| View previous topic :: View next topic |
| Author |
Message |
EasterParade
l33t
Joined: 26 Jul 2003
Posts: 938
|
 Posted: Thu Jan 04, 2018 6:46 pm Post subject: |
 |
|
[b]
Last edited by EasterParade on Fri Jan 05, 2018 10:09 pm; edited 1 time in total |
|
| Back to top |
|
 |
Jaglover
Watchman
Joined: 29 May 2005
Posts: 8291
Location: Saint Amant, Acadiana
|
|
| Back to top |
|
|
NightMonkey
Guru
Joined: 21 Mar 2003
Posts: 357
Location: Philadelphia, PA
|
| Posted: Thu Jan 04, 2018 7:04 pm Post subject: Mitigation? |
|
|
Is there any mitigation possible, perhaps in either the kernel config, or via CFLAGs, that removes some feature that is allowing this exploitable path in our chipsets? Pretty ugly stuff - and I wonder who has been exploiting this for years without the public knowing...
_________________
 |
|
| Back to top |
|
|
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
|
| Back to top |
|
|
Myu
Apprentice
Joined: 22 Oct 2014
Posts: 164
Location: Belgium
|
| Posted: Thu Jan 04, 2018 7:07 pm Post subject: |
|
|
| Quote: | | Is there any mitigation possible, perhaps in either the kernel config, or via CFLAGs, that removes some feature that is allowing this exploitable path in our chipsets? Pretty ugly stuff - and I wonder who has been exploiting this for years without the public knowing... |
Kernel 4.14.11 has CONFIG_PAGE_TABLE_ISOLATION=y but that only for Meltdown attack. Spectre is a different beast
(edited)
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
Last edited by Myu on Thu Jan 04, 2018 7:08 pm; edited 1 time in total |
|
| Back to top |
|
|
CPUFan
n00b
Joined: 21 May 2015
Posts: 58
|
| Posted: Thu Jan 04, 2018 7:08 pm Post subject: |
|
|
Just FYI: This is "part" of a solution:
| /etc/portage/package.accept_keywords: | # Meltdown:
=sys-kernel/gentoo-sources-4.14.11-r2 ~amd64
|
(followed by an update)
There will be 3 GLSAs about the full solution.
Thanks to grknight from #gentoo for confirming.
Last edited by CPUFan on Thu Jan 04, 2018 8:01 pm; edited 1 time in total |
|
| Back to top |
|
|
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9824
Location: almost Mile High in the USA
|
| Posted: Thu Jan 04, 2018 7:08 pm Post subject: |
|
|
Anyone have the PoC code, and whether disabling L1/L2 caches would mitigate the problem?
Granted, this would kill performance really badly, but it's a stopgap solution? heh heh heh
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6065
Location: Removed by Neddy
|
| Posted: Thu Jan 04, 2018 7:09 pm Post subject: Re: Mitigation? |
|
|
| NightMonkey wrote: | | Is there any mitigation possible, perhaps in either the kernel config, or via CFLAGs, that removes some feature that is allowing this exploitable path in our chipsets? Pretty ugly stuff - and I wonder who has been exploiting this for years without the public knowing... |
yes, buy a ryzen setup
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
Myu
Apprentice
Joined: 22 Oct 2014
Posts: 164
Location: Belgium
|
| Posted: Thu Jan 04, 2018 7:10 pm Post subject: |
|
|
@CPUFan :
Have an Intel CPU and 4.14.11 ? Then run
| Code: | | cat /proc/cpuinfo | grep -i insecure |
If you have something like this, the KPTI patch is enabled :
| Code: |
bugs : cpu_insecure
bugs : cpu_insecure
... |
_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded. |
|
| Back to top |
|
|
ycUygB1
Apprentice
Joined: 27 Jul 2005
Posts: 276
Location: Portland, Oregon
|
| Posted: Thu Jan 04, 2018 8:15 pm Post subject: |
|
|
| CPUFan wrote: |
There will be 3 GLSAs about the full solution.
Thanks to grknight from #gentoo for confirming. |
Thank you. |
|
| Back to top |
|
|
Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746
|
| Posted: Thu Jan 04, 2018 8:16 pm Post subject: |
|
|
Wooo! Time for the C64 to RISE AGAIN!!!!!  |
|
| Back to top |
|
|
EasterParade
l33t
Joined: 26 Jul 2003
Posts: 938
|
| Posted: Thu Jan 04, 2018 8:23 pm Post subject: |
|
|
[b]
Last edited by EasterParade on Fri Jan 05, 2018 10:09 pm; edited 1 time in total |
|
| Back to top |
|
|
Joseph Powers
n00b
Joined: 26 Nov 2017
Posts: 41
|
| Posted: Thu Jan 04, 2018 9:08 pm Post subject: |
|
|
| Can I patch the Meltdown bug with Gentoo hardened sources? |
|
| Back to top |
|
|
papas
Tux's lil' helper
Joined: 01 Dec 2014
Posts: 141
Location: Athens
|
| Posted: Thu Jan 04, 2018 9:20 pm Post subject: |
|
|
| great news for me 2 days ago I ordered a i7 8700k just to avoid the AMD segfault |
|
| Back to top |
|
|
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569
|
| Posted: Thu Jan 04, 2018 9:39 pm Post subject: |
|
|
| It's going to take awhile before any fixed hardware reaches the market. First the design needs to be fixed, then it needs to be tested and then boards need to be designed around the newer chips. We're all screwed for awhile. |
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6065
Location: Removed by Neddy
|
| Posted: Thu Jan 04, 2018 9:45 pm Post subject: |
|
|
| 1clue wrote: | | It's going to take awhile before any fixed hardware reaches the market. First the design needs to be fixed, then it needs to be tested and then boards need to be designed around the newer chips. We're all screwed for awhile. |
You can take the risk with present Ryzen stock & you might be lucky not to pick up with early fab issues OR wait a couple of months an Zen2 is due out
If you want to stick with intel then sure... might take some time *if* they actually fix it (note they never actually fixed the fpu issue) as they have to gut their entire arch rather than building on it
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2569
|
| Posted: Thu Jan 04, 2018 9:52 pm Post subject: |
|
|
| Naib wrote: | | 1clue wrote: | | It's going to take awhile before any fixed hardware reaches the market. First the design needs to be fixed, then it needs to be tested and then boards need to be designed around the newer chips. We're all screwed for awhile. |
You can take the risk with present Ryzen stock & you might be lucky not to pick up with early fab issues OR wait a couple of months an Zen2 is due out
If you want to stick with intel then sure... might take some time *if* they actually fix it (note they never actually fixed the fpu issue) as they have to gut their entire arch rather than building on it |
FWIW I'm sticking with Intel.
The idea that they don't fix this is insane. The FPU issue was a minor irritant with an easy software fix. This decimates the security or speed of their entire processor line for the last 15 years. |
|
| Back to top |
|
|
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
|
| Posted: Thu Jan 04, 2018 10:28 pm Post subject: |
|
|
Better to directly turn off the javascript in about:config than use some plugins
javascript is a general useflag, I will put it in my make.conf (-javascript)
it's better than nothing... |
|
| Back to top |
|
|
roki942
Apprentice
Joined: 18 Apr 2005
Posts: 285
Location: Seattle
|
|
| Back to top |
|
|
luiztux
n00b
Joined: 31 Aug 2015
Posts: 27
Location: /usr/portage/distfiles
|
| Posted: Thu Jan 04, 2018 11:17 pm Post subject: |
|
|
Who knows now is the chance of Open Source Hardware gaining momentum? Or live like Stallman ...  |
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1171
Location: /run/user/1000
|
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6065
Location: Removed by Neddy
|
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1171
Location: /run/user/1000
|
| Posted: Thu Jan 04, 2018 11:52 pm Post subject: |
|
|
It's easier to copy the PoC code from here instead of the link I posted above:
https://github.com/Eugnis/spectre-attack
Anyway, I've executed this code on 4.14.11-gentoo-r2 with cpu_insecure and got this :
| Code: | $ ./a.out
Putting 'The Magic Words are Squeamish Ossifrage.' in memory
Reading 40 bytes:
zsh: illegal hardware instruction ./a.out |
Would be interesting to see the result on non-patched system but I can't do it atm. |
|
| Back to top |
|
|
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
|
|
| Back to top |
|
|
The Main Man
Veteran
Joined: 27 Nov 2014
Posts: 1171
Location: /run/user/1000
|
| Posted: Fri Jan 05, 2018 12:46 am Post subject: |
|
|
| gengreen wrote: | | https://paste.pound-python.org/show/X9OyOjgzkEMCgOKMTwTc/ |
Interesting, so the code actually works. On patched or non-patched system?
I just had to try it and on the same machine I have another gentoo installation that hasn't been updated in awhile (couple of months) , and I get the same result (zsh: illegal hardware instruction ./a.out), thought maybe it's zsh so I tried to execute in bash but I got the same thing. Maybe I'm doing something wrong, I've compiled the source with "gcc Source.c" |
|
| Back to top |
|
|
|
Kernel & Hardware
