| View previous topic :: View next topic |
| Author |
Message |
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
 Posted: Tue Jan 09, 2018 11:15 pm Post subject: |
 |
|
| Pearlseattle wrote: |
E.g. my "Xeon(R) CPU E3-1260L v5" hasn't been patched yet  |
Telling the truth I have no idea why because Lenovo System x3250 M5 has E3-1200 v3 which is older.
Lenovo page was modified couple of times. If I remember correctly update for t530 should be done firstly on 26th or 28th of January. Maybe it is Lenovo fault or maybe Intel plays on time.
After bios update there could be a performance downgrade from 2% to 30% with current solution in software part, especially on servers.
If you apply Thistled's tin foil hat theory on that IMHO it comes to "money" or just to rework less resource-hungry way (I know that Intel and AMD were informed earlier about Meltdown and Spectre) and maybe those updated desktops/laptops cpu's are just the testing ground for code optimization. I presume that I could be wrong.
And that is a hell good question:
| dmpogo wrote: |
To those of you who have patched/upgraded everything - can you comment on the performance, is there a noticable hit ? |
|
|
| Back to top |
|
 |
Aiken
Apprentice
Joined: 22 Jan 2003
Posts: 239
Location: Toowoomba/Australia
|
| Posted: Wed Jan 10, 2018 12:07 am Post subject: Re: So how is the performance after patches ? |
|
|
| eccerr0r wrote: | | I don't know if it's valid to run 32-in-64... that would be another interesting situation... |
Do you mean 23 bit user space with a 64 bit kernel? Had a few 32 bit machines that I changed to a 64 kernel because I got fed up with the oom kill doing it's thing with low mem filling up while high mem and swap were mostly free. The only problem I had was the day I forgot to select 32 bit support in the 64 bit kernel and that machine promptly failed to boot. Nothing on those machines was in danger of hitting the address limit of 32 bit. Only reason I moved them to 64 bit user space was so I could use a single build server.
| dmpogo wrote: | | To those of you who have patched/upgraded everything - can you comment on the performance, is there a noticable hit ? |
Cpu old enough to not get a microcode update and with the tool chain and statics libs now pie. These are my results on an old box I was testing with. Core2 e8500, 8G ram, 160G hd.
For a kernel compile was using the vanilla source for 4.14.11 and make oldconfig.
running 4.9.72 it took 11 min 22 sec
running 4.14.11 it took 11 min 45 sec
running 4.14.12 with a pie tool chain 11 min 57 sec.
With a database only had a look at loading a database. 9.5 million lines in the dump and on disk space 1.2G. Running kernel 4.1.4.12.
boot pti=off a db load takes 2 min 31 sec
boot pti=on a db load takes 2 min 32.5 sec
Doing a dna sequence search with a ncbi-blast on the nt dna set I download november 21 the searches were 11 min 28 sec and 11 min 30 sec. That is not a good machine for doing searches at the best of times.
_________________
Beware the grue. |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9884
Location: almost Mile High in the USA
|
| Posted: Wed Jan 10, 2018 12:11 am Post subject: Re: So how is the performance after patches ? |
|
|
| Aiken wrote: | | eccerr0r wrote: | | I don't know if it's valid to run 32-in-64... that would be another interesting situation... |
Do you mean 23 bit user space with a 64 bit kernel?
|
Yes, except that the concern is whether the 32-bit userland gets the security advantage of the patched 64-bit kernel. I would hope yes.
This hack unfortunately does not work for the ppro, p2, p3, etc. as they do not have 64-bit execution cores...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23071
|
| Posted: Wed Jan 10, 2018 12:15 am Post subject: |
|
|
Regarding the lack of older microcode, there are several plausible innocuous explanations:- Perhaps some of the affected systems do so much of the work in pure hardware that a microcode fix is impossible
- Perhaps the CPU's storage for microcode is too limited to accept the size increase that would come from augmenting the microcode with the fix. Since microcode is the dumping ground for all such fixes, it tends to grow over time, and rarely if ever shrink for a given CPU.
- Perhaps the environment to build the microcode has bitrotted, and the vendor is no longer able to produce microcode for that chip
- Perhaps the vendor has other projects that they consider higher priority (possibly even rightly so), so the people qualified to write the microcode fix are busy doing other work
|
|
| Back to top |
|
|
saboya
Guru
Joined: 28 Nov 2006
Posts: 552
Location: Brazil
|
| Posted: Wed Jan 10, 2018 1:14 am Post subject: |
|
|
| Hu wrote: | Regarding the lack of older microcode, there are several plausible innocuous explanations:- Perhaps some of the affected systems do so much of the work in pure hardware that a microcode fix is impossible
- Perhaps the CPU's storage for microcode is too limited to accept the size increase that would come from augmenting the microcode with the fix. Since microcode is the dumping ground for all such fixes, it tends to grow over time, and rarely if ever shrink for a given CPU.
- Perhaps the environment to build the microcode has bitrotted, and the vendor is no longer able to produce microcode for that chip
- Perhaps the vendor has other projects that they consider higher priority (possibly even rightly so), so the people qualified to write the microcode fix are busy doing other work
|
I think it's much more likely that they won't support processors after their EOL. I believe it's 5 years for Intel CPUs, so neither Sandy Bridge or Ivy Bridge should receive new microcodes. |
|
| Back to top |
|
|
Aiken
Apprentice
Joined: 22 Jan 2003
Posts: 239
Location: Toowoomba/Australia
|
| Posted: Wed Jan 10, 2018 2:58 am Post subject: |
|
|
At least as far as meltdown goes even with the 32 bit user space I had expected meltdown to be dealt with using the an updated 64 bit kernel. I have one such system left. The checking tools not compiling under 32 bit does not help. This is a Prescott P4 and most of the checking I have done with it has been in a 64 bit chroot. I am getting mixed results. So far the Am-I-affected-by-Meltdown tool someone posted in this thread earlier has said it is safe no matter what kernel I have tried. Another tool looks for pti in the cpu cflags listed in /proc/cpuinfo. For me it is becoming academic as I am thinking time to retire that computer.
The core2 test box Am-I-affected-by-Meltdown gives the expected results depending on whether is booted with pti=on or pti=off.
Those sound like plausible reasons for no microcode update. I had taken the cynical approach and wondered how much of the decision was marketing with an arbitrary cut off date.
_________________
Beware the grue. |
|
| Back to top |
|
|
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
|
| Back to top |
|
|
fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 31450
Location: here
|
| Posted: Wed Jan 10, 2018 10:26 am Post subject: |
|
|
| krinn wrote: | | As you see, no update for 306e4 cpu, so i suppose the version gentoo speak in the wiki, is a not yet release version that will have the fix. |
With intel-microcode-20180108 now is ok
| Code: | $ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x42a, date = 2017-12-01
[ 1.750161] microcode: sig=0x306e4, pf=0x4, revision=0x42a
[ 1.750528] microcode: Microcode Update Driver: v2.2. |
_________________
Questions are guaranteed in life; Answers aren't. |
|
| Back to top |
|
|
fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 31450
Location: here
|
| Posted: Wed Jan 10, 2018 10:32 am Post subject: |
|
|
| krinn wrote: | albright: you are right, the wiki page seems incorrect with 0xc2
| Code: | iucode_tool -l /lib/firmware/intel-ucode/* | grep 506e3
066/001: sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
|
|
New version of microcode report 0xc2 for skylake
| Code: | # iucode_tool -l /lib/firmware/intel-ucode/* | grep 506e3
066/001: sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328 |
_________________
Questions are guaranteed in life; Answers aren't. |
|
| Back to top |
|
|
Spargeltarzan
Guru
Joined: 23 Jul 2017
Posts: 328
|
| Posted: Wed Jan 10, 2018 1:04 pm Post subject: |
|
|
So in the microcode upgrade 2017-01-08 we can excpect microcodes as of 2017-11-16 in v2.2? Shouldn't it be 2017-01-08 as shown here? (When I click on my CPU it still shows 2017-01-08, but with the upgrade from today my microcodes become firstly upgraded to 2017-11-16. Crazy?
ADD: I have got an i7-6500U, Skylake, so I guess currently the 2017-11-16 is the latest in Gentoo Repos, but on Intel Page the 2018-01-08 is available. Hope it becomes available soon.
ADD: Output from spectre-meltdown-checker
| Code: |
Spectre and Meltdown mitigation detection tool v0.21
Checking for vulnerabilities against live running kernel Linux 4.14.12-gentoo #2 SMP Sat Jan 6 23:12:20 CET 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO (only 32 opcodes found, should be >= 70)
> STATUS: VULNERABLE (heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
|
I see cpu microcode is not vulnerable any more, so probably this was already fixed by microcodes v2.2 - 2017-11-16?
Is my test result the maximum fix at the moment?
_________________
___________________
Regards
Spargeltarzan
Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Wed Jan 10, 2018 1:44 pm Post subject: |
|
|
| Quote: | | Is my test result the maximum fix at the moment? |
Probably not. Look at the output from a RHEL 7 server I posted two days ago. The tool indicates that they already have Kernel support for IBRS and LFENCE opcodes. |
|
| Back to top |
|
|
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
|
| Posted: Wed Jan 10, 2018 2:24 pm Post subject: |
|
|
Here are results on my testing:
the variant 1 : i don't have the fix for that yet.
the variant 2 : microcode has fix it
the variant 3 : KPTI should fix it (i have KPTI, but nothing to test it).
the spectre and update spectre-thread spoke earlier are variant1 (and yes, they do work flawlessly)
the meltdown earlier is variant2 : (with the microcode update it fail, without it, it work)
on my core2 using x86: variant1 test fail, variant2 test fail (i even cannot build them, but my corei2 as done the job with -m32)
i also prefer those two tools, because they don't check your security, they just try to abuse you : no need for a script telling me: ok your microcode is update if anyone could still fuck me with that microcode.
expect variant1 virus incoming 
guys: i suppose we have to find those IBRS LFENCE ready kernel. |
|
| Back to top |
|
|
blopsalot
Apprentice
Joined: 28 Jan 2017
Posts: 231
|
| Posted: Wed Jan 10, 2018 5:03 pm Post subject: |
|
|
FYI : I''ve been testing Gentoo Hardened Profile devices using the following the projects and I don't see it working on processors reported as vulnerable on other distros, kernels predate the Page Table/Kaiser inclusion.
https://github.com/paboldin/meltdown-exploit
reports not vulnerable on all tested
https://github.com/IAIK/meltdown
this one says it finds the offset of KASLR (its wrong). inputting correct offset, the reliability test is .4% and I still cannot read values from ./secret
https://github.com/Eugnis/spectre-attack
this one works at default but i don't see it sucessfully reading anything else |
|
| Back to top |
|
|
Aiken
Apprentice
Joined: 22 Jan 2003
Posts: 239
Location: Toowoomba/Australia
|
| Posted: Wed Jan 10, 2018 10:42 pm Post subject: |
|
|
The 2 newer desktops (i7 700k) got microcode updates from both 20171117_p20171215-r1 and 20180108. Everything else is outside that 5 year limit.
Anyone been trying kvm on older hardware? On the core2 having kpti enabled in the guest is a killer. Timing a kernel compile I am getting
Host 11 1/2 - 12 minutes depending on booting with pti=on/pti=off
Host pti=off, guest pti=off 21 - 25 min
Host pti=on, guest pti=off 27 min
Host pti=on, guest pti=on 41 - 53 min
This is hw old enough to not have the pcid instruction. At least on the older hw can not say I am happy if kpti gets enabled in the guest.
_________________
Beware the grue. |
|
| Back to top |
|
|
blopsalot
Apprentice
Joined: 28 Jan 2017
Posts: 231
|
| Posted: Thu Jan 11, 2018 5:58 am Post subject: |
|
|
| blopsalot wrote: | FYI : I''ve been testing Gentoo Hardened Profile devices using the following the projects and I don't see it working on processors reported as vulnerable on other distros, kernels predate the Page Table/Kaiser inclusion.
https://github.com/paboldin/meltdown-exploit
reports not vulnerable on all tested
https://github.com/IAIK/meltdown
this one says it finds the offset of KASLR (its wrong). inputting correct offset, the reliability test is .4% and I still cannot read values from ./secret
https://github.com/Eugnis/spectre-attack
this one works at default but i don't see it sucessfully reading anything else |
this one works, other two seem broken. im prett sure it had to do with catching the right cpu, but i'm still unsure. https://github.com/IAIK/meltdown |
|
| Back to top |
|
|
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
|
| Back to top |
|
|
queen
Veteran
Joined: 19 Jul 2005
Posts: 1642
|
| Posted: Thu Jan 11, 2018 12:35 pm Post subject: |
|
|
Hi Guys
With all the mess of the latest vulnerabilities, I decided not to upgrade the kernel and install all the new firmware, microcode etc. It's a totally waste of time, because the problem won't be solved anyway until they develop a new CPU(which will take around 5 years as a person from Intel told me). And definitely the performance will be affected. My question is how other packages will be affected?
What other packages might be affected (gcc)? emerge world? Normal programs will be affected? |
|
| Back to top |
|
|
Spargeltarzan
Guru
Joined: 23 Jul 2017
Posts: 328
|
| Posted: Thu Jan 11, 2018 2:42 pm Post subject: |
|
|
@ queen:
At least you can protect against Meltdown.
Further, I believe a Spectre upgrade which close this issue is possible. There are some performance test comparisons which differ from almost no hit to significant hit, let's wait a bit here. Desktop PCs might be less affected anyway.
All in all, do you have an alternative to upgrade currently, do you prefer abuse of your data?
_________________
___________________
Regards
Spargeltarzan
Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen |
|
| Back to top |
|
|
queen
Veteran
Joined: 19 Jul 2005
Posts: 1642
|
| Posted: Thu Jan 11, 2018 2:56 pm Post subject: |
|
|
Well, I heard the lecture of Daniel Genkin (one of the authors of the paper) this week. He said spectre will haunt us for years. Furthermore, one of the greatest cpu architests that worked until recently at intel said that it needs a new design of cpu which will take 5 years. So don't be naive about spectre. I might consider applying kaiser. Unfortunately, our data is abused all over.
BTW, the person who worked at intel, told me that they designed about 10 years ago a cpu that would have resolved some of the issues that were presented now, but intel refused it because the performance was only 10% and intel wanted only performance. The guy is a genius. |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1172
Location: /run/user/1000
|
| Posted: Thu Jan 11, 2018 3:06 pm Post subject: |
|
|
| Spectre and Meltdown aside, who knows what else is there that we don't know about. |
|
| Back to top |
|
|
Myu
Apprentice
Joined: 22 Oct 2014
Posts: 164
Location: Belgium
|
| Posted: Thu Jan 11, 2018 4:28 pm Post subject: |
|
|
Intel CPU's older than 5 years should get microcode security fixes : https://newsroom.intel.com/news-releases/security-first-pledge/
| Quote: | | By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January |
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded. |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9884
Location: almost Mile High in the USA
|
| Posted: Thu Jan 11, 2018 5:40 pm Post subject: |
|
|
| Myu wrote: | Intel CPU's older than 5 years should get microcode security fixes : https://newsroom.intel.com/news-releases/security-first-pledge/
| Quote: | | By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January |
|
Actually it probably meant,
90% of the last 5 years CPU: by Jan 15
10% of the last 5 years CPU: by Jan 31
100% of older than 5 years: SOL
ugh, don't know what to do about my Sandybridge i7...
| queen wrote: | | BTW, the person who worked at intel, told me that they designed about 10 years ago a cpu that would have resolved some of the issues that were presented now, but intel refused it because the performance was only 10% and intel wanted only performance. The guy is a genius. |
I wonder if they meant Itanium since apparently it was not affected, and it wasn't just Intel that wanted performance, it's the customer that wanted performance and binary compatibility (power consumption comes later I suppose)...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
| Posted: Thu Jan 11, 2018 5:53 pm Post subject: |
|
|
@ eccerr0r
| Quote: | | Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers. |
Last edited by PrSo on Thu Jan 11, 2018 6:11 pm; edited 1 time in total |
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Thu Jan 11, 2018 6:03 pm Post subject: |
|
|
The important word is "introduced" - and it was carefully chosen. It does not mean: "delivered" or "sold".  |
|
| Back to top |
|
|
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
|
| Posted: Thu Jan 11, 2018 6:09 pm Post subject: |
|
|
| Quote: | | remainder of these CPUs available by the end of January |
Not remainder of our CPU's. It's clearly referring to CPU's from the last five years. |
|
| Back to top |
|
|
|
Kernel & Hardware
