Hossie Tux's lil' helper
Joined: 08 Dec 2005 Posts: 116
Posted: Thu Mar 29, 2018 8:35 am
1: Skylake and later are not fully fixed with retpoline alone:
https://lwn.net/Articles/743019/
Quote:
    Speculation on Skylake and later requires these patches ("dynamic IBRS") be used instead of retpoline[1].
2: IBRS is needed for KVM and guests that do not use retpoline, for example RHEL/CentOS. They depend on IBRS being available and passed through to the guest.
PrSo Tux's lil' helper
Joined: 01 Jun 2017 Posts: 136
Posted: Wed Apr 11, 2018 7:18 am
AMD released microcode updates with mitigation against Spectre v2 which cover all CPUs since 2011 (Bulldozer family), but I wonder if they will be included in the linux-firmware package though.
https://www.amd.com/en/corporate/security-updates
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Wed Apr 11, 2018 8:05 am
PrSo wrote:
    AMD released microcode updates with mitigation against Spectre v2 which cover all CPUs since 2011 (Bulldozer family), but I wonder if they will be included in the linux-firmware package though.
    https://www.amd.com/en/corporate/security-updates
Thanks for the heads up. How can we avoid these microcode updates?
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Wed Apr 11, 2018 10:53 am
If you don't want them, USE=savedconfig on linux-firmware can take care of that.
v_andal Guru
Joined: 26 Aug 2008 Posts: 544 Location: Germany
Posted: Sun Apr 29, 2018 9:17 am
Today I've tried to install gentoo-sources-4.4.95. It just refuses to boot on my PC. It freezes early in the boot process and I have to pull the plug, otherwise the PC reacts to nothing. Now I guess I understand why the newest Windows 10 does not work on my PC; most likely it has the same fixes and brings it to the same absolute freeze.
I've also tried to build the kernel without the new option, but it didn't help. So far I have had to mask this version.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Apr 29, 2018 1:49 pm
v_andal wrote:
    Today I've tried to install gentoo-sources-4.4.95. It just refuses to boot on my PC. It freezes early in the boot process and I have to pull the plug, otherwise the PC reacts to nothing. Now I guess I understand why the newest Windows 10 does not work on my PC; most likely it has the same fixes and brings it to the same absolute freeze.
    I've also tried to build the kernel without the new option, but it didn't help. So far I have had to mask this version.
I can boot 4.4.129 on my Bristol Ridge, which is a Bulldozer derivative. I have not knowingly installed any microcode updates, although I have MSI's latest AM4 BIOS, which may have installed some. It does seem slower than when I first got it. Is it the kernel? Profile 17.0? Microcode? Or am I just getting used to the speed and wanting more? NO RETPOLINE or any other mitigation that I know of. The earlier kernels were dropped out of portage and I have heard (hearsay) that some kernel developers are bypassing instructions that would speed up but are Spectre vulnerable regardless of CONFIG settings. Another possibility is that Intel Meltdown vulnerabilities are patched even for AMD processors. After all, everyone uses Intel, don't they?
Try building 4.4.95 for a generic CPU. If that boots, then possibly microcode has crippled your CPU.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54578 Location: 56N 3W
Posted: Sun Apr 29, 2018 3:06 pm
Tony0945,
If the Intel microcode update is being done by the kernel, it does not matter what CPU the kernel is built for.
The microcode updater identifies the CPU it's running on and, if there is an update it can apply, it does it.
Conversely, it's enough to disable kernel microcode updating to test the theory.
_________________
Regards,
NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
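An added check for the questions raised in this post and in Hossie's first post (not code from any poster in the thread): before blaming a microcode update or a kernel mitigation for freezes or slowdowns, read what the kernel actually reports. The script extracts the loaded microcode revision from /proc/cpuinfo and classifies the spectre_v2 line from sysfs as retpoline, IBRS, both, or unmitigated. The sample cpuinfo text and sysfs string are constructed for the demonstration; the live report uses the real files when they exist.

```shell
#!/bin/sh
# Constructed sample of /proc/cpuinfo for one CPU (values made up for the demo).
SAMPLE_CPUINFO='processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 21
model name	: AMD A10-9700 RADEON R7, 10 COMPUTE CORES 4C+6G
microcode	: 0x6006118
bugs		: fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2'

# Constructed sample of /sys/devices/system/cpu/vulnerabilities/spectre_v2.
SAMPLE_SPECTRE_V2='Mitigation: Full AMD retpoline, IBPB'

# Print the microcode revision of the first CPU found in cpuinfo-formatted text.
ucode_rev() {
    printf '%s\n' "$1" | awk -F': ' '/^microcode/ { print $2; exit }'
}

# Classify a spectre_v2 sysfs line by the mitigation family it names.
spectre_v2_kind() {
    case "$1" in
        *Vulnerable*)                       echo vulnerable ;;
        *retpoline*IBRS*|*IBRS*retpoline*)  echo retpoline+ibrs ;;
        *retpoline*)                        echo retpoline ;;
        *IBRS*)                             echo ibrs ;;
        *)                                  echo unknown ;;
    esac
}

# Report on the machine this runs on; degrades gracefully if files are absent.
report_live() {
    if [ -r /proc/cpuinfo ]; then
        echo "microcode revision: $(ucode_rev "$(cat /proc/cpuinfo)")"
    fi
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        s=$(cat "$f")
        echo "spectre_v2: $s ($(spectre_v2_kind "$s"))"
    else
        echo "spectre_v2: sysfs file not present (older kernel or not Linux)"
    fi
}

echo "sample microcode revision: $(ucode_rev "$SAMPLE_CPUINFO")"
echo "sample spectre_v2 kind: $(spectre_v2_kind "$SAMPLE_SPECTRE_V2")"
report_live
```

To run the test NeddySeagoon suggests, the x86 microcode loader can be skipped with the kernel command-line parameter dis_ucode_ldr, after which the microcode revision shown above should match the one the BIOS left in place.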
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Sun Apr 29, 2018 4:42 pm
Ant P. wrote:
    Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum
I totally agree, and have for years; but it bugs me that there aren't at least 2 or 3 FLOSS browsers which do not give away any info as a default.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Apr 29, 2018 5:52 pm
NeddySeagoon wrote:
    Tony0945,
    If the Intel microcode update is being done by the kernel, it does not matter what CPU the kernel is built for.
    The microcode updater identifies the CPU it's running on and, if there is an update it can apply, it does it.
    Conversely, it's enough to disable kernel microcode updating to test the theory.
The main reason that I suggested building for generic was in case the kernel was using an opcode that the CPU hung on.
The rest of the post was just describing my setup that works with the later kernel. I may have had trouble with .75 also. I'm not sure. I know that at some fairly recent time I also blocked a kernel because it wouldn't build.
ChrisJumper Advocate
Joined: 12 Mar 2005 Posts: 2400 Location: Germany
Posted: Thu Jun 28, 2018 7:07 pm
And one more PoC for browsers and Spectre v1: alephsecurity - Overcoming (some) Spectre browser mitigations released a paper and a JavaScript proof-of-concept for your browser.
Right now just the mitigation in the Firefox browser works fine. It runs for minutes here without a pair value.
On stable Chromium the PoC works and delivers a functional result.
Code:
    original value: 1100110011001100110011001100110
    restored value: 1100110011001100110011001100110
Download the PoC as a zip file, open Spectre.html with your browser, and use its web developer console to see the output of the JavaScript.
Shortcuts to open the console:
Firefox: ctrl + shift + j
Chromium: ctrl + shift + i