PrSo Tux's lil' helper
Joined: 01 Jun 2017 Posts: 136
Posted: Thu Jan 04, 2018 9:25 am

depontius wrote:
> So at the moment there is no protection for Spectre? Has anyone contacted James Bond?

LOL,
Funny, but it could be possible that this is the backfire of a "Three Letter Agency's" nonexistent backdoor. But whether they are so generous as to share with the Brits, I don't know...
greyspoke Apprentice
Joined: 08 Jan 2010 Posts: 171
Posted: Thu Jan 04, 2018 10:14 am

So if AMD and ARM are affected by Spectre, does that mean it exposes a flaw in the instruction set they are implementing? Or is there some shared code with a flaw in it?
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
Posted: Thu Jan 04, 2018 10:48 am

I was informed of this on freenode #musl.
As far as I understand, there are 2 vulnerabilities:
https://meltdownattack.com
Meltdown: a security patch is available at https://github.com/IAIK/KAISER/tree/master/KAISER
Spectre: there is nothing available to prevent this vulnerability.
I have had hard feelings against Intel since the story with Grsecurity; now I definitively ban Intel (and all things associated with this garbage corporation) from any future purchase.
Happy new year

Edit:
Myu wrote:
> Not fixable by microcode ....
> Also, nvidia-drivers-387.34 doesn't compile anymore with 4.14.11
> Code:
> FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'cpu_tlbstate'
> make[3]: *** [/usr/src/linux-4.14.11-gentoo/scripts/Makefile.modpost:92: __modpost] Error 1

Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers.
It's like driving a motorcycle with gloves for the protection of your hands but no helmet.

Edit 2:
Intel's response is available here:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
Quote:
> Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

At least, they have a sense of humor
Myu Apprentice
Joined: 22 Oct 2014 Posts: 164 Location: Belgium
Posted: Thu Jan 04, 2018 11:53 am

Quote:
> Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers.
> It's like driving a motorcycle with gloves for the protection of your hands but no helmet.

While I understand your point, I would like to minimize the likelihood of having a security issue, which is why I will keep KPTI enabled.
If I could purchase an AMD GPU at a decent price, I would have done it already, but with the crypto mining craze, I'm holding off still.
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
Posted: Thu Jan 04, 2018 12:07 pm

Myu wrote:
> Quote:
> > Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers.
> > It's like driving a motorcycle with gloves for the protection of your hands but no helmet.
> While I understand your point, I would like to minimize the likelihood of having a security issue, which is why I will keep KPTI enabled.
> If I could purchase an AMD GPU at a decent price, I would have done it already, but with the crypto mining craze, I'm holding off still.

There is no mention for now regarding the IBM POWER processors; only time will tell us if they are not affected by Spectre. If you care about security you may be more interested in those processors.
Give the nouveau drivers a try if you can:
Quote:
> glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 42173 frames in 5.0 seconds = 8434.567 FPS
> 42940 frames in 5.0 seconds = 8587.865 FPS

It's not that bad and it is open source.
Last edited by gengreen on Thu Jan 04, 2018 12:27 pm; edited 1 time in total
yamabiko n00b
Joined: 22 Jul 2017 Posts: 10
Posted: Thu Jan 04, 2018 12:17 pm

Is it possible to provide a patch for the current stable gentoo-sources? Manually patching it on 4.9.72 gives me a hunk fail.
limn l33t
Joined: 13 May 2005 Posts: 997
Posted: Thu Jan 04, 2018 12:18 pm

Monocultures are always bad.
sligo Tux's lil' helper
Joined: 17 Oct 2011 Posts: 93
Posted: Thu Jan 04, 2018 1:24 pm

While I understand the problem, I am still a little confused. Is there something that can be done already?
Tsigorf n00b
Joined: 15 Jun 2017 Posts: 18
Posted: Thu Jan 04, 2018 2:07 pm

There is a kernel patch for Linux you can apply to avoid Meltdown (the Kaiser patch set you can find here: https://lwn.net/Articles/738975/).
However, Spectre is a hardware issue. I don't even know if there's a way to patch our CPUs. That's why they're telling us to replace hardware.
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Thu Jan 04, 2018 2:50 pm

Ralphred wrote:
> 1clue wrote:
> > It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.
> I appreciate anecdotal evidence is mostly useless, but just built 4.14.11 with 6.4 and it's working fine, nothing funky other than the ~amd64 for the kernel in package.use

I would be happy as a clam with that, except my attempt panics inside the first second of boot. No logs written.
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1171 Location: /run/user/1000
Posted: Thu Jan 04, 2018 2:52 pm

Smells like a ploy to buy new hardware which will then have serious backdoors and kill switches.
Watcom n00b
Joined: 12 Apr 2006 Posts: 21
Posted: Thu Jan 04, 2018 2:53 pm

Spectre needs:
- A "victim" program which accepts input provided by the attacker (i.e. from the network or a file). This input tricks the program into fetching cache lines based on data that is "secret".
- A program running on the same processor, devised by the attacker, to collect the "secret" data by measuring the time it takes to fetch data from its own address space that uses the same cache lines. Fast access means the data was cached, slow means it wasn't. From this alone the secret data can be inferred by seeing which bytes of an array are fast and which are slow (e.g. the first byte being fast means 'A', the second byte fast means 'B' and so on. Not exactly this simple but it's the basic idea).
So as you can see, not running untrusted code goes a long way in preventing Spectre attacks.
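Watcom's first bullet describes the "victim" side of Spectre variant 1 (a bounds check that speculation runs past); as an added illustration that is not code from this thread, here is that victim pattern in C next to the index-masking hardening the Linux kernel later adopted as array_index_nospec(). All names and sample tables are constructed, the mask formula assumes the array size has its top bit clear, and the empty asm statement is a GCC/clang compiler barrier.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#define ARRAY_SIZE 16

/* Constructed sample data: public_array is indexed by untrusted input; lookup is a
 * second table whose address depends on the byte read, 64 bytes apart so every
 * byte value maps to its own cache line. */
static uint8_t public_array[ARRAY_SIZE];
static uint8_t lookup[256 * 64];

static void setup_tables(void)
{
    for (size_t i = 0; i < ARRAY_SIZE; i++)
        public_array[i] = (uint8_t)i;
    for (size_t i = 0; i < sizeof lookup; i++)
        lookup[i] = (uint8_t)(i / 64);
}

/* Vulnerable shape: the bounds check holds architecturally, but a predictor trained
 * on in-range idx may run the body speculatively for an out-of-range idx, read a
 * byte from beyond the array and pull the matching lookup[] line into the cache.
 * That footprint survives the rollback and is what a timing program measures. */
static uint8_t victim_vulnerable(size_t idx)
{
    if (idx < ARRAY_SIZE)
        return lookup[public_array[idx] * 64];
    return 0;
}

/* Branch-free mask: all ones when idx < size, all zeros otherwise (same arithmetic
 * as the generic array_index_mask_nospec() in include/linux/nospec.h; assumes size
 * has its top bit clear). Plain arithmetic is evaluated even on a mispredicted path. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t oob = (idx | (size - 1 - idx)) >> (CHAR_BIT * sizeof(size_t) - 1);
    return oob - 1;   /* oob == 1 -> 0 (clamp), oob == 0 -> SIZE_MAX (keep idx) */
}

/* Hardened shape: same check, but the index used for the load is clamped to 0 when
 * out of range, so even a speculative run reads public_array[0], never beyond it. */
static uint8_t victim_hardened(size_t idx)
{
    if (idx < ARRAY_SIZE) {
        __asm__("" : "+r"(idx)); /* GCC/clang barrier so the optimiser can't fold the mask away */
        idx &= index_mask_nospec(idx, ARRAY_SIZE);
        return lookup[public_array[idx] * 64];
    }
    return 0;
}
```

Both functions return the same values architecturally; the difference only exists on the speculative path, which is why a unit test cannot show it and why the check has to be reviewed rather than observed.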
EasterParade l33t
Joined: 26 Jul 2003 Posts: 938
Posted: Thu Jan 04, 2018 2:57 pm

(?)
Last edited by EasterParade on Fri Jan 05, 2018 10:08 pm; edited 1 time in total
PrSo Tux's lil' helper
Joined: 01 Jun 2017 Posts: 136
Posted: Thu Jan 04, 2018 3:07 pm

This is ridiculous.
I also have a QNAP NAS with an Intel Celeron on board (TS-251), and am waiting for a firmware upgrade.
Maybe it is an exception narrowed to Ivy Bridge, but the KAISER patch (PTI) BREAKS the kernel:
https://lkml.org/lkml/2018/1/3/864
and
https://lkml.org/lkml/2018/1/3/105
Should I turn it off, cut it off from the internet and let it work only locally??
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Thu Jan 04, 2018 3:13 pm

PrSo wrote:
> Should I turn it off, cut it off from the internet and let it work only locally??

Look at it this way - "Is it any worse than running Windoze XP & earlier?"
sligo Tux's lil' helper
Joined: 17 Oct 2011 Posts: 93
Posted: Thu Jan 04, 2018 3:31 pm

Watcom wrote:
> So as you can see, not running untrusted code goes a long way in preventing Spectre attacks.

Does that include Javascript?
Naib Watchman
Joined: 21 May 2004 Posts: 6069 Location: Removed by Neddy
Posted: Thu Jan 04, 2018 3:33 pm

Tony0945 wrote:
> PrSo wrote:
> > Should I turn it off, cut it off from the internet and let it work only locally??
> Look at it this way - "Is it any worse than running Windoze XP & earlier?"

Yes, because the flaw existed with those CPUs as well. Just use AMD Zen (Ryzen, Threadripper).
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
Myu Apprentice
Joined: 22 Oct 2014 Posts: 164 Location: Belgium
Posted: Thu Jan 04, 2018 4:02 pm

Quote:
> There is no mention for now regarding the IBM POWER processors; only time will tell us if they are not affected by Spectre. If you care about security you may be more interested in those processors.

Ah, I do care, but I can only go so deep in the rabbit hole; the more you know, the more it seems endless with stuff like Intel ME, ring -1 / -2 / -whatever and now this Spectre/Meltdown.
Quote:
> Give the nouveau drivers a try if you can

I do some Linux 3D gaming and the poor GPU already struggles with the proprietary driver; I guess nouveau will be much worse. So yeah, an AMD GPU to pair with a nice open source driver is on my wishlist for sure!
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
Posted: Thu Jan 04, 2018 4:04 pm

transsib wrote:
> I remember how we chatted about major loop-holes built into the shipped hardware
> more than a year ago ... for spying purposes mainly.
> But theories of conspiracy plots aside if it wasn't so sad I'd
> Also what's all the fuss about not activating security keys in UEFI!?
> Who needs those keys at all if "anyone" can theoretically (?) milk anyone via a
> leak built into the CPU itself!
> Sorry. That was overly chatty.
> And the Intel CEO sold Intel stocks before the news hit the world.

I started to accept a while ago the fact that security will always be compromised by voluntary bugs anyway, even in open source code; they can just cover it up with "we made a mistake". Now we know for a fact that the hardware is targeted as well; the war is lost.
Sadly, like Snowden and Assange before, this news will be covered for a few days and most people won't give a damn; even though they know that their smartphone, computer or connected device spies on them all day, they are willing to abandon their freedom for some fancy technology.
Stupidity is a more dangerous enemy of the good than malice.

Quote:
> Ah, I do care, but I can only go so deep in the rabbit hole; the more you know, the more it seems endless with stuff like Intel ME, ring -1 / -2 / -whatever and now this Spectre/Meltdown.

That is also true for a lot of other things in life.
The more I learn, the less I know.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20506
Posted: Thu Jan 04, 2018 4:26 pm Post subject: Re: Major security flaw found in Intel processors

Merged this thread.
_________________
Quis separabit? Quo animo?
Watcom n00b
Joined: 12 Apr 2006 Posts: 21
Posted: Thu Jan 04, 2018 5:30 pm

sligo wrote:
> Watcom wrote:
> > So as you can see, not running untrusted code goes a long way in preventing Spectre attacks.
> Does that include Javascript?

Yes it does, unfortunately.
toofied n00b
Joined: 26 Oct 2016 Posts: 28
Posted: Thu Jan 04, 2018 5:58 pm

Ant P. wrote:
> Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.

Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...
Myu Apprentice
Joined: 22 Oct 2014 Posts: 164 Location: Belgium
Posted: Thu Jan 04, 2018 6:26 pm

Quote:
> Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.
> Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...

I did just that, installed µMatrix + NoScript, let's see how usable it is.
Quote:
> Sadly, like Snowden and Assange before, this news will be covered for a few days and most people won't give a damn; even though they know that their smartphone, computer or connected device spies on them all day, they are willing to abandon their freedom for some fancy technology.

I've no words because I know you speak the truth... but having to change all my hardware because the damn Intel CPU MMU security has been a lie for 20+ years... it's unbelievable.
Naib Watchman
Joined: 21 May 2004 Posts: 6069 Location: Removed by Neddy
Posted: Thu Jan 04, 2018 6:26 pm

toofied wrote:
> Ant P. wrote:
> > Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.
> Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...

uMatrix does permit per-site settings.