Meltdown - Intel CPU design flaw affecting all OS platforms

ohnonot · 2018-01-06 09:48:05

earlybird wrote:

vinzv wrote:
In general the figures of "...30% loss on performance..." haunting through tech press have to be taken with a grain of salt as these are extreme examples. As long as there aren't any in-depth benchmarks I wouldn't rely on any thing circulating.
This is a good point, I'm curious myself. Wondering if huge backup I/O load (rsyncing entire file systems with lots of files) is going to cause noticably degraded performance.

my kernel is now patched, and i see no performance difference.
someone (HoaS?) said performance drops after the patch are worst for virtualisation, which, afaiu, is also where the flaw is at its most dangerous unpatched.

here a list of patched kernels:
http://news.softpedia.com/news/linux-ke … 9215.shtml

Head_on_a_Stick · 2018-01-06 12:18:56

ohnonot wrote:

(HoaS?) said performance drops after the patch are worst for virtualisation

https://forums.bunsenlabs.org/viewtopic … 303#p66303

I was just parroting what more expert users on other forums have been saying though.

The kernel in Debian stretch (and Arch) has the sticking-plaster (partial) fix applied, check with:

grep TABLE_ISOLATION /boot/config-$(uname -r)

A patched kernel will report:

CONFIG_PAGE_TABLE_ISOLATION=y

Test for the speed differences by pressing "e" with the BunsenLabs GRUB menuentry highlighted and adding this to the end of the line that starts with "linux":

notpi

Then press <Ctrl>+x (at the same time) to boot the modified entry and disable the protections.

Be warned though: without the KTPI patch, the system is wide open.

All BunsenLabs Hydrogen/Deuterium users are currently vulnerable, sorry.

Last edited by Head_on_a_Stick (2018-01-06 15:14:34)

vinzv · 2018-01-06 16:14:15

ohnonot wrote:

someone (HoaS?) said performance drops after the patch are worst for virtualisation, which, afaiu, is also where the flaw is at its most dangerous unpatched.

Epic Games patched their gaming servers leading to more than doubled CPU load: https://www.epicgames.com/fortnite/foru … ity-update

Head_on_a_Stick · 2018-01-06 16:46:59

vinzv wrote:

https://www.epicgames.com/fortnite/foru … ity-update

Epic wrote:

We heavily rely on cloud services to run our back-end

Yeah, so they're ****ed, basically

The KTPI patch is just a partial fix and Spectre in particular will haunt us for many years (hence the name).

This whole nasty business requires that we all change our basic habits and it really does highlight the need for a fully open-source hardware solution.

vinzv · 2018-01-06 20:23:40

Head_on_a_Stick wrote:

This whole nasty business requires that we all change our basic habits and it really does highlight the need for a fully open-source hardware solution.

Word!
Looking at how Intel is handling the whole issue in terms of PR makes me really mad. Even after such a desaster they still rest on their laurels and I'm convinced that every other of the big names would act exactly like that.

tknomanzr · 2018-01-06 20:27:37

My two cents, someone just found the backdoors that have been required to be there all along. It is just a matter of time before all machines have to register themselves onto some sort of a blockchain. We may want secure machine but sadly most governments do not.

Head_on_a_Stick · 2018-01-06 20:30:18

tknomanzr wrote:

We may want secure machine but sadly most governments do not.

The Russian government uses their own implementation of Oracle's OpenSPARC architecture, for reasons that have suddenly become very clear 8)

A custom computer built around an FPGA running the OpenSPARC T2 architecture looks very appealing right now...

vinzv · 2018-01-06 20:30:39

Yeah. That's the other side of the medal. This whole freedom thingy has been around way too long.

vinzv · 2018-01-06 21:59:49

Though self-quoting is not the most polite behaviour I have to do so:

vinzv wrote:

But looking at AMD's driver code quality doesn't make me trust them too far.

Not even 48 hours later:
"Security hole in AMD CPUs' hidden secure processor code revealed ahead of patches"

Seems like AMD is doing their very best to catch up with being as a mess like Intel is. Best quote from the article:
"Now that the 90-day disclosure window has passed seemingly without any action by AMD, details about the flaw have been made public."

Head_on_a_Stick · 2018-01-07 21:52:10

It looks like the new jessie-backports kernel has the KTPI fix applied:

http://metadata.ftp-master.debian.org/c … _changelog

Any BunsenLabs Hydrogen/Deuterium users concerned about the Meltdown vulnerability can switch to that kernel version by following this guide:

https://forums.bunsenlabs.org/viewtopic.php?id=1257

I'm pretty sure that the stock jessie kernel will get this fix backported as it is still under the aegis of the Security Team but it may take a bit.

Last edited by Head_on_a_Stick (2018-01-08 19:21:05)

ohnonot · 2018-01-08 06:44:28

Head_on_a_Stick wrote:

It looks like the new jessie-backports kernel has the KTPI fix applied:
http://metadata.ftp-master.debian.org/c … _changelog

I'm not sure how to read this; does it mean all changes to the stretch version apply to the backport version as well?
because I cannot find any reference kpti/kaiser under the ~bpo* headings.

Head_on_a_Stick · 2018-01-08 06:59:33

ohnonot wrote:

because I cannot find any reference kpti/kaiser under the ~bpo* headings.

Actually, I think you're right there, sorry everybody!

If anybody with access to a BL system could check that might be useful:

grep TABLE_ISO /boot/config-$(uname -r)

martix · 2018-01-08 13:38:38

Checked.

CONFIG_PAGE_TABLE_ISOLATION=y

Patent from 04. Mai 1990: Lattice scheduler method for reducing the impact of covert-channel countermeasures - is this to avoid Spectre? From 1990.

Head_on_a_Stick · 2018-01-08 19:20:34

martix wrote:

Checked

Thanks!

Which kernel is that?

EDIT: wheezy's kernel is fixed but we're still waiting for jessie

Last edited by Head_on_a_Stick (2018-01-08 19:21:39)

Head_on_a_Stick · 2018-01-08 19:26:31

martix wrote:

is this to avoid Spectre?

No, the Kernel Table Page Isolation (KTPI) patch only protects against Meltdown and provides no protection whatsoever against Spectre.

I think it is also probably worth noting[1] that the KTPI patch is a software abstraction layer designed to overcome an underlying hardware defect and so it can only be as effective as the patch is bug-free. Fingers crossed, eh? 8o

[1] I say "probably" because I raised this point over at bbs.archlinux.org and it seemed to upset several people and caused one of the mods to TGN the thread, which was amusing.

Last edited by Head_on_a_Stick (2018-01-08 20:17:07)

martix · 2018-01-08 19:45:51

Head_on_a_Stick wrote:

Which kernel is that?

It's Stretch, 4.9.0-5-amd64. As I recall it was quick, right after the news hit.

Head_on_a_Stick · 2018-01-08 19:51:37

martix wrote:

As I recall it was quick, right after the news hit.

Well, that was two months after Ubuntu found out about it[1] and six months after Intel were first aware of the problem so...

What happened to "open source"? :cry:

The OpenBSD developers only found out about it because of traffic on the Linux kernel mailing lists, which is outrageous IMO.

[1] https://wiki.ubuntu.com/SecurityTeam/Kn … 1514323332

2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA

Last edited by Head_on_a_Stick (2018-01-08 19:54:36)

stevep · 2018-01-09 22:21:47

What's the thinking about 32-bit users? The KPTI patches only work on the 64-bit kernel, and processors in 32-bit mode still do the same speculation, right? So are they just twisting in the wind for now?

Head_on_a_Stick · 2018-01-09 22:26:25

32-bit systems are exploitable so yes, they are twisting

In other news: jessie is fixed

Update && upgrade everybody!

jr2 · 2018-01-10 02:12:07

Head_on_a_Stick wrote:

32-bit systems are exploitable so yes, they are twisting
In other news: jessie is fixed
Update && upgrade everybody!

Is that for 64-bit only?
On this 32bit laptop, after up{date,grade} just now:

john@bunsen-bv:~$ grep PAGE_TABLE /boot/config-$(uname -r) # ie nothing
john@bunsen-bv:~$ uname -r
3.16.0-5-686-pae

...so there's nothing in the pipeline for 32bit?

Last edited by jr2 (2018-01-10 02:14:37)

#21 2018-01-06 09:48:05

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#22 2018-01-06 12:18:56

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#23 2018-01-06 16:14:15

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#24 2018-01-06 16:46:59

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#25 2018-01-06 20:23:40

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#26 2018-01-06 20:27:37

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#27 2018-01-06 20:30:18

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#28 2018-01-06 20:30:39

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#29 2018-01-06 21:59:49

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#30 2018-01-07 21:52:10

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#31 2018-01-08 06:44:28

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#32 2018-01-08 06:59:33

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#33 2018-01-08 13:38:38

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#34 2018-01-08 19:20:34

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#35 2018-01-08 19:26:31

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#36 2018-01-08 19:45:51

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#37 2018-01-08 19:51:37

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#38 2018-01-09 22:21:47

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#39 2018-01-09 22:26:25

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

#40 2018-01-10 02:12:07

Re: Meltdown - Intel CPU design flaw affecting all OS platforms

Board footer