Gentoo Forums
spectre and meltdown questions
Forum: Networking & Security
Atha (Apprentice)
Posted: Fri May 25, 2018 1:24 pm

Thanks, mv. I was not fully aware that spec_store_bypass_disable=on is needed to get a full i.e. real mitigation.
Code:
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB

I didn't feel a real performance loss yet, but I've not yet had the demand to run such applications, like games. Anyway, how would I measure the real performance loss? Is compiling a kernel under the exact same conditions with the utility time enough to see the difference? Or is it the indicated FPS when playing a game?
ChrisJumper (Advocate)
Posted: Mon May 28, 2018 9:50 pm

Atha wrote:
Or is it the indicated FPS when playing a game?

Hey, that's not the issue. If you play your game offline, start the kernel without patches. If your game is online, start the patched kernel or do not store important data.

However, buy other hardware. We just need more time for hardware without this possible harm. And there will be new harm in the future if you stay online.

The performance loss should be a minor issue, because new hardware will be so fast that it is enough for the next X years of gaming or computing, except for some mobile power issues.

However, I am a little pissed at Intel. It's nearly like Google or Qualcomm with their hardware support or security patches... you can't sell hardware and security as a service at the owner's expense as an operating model.
Atha (Apprentice)
Posted: Wed May 30, 2018 7:39 pm

ChrisJumper wrote:
Hey, that's not the issue. If you play your game offline, start the kernel without patches. If your game is online, start the patched kernel or do not store important data.

I already do that. If I want to play a game, I restart with another kernel; let me call it Windows 7/10. I play games on that other system, which does not contain important data. I then have to restart to do stuff like e-mails, Internet including Internet banking and all that other stuff that is not gaming, but sometimes gaming too (because there are Linux games, so why not play them?). Let me call this kernel Gentoo Linux.

But that is not a very satisfying situation. Restarts disturb your workflow. For instance, you might want to play a bit in between, then continue with "your work". I don't care if I have to restart into Windows or another not-so-safe Linux; it is a disruptive restart nevertheless, and with Linux games available this restart would have been unnecessary, which is the great thing about Linux games!

Quote:
However, buy other hardware. We just need more time for hardware without this possible harm. And there will be new harm in the future if you stay online.

That's a big problem. I just (in 2017) spent >1800 $/€ on hardware. My system is a one-year-old (or less) Ryzen 7 1800X + Vega10 graphics card. I am not willing to invest this amount of money again for at least 4 more years to come. The longer the better. But the bugs are not even fixed yet in new systems anyhow. AFAIK Ryzen 2 has the same issues. Fixes are in firmware, microcode and software only.

Quote:
The performance loss should be a minor issue, because new hardware will be so fast that it is enough for the next X years of gaming or computing, except for some mobile power issues.

The Ryzen 7 1800X is my new hardware. It has the performance loss, which may be or may not be minor, I don't know. But what is most important is that the security issues must finally be fixed!

Actually, why must it be new systems at all? I cannot understand why old systems are left out of this. They should be fixed as well. It is disastrous and a shame how older hardware doesn't get those firmware and microcode updates! And they should get them fast and free of charge! If I were the government, I would force the industry to release those updates. If they don't do it, I would force them to release the sources so others can fix it for them. Sadly, I am not a government, and I guess that lobbyists have already convinced politicians not to intervene at all...

Quote:
However, I am a little pissed at Intel. It's nearly like Google or Qualcomm with their hardware support or security patches... you can't sell hardware and security as a service at the owner's expense as an operating model.

I'm not with Intel since they got caught using illegal methods to push AMD out of the market. In other words: I use AMD CPUs and GPUs because of what Intel did in the past.
(GPUs... Nvidia is also not an option since they will never provide free graphics drivers... Intel actually has great free driver support, but again, I choose AMD for the mentioned reasons.)
ChrisJumper (Advocate)
Posted: Tue Jun 05, 2018 8:43 pm

There is a new Version through portage available: sys-firmware/intel-microcode-20180527-r1

As suggested in the bug report for ebuild 20180426-r1, I set MICROCODE_SIGNATURES="-S" in make.conf; however, it did not automatically install the file in /boot, and I think that's the reason why it did not work on my system.

So I tried to install it as suggested in wiki.gentoo.org/wiki/Intel_microcode, but:
Code:
# iucode_tool -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/*
iucode_tool: system has processor(s) with signature 0x000906e9
iucode_tool: Writing selected microcodes to: /boot/early_ucode.cpio
iucode_tool: /boot/early_ucode.cpio: cannot write to, or create file: File exists

The script did not work either; I have to delete /boot/early_ucode.cpio to update it. I'll report later whether it works as expected.

Edit: Still no update for my processor, all the same.
ChrisJumper (Advocate)
Posted: Thu Jun 14, 2018 10:00 pm

Thank you, Intel, that I am still vulnerable to spec_store_bypass.

I write here because of the new (14 June 2018) Lazy FP State Restore Spectre issue, the one that got famous through OpenBSD mastermind Theo de Raadt.

However, it seemed to be fixed in the Linux kernel in early 2016:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58122bf1d856a4ea9581d62a07c557d997d46a19

Some more Links:

http://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665 (as I post this, it's still reserved and empty).
eccerr0r (Watchman)
Posted: Wed Jun 20, 2018 7:26 pm

Code:
chii /tmp # uname -a
Linux chii 4.9.95-gentoo #1 SMP Mon Jun 18 21:51:25 MDT 2018 i686 Intel(R) Atom(TM) CPU N270 @ 1.60GHz GenuineIntel GNU/Linux
chii /tmp # cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Not affected
Not affected

Woohoo! I don't really need this machine any slower than it already is :( (I just updated to profile 17, gcc-6.4. Took 3 days of just about constant compiling, no distcc, and still not quite done yet. VLC qt5 upgrade from qt4 is going to take a while still)
szatox (Veteran)
Posted: Wed Jun 20, 2018 7:34 pm

Alright, it's time to get some new laptop. Any idea what to look for so I can avoid recent vulnerabilities?
Any news about patched hardware?
mv (Watchman)
Posted: Thu Jun 21, 2018 6:21 am

ChrisJumper wrote:
Thank you Intel that i am still vulnerable to the spec_store_bypass.

20180616 finally seems to fix it for most processors.
(Well, the corresponding processor bit can be set. Whether it really helps and how much is a different question.)
ChrisJumper (Advocate)
Posted: Sun Jun 24, 2018 11:29 pm

mv wrote:
20180616 finally seems to fix it for most processors.
(Well, the corresponding processor bit can be set. Whether it really helps and how much is a different question.)

I got protection and updates on the important Servers.

Code:
 grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW

The system I posted in my previous post is still vulnerable. I just hope the Intel engineers work slowly from top to bottom... and that I will get some update on client desktop systems before the new hardware arrives, hopefully early 2019 (10 nm technology).

However, it's a big mess, with the new announcements and still unreleased Spectre issues. The good part is that it makes it easy to not (fully) trust a computer or to retain a good suspicion, even if the probability of an incident is low.

@szatox
I am not sure. I think they announced some patched hardware, like a small hot fix for the end of 2018. However, I do not expect that the newly announced 10 nm chips, delayed to mid or late 2019, will have hardware fixes. The time span is too short, but I hope that the new CPUs have a fully patched mitigation microcode from the start.

I can't give hardware advice, because the unaffected Bay Trail Intel CPU I have is just enough to read mails and open ssh connections or code with vim. It's not fast enough to satisfy today's desktop user. :)
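An added example, not from any post in this thread: a small POSIX sh check over the sysfs vulnerability files that Atha's first post and ChrisJumper's last post grep by hand. It separates "Not affected" and full mitigations from the "via prctl and seccomp" form of the spec_store_bypass line, where only tasks that opt in through prctl or seccomp are protected (the distinction mv's earlier spec_store_bypass_disable=on hint is about); the make_sample directory is constructed test data.

```shell
#!/bin/sh
# Summarise /sys/devices/system/cpu/vulnerabilities/* (or any directory
# passed as $1). Exit status 0 only when every entry is "Not affected"
# or a full mitigation; 1 when anything is vulnerable or opt-in only.

classify_status() {
    # $1 = the one-line status text of a vulnerabilities file.
    # Echoes: ok | optin | vuln
    case "$1" in
        "Not affected") echo ok ;;
        # e.g. "Mitigation: Speculative Store Bypass disabled via prctl and
        # seccomp": only tasks that ask the kernel for it are protected.
        Mitigation:*prctl*|Mitigation:*seccomp*) echo optin ;;
        Mitigation:*) echo ok ;;
        # "Vulnerable", "Vulnerable: ..." or any text we do not recognise
        *) echo vuln ;;
    esac
}

check_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        kind=$(classify_status "$status")
        printf '%-20s %-6s %s\n' "$(basename "$f")" "$kind" "$status"
        [ "$kind" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample mirroring lines quoted in the thread, plus one
# deliberately vulnerable entry so the non-zero exit path is exercised.
make_sample() {
    d=$(mktemp -d)
    echo "Not affected" > "$d/meltdown"
    echo "Mitigation: Speculative Store Bypass disabled via prctl and seccomp" > "$d/spec_store_bypass"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}
```

Run `check_vulns` with no argument on a live system, or `check_vulns "$(make_sample)"` to see the constructed case; a non-zero exit is what you would gate a boot-time or monitoring check on.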