Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Meltdown and Spectre patches

Off-Topic discussions about science, technology, and non Debian specific topics.
Message
Author
Seventh
Posts: 44
Joined: 2017-04-01 10:13

Re: Meltdown and Spectre patches

#61 Post by Seventh »

Zenwalk linux is claiming firefox have "fixed" spectre and meltdown timing attacks for linux with firefox 58 ?

https://zenwalkgnulinux.blogspot.com.au/

steve_v
df -h | grep > 20TiB
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: Meltdown and Spectre patches

#62 Post by steve_v »

Seventh wrote:Zenwalk linux is claiming firefox have "fixed" spectre and meltdown timing attacks for linux with firefox 58
Reduced the accuracy of timers available to javascript, like chrome has. A rather dirty workaround, not a fix.
You can't really "fix" CPU sidechannel attacks in software, and there are plenty of other ways to generate a fast enough tick for cache timing analysis.
If one is concerned about a browser drive-by, disable javascript.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

User avatar
bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#63 Post by bester69 »

Im using for long (Head_on_a_Stick gave a a good contribution, Thanks to him here): Adblocking with /etc/hosts (I guess It can help against ad javacripts)
http://forums.debian.net/viewtopic.php?f=16&t=129202

It updates very often; all these people contribuite (I just hope they gone bad eventually :shock: )
# Bill Allison, Harj Basi, Lance Russhing, Marshall Drew-Brook,
# Leigh Brasington, Scott Terbush, Cary Newfeldt, Kaye, Jeff
# Scrivener, Mark Hudson, Matt Bells, T. Kim Nguyen, Lino Demasi,
# Marcelo Volmaro, Troy Martin, Donald Kerns, B.Patten-Walsh,
# bobeangi, Chris Maniscalco, George Gilbert, Kim Nilsson, zeromus,
# Robert Petty, Rob Morrison, Clive Smith, Cecilia Varni, OleKing
# Cole, William Jones, Brian Small, Raj Tailor, Richard Heritage,
# Alan Harrison, Ordorica, Crimson, Joseph Cianci, sirapacz,
# Dvixen, Matthew Craig, Tobias Hessem, Kevin F. Quinn, Thomas
# Corthals, Chris McBee, Jaime A. Guerra, Anders Josefson,
# Simon Manderson, Spectre Ghost, Darren Tay, Dallas Eschenauer, Cecilia
# Varni, Adam P. Cole, George Lefkaditis, grzesiek, Adam Howard, Mike
# Bizon, Samuel P. Mallare, Leinweber, Walter Novak, Stephen Genus,
# Zube, Johny Provoost, Peter Grafton, Johann Burkard, Magus, Ron Karner,
# Fredrik Dahlman, Michele Cybula, Bernard Conlu, Riku B, Twillers,
# Shaika-Dzari, Vartkes Goetcherian, Michael McCown, Garth, Richard Nairn,
# Exzar Reed, Robert Gauthier, Floyd Wilder, Mark Drissel, Kenny Lyons,
# Paul Dunne, Tirath Pannu, Mike Lambert, Dan Kolcun, Daniel Aleksandersen,
# Chris Heegard, Miles Golding, Daniel Bisca, Frederic Begou, Charles
# Fordyce, Mark Lehrer, Sebastien Nadeau-Jean, Russell Gordon, Alexey
# Gopachenko, Stirling Pearson, Alan Segal, Bobin Joseph, Chris Wall, Sean
# Flesch, Brent Getz, Jerry Cain, Brian Micek, Lee Hancock, Kay Thiele,
# Kwan Ting Chan, Wladimir Labeikovsky, Lino Demasi, Bowie Bailey, Andreas
# Marschall, Michael Tompkins, Michael O'Donnell, José Lucas Teixeira
# de Oliveira, M. Ömer Gölgeli, and Anthony Gelibert for helping to build
# the hosts file.
# Russell O'Connor for OS/2 information
# kwadronaut for Windows 7 and Vista information
# John Mueller and Lawrence H Smith for Mac Pre-OSX information
# Jesse Baird for the Cisco IOS script
http://someonewhocares.org/hosts/zero/
# Last updated: Wed, 03 Jan 2018 at 18:00:26 GMT
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

#64 Post by debiman »

n[i]hologram wrote:Thanks for the info; good to know jessie/686 isn't left astray ^[/i]^
Were you able to check it against the spectre-meltdown-checker that steve shared?
i did now.

Code: Select all

$ dmesg | grep isolation
$ grep TABLE_ISOLATION /boot/config-$(uname -r)
$ sudo ./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) i686

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

as i said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32bit intel processor?

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#65 Post by n_hologram »

debiman wrote:as i said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32bit intel processor?
This is exactly the crux of the 32-bit issue: no one knows. I'm going to email the patch developer later and ask what's going on.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

#66 Post by debiman »

n_hologram wrote:This is exactly the crux of the 32-bit issue: no one knows. I'm going to email the patch developer later and ask what's going on.
thank you, i'd be delighted if you could report back.

__________________________________________________________
(identical post on bunsenlabs forums)

i spent a half hour searching the web for references to meltdown, its fix for linux, and 32 bit architecture.
there's very little hard info, and not much opinion either.
here's what i think is the situation:
  • meltdown affects all intel cpus since 1995 - that must include 32 bit architecture => 32bit computers are vulnerable.
  • the kernel fix applies to 64bit architectures only.
  • it is unclear whether a (different) fix for 32bit is possible, whether someone's working on it or even considering it a priority.
  • in addition to the 3.16.0-5-686-pae kernel, i tried Linux 4.9.0-0.bpo.5-686-pae #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) i686 & reran the spectre-meltdown-checker, with identical results: all 3 vulnerabilities are not fixed.
links:
https://security-tracker.debian.org/tra ... -2017-5754
https://github.com/speed47/spectre-melt ... /issues/58
https://www.neowin.net/news/ubuntu-will ... anuary-9th
https://security.stackexchange.com/ques ... -platforms

of course all this still doesn't address the Spectre Vulnerability...


edit: fixed kernel version for 3.16 - i did try the patched version.
Last edited by debiman on 2018-01-14 09:38, edited 2 times in total.

User avatar
Thorny
Posts: 542
Joined: 2011-02-27 13:40

Re: Meltdown and Spectre patches

#67 Post by Thorny »

debiman wrote:[*]in addition to the 3.16.0-4-686-pae kernel,...
I don't know if it is what you want or not but

Package linux-image-3.16.0-5-686-pae
jessie (oldstable) (kernel): Linux 3.16 for modern PCs
3.16.51-3+deb8u1 [security]: i386
and
Package: linux-image-4.9.0-3-686-pae (4.9.30-2+deb9u5) [security]

, indicate a security fix and are newer than what was mentioned.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#68 Post by n_hologram »

Thorny wrote:I don't know if it is what you want or not but.
Unfortunately, it isn't. I've already tried the updated 686 kernels against spectre-meltdown-checker.sh, and they are vulnerable to meltdown. The points mentioned in the updated original post should clarify more details. Semi-related: someone mentioned (can't remember where tbh) that the patched pre-4.14.11 patches use an older version of KTPI, so its results in practice may be nebulous.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#69 Post by n_hologram »

The patch developer confirmed that x86 (32-bit) is still vulnerable. Spread the word, boys and girls:
> Hi,
> I'm writing to you because I noticed your involement with the KPTI/KAISER
> patches. Across several varieties of linux distributions, users have
> noticed that kpti is impossible to enable because it depends on x86_64.
> Many of us are concerned that we are running 32-bit systems that are
> still vulnerable to meltdown; we are also concerned because it's a
> handful of users who have brought this to light, and major news and
> information from our distros are keeping silent on the topic. We are all
> wondering if you could shed some light: in particular, is x86 vulnerable?


Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.

Sorry that I can't tell you better news.

Thanks,

Thomas
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

User avatar
stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#70 Post by stevepusser »

The latest intel-microcode from Buster adds a bit of Spectre mitigation to the script output for my i5-6200u.

There's also a newer amd64-microcode that adds some mitigation for AMD Ryzen, but that requires some latest kernel versions that aren't in Debian yet. Liquorix-4.14-13.1 supports the Ryzen microcode, and I'm looking into adding the patch to the MX 4.14.12 kernel backport.
MX Linux packager and developer

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

#71 Post by debiman »

Thorny wrote:I don't know if it is what you want or not but
sorry, that was a typo.
i did try with the patched version ...-5.
fixed post.
n_hologram wrote:The patch developer confirmed that x86 (32-bit) is still vulnerable. Spread the word, boys and girls:
> Hi,
> I'm writing to you because I noticed your involement with the KPTI/KAISER
> patches. Across several varieties of linux distributions, users have
> noticed that kpti is impossible to enable because it depends on x86_64.
> Many of us are concerned that we are running 32-bit systems that are
> still vulnerable to meltdown; we are also concerned because it's a
> handful of users who have brought this to light, and major news and
> information from our distros are keeping silent on the topic. We are all
> wondering if you could shed some light: in particular, is x86 vulnerable?


Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.

Sorry that I can't tell you better news.

Thanks,

Thomas
thank you, n_hologram, and thank you, Thomas (*) for answering, and a big THANK YOU for the unsung heroes that are working on these patches!!!

(*) n_hologram, any more info on who this is and where you got that answer?


____________________________________________________________


i am calmer now, since it seems that
a) NOT using virtualisation
b) NOT executing any external code (javascript etc.)
i'm fairly safe on my 32bit server.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#72 Post by Head_on_a_Stick »

stevepusser wrote:The latest intel-microcode from Buster adds a bit of Spectre mitigation
Theo just posted this on the OpenBSD mailing lists:
Also, Intel is saying their new microcodes sucks and people should
wait a little.

"Hi, my name is Intel and I'm an cheating speculator".
https://marc.info/?l=openbsd-tech&m=151588857304763&w=2

I am quite certain that there will be a concerted effort by Intel and all the vested commercial interests behind the various "big" operating systems (Linux, Windows & OS X) to rubber stamp any "fixes" (ie, software patches designed to overcome a fundamental design flaw in the underlying hardware) and convince the public that everything is OK.
deadbang

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#73 Post by Head_on_a_Stick »

...And here we go:

http://lists.alpinelinux.org/alpine-devel/6022.html

^According to the Alpine Linux developers, the backported fix (as used by Debian stable) is based on the flawed KAISER patch rather than KTPI and it doesn't really work.

Oh dear.
deadbang

User avatar
acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Meltdown and Spectre patches

#74 Post by acewiza »

Head_on_a_Stick wrote:I am quite certain that there will be a concerted effort by Intel and all the vested commercial interests behind the various "big" operating systems (Linux, Windows & OS X) to rubber stamp any "fixes" (ie, software patches designed to overcome a fundamental design flaw in the underlying hardware) and convince the public that everything is OK.
This is, along with my previous response(s), why I am taking a wait-and-see approach on this one. No point rushing into this low-risk vulnerability in a blind tizzy. It's just the beginning...
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.

User avatar
bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#75 Post by bester69 »

stevepusser wrote:The latest intel-microcode from Buster adds a bit of Spectre mitigation to the script output for my i5-6200u.

There's also a newer amd64-microcode that adds some mitigation for AMD Ryzen, but that requires some latest kernel versions that aren't in Debian yet. Liquorix-4.14-13.1 supports the Ryzen microcode, and I'm looking into adding the patch to the MX 4.14.12 kernel backport.
OK, I will install buster microcode in stretch if not such a performance downgrade like patch kernel;
Do you know around how much downgrade might bright last intel microcode?
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#76 Post by Wheelerof4te »

Head_on_a_Stick wrote:...And here we go:

http://lists.alpinelinux.org/alpine-devel/6022.html

^According to the Alpine Linux developers, the backported fix (as used by Debian stable) is based on the flawed KAISER patch rather than KTPI and it doesn't really work.

Oh dear.
Oh, thank God I've switched to a corporate-backed OS.
Viva La Microsoft!

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#77 Post by Head_on_a_Stick »

Wheelerof4te wrote:Oh, thank God I've switched to a corporate-backed OS.
Viva La Microsoft!
^ Is this a joke?

At least with the open source operating systems we can see exactly what goes into the patches and can thus evaluate them independently.

With proprietary operating systems the users must trust in the ability of the developers to write a bug-free software abstraction layer with no peer review at all beyond the corporate environment.

It is my understanding that MS have sacked their entire testing department and now instead rely on the Microsoft Insiders Program to garner feedback from paying users... :lol:
deadbang

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: Meltdown and Spectre patches

#78 Post by Wheelerof4te »

^It's not a joke. MS has a lot to lose from this, and at least concerning Meltdown and Spectre, the patches have to work. But then again, so does Red Hat, and Novell. Canonical is already doing business in the red zone, so they bided their time.
OTOH, Red Hat and SUSE had patches ready almost instantly.
So yeah, if you need an OS for your PC, choose ones that have something to lose when things go south.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#79 Post by Head_on_a_Stick »

Wheelerof4te wrote:Red Hat and SUSE had patches ready almost instantly
Not really, Intel have known about the problem since June 2017 and made the commercial operating systems aware of it (under a non-disclosure agreement, of course) back in October 2017.

Has Microsoft fixed Spectre yet? *innocent look*

Link: https://www.theregister.co.uk/2018/01/0 ... _problems/

EDIT: all I can say is that you are very trusting, and some would even say gullible.
deadbang

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#80 Post by bw123 »

Head_on_a_Stick wrote:...And here we go:

http://lists.alpinelinux.org/alpine-devel/6022.html

^According to the Alpine Linux developers, the backported fix (as used by Debian stable) is based on the flawed KAISER patch rather than KTPI and it doesn't really work.

Oh dear.
I did not read that the same way, the link says it has "reliability" issues, not that it "does not work" against meltdown?

The reference link says this:
At least some versions of "KAISER", on meltdown-affected hardware, expose the kernel stack to userspace.
please fight the FUD and misinformation.
resigned by AI ChatGPT

Post Reply