
#51 2018-01-10 23:47:34

obscurant
Member
Registered: 2017-08-06
Posts: 114

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Head_on_a_Stick wrote:
obscurant wrote:

the NVIDIA kernel module fails to initialize

If you are not using the stock nouveau drivers or the NVidia drivers from the Debian repositories then you will have to reinstall the drivers every time the kernel is updated.

I would strongly recommend sticking with the nouveau drivers unless you have a specific requirement for the non-free version as the latter can be quite troublesome.

Thanks. I manually install the non-free drivers. Haven't tried nouveau drivers yet, as the non-free have worked so well. About the only plus with it is getting the GPU output in conky, which has served no real purpose.


#52 2018-01-11 20:29:27

ohnonot
...again
Registered: 2015-09-29
Posts: 3,484

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Head_on_a_Stick wrote:

Can you please share the output of

grep TABLE_ISO /boot/config-$(uname -r)

If this is an Arch system then post

zgrep TABLE_ISO /proc/config.gz

Thanks!

thanks.
on archlinux, i get "CONFIG_PAGE_TABLE_ISOLATION=y", on my 32bit jessie with

uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)

i get nothing :(

sudo ./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) i686

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

i'm guessing it's still vulnerable, despite the kernel being updated (and marked fixed)?

problem is, i still don't have any hard info on this.


#53 2018-01-12 06:58:54

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

ohnonot wrote:

on my 32bit jessie with

uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)

i get nothing :(

Best stick to that PineBook from now on then, eh? :P

Last edited by Head_on_a_Stick (2018-01-12 07:05:43)


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#54 2018-01-12 13:07:05

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Don't we all just love Intel? devil monkey devil smile neutral sad

Look at the recent news: "Finnish firm detects new Intel security flaw - the flaw had nothing to do with the "Spectre" and "Meltdown" vulnerabilities recently found in the micro-chips that are used in almost all computers, tablets and smartphones today. Rather, it was an issue within Intel Active Management Technology (AMT), which is commonly found in most corporate laptops, and allows an attacker to take complete control over a user's device in a matter of seconds."

There is a simple AMT check code here.


#55 2018-01-13 08:38:26

ohnonot
...again
Registered: 2015-09-29
Posts: 3,484

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Head_on_a_Stick wrote:
ohnonot wrote:

on my 32bit jessie with

uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)

i get nothing :(

Best stick to that PineBook from now on then, eh? :P

This is a real problem.
Given your obsession with computer security (and your position of responsibility at these forums), I don't understand how you can joke about it.
Also, it isn't even funny.

on topic:
i spent a half hour searching the web for references to meltdown, its fix for linux, and 32 bit architecture.
there's very little hard info, and not much opinion either.
here's what i think is the situation:

  • meltdown affects all intel cpus since 1995 - that must include 32 bit architecture => 32bit computers are vulnerable.

  • the kernel fix applies to 64bit architectures only.

  • it is unclear whether a (different) fix for 32bit is possible, whether someone's working on it or even considering it a priority.

  • in addition to the kernel mentioned above, i tried Linux 4.9.0-0.bpo.5-686-pae #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) i686 & reran the spectre-meltdown-checker, with identical results: all 3 vulnerabilities are not fixed.

links:
https://security-tracker.debian.org/tra … -2017-5754
https://github.com/speed47/spectre-melt … /issues/58
https://www.neowin.net/news/ubuntu-will … anuary-9th
https://security.stackexchange.com/ques … -platforms

of course all this is about meltdown only and doesn't address the Spectre Vulnerability...


#56 2018-01-13 12:56:11

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

ohnonot wrote:

Given your obsession with computer security (and your position of responsibility at these forums), I don't understand how you can joke about it.

Humour is a natural human response to a fundamentally untenable situation — would you prefer that I wail and gnash my teeth instead? monkey

Anyway, my glib retort contained pertinent advice: the arm64 architecture is unaffected by Meltdown and so can be used as a "safe" alternative.

Thanks for your research, I'm following n_hologram's thread over at fdn and hopefully they will report back with news from the patch developers about 32-bit coverage.

ohnonot wrote:

of course all this is about meltdown only and doesn't address the Spectre Vulnerability...

Yes, IMO Intel deliberately conflated Meltdown & Spectre in an attempt to confuse the public.

The Spectre vulnerability will be with us for a long time (but it is more difficult to exploit).

They are both local vulnerabilities so for a single-user system disabling javascript should eliminate the attack vector.



#57 2018-01-13 19:50:23

cloverskull
Member
Registered: 2015-10-01
Posts: 306

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Wow, my virtualized BL is noticeably slower. I haven't used it since December. What a bummer.


#58 2018-01-13 20:05:20

twoion
ほやほや
Registered: 2015-08-10
Posts: 2,345

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Updated my x240 ThinkPad's BIOS for the Intel microcode update addressing CVE-2017-5715. Downgraded again 5 minutes later because it felt like things ran slower. Maybe it was just my imagination…but what the hell, I'm not sacrificing more than 0% performance on my old Haswell CPU. I'll just pretend I got a Sandy Bridge system and didn't get updated by Intel anyway. Stuck on kernel 4.9.73 forever? :S A  disaster for Intel. Starting to look for a refurbished skylake or KabyLake ThinkPad x250/x260, there the performance penalty is supposed to be much less severe. A shame. I was hoping to use this system at least until 2020 (>=6 years).


In the green forest, where the thrush sings…

#59 2018-01-13 23:09:05

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

I wrote:

I'm following n_hologram's thread over at fdn and hopefully they will report back with news from the patch developers about 32-bit coverage

The news is back and it's not good:

Patch person wrote:

Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.

Sorry that I can't tell you better news.

Thanks,

Thomas

http://forums.debian.net/viewtopic.php?p=663711#p663711

:'(

#60 2018-01-14 04:46:04

jr2
Member
Registered: 2017-12-24
Posts: 51

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

People are starting to say that the only way out of this mess is a hardware upgrade - a complete rethink of CPU architecture.

Of course that would mean all old computers are vulnerable, a huge capital outlay for all the companies running servers, and...

...possibly the end of the "hobbyists" like us. Only those who could afford to lay out for new machines would be able to go on playing with Linux, BSD... etc, and all the users in less wealthy countries would be forced to rely on proprietary touchscreen devices.

Quite a desirable outcome for hardware manufacturers and content providers alike - everyone except the poor exploited users.

>> cue for wailing and gnashing of teeth, yes HoaS feel free to join in.


normal service will be resumed as soon as possible


#61 2018-01-14 06:41:39

nore
>2⁹
From: blueberry bush
Registered: 2015-09-29
Posts: 425

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

jr2 wrote:

...possibly the end of the "hobbyists" like us. Only those who could afford to lay out for new machines would be able to go on playing with Linux, BSD... etc,

Both major vulnerabilities still require physical access to the computer, right? If you keep several devices at home and keep an eye on those that you carry around, change BIOS and AMT passwords, where's the risk, really?


#62 2018-01-14 08:53:07

ohnonot
...again
Registered: 2015-09-29
Posts: 3,484

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Head_on_a_Stick wrote:

They are both local vulnerabilities so for a single-user system disabling javascript should eliminate the attack vector.

wait what, servers (no virtualisation) cannot be attacked from the outside???
sorry if i misunderstand something here; a physical server surely is a single user system?

ok i'm reading up on that right now, search for "server" e.g. [here][1] and [here][2]; it would seem that without virtualisation the problem is somehow smaller(?), and without allowing any outside code to run on the system, there's no danger at all (supposing all my installed software is safe)?

[1]: https://en.wikipedia.org/wiki/Meltdown_ … erability)
[2]: http://www.zdnet.com/article/how-to-pro … d-spectre/


#63 2018-01-14 11:05:55

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Bruce Schneier's blog has a nice article about Meltdown/Spectre:

https://www.schneier.com/blog/archives/ … mel_1.html

This bit is probably the most relevant:

This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

Overall though, the only true long-term solution is open-source hardware — such as RISC-V — which will hopefully become cheap enough for "normal" people to use, the energy savings conferred by such devices should also be taken into consideration.

ohnonot wrote:

servers (no virtualisation) cannot be attacked from the outside?

Yes, that's correct.

I presume you aren't hosting a cloud server running lots of Docker containers for other people in your kitchen, right?



#64 2018-01-14 13:11:47

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

twoion wrote:

Updated my x240 ThinkPad's BIOS for the Intel microcode update addressing CVE-2017-5715. ... A disaster for Intel. Starting to look for a refurbished skylake or KabyLake ThinkPad x250/x260

I see the point (getting faster hardware), but it'll still be full of Intel proprietary junk. Another way would be downgrading and getting an X230, flashing Coreboot and being careful about physical access to the machine (as the exploitation of those recently discovered vulnerabilities (also the AMT one) requires physical access).

Last edited by martix (2018-01-14 13:51:18)


#65 2018-01-14 16:33:26

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Worrying news on the Alpine Linux mailing lists about the fix that has been applied to the 4.9-series kernels (as found in Debian stretch):

William Pitcock wrote:

[...] there were serious reliability patches with these "backports", largely because in reality the mitigation "backported" was actually a derivative of an earlier mitigation called KAISER. We have observed that KAISER had major reliability issues in private testing of the new kernels.

Natanael recently pushed 4.9.76 linux-vanilla kernel to edge for public testing and that also verified that there were still regressions in the release that was supposed to fix the regressions in 4.9.75. Accordingly, we are led to believe that the situation is not likely to get better with trying to fix KAISER any time soon. In addition, it was posted to Hacker News that KAISER has severe design defects that neither the real KPTI nor unpatched kernels have[1].
[...]
[1] https://news.ycombinator.com/item?id=16087736

http://lists.alpinelinux.org/alpine-devel/6022.html

This is exceptionally bad for BL-He (if true).

EDIT: a case for switching to the Liquorix kernel, perhaps?

https://liquorix.net/

Last edited by Head_on_a_Stick (2018-01-14 16:38:10)



#66 2018-01-15 00:31:46

stevep
MX Linux Developer
Registered: 2016-08-08
Posts: 336

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Well, the standard Liquorix kernel headers require gcc-7, but one could use my backported versions in the OBS...jeesh, another new one today?  It's every other day now. OK, I'll add that.

https://techpatterns.com/forums/about2615.html

Not to mention that most third-party drivers like broadcom-sta need updates or patches to build on the new kernels.  I have some in my repo for Jessie...I'll see if they are up to date.

Last edited by stevep (2018-01-15 00:54:24)


#67 2018-01-15 06:51:41

ohnonot
...again
Registered: 2015-09-29
Posts: 3,484

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Head_on_a_Stick wrote:

Bruce Schneier's blog has a nice article about Meltdown/Spectre:
https://www.schneier.com/blog/archives/ … mel_1.html

thanks again.
maybe i should make it a habit to visit his blog regularly.

I presume you aren't hosting a cloud server running lots of Docker containers for other people in your kitchen, right?

no, of course not.
all in all, no reason to panic for this setup.
just don't use wordpress :D

#68 2018-01-15 07:07:39

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

stevep wrote:

the standard Liquorix kernel headers require gcc-7

Drat, I forgot about that...

Scratch that plan then.



#69 2018-01-15 23:02:40

jr2
Member
Registered: 2017-12-24
Posts: 51

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Head_on_a_Stick wrote:

Worrying news on the Alpine Linux mailing lists about the fix that has been applied to the 4.9-series kernels (as found in Debian stretch):

William Pitcock wrote:

[...] there were serious reliability patches with these "backports", largely because in reality the mitigation "backported" was actually a derivative of an earlier mitigation called KAISER. We have observed that KAISER had major reliability issues in private testing of the new kernels.

Natanael recently pushed 4.9.76 linux-vanilla kernel to edge for public testing and that also verified that there were still regressions in the release that was supposed to fix the regressions in 4.9.75. Accordingly, we are led to believe that the situation is not likely to get better with trying to fix KAISER any time soon. In addition, it was posted to Hacker News that KAISER has severe design defects that neither the real KPTI nor unpatched kernels have[1].
[...]
[1] https://news.ycombinator.com/item?id=16087736

http://lists.alpinelinux.org/alpine-devel/6022.html

This is exceptionally bad for BL-He (if true).

EDIT: a case for switching to the Liquorix kernel, perhaps?

https://liquorix.net/

Hard to believe Debian would allow such a dire situation to continue for long - by the time Helium's out it'll probably be fixed. :|

#70 2018-01-16 06:45:59

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

jr2 wrote:

by the time Helium's out it'll probably be fixed

The kernels for wheezy, jessie and stretch are all marked as "fixed" for Meltdown[1] so as far as Debian are concerned the KAISER patch offers sufficient protection despite the fact that it was deemed unworthy enough to warrant a complete re-write (into KPTI) for the upstream fix.

I don't think we really have any choice but to accept that but I am not happy about the situation.

[1] https://security-tracker.debian.org/tra … -2017-5754



#71 2018-01-16 06:51:03

ohnonot
...again
Registered: 2015-09-29
Posts: 3,484

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

^ i think i read somewhere that kernel devs are aware that this is just a sticky-tape solution, and are still looking for better ways?
with intel contributing code to the kernel, my guess is that they themselves have an interest in a satisfactory solution?

#72 2018-01-16 06:58:44

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

I know that Intel released a set of microcode updates on 2018-01-08 (my OpenBSD box keeps loading it onto my CPU) that should also fix things.

That version is in sid but not stable and I have no idea how Debian are handling that because the firmware is in the non-free repositories and so not technically part of the official release.



#73 2018-01-16 09:41:12

unklar
Member
Registered: 2015-10-31
Posts: 815

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

I have no idea...
truing me as a yardstick for sid thereafter

uname -a
Linux siduction 4.14.13-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.14-24 (2018-01-15) x86_64 GNU/Linux
dmesg | grep microcode
[    0.688316] microcode: sig=0x1067a, pf=0x80, revision=0xa07
[    0.688357] microcode: Microcode Update Driver: v2.2.
cat /proc/cpuinfo | grep -m 1 bugs
bugs		: cpu_meltdown spectre_v1 spectre_v2

Source

#74 2018-01-16 19:11:15

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

unklar wrote:

truing me as a yardstick for sid thereafter

Thanks unklar!

Here's my output from OpenBSD (with the new microcode applied):

Puffy:~$ dmesg | grep microcode
cpu_ucode_intel_apply: microcode updated cpu 0 rev 0x2->0x4 (6282013)
cpu_ucode_intel_apply: microcode updated cpu 2 rev 0x2->0x4 (6282013)
Puffy:~$

I have no idea how to interpret this output :D

I will post back later with output from my Arch box.

Intel's microcode page offers downloads for Debian "7.x" & "8.x":

https://downloadcenter.intel.com/downlo … -Data-File

According to that page:

this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system

Another alternative would be the Arch Linux intel-ucode package, this contains a custom initramfs image that will apply the microcode — just untar the package, copy the intel-ucode.img to /boot and add it before Debian's initrd on the "initrd" line (in /etc/grub.d/40_custom).



#75 2018-01-16 21:28:44

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Just booted Alpine Linux with Arch's intel-ucode.img first on the initrd line in GRUB and I now get this:

alpine:~$ sudo dmesg | grep microcode
[    0.538900] microcode: sig=0x20655, pf=0x10, revision=0x2
[    0.538971] microcode: Microcode Update Driver: v2.2.
alpine:~$

And:

alpine:~$ grep -m1 bugs /proc/cpuinfo
bugs		: cpu_meltdown
alpine:~$

yikes

I have KPTI enabled though, which is good.
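Posts #52, #73 and #75 above each grep one source by hand (the kernel config for CONFIG_PAGE_TABLE_ISOLATION, the `bugs` line of /proc/cpuinfo, the microcode revision in dmesg). The script below, an added example that is not from this thread or from the spectre-meltdown-checker project, pulls those checks into one report and adds two sources the posts do not mention: the `pti` CPU flag, which the kernel sets only when page-table isolation is actually active at boot, and the /sys/devices/system/cpu/vulnerabilities/ files that 4.15-era kernels and distribution backports expose. Every parser reads text on stdin, so it runs against the constructed sample lines used in the self-test as well as against the live files (`sh mitigation-report.sh --live`). The file name, and the assumption that dmesg is readable by the invoking user, are mine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Meltdown/Spectre mitigation
# state from the sources the posts above grep by hand, plus the sysfs files
# newer kernels expose. Each parser reads stdin so it can be fed constructed
# samples (self-test) or the live files (run with --live).

# Kernel config: =y means the kernel *can* isolate page tables; it does not
# prove PTI is active at runtime (see pti_active_from_cpuinfo).
# "unknown" means the option is absent, i.e. a kernel without the backport.
pti_from_config() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$'; then
        echo yes
    elif printf '%s\n' "$cfg" | grep -q '^# CONFIG_PAGE_TABLE_ISOLATION is not set$'; then
        echo no
    else
        echo unknown
    fi
}

# /proc/cpuinfo "bugs" line: the flaws the running kernel knows this CPU has.
# Empty does not mean safe: kernels that predate the fix (the 3.16 in post #52)
# never fill this line in at all.
bugs_from_cpuinfo() {
    sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# The "pti" CPU flag is present only when the kernel enabled PTI at boot.
pti_active_from_cpuinfo() {
    if sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1 \
         | tr ' ' '\n' | grep -qx pti; then
        echo yes
    else
        echo no
    fi
}

# Microcode revision from dmesg. Linux prints "revision=0xNN"; OpenBSD prints
# "rev 0xOLD->0xNEW". Report the last value seen, i.e. the revision running
# after any early update.
ucode_rev_from_dmesg() {
    sed -n -e 's/.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' \
           -e 's/.*rev 0x[0-9a-fA-F]*->\(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# /sys/devices/system/cpu/vulnerabilities/<name> holds "Not affected",
# "Vulnerable" or "Mitigation: <what>"; keep the verdict, drop the detail.
sysfs_vuln_state() {
    head -n 1 | sed 's/:.*//'
}

# Live report: reads the real files; missing files are simply skipped.
report_live() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && printf 'PTI in kernel config : %s\n' "$(pti_from_config < "$cfg")"
    printf 'CPU bugs reported    : %s\n' "$(bugs_from_cpuinfo < /proc/cpuinfo)"
    printf 'PTI active (flag)    : %s\n' "$(pti_active_from_cpuinfo < /proc/cpuinfo)"
    printf 'microcode revision   : %s\n' "$(dmesg 2>/dev/null | ucode_rev_from_dmesg)"
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && printf '%-20s : %s\n' "$(basename "$f")" "$(sysfs_vuln_state < "$f")"
    done
    return 0
}

if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

Read the three verdicts together: `unknown` from the config plus an empty `bugs` line is the post #52 situation (a kernel too old to know about the flaw), `yes`/`yes` from config and flag with `Mitigation` in the sysfs file is the state post #75 reports as "KPTI enabled", and a microcode revision that does not change between boots after installing a firmware package is the first thing to check when a BIOS or intel-ucode update "did nothing".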

