Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Meltdown and Spectre patches

Off-Topic discussions about science, technology, and non Debian specific topics.
Message
Author
User avatar
Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Meltdown and Spectre patches

#21 Post by Lysander »

bw123 wrote:I read another blurb somewhere or other that some of the atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retaineded an attorney, or sells clicks as news, let me know...
I'd be interested in to know as well. My netbook runs an Atom, I just updated the kernel in Slackware from 4.4.14 to 4.4.88 - though apparently it needs to be at least 4.4.109. It would be good if it doesn't affect Atoms, since they can take a while to do things.

http://news.softpedia.com/news/linux-ke ... 9215.shtml

Haven't done anything to my Debian box yet though. I've never upgraded the kernel before. Should I do so to 4.9.75?
Last edited by Lysander on 2018-01-07 14:02, edited 1 time in total.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#22 Post by Head_on_a_Stick »

Lysander wrote:Haven't done anything to my Debian box yet though
Debian stable has the KTPI patch that (mostly) protects against Meltdown, now that 4.9.75 has been released upstream it shouldn't be long before oldstable gets the fix applied; not sure about poor old wheezy though.
deadbang

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#23 Post by bw123 »

stevepusser wrote: Since the majority opinion is leaning toward that AMD processors aren't exploitable, you could boot with one of the flags to turn off kpti. Liquorix kernels don't seem to enable it for AMD at all, based on what I saw in the 4.14-11 patch.
After a little more research, and reading the changelog I figured out that kpti is auto by default,
and on my amd sempron it is not enabled, I checked like this:

Code: Select all

# dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: disabled
but it *IS* enabled for the notebook with the atom N450, and the dd copy test is about 25-30% slower. Can't tell any difference in actual usage though, machine works like it always has.
resigned by AI ChatGPT

rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

#24 Post by rinatik »

Head_on_a_Stick wrote:
Lysander wrote:Haven't done anything to my Debian box yet though
Debian stable has the KTPI patch that (mostly) protects against Meltdown, now that 4.9.75 has been released upstream it shouldn't be long before oldstable gets the fix applied; not sure about poor old wheezy though.
new stable i386 kernel 4.9.65-3+deb9u2 has no any kpti footprints. is anybody knows why?

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#25 Post by Head_on_a_Stick »

rinatik wrote:new stable i386 kernel 4.9.65-3+deb9u2 has no any kpti footprints
I'm not sure what you mean by this, exactly.

Can we please see the output of:

Code: Select all

grep TABLE_ISOLATION /boot/config-$(uname -r)
A patched kernel will report:

Code: Select all

CONFIG_PAGE_TABLE_ISOLATION=y
deadbang

User avatar
acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Meltdown and Spectre patches

#26 Post by acewiza »

dilberts_left_nut wrote:This is a technical thread about this issue - not about whether you feel it's necessary or not.
Is everyone on this forum working for an enterprise operation or cloud service provider? Because if not, "technically" this is a low-risk, local, read-only exploit that has not yet even been seen in the wild. My passwords, credit card numbers and personal information is still much safer on my own systems that they are spread across who knows how many vendors, doctors, insurance companies, etc, etc, regardless.

What's all the fuss about?
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.

rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

#27 Post by rinatik »

Head_on_a_Stick wrote:
rinatik wrote:new stable i386 kernel 4.9.65-3+deb9u2 has no any kpti footprints
I'm not sure what you mean by this, exactly.

Can we please see the output of:

Code: Select all

grep TABLE_ISOLATION /boot/config-$(uname -r)
A patched kernel will report:

Code: Select all

CONFIG_PAGE_TABLE_ISOLATION=y
pls provide uname -a as well. thnx.

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#28 Post by bw123 »

acewiza wrote: What's all the fuss about?
I've been asking myself the same. I mean this has been known and kept hidden since the middle of last year, if not earlier. I assume the lawyers and hotshots and corporations and public relations firms all had their act together, but it was revealed somehow. Now they are scrambling to assure people that everything is okay...
resigned by AI ChatGPT

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#29 Post by Head_on_a_Stick »

acewiza wrote:"technically" this is a low-risk, local, read-only exploit
Yes but javascript executed by your browser is "local", isn't it?

Please refer the paper to which I linked for @bester69 for a technical explanation.

This is why Chrom{e,ium} & Firefox have rushed out updates.
deadbang

rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

#30 Post by rinatik »

Head_on_a_Stick wrote:
rinatik wrote:new stable i386 kernel 4.9.65-3+deb9u2 has no any kpti footprints
I'm not sure what you mean by this, exactly.

Can we please see the output of:

Code: Select all

grep TABLE_ISOLATION /boot/config-$(uname -r)
A patched kernel will report:

Code: Select all

CONFIG_PAGE_TABLE_ISOLATION=y
there is nothing of that flags on my i686 debian 4.9.65-3+deb9u2
this was meant.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#31 Post by n_hologram »

https://lkml.org/lkml/2017/12/4/709
Subject [patch 00/60] x86/kpti: Kernel Page Table Isolation (was KAISER)
This series is a major overhaul of the KAISER patches:

1) Entry code

Mostly the same, except for a handful of fixlets and delta
improvements folded into the corresponding patches

New: Map TSS read only into the user space visible mapping

This is 64bit only, as 32bit needs the TSS mapped RW
Does this support bw123's finding from earlier -- that kpti isn't available for 686? Based on the comment above, it looks like 686 needs only TSS mapped RW. I have no idea how to verify, though.
acewiza wrote:What's all the fuss about?
EDITED: Okay, I had my coffee and realize that my last comment was itself getting off-topic. Opinions really aren't helpful to the original post, and I thought it was obvious from the first post. Maybe a separate thread would be helpful.
Last edited by n_hologram on 2018-01-07 16:20, edited 2 times in total.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#32 Post by bw123 »

n_hologram wrote:
This is 64bit only, as 32bit needs the TSS mapped RW
Does this support bw123's finding from earlier -- that kpti isn't available for 686? Based on the comment above, it looks like 686 needs only TSS mapped RW. I have no idea how to verify, though.
No I was unclear I guess. I am testing/using debian's 4.9.0-5-amd64 kernel on two cpus, an amd sempron and an atom n450. the kernel boots by default with kpti disabled for the sempron, enabled for the atom.

I have not tested any 686 kernels.
resigned by AI ChatGPT

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#33 Post by Wheelerof4te »

Real slowdown will come after firmware and BIOS updates:
https://imgur.com/a/zYRap

Horrific. RIP servers on Intel CPUs.
Also, better save those HDDs:
https://www.youtube.com/watch?v=JbhKUjPRk5Q

User avatar
acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Meltdown and Spectre patches

#34 Post by acewiza »

Head_on_a_Stick wrote:
acewiza wrote:"technically" this is a low-risk, local, read-only exploit
Yes but javascript executed by your browser is "local", isn't it?
Only as it relates to my right index finger. Sorry, I tend to overlook the large body of users who gleefully click any link that crosses their desktop.
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#35 Post by bw123 »

n_hologram wrote:EDITED: Okay, I had my coffee and realize that my last comment was itself getting off-topic. Opinions really aren't helpful to the original post, and I thought it was obvious from the first post. Maybe a separate thread would be helpful.
uh, don't look now but this whole thread is in "off-topic" I thought you knew, you started it?
acewiza wrote: I tend to overlook the large body of users who gleefully click any link that crosses their desktop.
Yeah and with all the publicity, and "experts" who wrote about this, I didn't see one with the common sense to warn people to turn off or filter javascript.
resigned by AI ChatGPT

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#36 Post by Head_on_a_Stick »

bw123 wrote:I didn't see one with the common sense to warn people to turn off or filter javascript.
Erm, firefox-esr cannot be used as an attack vector[1] (unlike the non-ESR >v57.0.4) and so users of Debian stable can leave their javascript enabled with impunity.

[1] Ref: https://www.mozilla.org/en-US/security/ ... sa2018-01/
Mozilla wrote:SharedArrayBuffer is already disabled in Firefox 52 ESR.
deadbang

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#37 Post by Head_on_a_Stick »

Also, the jessie-backports kernel now has the KTPI patch so oldstable users can change to that until the stock version is fixed.
deadbang

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#38 Post by bw123 »

Head_on_a_Stick wrote:...users of Debian stable can leave their javascript enabled with impunity.
That is like saying I know how to swim so I can't die in a car wreck. Being protected on one browser from one attack does not make unrestricted javascript a good idea.

There are many links about the subject, so I'm confused that you haven't heard about it.

https://panopticlick.eff.org/about
https://www.gnu.org/philosophy/javascript-trap.html

If javascript isn't the attack vector then what is?
Last edited by bw123 on 2018-01-07 21:47, edited 1 time in total.
resigned by AI ChatGPT

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#39 Post by Head_on_a_Stick »

^ To clarify: my statement was made strictly in respect of the Meltdown vulnerability, as per the forum topic.
deadbang

rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

#40 Post by rinatik »

rinatik wrote:
Head_on_a_Stick wrote:
Lysander wrote:Haven't done anything to my Debian box yet though
Debian stable has the KTPI patch that (mostly) protects against Meltdown, now that 4.9.75 has been released upstream it shouldn't be long before oldstable gets the fix applied; not sure about poor old wheezy though.
new stable i386 kernel 4.9.65-3+deb9u2 has no any kpti footprints. is anybody knows why?
bump .. (

Post Reply