Gentoo Forums
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
PostPosted: Thu Jan 04, 2018 9:25 am

depontius wrote:
So at the moment there is no protection for Spectre? Has anyone contacted James Bond?


LOL,

Funny, but it could be possible that this is the backfire of a "Three Letter Agency's" nonexistent backdoor. But whether they are so generous as to share with the Brits, I don't know...
greyspoke
Apprentice
Joined: 08 Jan 2010
Posts: 171
PostPosted: Thu Jan 04, 2018 10:14 am

So if AMD and ARM are affected by Spectre, does that mean it exposes a flaw in the instruction set they are implementing? Or is there some shared code with a flaw in it?
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
PostPosted: Thu Jan 04, 2018 10:48 am

I was informed of this on freenode #musl.

As far as I understand, there are 2 vulnerabilities:

https://meltdownattack.com

Meltdown: a security patch is available at https://github.com/IAIK/KAISER/tree/master/KAISER
Spectre: there is nothing available to prevent this vulnerability.

I have had hard feelings against Intel since the story with Grsecurity; now I definitively ban Intel (and everything associated with this garbage corporation) from any future purchase.

Happy new year

Edit:

Myu wrote:
Not fixable by microcode ....

Also, nvidia-drivers-387.34 doesn't compile anymore with 4.14.11

Code:
FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'cpu_tlbstate'
make[3]: *** [/usr/src/linux-4.14.11-gentoo/scripts/Makefile.modpost:92: __modpost] Error 1

Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers.

It's like driving a motorcycle with gloves to protect your hands but no helmet.

Edit 2:

Intel's response is available here:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Quote:
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

At least they have a sense of humor.
Tsigorf
n00b
Joined: 15 Jun 2017
Posts: 18
PostPosted: Thu Jan 04, 2018 11:40 am

depontius wrote:
So at the moment there is no protection for Spectre? Has anyone contacted James Bond?


They just found a solution: https://twitter.com/attritionorg/status/948759303153856512
Myu
Apprentice
Joined: 22 Oct 2014
Posts: 164
Location: Belgium
PostPosted: Thu Jan 04, 2018 11:53 am

Quote:
Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers.

It's like driving a motorcycle with gloves to protect your hands but no helmet.


While I understand your point, I would like to minimize the likeliness of having a security issue, hence why I will keep KPTI enabled.

If I could purchase an AMD GPU at a decent price, I would have done it already but with the crypto mining craze, I'm holding off still.
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
PostPosted: Thu Jan 04, 2018 12:07 pm

Myu wrote:
Quote:
Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers.

It's like driving a motorcycle with gloves to protect your hands but no helmet.


While I understand your point, I would like to minimize the likeliness of having a security issue, hence why I will keep KPTI enabled.

If I could purchase an AMD GPU at a decent price, I would have done it already but with the crypto mining craze, I'm holding off still.


There is no mention for now regarding the IBM POWER processor; only time will tell us if they are not affected by Spectre. If you care about security you may be more interested in those processors.

Give the nouveau drivers a try if you can.

Quote:

glxgears
Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.
42173 frames in 5.0 seconds = 8434.567 FPS
42940 frames in 5.0 seconds = 8587.865 FPS


It's not that bad and it is open source.


Last edited by gengreen on Thu Jan 04, 2018 12:27 pm; edited 1 time in total
yamabiko
n00b
Joined: 22 Jul 2017
Posts: 10
PostPosted: Thu Jan 04, 2018 12:17 pm

Is it possible to provide a patch for the current stable gentoo-sources? Manually patching it on 4.9.72 gives me a hunk failure.
limn
l33t
Joined: 13 May 2005
Posts: 997
PostPosted: Thu Jan 04, 2018 12:18 pm

Monocultures are always bad.
sligo
Tux's lil' helper
Joined: 17 Oct 2011
Posts: 93
PostPosted: Thu Jan 04, 2018 1:24 pm

While I understand the problem, I am still a little confused. Is there something that can be done already?
Tsigorf
n00b
Joined: 15 Jun 2017
Posts: 18
PostPosted: Thu Jan 04, 2018 2:07 pm

There is a kernel patch for Linux you can apply to avoid Meltdown (the KAISER patch set you can find here: https://lwn.net/Articles/738975/).

However for Spectre, that's a hardware issue. I don't even know if there's a way to patch our CPUs. That's why they're telling us to replace hardware.
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569
PostPosted: Thu Jan 04, 2018 2:50 pm

Ralphred wrote:
1clue wrote:
It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.

I appreciate anecdotal evidence is mostly useless, but just built 4.14.11 with 6.4 and it's working fine, nothing funky other than the ~amd64 for the kernel in package.use


I would be happy as a clam with that, except my attempt panics inside the first second of boot. No logs written.
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1171
Location: /run/user/1000
PostPosted: Thu Jan 04, 2018 2:52 pm

Smells like a ploy to buy new hardware which will then have serious backdoors and kill switches.
Watcom
n00b
Joined: 12 Apr 2006
Posts: 21
PostPosted: Thu Jan 04, 2018 2:53 pm

Spectre needs:

  • A "victim" program which accepts input provided by the attacker (i.e. from the network or a file). This input tricks the program into fetching cache lines based on data that is "secret".

  • A program running on the same processor, devised by the attacker, to collect the "secret" data by measuring the time it takes to fetch data from its own address space that uses the same cache lines. Fast access means the data was cached, slow means it wasn't. From this alone the secret data can be inferred by seeing which bytes of an array are fast and which are slow (e.g. the first byte being fast means 'A', the second byte fast means 'B' and so on. Not exactly this simple, but it's the basic idea).

So, as you can see, not running untrusted code goes a long way in preventing Spectre attacks.
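As an added example (not from Watcom's post or anyone else in this thread): the "victim program" half of the recipe above is the part a developer can harden. A plain bounds check is architecturally correct, but while the branch is still being resolved the CPU may run the load speculatively with the attacker's out-of-range index and pull secret memory into the cache. Clamping the index with an arithmetic mask, the same identity Linux's array_index_nospec() helper uses, means a mispredicted check can only ever reach index 0 of the intended table. The table contents and the function names are constructed for illustration; the code assumes a two's complement intptr_t with arithmetic right shift, which holds for GCC and Clang on x86 and ARM.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table standing in for data a victim program is
 * willing to return for a caller-supplied index. */
static const uint8_t table[16] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};
#define TABLE_SIZE (sizeof table / sizeof table[0])

/* Plain bounds check. Architecturally correct, but while the branch is
 * being resolved the CPU may speculatively execute the load with an
 * out-of-range idx, bringing whatever lies beyond the table into cache. */
uint8_t lookup_checked(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Branchless mask: all ones when idx < size, all zeros otherwise.
 * Same identity as Linux's array_index_mask_nospec(): for idx < size both
 * idx and (size - idx - 1) have a clear sign bit, so the complemented OR,
 * shifted arithmetically by the full width, is all ones; for idx >= size
 * the subtraction wraps, the sign bit is set, and the result is zero.
 * Assumes a two's complement intptr_t with arithmetic right shift. */
static inline size_t nospec_mask(size_t idx, size_t size)
{
    intptr_t v = (intptr_t)(idx | (size - idx - 1));
    return (size_t)(~v >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Index the load will actually use: unchanged when in range, 0 otherwise.
 * Because the mask comes from arithmetic rather than a branch, a
 * mispredicted bounds check cannot steer the speculative load out of the table. */
size_t clamped_index(size_t idx)
{
    return idx & nospec_mask(idx, TABLE_SIZE);
}

/* Hardened lookup: keeps the architectural check and clamps inside it. */
uint8_t lookup_nospec(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[clamped_index(idx)];
    return 0;
}

int main(void)
{
    /* Constructed probes: in range, at the edge, just past it, far past it. */
    size_t probes[] = { 0, 3, 15, 16, 100, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t idx = probes[i];
        printf("idx=%zu checked=%u nospec=%u speculative-index=%zu\n",
               idx, (unsigned)lookup_checked(idx), (unsigned)lookup_nospec(idx),
               clamped_index(idx));
    }
    return 0;
}
```

Both lookups return the same values for every index; the difference is only what the CPU can touch before the branch is resolved, which is exactly the window the cache-timing side described above measures. For a process that never handles attacker-controlled input there is nothing to gain here, which is the practical content of "don't run untrusted code".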
EasterParade
l33t
Joined: 26 Jul 2003
Posts: 938
PostPosted: Thu Jan 04, 2018 2:57 pm

(?)

Last edited by EasterParade on Fri Jan 05, 2018 10:08 pm; edited 1 time in total
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
PostPosted: Thu Jan 04, 2018 3:07 pm

This is ridiculous.
I also have a QNAP NAS with an Intel Celeron on board (TS-251), and am waiting for a firmware upgrade.

Maybe it is an exception narrowed to Ivy Bridge, but the KAISER patch (PTI) BREAKS the kernel.

https://lkml.org/lkml/2018/1/3/864,

and

https://lkml.org/lkml/2018/1/3/105

Should I turn it off, cut it off from the internet and let it work only locally??
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Thu Jan 04, 2018 3:13 pm

PrSo wrote:
Should I turn it off, cut it off from the internet and let it work only locally??


Look at it this way - "Is it any worse than running Windoze XP & earlier?"
sligo
Tux's lil' helper
Joined: 17 Oct 2011
Posts: 93
PostPosted: Thu Jan 04, 2018 3:31 pm

Watcom wrote:
So as you can see not running untrusted code goes a long way in preventing Spectre attacks.


Does that include Javascript?
Naib
Watchman
Joined: 21 May 2004
Posts: 6070
Location: Removed by Neddy
PostPosted: Thu Jan 04, 2018 3:33 pm

Tony0945 wrote:
PrSo wrote:
Should I turn it off, cut it off from the internet and let it work only locally??


Look at it this way - "Is it any worse than running Windoze XP & earlier?"
Yes, because the flaw existed with those CPUs as well. Just use AMD Zen (Ryzen, Threadripper).
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
Myu
Apprentice
Joined: 22 Oct 2014
Posts: 164
Location: Belgium
PostPosted: Thu Jan 04, 2018 4:02 pm

Quote:
There is no mention for now regarding the IBM POWER processor; only time will tell us if they are not affected by Spectre. If you care about security you may be more interested in those processors.


Ah, I do care, but I can only go so deep in the rabbit hole; the more you know, the more it seems endless with stuff like Intel ME, ring -1 / -2 / -whatever and now this Spectre/Meltdown.

Quote:
Give the nouveau drivers a try if you can.


I do some Linux 3D gaming and the poor GPU already struggles with the proprietary driver, I guess nouveau will be much worse. So yeah, an AMD GPU to pair with a nice open source driver is on my wishlist for sure!
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
PostPosted: Thu Jan 04, 2018 4:04 pm

transsib wrote:
I remember how we chatted about major loop-holes built into the shipped hardware
more than a year ago ... for spying purposes mainly.

But theories of conspiracy plots aside, if it wasn't so sad I'd :lol:
Also what's all the fuss about not activating security keys in UEFI!?
Who needs those keys at all if "anyone" can theoretically (?) milk anyone via a
leak built into the CPU itself!

Sorry. That was overly chatty.
And the Intel CEO sold Intel stocks before the news hit the world.


I started to accept a while ago the fact that security will always be compromised by voluntary bugs anyway, even in open source code; they can just cover it up with "we made a mistake". Now we know for a fact that the hardware is targeted as well; the war is lost.

Sadly, like Snowden and Assange before, this news will be covered for a few days and most people won't give a damn; even though they know that their smartphone, computer or connected device spies on them all day, they are willing to abandon their freedom for some fancy technology.

Stupidity is a more dangerous enemy of the good than malice.

Quote:
Ah, I do care, but I can only go so deep in the rabbit hole; the more you know, the more it seems endless with stuff like Intel ME, ring -1 / -2 / -whatever and now this Spectre/Meltdown.


That is also true for a lot of other things in life :D

The more I learn, the less I know.
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20499
PostPosted: Thu Jan 04, 2018 4:26 pm    Post subject: Re: Major security flaw found in Intel processors

Fitzcarraldo wrote:
Happened to see this article in today's Guardian (UK) newspaper:

https://www.theguardian.com/technology/2018/jan/03/major-security-flaw-found-intel-processors-computers-windows-mac-os-linux

Haven't looked around yet. Anyone know anything more, and when firmware updates -- I assume Intel will be fixing this via firmware updates -- will be available?
Merged this thread.
_________________
Quis separabit? Quo animo?
Watcom
n00b
Joined: 12 Apr 2006
Posts: 21
PostPosted: Thu Jan 04, 2018 5:30 pm

sligo wrote:
Watcom wrote:
So as you can see not running untrusted code goes a long way in preventing Spectre attacks.


Does that include Javascript?


Yes it does, unfortunately.
toofied
n00b
Joined: 26 Oct 2016
Posts: 28
PostPosted: Thu Jan 04, 2018 5:58 pm

Ant P. wrote:
Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.


Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...
Myu
Apprentice
Joined: 22 Oct 2014
Posts: 164
Location: Belgium
PostPosted: Thu Jan 04, 2018 6:26 pm

Quote:
Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.

Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...


I did just that, installed µMatrix + NoScript, let's see how usable it is.

Quote:

Sadly, like Snowden and Assange before, this news will be covered for a few days and most people won't give a damn; even though they know that their smartphone, computer or connected device spies on them all day, they are willing to abandon their freedom for some fancy technology.


I've no words because I know you speak the truth... :( but having to change all my hardware because the damn Intel CPU MMU security was a lie for 20+ years... it's unbelievable.
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
Naib
Watchman
Joined: 21 May 2004
Posts: 6070
Location: Removed by Neddy
PostPosted: Thu Jan 04, 2018 6:26 pm

toofied wrote:
Ant P. wrote:
Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.


Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...
uMatrix does permit per-site settings.
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
Page 2 of 23