Gentoo Forums
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory
Hossie
Tux's lil' helper
Joined: 08 Dec 2005
Posts: 108

PostPosted: Thu Mar 29, 2018 8:35 am

1: Skylake and later are not fully fixed with retpoline alone:

https://lwn.net/Articles/743019/

Quote:
Speculation on Skylake and later requires these patches ("dynamic IBRS")
be used instead of retpoline[1].


2: IBRS is needed for KVM and guests that do not use retpoline, for example RHEL/CentOS. They depend on IBRS being available and passed through to the guest.
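The two points above can be checked on a running host. The script below is an added example, not code from the thread or from any of the linked patches. It reads two real kernel interfaces, /sys/devices/system/cpu/vulnerabilities/spectre_v2 (which mitigation the kernel chose) and the flags line of /proc/cpuinfo (whether the CPU exposes the spec_ctrl/ibrs and ibpb controls a non-retpoline guest such as RHEL/CentOS depends on). The sample strings are constructed so it runs offline; on a live box substitute the contents of the real files. Note that a retpoline kernel also lists IBRS_FW on the same sysfs line, which only means firmware-assisted IBRS for firmware calls, not the "dynamic IBRS" the LWN quote refers to, so the classifier tests for retpoline first.

```shell
#!/bin/sh
# Added example, not code from the thread. It reads the kernel's own reports:
#   /sys/devices/system/cpu/vulnerabilities/spectre_v2  (mitigation in use)
#   /proc/cpuinfo                                      (CPU flags a guest needs)
# The two sample strings are constructed so the functions can run offline.

# Classify a spectre_v2 sysfs line. Retpoline is tested first because a
# retpoline kernel also lists IBRS_FW (firmware-assisted IBRS) on the same line.
# Prints: retpoline | ibrs | vulnerable | not_affected | unknown
classify_spectre_v2() {
    case "$1" in
        "Mitigation:"*[Rr]etpoline*)                         echo retpoline ;;
        "Mitigation:"*"Indirect Branch Restricted Speculation"*|"Mitigation:"*IBRS*)
                                                             echo ibrs ;;
        "Vulnerable"*)                                       echo vulnerable ;;
        "Not affected"*)                                     echo not_affected ;;
        *)                                                   echo unknown ;;
    esac
}

# A guest that relies on IBRS/IBPB (no retpoline) needs the host to expose the
# MSR-backed controls. Linux names them spec_ctrl (Intel) or ibrs (AMD), plus ibpb.
# Prints yes/no given the text of /proc/cpuinfo.
has_ibrs_flags() {
    flags=" $(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1) "
    ctrl=no; ibpb=no
    case "$flags" in *" spec_ctrl "*|*" ibrs "*) ctrl=yes ;; esac
    case "$flags" in *" ibpb "*)                ibpb=yes ;; esac
    if [ "$ctrl" = yes ] && [ "$ibpb" = yes ]; then echo yes; else echo no; fi
}

# Constructed samples: a Skylake-era host with a retpoline kernel and updated microcode.
SYSFS_SAMPLE='Mitigation: Full generic retpoline, IBPB, IBRS_FW'
CPUINFO_SAMPLE='processor	: 0
vendor_id	: GenuineIntel
model name	: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
microcode	: 0xc2
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm spec_ctrl ibpb stibp'

# Stand-alone run against the samples; on a live host replace them with
#   "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2)" and "$(cat /proc/cpuinfo)".
echo "spectre_v2 mitigation: $(classify_spectre_v2 "$SYSFS_SAMPLE")"
echo "IBRS/IBPB flags for guests: $(has_ibrs_flags "$CPUINFO_SAMPLE")"
```

For the KVM case, what matters is the second check on the host, plus a guest CPU model that actually forwards those flags (for example `-cpu host`); a guest whose own /proc/cpuinfo lacks spec_ctrl/ibrs and ibpb cannot use IBRS no matter what the host has loaded.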
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 122

PostPosted: Wed Apr 11, 2018 7:18 am

AMD released microcode updates with mitigation against Spectre v2 which cover all CPUs since 2011 (Bulldozer family), but I wonder if they will be included in the linux-firmware package though.
https://www.amd.com/en/corporate/security-updates
Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 2614
Location: Illinois, USA

PostPosted: Wed Apr 11, 2018 8:05 am

PrSo wrote:
AMD released microcode updates with mitigation against Spectre v2 which cover all CPUs since 2011 (Bulldozer family), but I wonder if they will be included in the linux-firmware package though.
https://www.amd.com/en/corporate/security-updates

Thanks for the heads up. How can we avoid these microcode updates?
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5235

PostPosted: Wed Apr 11, 2018 10:53 am

If you don't want them, USE=savedconfig on linux-firmware can take care of that.
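What USE=savedconfig does in practice, as an added example rather than anything Ant P. posted: with that flag set, linux-firmware installs only the files listed in its saved config, so dropping the amd-ucode/ lines keeps every other blob while leaving the CPU on whatever microcode the BIOS shipped. The config path follows Gentoo's savedconfig eclass convention (assumed here: /etc/portage/savedconfig/sys-kernel/linux-firmware-<version>, one firmware path per line, lines starting with # ignored); the config below is a constructed sample, real ones are much longer.

```shell
#!/bin/sh
# Added example, not code from the thread. With USE=savedconfig on
# sys-kernel/linux-firmware, Portage installs only the firmware files listed in
#   /etc/portage/savedconfig/sys-kernel/linux-firmware-<version>
# (path assumed from the savedconfig eclass; lines starting with # are ignored).
# The config below is a constructed sample; real files are much longer.

# Comment out every AMD microcode entry. Commenting rather than deleting keeps
# the change visible when the file is diffed against the next version's default.
mask_amd_ucode() {
    sed 's|^amd-ucode/|# &|'
}

# Count the entries that would still install CPU microcode (AMD or Intel).
count_ucode_entries() {
    grep -c -E '^(amd-ucode|intel-ucode)/' || true
}

SAMPLE_CONFIG='# linux-firmware savedconfig (constructed sample)
amd-ucode/microcode_amd.bin
amd-ucode/microcode_amd_fam15h.bin
amd-ucode/microcode_amd_fam17h.bin
intel-ucode/06-5e-03
iwlwifi-8000C-36.ucode
rtl_nic/rtl8168g-2.fw'

# Stand-alone run on the sample. On a real box (cfg = the savedconfig path above):
#   echo "sys-kernel/linux-firmware savedconfig" >> /etc/portage/package.use/linux-firmware
#   emerge -1 sys-kernel/linux-firmware          # first build writes the default savedconfig
#   mask_amd_ucode < "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
#   emerge -1 sys-kernel/linux-firmware          # reinstalls without the amd-ucode/ blobs
printf '%s\n' "$SAMPLE_CONFIG" | mask_amd_ucode
echo "microcode entries left: $(printf '%s\n' "$SAMPLE_CONFIG" | mask_amd_ucode | count_ucode_entries)"
```

Check the count after each linux-firmware bump: a new version ships a new default list, and the eclass warns when the saved config is older than the package, so the masking has to be reapplied to the new file.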
v_andal
Guru
Joined: 26 Aug 2008
Posts: 519
Location: Germany

PostPosted: Sun Apr 29, 2018 9:17 am

Today I've tried to install gentoo-sources-4.4.95. It just refuses to boot on my PC. It freezes early in the boot process and I have to pull the plug, otherwise PC reacts to nothing. Now I guess I understand why newest Windows 10 does not work on my PC, most likely it has the same fixes and brings it to the same absolute freeze :)

I've also tried to build the kernel without the new option, but it didn't help. So far I have had to mask this version.
Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 2614
Location: Illinois, USA

PostPosted: Sun Apr 29, 2018 1:49 pm

v_andal wrote:
Today I've tried to install gentoo-sources-4.4.95. It just refuses to boot on my PC. It freezes early in the boot process and I have to pull the plug, otherwise PC reacts to nothing. Now I guess I understand why newest Windows 10 does not work on my PC, most likely it has the same fixes and brings it to the same absolute freeze :)

I've also tried to build the kernel without the new option, but it didn't help. So far I have had to mask this version.

I can boot 4.4.129 on my Bristol Ridge which is a bulldozer derivative. I have not knowingly installed any microcode updates, although I have MSI's latest AM4 BIOS which may have installed some. It does seem slower than when I first got it. Is it the kernel? Profile 17.0? Microcode? Or am I just getting used to the speed and wanting more? NO RETPOLINE or any other mitigation that I know of. The earlier kernels were dropped out of portage and I have heard (hear-say) that some kernel developers are bypassing instructions that would speed up but are Spectre vulnerable regardless of CONFIG settings. Another possibility is that Intel Meltdown vulnerabilities are patched even for AMD processors. After all, everyone uses Intel, don't they?

Try building 4.4.95 for a generic CPU. If that boots then possibly microcode has crippled your CPU.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 41417
Location: 56N 3W

PostPosted: Sun Apr 29, 2018 3:06 pm

Tony0945,

If the Intel microcode update is being done by the kernel, it does not matter what CPU the kernel is built for.
The microcode updater identifies the CPU it's running on and, if there is an update it can apply, applies it.

Conversely, it's enough to disable kernel microcode updating to test the theory.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
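How to run the test NeddySeagoon describes, as an added example that is not part of his post: the kernel's loader (the CONFIG_MICROCODE options, fed by sys-firmware/intel-microcode or linux-firmware's amd-ucode/) reports the active revision in the "microcode" field of /proc/cpuinfo, and the real boot parameter dis_ucode_ldr turns the loader off. Booting once with that parameter and once without, and comparing the two revisions, separates "microcode crippled the CPU" from "the kernel itself hangs". The cpuinfo and cmdline texts below are constructed samples (revision values invented for illustration).

```shell
#!/bin/sh
# Added example, not code from the thread. It reads what the kernel exposes:
#   /proc/cpuinfo   "microcode" field = revision currently active on each CPU
#   /proc/cmdline   dis_ucode_ldr     = boot parameter that disables the loader
# Samples below are constructed. The loader is the CONFIG_MICROCODE family
# (CONFIG_MICROCODE_INTEL / CONFIG_MICROCODE_AMD) together with the blobs from
# sys-firmware/intel-microcode or linux-firmware's amd-ucode/.

# Print the distinct microcode revisions across all CPUs, space separated.
microcode_revisions() {
    printf '%s\n' "$1" | sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# yes/no: was the kernel's microcode loader turned off on the command line?
ucode_loader_disabled() {
    case " $1 " in
        *" dis_ucode_ldr "*) echo yes ;;
        *)                   echo no ;;
    esac
}

# Compare the revision the BIOS shipped (boot with dis_ucode_ldr) against the
# one seen on a normal boot; they differ only if the kernel loader did something.
revision_changed_by_loader() {
    if [ "$1" = "$2" ]; then echo no; else echo yes; fi
}

# Constructed samples: two boots of the same two-core machine.
CPUINFO_NORMAL='processor	: 0
microcode	: 0xc2
processor	: 1
microcode	: 0xc2'
CPUINFO_NO_LOADER='processor	: 0
microcode	: 0xba
processor	: 1
microcode	: 0xba'
CMDLINE_SAMPLE='BOOT_IMAGE=/vmlinuz-4.4.129-gentoo root=/dev/sda2 ro dis_ucode_ldr'

# Stand-alone run; on a live host use "$(cat /proc/cpuinfo)" and "$(cat /proc/cmdline)".
bios_rev=$(microcode_revisions "$CPUINFO_NO_LOADER")
live_rev=$(microcode_revisions "$CPUINFO_NORMAL")
echo "loader disabled on this boot: $(ucode_loader_disabled "$CMDLINE_SAMPLE")"
echo "BIOS revision $bios_rev, kernel-loaded revision $live_rev, changed by loader: $(revision_changed_by_loader "$bios_rev" "$live_rev")"
```

If the revisions match on both boots, the kernel never applied anything and any slowdown or hang has to come from the BIOS-shipped microcode or from the kernel itself, which is what building for a generic CPU then tests.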
steveL
Watchman
Joined: 13 Sep 2006
Posts: 5140
Location: The Peanut Gallery

PostPosted: Sun Apr 29, 2018 4:42 pm

Ant P. wrote:
Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum
I totally agree, and have for years; but it bugs me that there aren't at least 2 or 3 FLOSS browsers which do not give away any info as a default.
Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 2614
Location: Illinois, USA

PostPosted: Sun Apr 29, 2018 5:52 pm

NeddySeagoon wrote:
Tony0945,

If the Intel microcode update is being done by the kernel, it does not matter what CPU the kernel is built for.
The microcode updater identifies the CPU it's running on and, if there is an update it can apply, applies it.

Conversely, it's enough to disable kernel microcode updating to test the theory.

The main reason that I suggested building for generic was in case the kernel was using an opcode that the CPU hung on.

The rest of the post was just describing my setup that works with the later kernel. I may have had trouble with .75 also. I'm not sure. I know that at some fairly recent time I also blocked a kernel because it wouldn't build.
roki942
Apprentice
Joined: 18 Apr 2005
Posts: 277
Location: Seattle

PostPosted: Sat May 05, 2018 5:29 am

Intel Spectre-NG announced.
https://www.guru3d.com/news-story/eight-new-spectre-variant-vulnerabilities-for-intel-discovered-four-of-them-critical.html

https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html


edited to add 2nd link
ChrisJumper
Advocate
Joined: 12 Mar 2005
Posts: 2170
Location: Germany

PostPosted: Thu Jun 28, 2018 7:07 pm

And one more PoC code for browsers and Spectre 1: alephsecurity - Overcoming (some) Spectre browser mitigations released a paper and a JavaScript proof-of-concept code for your browser.

Right now only the mitigation in the Firefox browser works fine. It runs for minutes here without a pair value.

On the stable Chromium the PoC works and delivers a functional, working PoC.

Code:
original value: 1100110011001100110011001100110
restored value: 1100110011001100110011001100110


Download the PoC as a zip file, open Spectre.html with your browser and use its web developer console to show the output of the JavaScript.
Shortcuts to open the console:
Firefox: Ctrl + Shift + J
Chromium: Ctrl + Shift + I
pjp
Administrator
Joined: 16 Apr 2002
Posts: 17415

PostPosted: Fri Jul 27, 2018 8:07 pm

Continued in Meltdown/Spectre: Read Arbitrary Memory over Network.
_________________
Slowly I turned. Step by step.