that easy to explain. Simplest explanation would be that there is a hardware flaw in Intel chips that allows some malicious code exploit inside the kernel memory space, compromising everything that is cached there.
The fix works in such a way that it diverts the input meant for the kernel memory to a dummy-like process. Then it switches back to the real task, thus the performance loss.

Xan
Posts: 14
Joined: 2006-05-05 00:06

Re: Speculative Execution Flaw

#7 Post by Xan »

The embargo has been lifted: Meltdown and Spectre.

https://spectreattack.com/

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Speculative Execution Flaw

#8 Post by stevepusser »

The KAISER patches for Meltdown are supposed to also be in 4.14.10, which was incorporated in the Liquorix kernel 4.14-13...thus one could test my backports of those for slowdowns: https://techpatterns.com/forums/about2615.html

Gonna try that as soon as I build a MX version. Note that you will need stretch-backports versions of most out-of-tree drivers, like Nvidia, if you want to build them on 4.14. I don't think that Debian backported them to jessie, but I have some in that same Liquorix backports repo.
MX Linux packager and developer

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Speculative Execution Flaw

#9 Post by stevepusser »

Turned out that Liquorix isn't enabling KPTI. Turned that on and rebuilt the amd64 4.14-11 kernel with it enabled. Now I get

Code:

$ sudo grep isolation /var/log/messages
Jan  4 13:30:56 mx1 kernel: Kernel/User page tables isolation: enabled

So far, kernel is running OK. Public builds are finishing up in my OBS repo.

Edit: Got a two-line patch from Arch that disables KPTI automatically for AMD processors, which are not supposed to be vulnerable. Will try adding that and rebuilding the OBS versions.

Edit 2: Liquorix already has the Arch patch for the AMD, unless it was mainlined in the 4.4.11 update.
MX Linux packager and developer
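
The two checks mentioned in this thread (the pcid flag in /proc/cpuinfo and the page tables isolation line in the kernel log), combined into one script. This is an added example, not code from any poster; the function names and the sample files are made up for illustration, and the sample log line reuses the output quoted in post #9.

```shell
#!/bin/sh
# Added example: report KPTI state and CPU PCID support from saved or live files.

# has_cpu_flag FLAG CPUINFO: succeed if FLAG is a whole token on the first
# "flags" line (a plain grep for "pcid" would also match "invpcid").
has_cpu_flag() {
    awk -F: -v want="$1" '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
            exit
        }
        END { exit !found }' "$2"
}

# kpti_state LOG: print enabled, disabled or unknown, taken from the newest
# "page tables isolation" kernel message in LOG.
kpti_state() {
    line=$(grep 'page tables isolation:' "$1" | tail -n 1)
    case "$line" in
        *'isolation: enabled'*)  echo enabled ;;
        *'isolation: disabled'*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# assess CPUINFO LOG: one-line summary. The pcid flag only shows that the CPU
# offers PCID; whether the running kernel uses it depends on the kernel version.
assess() {
    if has_cpu_flag pcid "$1"; then pcid=yes; else pcid=no; fi
    echo "kpti=$(kpti_state "$2") pcid=$pcid"
}

# make_samples DIR: write constructed sample files (not from a real host).
make_samples() {
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 pcid invpcid\n' > "$1/cpu_pcid"
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 invpcid\n' > "$1/cpu_nopcid"
    printf '%s\n' 'Jan  4 13:30:56 mx1 kernel: Kernel/User page tables isolation: enabled' > "$1/log_on"
    printf '%s\n' 'Jan  4 13:30:56 mx1 kernel: Linux version (constructed line)' > "$1/log_none"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
assess "$demo_dir/cpu_pcid" "$demo_dir/log_on"
assess "$demo_dir/cpu_nopcid" "$demo_dir/log_none"
rm -rf "$demo_dir"
# On a live system: assess /proc/cpuinfo /var/log/messages
```

A result of kpti=unknown only means the log file given holds no isolation message, for example after log rotation; it does not show that isolation is off.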
