Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory

562 posts
  • Page 2 of 23
PrSo
Tux's lil' helper
Posts: 136
Joined: Thu Jun 01, 2017 1:02 pm

Post by PrSo » Thu Jan 04, 2018 9:25 am

depontius wrote:So at the moment there is no protection for Spectre? Has anyone contacted James Bond?
LOL,

Funny, but it could be possible that this is a backfire of the "Three Letter Agency's" nonexistent backdoor. But whether they are so generous as to share with the Brits, I don't know...
greyspoke
Apprentice
Posts: 175
Joined: Fri Jan 08, 2010 9:28 am

Post by greyspoke » Thu Jan 04, 2018 10:14 am

So if AMD and ARM are affected by spectre, does that mean it exposes a flaw in the instruction set they are implementing? Or is there some shared code with a flaw in it?
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Thu Jan 04, 2018 10:48 am

I was informed of this in freenode #musl.

As far as I understand, there are 2 vulnerabilities:

https://meltdownattack.com

Meltdown: a security patch is available at https://github.com/IAIK/KAISER/tree/master/KAISER
Spectre: there is nothing available to prevent this vulnerability.

I have had hard feelings against Intel since the story with Grsecurity; now I definitively ban Intel (and all things associated with this garbage corporation) from any future purchase.

Happy new year

Edit:
Myu wrote:Not fixable by microcode ....

Also, nvidia-drivers-387.34 doesn't compile anymore with 4.14.11

Code:

FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'cpu_tlbstate'
make[3]: *** [/usr/src/linux-4.14.11-gentoo/scripts/Makefile.modpost:92: __modpost] Error 1
Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers

It's like driving a motorcycle with gloves for the protection of your hands but no helmet.

Edit 2:

Intel's response is available here:

https://newsroom.intel.com/news/intel-r ... -findings/
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
At least they have a sense of humor.
Tsigorf
n00b
Posts: 18
Joined: Thu Jun 15, 2017 10:59 am

Post by Tsigorf » Thu Jan 04, 2018 11:40 am

depontius wrote:So at the moment there is no protection for Spectre? Has anyone contacted James Bond?
They just found a solution: https://twitter.com/attritionorg/status ... 3153856512
Myu
Apprentice
Posts: 164
Joined: Wed Oct 22, 2014 7:28 am
Location: Belgium

Post by Myu » Thu Jan 04, 2018 11:53 am

gengreen wrote:
Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers

It's like driving a motorcycle with gloves for the protection of your hands but no helmet.
While I understand your point, I would like to minimize the likeliness of having a security issue, hence why I will keep KPTI enabled.

If I could purchase an AMD GPU at a decent price, I would have done it already but with the crypto mining craze, I'm holding off still.
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Thu Jan 04, 2018 12:07 pm

Myu wrote:
gengreen wrote:
Don't bother yourself with CONFIG_PAGE_TABLE_ISOLATION, it won't help since your system already has a backdoor called the nvidia proprietary drivers

It's like driving a motorcycle with gloves for the protection of your hands but no helmet.
While I understand your point, I would like to minimize the likeliness of having a security issue, hence why I will keep KPTI enabled.

If I could purchase an AMD GPU at a decent price, I would have done it already but with the crypto mining craze, I'm holding off still.
There is no mention for now regarding the IBM POWER processors; only time will tell us if they are not affected by Spectre. If you care about security you may be more interested in those processors.

Give the nouveau drivers a try if you can.

Code:

glxgears
Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.
42173 frames in 5.0 seconds = 8434.567 FPS
42940 frames in 5.0 seconds = 8587.865 FPS
It's not that bad and it is open source.
Last edited by gengreen on Thu Jan 04, 2018 12:27 pm, edited 1 time in total.
yamabiko
n00b
Posts: 10
Joined: Sat Jul 22, 2017 4:59 pm

Post by yamabiko » Thu Jan 04, 2018 12:17 pm

Is it possible to provide a patch for the current stable gentoo-sources? Manually patching it on 4.9.72 gives me a hunk failure.
limn
l33t
Posts: 997
Joined: Fri May 13, 2005 8:08 pm

Post by limn » Thu Jan 04, 2018 12:18 pm

Monocultures are always bad.
sligo
Tux's lil' helper
Posts: 93
Joined: Mon Oct 17, 2011 1:46 pm

Post by sligo » Thu Jan 04, 2018 1:24 pm

While I understand the problem, I am still a little confused. Is there something that can be done already?
Tsigorf
n00b
Posts: 18
Joined: Thu Jun 15, 2017 10:59 am

Post by Tsigorf » Thu Jan 04, 2018 2:07 pm

There is a kernel patch for Linux you can apply to avoid Meltdown (the KAISER patch set you can find here: https://lwn.net/Articles/738975/).

However, for Spectre, that's a hardware issue. I don't even know if there's a way to patch our CPUs. That's why they're telling us to replace hardware.
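Whether the KAISER/KPTI mitigation discussed in this thread is actually active on a given box is something the kernel can report itself. The checker below is an added example written for this page; it is not code from the thread, from the KAISER project, or from Gentoo. It assumes two real kernel interfaces that are newer than the kernels being discussed here: the per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (present from Linux 4.15 on) and the "pti" entry in the /proc/cpuinfo flags line, which appears when page-table isolation is enabled. The sample texts embedded in the script are constructed so that the parsing can be exercised offline; on a real machine the script reads the live files instead.

```python
"""Report Meltdown/Spectre mitigation state from the kernel's own interfaces.

Added example, not code from the thread. Reads the per-issue files that
kernels from 4.15 on expose under /sys/devices/system/cpu/vulnerabilities/
and the "pti" flag in /proc/cpuinfo that shows when kernel page-table
isolation (CONFIG_PAGE_TABLE_ISOLATION, the KAISER patch set) is active.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(name, text):
    """Map one sysfs status line to a state.

    The kernel writes 'Not affected', 'Mitigation: <what>' or
    'Vulnerable[: <why>]'; anything else (missing file, new wording) is unknown.
    """
    text = text.strip()
    if text.startswith("Not affected"):
        state = "not_affected"
    elif text.startswith("Mitigation:"):
        state = "mitigated"
    elif text.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    return {"name": name, "state": state, "detail": text}


def cpuinfo_has_flag(cpuinfo_text, flag):
    """True when every 'flags' line in /proc/cpuinfo output lists the flag."""
    lines = [ln for ln in cpuinfo_text.splitlines() if ln.startswith("flags")]
    return bool(lines) and all(flag in ln.split(":", 1)[1].split() for ln in lines)


def findings(statuses, cpuinfo_text):
    """Return the list of items an administrator should still look at."""
    out = [f"{s['name']}: {s['detail'] or 'no status'}" for s in statuses
           if s["state"] in ("vulnerable", "unknown")]
    meltdown = next((s for s in statuses if s["name"] == "meltdown"), None)
    # Cross-check: if the kernel reports Meltdown as mitigated, the 'pti'
    # feature flag should also be visible to user space.
    if (meltdown and meltdown["state"] == "mitigated"
            and not cpuinfo_has_flag(cpuinfo_text, "pti")):
        out.append("meltdown: reported mitigated but 'pti' missing from cpuinfo flags")
    return out


def read_live():
    """Collect the real files; None when the kernel lacks the sysfs interface."""
    if not os.path.isdir(VULN_DIR):
        return None
    statuses = []
    for name in ISSUES:
        try:
            with open(os.path.join(VULN_DIR, name)) as fh:
                statuses.append(classify(name, fh.read()))
        except OSError:
            statuses.append(classify(name, ""))
    with open("/proc/cpuinfo") as fh:
        return findings(statuses, fh.read())


# Constructed sample texts (not captured from any poster's machine); the
# wording mirrors what an early-2018 kernel with PTI but no retpoline reports.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}
SAMPLE_CPUINFO_PTI = "processor\t: 0\nflags\t\t: fpu vme de pse pti\n"
SAMPLE_CPUINFO_NOPTI = "processor\t: 0\nflags\t\t: fpu vme de pse\n"


def sample_findings(cpuinfo_text=SAMPLE_CPUINFO_PTI):
    """Run the checker over the constructed samples."""
    statuses = [classify(n, t) for n, t in SAMPLE_VULNS.items()]
    return findings(statuses, cpuinfo_text)


if __name__ == "__main__":
    live = read_live()
    for line in (live if live is not None else sample_findings()):
        print(line)
```

On a kernel without the sysfs directory the script falls back to the constructed samples, which is the case for the 4.14.x and 4.9.x kernels mentioned in this thread; on those, the "pti" flag in /proc/cpuinfo and the "Kernel/User page tables isolation: enabled" line in dmesg are the only user-visible signs that the KPTI backport is active.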
1clue
Advocate
Posts: 2569
Joined: Sun Feb 05, 2006 3:08 am

Post by 1clue » Thu Jan 04, 2018 2:50 pm

Ralphred wrote:
1clue wrote:It would be really neat if they fixed the bug with gcc 6.4 and recent kernels. The combination of this bug and the backported kernels is really unfortunate right now.
I appreciate anecdotal evidence is mostly useless, but just built 4.14.11 with 6.4 and it's working fine, nothing funky other than the ~amd64 for the kernel in package.use
I would be happy as a clam with that, except my attempt panics inside the first second of boot. No logs written.
The Main Man
Veteran
Posts: 1173
Joined: Thu Nov 27, 2014 11:25 pm
Location: /run/user/1000

Post by The Main Man » Thu Jan 04, 2018 2:52 pm

Smells like a ploy to buy new hardware which will then have serious backdoors and kill switches.
Watcom
n00b
Posts: 21
Joined: Wed Apr 12, 2006 5:29 pm

Post by Watcom » Thu Jan 04, 2018 2:53 pm

Spectre needs:
  • A "victim" program which accepts input provided by the attacker (i.e. from the network or a file). This input tricks the program into fetching cache lines based on data that is "secret".
  • A program running on the same processor, devised by the attacker, to collect the "secret" data by measuring the time it takes to fetch data from its own address space that uses the same cache lines. Fast access means the data was cached, slow means it wasn't. From this alone the secret data can be inferred by seeing which bytes of an array are fast and which are slow (e.g. the first byte being fast means 'A', the second byte fast means 'B' and so on. Not exactly this simple but it's the basic idea).
So as you can see not running untrusted code goes a long way in preventing Spectre attacks.
EasterParade
l33t
Posts: 938
Joined: Sat Jul 26, 2003 10:48 am

Post by EasterParade » Thu Jan 04, 2018 2:57 pm

(?)
Last edited by EasterParade on Fri Jan 05, 2018 10:08 pm, edited 1 time in total.
PrSo
Tux's lil' helper
Posts: 136
Joined: Thu Jun 01, 2017 1:02 pm

Post by PrSo » Thu Jan 04, 2018 3:07 pm

This is ridiculous.
I also have a QNAP NAS with an Intel Celeron on board (TS-251), and am waiting for a firmware upgrade.

Maybe it is an exception narrowed to Ivy Bridge, but the KAISER patch (PTI) BREAKS the kernel.

https://lkml.org/lkml/2018/1/3/864,

and

https://lkml.org/lkml/2018/1/3/105

Should I turn it off, cut it off from the internet and let it work only locally??
Tony0945
Watchman
Posts: 5127
Joined: Tue Jul 25, 2006 12:19 am
Location: Illinois, USA

Post by Tony0945 » Thu Jan 04, 2018 3:13 pm

PrSo wrote:Should I turn it off, cut it off from the internet and let it work only locally??
Look at it this way - "Is it any worse than running Windoze XP & earlier?"
sligo
Tux's lil' helper
Posts: 93
Joined: Mon Oct 17, 2011 1:46 pm

Post by sligo » Thu Jan 04, 2018 3:31 pm

Watcom wrote:So as you can see not running untrusted code goes a long way in preventing Spectre attacks.
Does that include Javascript?
Naib
Watchman
Posts: 6101
Joined: Fri May 21, 2004 9:42 pm
Location: Removed by Neddy

Post by Naib » Thu Jan 04, 2018 3:33 pm

Tony0945 wrote:
PrSo wrote:Should I turn it off, cut it off from the internet and let it work only locally??
Look at it this way - "Is it any worse than running Windoze XP & earlier?"
Yes, because the flaw existed with those CPUs as well. Just use AMD Zen (Ryzen, Threadripper).
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
Myu
Apprentice
Posts: 164
Joined: Wed Oct 22, 2014 7:28 am
Location: Belgium

Post by Myu » Thu Jan 04, 2018 4:02 pm

gengreen wrote:There is no mention for now regarding the IBM POWER processors; only time will tell us if they are not affected by Spectre. If you care about security you may be more interested in those processors.
Ah, I do care, but I can only go so deep into the rabbit hole; the more you know, the more it seems endless with stuff like Intel ME, ring -1 / -2 / -whatever and now this Spectre/Meltdown.
gengreen wrote:Give the nouveau drivers a try if you can.
I do some Linux 3D gaming and the poor GPU already struggles with the proprietary driver; I guess nouveau will be much worse. So yeah, an AMD GPU to pair with a nice open source driver is on my wishlist for sure!
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
gengreen
Apprentice
Posts: 150
Joined: Sat Dec 23, 2017 2:49 am

Post by gengreen » Thu Jan 04, 2018 4:04 pm

transsib wrote:I remember how we chatted about major loop-holes built into the shipped hardware
more than a year ago ... for spying purposes mainly.

But conspiracy theories aside, if it wasn't so sad I'd :lol:
Also what's all the fuss about not activating security keys in UEFI!?
Who needs those keys at all if "anyone" can theoretically (?) milk anyone via a
leak built into the CPU itself!

Sorry. That was overly chatty.
And the Intel CEO sold Intel stocks before the news hit the world.
I started to accept a while ago the fact that security will always be compromised by voluntary bugs anyway, even in open source code; they can just cover it up with "we made a mistake". Now we know for a fact that the hardware is targeted as well; the war is lost.

Sadly, like Snowden and Assange before, this news will be covered for a few days and most people won't give a damn; even though they know that their smartphone / computer or connected device spies on them all day, they are willing to abandon their freedom for some fancy technology.

Stupidity is a more dangerous enemy of the good than malice
Myu wrote:Ah, I do care, but I can only go so deep into the rabbit hole; the more you know, the more it seems endless with stuff like Intel ME, ring -1 / -2 / -whatever and now this Spectre/Meltdown.
That is also true for a lot of other things in life :D

The more I learn, the less I know.
pjp
Administrator
Posts: 20668
Joined: Tue Apr 16, 2002 10:35 pm

Re: Major security flaw found in Intel processors

Post by pjp » Thu Jan 04, 2018 4:26 pm

Fitzcarraldo wrote:Happened to see this article in today's Guardian (UK) newspaper:

https://www.theguardian.com/technology/ ... c-os-linux

Haven't looked around yet. Anyone know anything more, and when firmware updates -- I assume Intel will be fixing this via firmware updates -- will be available?
Merged this thread.
Quis separabit? Quo animo?
Watcom
n00b
Posts: 21
Joined: Wed Apr 12, 2006 5:29 pm

Post by Watcom » Thu Jan 04, 2018 5:30 pm

sligo wrote:
Watcom wrote:So as you can see not running untrusted code goes a long way in preventing Spectre attacks.
Does that include Javascript?
Yes it does, unfortunately.
toofied
n00b
Posts: 28
Joined: Wed Oct 26, 2016 1:32 pm

Post by toofied » Thu Jan 04, 2018 5:58 pm

Ant P. wrote:Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.
Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...
Myu
Apprentice
Posts: 164
Joined: Wed Oct 22, 2014 7:28 am
Location: Belgium

Post by Myu » Thu Jan 04, 2018 6:26 pm

Ant P. wrote:Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.

toofied wrote:Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...
I did just that, installed µMatrix + NoScript, let's see how usable it is.
gengreen wrote:Sadly, like Snowden and Assange before, this news will be covered for a few days and most people won't give a damn; even though they know that their smartphone / computer or connected device spies on them all day, they are willing to abandon their freedom for some fancy technology.
I've no words because I know you speak the truth... :( but having to change all my hardware because the damn Intel CPU MMU security was a lie for 20+ years... it's unbelievable.
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
Naib
Watchman
Posts: 6101
Joined: Fri May 21, 2004 9:42 pm
Location: Removed by Neddy

Post by Naib » Thu Jan 04, 2018 6:26 pm

toofied wrote:
Ant P. wrote:Everyone should have NoScript/uMatrix plus an adblocker at a bare minimum after Rowhammer.
Definitely agree! Unfortunately, many sites now require JS to have basic usability. Wix and AngularJS come to mind. Hopefully people will start refusing to participate in websites which demand javascript for basic function...
umatrix does permit per site settings
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;