EasterParade l33t
Joined: 26 Jul 2003 Posts: 938
|
Posted: Thu Jan 04, 2018 6:46 pm Post subject: |
|
|
[b]
Last edited by EasterParade on Fri Jan 05, 2018 10:09 pm; edited 1 time in total |
|
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
|
|
NightMonkey Guru
Joined: 21 Mar 2003 Posts: 357 Location: Philadelphia, PA
|
Posted: Thu Jan 04, 2018 7:04 pm Post subject: Mitigation? |
|
|
Is there any mitigation possible, perhaps in either the kernel config, or via CFLAGs, that removes some feature that is allowing this exploitable path in our chipsets? Pretty ugly stuff - and I wonder who has been exploiting this for years without the public knowing...
|
|
PrSo Tux's lil' helper
Joined: 01 Jun 2017 Posts: 136
|
|
Myu Apprentice
Joined: 22 Oct 2014 Posts: 164 Location: Belgium
|
Posted: Thu Jan 04, 2018 7:07 pm Post subject: |
|
|
Quote: | Is there any mitigation possible, perhaps in either the kernel config, or via CFLAGs, that removes some feature that is allowing this exploitable path in our chipsets? Pretty ugly stuff - and I wonder who has been exploiting this for years without the public knowing... |
Kernel 4.14.11 has CONFIG_PAGE_TABLE_ISOLATION=y, but that's only for the Meltdown attack. Spectre is a different beast.
(edited) _________________ Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
Last edited by Myu on Thu Jan 04, 2018 7:08 pm; edited 1 time in total |
|
CPUFan n00b
Joined: 21 May 2015 Posts: 58
|
Posted: Thu Jan 04, 2018 7:08 pm Post subject: |
|
|
Just FYI: This is "part" of a solution:
/etc/portage/package.accept_keywords: |
# Meltdown:
=sys-kernel/gentoo-sources-4.14.11-r2 ~amd64 |
(followed by an update)
There will be 3 GLSAs about the full solution.
Thanks to grknight from #gentoo for confirming.
Last edited by CPUFan on Thu Jan 04, 2018 8:01 pm; edited 1 time in total |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9835 Location: almost Mile High in the USA
|
Posted: Thu Jan 04, 2018 7:08 pm Post subject: |
|
|
Anyone have the PoC code, and whether disabling L1/L2 caches would mitigate the problem?
Granted, this would kill performance really badly, but it's a stopgap solution? heh heh heh _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Naib Watchman
Joined: 21 May 2004 Posts: 6070 Location: Removed by Neddy
|
Posted: Thu Jan 04, 2018 7:09 pm Post subject: Re: Mitigation? |
|
|
NightMonkey wrote: | Is there any mitigation possible, perhaps in either the kernel config, or via CFLAGs, that removes some feature that is allowing this exploitable path in our chipsets? Pretty ugly stuff - and I wonder who has been exploiting this for years without the public knowing... |
yes, buy a ryzen setup
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0; |
|
Myu Apprentice
Joined: 22 Oct 2014 Posts: 164 Location: Belgium
|
Posted: Thu Jan 04, 2018 7:10 pm Post subject: |
|
|
@CPUFan :
Have an Intel CPU and 4.14.11 ? Then run
Code: |
cat /proc/cpuinfo | grep -i insecure |
If you have something like this, the KPTI patch is enabled :
Code: |
bugs : cpu_insecure
bugs : cpu_insecure
... |
|
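An added example, not part of the thread or any poster's code: the `bugs` line in /proc/cpuinfo shows that the kernel flags the CPU as affected, while the boot log and the kernel command line show whether page-table isolation is actually active. The `cpu_meltdown` name used by later kernels, the `Kernel/User page tables isolation: enabled` log line and the `nopti` / `pti=off` parameters come from the upstream kernel rather than from this thread; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify Meltdown/KPTI state from three text inputs, so it can
# be run against saved copies as well as the live files.
#   $1 = cpuinfo text, $2 = kernel log text (dmesg output), $3 = kernel cmdline

# Print the flags of the first "bugs" line, e.g. "cpu_insecure".
cpu_bug_flags() {
    sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

kpti_state() {
    flags=$(cpu_bug_flags "$1")
    if grep -q 'page tables isolation: enabled' "$2"; then
        echo enabled                 # kernel logged that PTI is active
    elif grep -Eq '(^|[[:space:]])(nopti|pti=off)([[:space:]]|$)' "$3"; then
        echo disabled-by-cmdline     # the bug flag is still listed in this case
    else
        case " $flags " in
            *" cpu_insecure "*|*" cpu_meltdown "*) echo flagged-unconfirmed ;;
            *) echo not-flagged ;;
        esac
    fi
}

# Constructed sample inputs (not captured from a real machine).
make_samples() {
    d=$(mktemp -d)
    printf 'processor\t: 0\nbugs\t\t: cpu_insecure\n' > "$d/cpuinfo"
    printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$d/klog_on"
    printf '[    0.000000] Linux version 4.14.11-gentoo-r2\n' > "$d/klog_off"
    printf 'root=/dev/sda2 ro\n' > "$d/cmd_default"
    printf 'root=/dev/sda2 ro nopti\n' > "$d/cmd_nopti"
    echo "$d"
}

d=$(make_samples)
echo "patched, default boot : $(kpti_state "$d/cpuinfo" "$d/klog_on" "$d/cmd_default")"
echo "booted with nopti     : $(kpti_state "$d/cpuinfo" "$d/klog_off" "$d/cmd_nopti")"
echo "boot log unavailable  : $(kpti_state "$d/cpuinfo" "$d/klog_off" "$d/cmd_default")"
rm -rf "$d"
```

On a live system, pass /proc/cpuinfo, a file holding `dmesg` output, and /proc/cmdline.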
ycUygB1 Apprentice
Joined: 27 Jul 2005 Posts: 276 Location: Portland, Oregon
|
Posted: Thu Jan 04, 2018 8:15 pm Post subject: |
|
|
CPUFan wrote: |
There will be 3 GLSAs about the full solution.
Thanks to grknight from #gentoo for confirming. |
Thank you. |
|
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
|
Posted: Thu Jan 04, 2018 8:16 pm Post subject: |
|
|
Wooo! Time for the C64 to RISE AGAIN!!!!! |
|
EasterParade l33t
Joined: 26 Jul 2003 Posts: 938
|
Posted: Thu Jan 04, 2018 8:23 pm Post subject: |
|
|
[b]
Last edited by EasterParade on Fri Jan 05, 2018 10:09 pm; edited 1 time in total |
|
Joseph Powers n00b
Joined: 26 Nov 2017 Posts: 41
|
Posted: Thu Jan 04, 2018 9:08 pm Post subject: |
|
|
Can I patch the Meltdown bug with Gentoo hardened sources? |
|
papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
|
Posted: Thu Jan 04, 2018 9:20 pm Post subject: |
|
|
Great news for me: 2 days ago I ordered an i7 8700k just to avoid the AMD segfault |
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Thu Jan 04, 2018 9:39 pm Post subject: |
|
|
It's going to take a while before any fixed hardware reaches the market. First the design needs to be fixed, then it needs to be tested and then boards need to be designed around the newer chips. We're all screwed for a while. |
|
Naib Watchman
Joined: 21 May 2004 Posts: 6070 Location: Removed by Neddy
|
Posted: Thu Jan 04, 2018 9:45 pm Post subject: |
|
|
1clue wrote: | It's going to take a while before any fixed hardware reaches the market. First the design needs to be fixed, then it needs to be tested and then boards need to be designed around the newer chips. We're all screwed for a while. |
You can take the risk with present Ryzen stock & you might be lucky not to pick up with early fab issues OR wait a couple of months and Zen2 is due out
If you want to stick with intel then sure... might take some time *if* they actually fix it (note they never actually fixed the fpu issue) as they have to gut their entire arch rather than building on it |
|
1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
|
Posted: Thu Jan 04, 2018 9:52 pm Post subject: |
|
|
Naib wrote: | 1clue wrote: | It's going to take a while before any fixed hardware reaches the market. First the design needs to be fixed, then it needs to be tested and then boards need to be designed around the newer chips. We're all screwed for a while. | You can take the risk with present Ryzen stock & you might be lucky not to pick up with early fab issues OR wait a couple of months and Zen2 is due out
If you want to stick with intel then sure... might take some time *if* they actually fix it (note they never actually fixed the fpu issue) as they have to gut their entire arch rather than building on it |
FWIW I'm sticking with Intel.
The idea that they don't fix this is insane. The FPU issue was a minor irritant with an easy software fix. This decimates the security or speed of their entire processor line for the last 15 years. |
|
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
|
Posted: Thu Jan 04, 2018 10:28 pm Post subject: |
|
|
Better to directly turn off the javascript in about:config than use some plugins
javascript is a general useflag, I will put it in my make.conf (-javascript)
it's better than nothing... |
|
roki942 Apprentice
Joined: 18 Apr 2005 Posts: 285 Location: Seattle
|
|
luiztux n00b
Joined: 31 Aug 2015 Posts: 27 Location: /usr/portage/distfiles
|
Posted: Thu Jan 04, 2018 11:17 pm Post subject: |
|
|
Who knows, maybe now is the chance for Open Source Hardware to gain momentum? Or live like Stallman ... |
|
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1171 Location: /run/user/1000
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6070 Location: Removed by Neddy
|
|
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1171 Location: /run/user/1000
|
Posted: Thu Jan 04, 2018 11:52 pm Post subject: |
|
|
It's easier to copy the PoC code from here instead of the link I posted above:
https://github.com/Eugnis/spectre-attack
Anyway, I've executed this code on 4.14.11-gentoo-r2 with cpu_insecure and got this:
Code: |
$ ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
zsh: illegal hardware instruction ./a.out |
Would be interesting to see the result on a non-patched system but I can't do it atm. |
|
gengreen Apprentice
Joined: 23 Dec 2017 Posts: 150
|
|
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1171 Location: /run/user/1000
|
Posted: Fri Jan 05, 2018 12:46 am Post subject: |
|
|
gengreen wrote: | https://paste.pound-python.org/show/X9OyOjgzkEMCgOKMTwTc/ |
Interesting, so the code actually works. On a patched or non-patched system?
I just had to try it and on the same machine I have another gentoo installation that hasn't been updated in a while (couple of months), and I get the same result (zsh: illegal hardware instruction ./a.out), thought maybe it's zsh so I tried to execute in bash but I got the same thing. Maybe I'm doing something wrong, I've compiled the source with "gcc Source.c" |
|
Back to top |
|
|
|