Gentoo Forums
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory

PrSo
Tux's lil' helper

Joined: 01 Jun 2017
Posts: 130

Posted: Sat Jan 06, 2018 9:05 am

sligo wrote:

Looking at the issues on GitHub, it seems that this tool is not yet finished and people are getting this kind of message on multiple affected Intel CPUs. For now I'd better wait for the patches on that Meltdown Checker tool.


The code has already been updated against TSX support.

On my AMD rig I have:
Code:
Unable to find symbol sys_call_table in /proc/kallsyms
Falling back on the alternative symbol map file (usually requires root permission): /boot/System.map-4.14.11-gentoo...
Checking whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN ...
Checking syscall table (sys_call_table) found at address 0xffffffff81e00120 ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...

System not affected. Congratulations!


So as AMD said, my CPU isn't affected by Meltdown.

@Hu

Thanks for clarifying that it is default option on my cpu architecture.

Checking config file for BPF produces:

Code:
cat /boot/config-4.14.11-gentoo | grep BPF
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
# CONFIG_NET_CLS_BPF is not set
# CONFIG_NET_ACT_BPF is not set
# CONFIG_BPF_JIT is not set
CONFIG_HAVE_EBPF_JIT=y
# CONFIG_TEST_BPF is not set


Maybe "non standard" settings means CONFIG_BPF_JIT and CONFIG_BPF_SYSCALL are enabled.

gengreen
Tux's lil' helper

Joined: 23 Dec 2017
Posts: 84

Posted: Sat Jan 06, 2018 11:25 am

Any patch available against meltdown for the branch 4.9.x ? I could not make the KAISER patch work...

Thank you HU for your precision about my question btw

fedeliallalinea
Bodhisattva

Joined: 08 Mar 2003
Posts: 22458
Location: here

Posted: Sat Jan 06, 2018 11:34 am

gengreen wrote:
Any patch available against meltdown for the branch 4.9.x ? I could not make the KAISER patch work...

Kernel 4.9.75 should have the KPTI patch backported.

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.75 wrote:
commit ea6cd39d230f71e27facc0667c1986504e5b0f54
Author: Kees Cook <keescook@chromium.org>
Date: Wed Jan 3 10:18:01 2018 -0800

KPTI: Report when enabled

Make sure dmesg reports when KPTI is enabled.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

_________________
Questions are guaranteed in life; Answers aren't.

kajzer
Guru

Joined: 27 Nov 2014
Posts: 484

Posted: Sat Jan 06, 2018 12:07 pm

Meltdown checker works fine now with core2

Code:
./meltdown-checker                                                                                                                                                                                                         
Checking whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN ...
Checking syscall table (sys_call_table) found at address 0xffffffffa3a00180 ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...

System not affected. Congratulations!


Edit: Just tested this on unpatched system :
Code:
./meltdown-checker                                                                                                                                                                                                   
Checking whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN ...
Checking syscall table (sys_call_table) found at address 0xffffffffa36001c0 ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
0xffffffffa2e22980 -> That's SyS_mmap

System affected! Please consider upgrading your kernel to one that is patched with KAISER
Check https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html for more details

krinn
Watchman

Joined: 02 May 2003
Posts: 7193

Posted: Sat Jan 06, 2018 2:07 pm

If you want to find out whether your kernel is running KPTI:
Code:
dmesg | grep iso
[    0.000000] Kernel/User page tables isolation: enabled


And to answer your question: I think no gentoo-sources will have any patches against the "Meltdown" attack; gentoo-sources without KPTI will certainly be masked and put out of the tree, and no patches will be used, only KPTI kernels.
It wouldn't really make sense to patch end-of-life kernels to use KPTI, because KPTI certainly isn't something tiny to add to a kernel (a lot of changes for sure).
So the more reasonable thing to do is kick off kernels without KPTI, and stabilize any kernel with it you may think is "good enough" to get stable.

Stabilization rules are always crushed when security is in the game; you can wait x time to stabilize or wait for a version that has fewer open bugs to stabilize; but when security means "updating", all rules are off, and you stabilize anything that even works on one foot, solely based on "it has the needed security update".

t3k0
n00b

Joined: 27 Nov 2007
Posts: 39

Posted: Sat Jan 06, 2018 5:27 pm

I installed the microcode update as described in the gentoo wiki. However, since I own an Intel core i5 with Sandy Bridge architecture, I believe this is pretty useless?

After updating I get:

Code:

dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x29, date = 2013-06-12
[    0.520508] microcode: sig=0x206a7, pf=0x2, revision=0x29
[    0.522882] microcode: Microcode Update Driver: v2.2.


Does anybody know if there will be an update for older architectures than Haswell, Skylake, or Broadwell or won't an update for older processors be delivered?

gengreen
Tux's lil' helper

Joined: 23 Dec 2017
Posts: 84

Posted: Sat Jan 06, 2018 6:07 pm

Code:
sys-firmware/intel-microcode 20171117_p20171215


Processor Skylake

Code:

vendor_id   : GenuineIntel
cpu family   : 6
model      : 94
model name   : Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz


Code:
dmesg |grep microcode
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    2.691311] microcode: sig=0x506e3, pf=0x20, revision=0xba
[    2.691416] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba



Doesn't work...

Code:
meltdown-poc $ ./a.out
poke buffer: 0x385411eb000, page size: 4096
0x000000497ab0e180 | 48 6D 6D 2C 20 74 68 69  73 20 64 6F 65 73 20 72  |  Hmm, this does r
0x000000497ab0e190 | 65 61 6C 6C 79 20 77 6F  72 6B 21                 |  eally work!


Quote:

Kernel 4.9.75 should have the KPTI patch backported.


Good news, thanks


Last edited by gengreen on Sat Jan 06, 2018 9:00 pm; edited 2 times in total

wrc1944
Advocate

Joined: 15 Aug 2002
Posts: 3260
Location: Gainesville, Florida

Posted: Sat Jan 06, 2018 6:12 pm

@Tony0945,
I looked in make xconfig, and found this in the "Search Config" dialog box:

The option in config is called "Remove the kernel mapping in user mode", and is checked "y" so as to "enable."

Quote:
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION)

CONFIG_PAGE_TABLE_ISOLATION:

This feature reduces the number of hardware side channels by
ensuring that the majority of kernel addresses are not mapped
into userspace.

See Documentation/x86/pagetable-isolation.txt for more details.

Symbol: PAGE_TABLE_ISOLATION [=y]
Type : boolean
Prompt: Remove the kernel mapping in user mode
Location:
-> Security options
Defined at security/Kconfig:57
Depends on: X86_64 [=y] && !UML


I'm confused as to what you wrote in your post on Page 1, where you said:
Quote:
Watch out when updating your kernel if you have an AMD chip. Once you enable PAGE_TABLE_ISOLATION via make oldconfig you can't turn it off with make menuconfig.

I wondered why my Athlon II was suddenly really slow launching X. I had to reboot with 4.14-10-r1 and update it again to 4.14.11 to choose "n" instead of "y" in make oldconfig.

Unless someone knows that this is needed for AMD too. Other sources on the web say this is for Intel only not AMD. But I'd like to hear it from our kernel experts.

In my 4.14.11-gentoo config, it's set CONFIG_PAGE_TABLE_ISOLATION=y (apparently by default), which I take to mean saying "y" removes and does NOT enable for kernel mapping in user mode. So, if you choose "n" for this option, one would NOT be removing kernel mapping in user mode, but in reality be enabling it.

Maybe I'm just missing something? I guess a better way to understand this is to just ask if we have an amd cpu, do we currently want this option to be checked "y", or "n"?

I'm currently doing 4.11.12-gentoo, and guess I'll for now leave it checked "y" as I didn't notice any performance hit on my 4.14.11-gentoo where default was "y", which I had installed before I read much on this. I too would appreciate an expert enlightenment on this, "y," or "n," and maybe a little "why" as to either.
_________________
Main box- AsRock x370 Gaming K4
Ryzen 1700, 3.0GHz, 16GB GSkill Flare DDR4 3200mhz
Samsung SATA 1000GB, Radeon HD R7 350 2GB DDR5
Gentoo ~amd64 plasma, glibc-2.30-r2, gcc-9.2.0 kernel-5.3.9-gentoo USE=experimental
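
The two checks discussed in this thread, combined into one script (an added example, not code from any poster or from the meltdown-checker project): CONFIG_PAGE_TABLE_ISOLATION=y only says the isolation code is compiled in, while the dmesg line says it is active on the running kernel. The function names, verdict labels and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: separate "KPTI compiled in" from "KPTI active" using the
# kernel config file and a dmesg capture.

# config_flag FILE NAME -> y | m | n | absent
# Kconfig records an explicit "n" as "# CONFIG_FOO is not set".
config_flag() {
    awk -v k="CONFIG_$2" '
        $0 ~ ("^" k "=")           { sub("^" k "=", ""); v = $0 }
        $0 == "# " k " is not set" { v = "n" }
        END { print (v == "" ? "absent" : v) }' "$1"
}

# kpti_runtime FILE -> enabled | not-reported
# Looks for the boot message shown in the thread. "not-reported" is not proof
# of absence: early boot lines may have rotated out of the kernel ring buffer.
kpti_runtime() {
    if grep -q 'Kernel/User page tables isolation: enabled' "$1"; then
        echo enabled
    else
        echo not-reported
    fi
}

# microcode_rev FILE -> "REVISION DATE" of the early microcode load, or "none"
microcode_rev() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-f]*\), date = \([0-9-]*\).*/\1 \2/p' "$1" |
        tail -n 1 | grep . || echo none
}

# kpti_verdict CONFIG DMESG -> one label (labels are this example's own)
kpti_verdict() {
    case "$(config_flag "$1" PAGE_TABLE_ISOLATION)/$(kpti_runtime "$2")" in
        y/enabled) echo active ;;
        y/*)       echo built-but-unconfirmed ;;
        */enabled) echo config-mismatch ;;  # config file is not the running kernel's
        *)         echo not-built ;;
    esac
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample inputs, modelled on the lines quoted in this thread.
cat > "$tmp/config" <<'EOF'
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
# CONFIG_BPF_JIT is not set
CONFIG_HAVE_EBPF_JIT=y
CONFIG_PAGE_TABLE_ISOLATION=y
EOF
cat > "$tmp/dmesg.kpti" <<'EOF'
[    0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[    0.000000] Kernel/User page tables isolation: enabled
EOF
cat > "$tmp/dmesg.plain" <<'EOF'
[    0.520508] microcode: sig=0x206a7, pf=0x2, revision=0x29
EOF

for d in "$tmp/dmesg.kpti" "$tmp/dmesg.plain"; do
    printf '%s: kpti=%s microcode=%s\n' "${d##*/}" \
        "$(kpti_verdict "$tmp/config" "$d")" "$(microcode_rev "$d")"
done
```

On a live system, pass the config of the running kernel (for example /boot/config-$(uname -r)) and a file captured with `dmesg > file` instead of the sample files.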

Zucca
Veteran

Joined: 14 Jun 2007
Posts: 1571
Location: KUUSANKOSKI, Finland

Posted: Sat Jan 06, 2018 6:39 pm

I'm a little late to the "party", but where can I obtain that meltdown-checker?
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...

Fitzcarraldo
Veteran

Joined: 30 Aug 2008
Posts: 1769
Location: United Kingdom

Posted: Sat Jan 06, 2018 6:45 pm

Zucca wrote:
I'm a little late to the "party", but where can I obtain that meltdown-checker?

https://forums.gentoo.org/viewtopic-p-8165726.html#8165726
_________________
Clevo W230SS: amd64 nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC eudev elogind & KDE on both.

Fitzcarraldo's blog

PrSo
Tux's lil' helper

Joined: 01 Jun 2017
Posts: 130

Posted: Sat Jan 06, 2018 7:09 pm

Here is a patch for spectre v1 WIP:

https://lkml.org/lkml/2018/1/5/769
https://lkml.org/lkml/2018/1/5/383

It's worth mentioning that for AMD a change of microcode probably won't be needed:

https://lkml.org/lkml/2018/1/5/383

https://lkml.org/lkml/2018/1/5/405

mahdi1234
Guru

Joined: 19 Feb 2005
Posts: 539
Location: far from new world orderia

Posted: Sat Jan 06, 2018 8:01 pm    Post subject: Why PAGE_TABLE_ISOLATION requires X86_64?

Hi,

I'm not sure, but why does sys-kernel/gentoo-sources-4.14.12 have PAGE_TABLE_ISOLATION depend on X86_64?

Does it mean there will never be a fix for x86 (32 bits)?

I would like to understand this.

Code:
config PAGE_TABLE_ISOLATION
   bool "Remove the kernel mapping in user mode"
   depends on X86_64 && !UML
   default y
   help
     This feature reduces the number of hardware side channels by
     ensuring that the majority of kernel addresses are not mapped
     into userspace.


cheers ...
_________________
http://gentoo.mahdi.cz <-- gentoo package search engine

eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7251
Location: almost Mile High in the USA

Posted: Sat Jan 06, 2018 8:42 pm

I wish the "meltdown checker" had fewer dependencies so that it's easier to prove the older machines are equally affected.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

josephg
l33t

Joined: 10 Jan 2016
Posts: 783
Location: usually offline

Posted: Sat Jan 06, 2018 9:03 pm    Post subject: Why PAGE_TABLE_ISOLATION requires X86_64?

http://github.com/torvalds/linux/blob/master/arch/x86/boot/compressed/pagetable.c says
Code:
/* No PAGE_TABLE_ISOLATION support needed either: */
#undef CONFIG_PAGE_TABLE_ISOLATION

_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey


Last edited by josephg on Sat Jan 06, 2018 10:06 pm; edited 1 time in total

mahdi1234
Guru

Joined: 19 Feb 2005
Posts: 539
Location: far from new world orderia

Posted: Sat Jan 06, 2018 9:19 pm

Ok, so the bottom line is 32bits are not affected by meltdown?

It's quite strange as Greg here http://kroah.com/log/blog/2018/01/06/meltdown-status/ says x86 ...
_________________
http://gentoo.mahdi.cz <-- gentoo package search engine

Pearlseattle
Apprentice

Joined: 04 Oct 2007
Posts: 162
Location: Switzerland

Posted: Sat Jan 06, 2018 9:35 pm

Thank you both!

gengreen
Tux's lil' helper

Joined: 23 Dec 2017
Posts: 84

Posted: Sat Jan 06, 2018 9:35 pm

Code:
Unable to find symbol sys_call_table in /proc/kallsyms
Falling back on the alternative symbol map file (usually requires root permission): /boot/System.map-4.9.74-minipli...
Checking whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN ...
Checking syscall table (sys_call_table) found at address 0xffffffff82201140 ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...
so far so good (i.e. meltdown safe) ...

System not affected (take it with a grain of salt though as false negative may be reported for specific environments; Please consider running it once again).


Is it really reliable?

Pearlseattle
Apprentice

Joined: 04 Oct 2007
Posts: 162
Location: Switzerland

Posted: Sat Jan 06, 2018 9:43 pm

Fyi:

Alice (kernel maintainer) forwarded this URL:
https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre#sys-kernel.2Fgentoo-sources

Very useful - has the overview of the current status of the integration of KPTI into "gentoo-sources", and some more stuff.

krinn
Watchman

Joined: 02 May 2003
Posts: 7193

Posted: Sat Jan 06, 2018 9:56 pm

It's usual to speak about x86 CPUs as x86 without making the distinction between x86 and x86-64 CPUs, because you speak about the architecture, whose name was given by the first CPU, the 8086. It's funny to say that your kick-ass 16-core CPU is just an 8086 on steroids :D
You must also be used to this kind of shortcut: if you see them saying x86-64 are affected, it's all good for you, no?
Well it's not, AMD x86-64 CPUs are not affected, but you don't see a problem speaking about x86-64 that includes them in that list.

Wallsandfences
Guru

Joined: 29 Mar 2010
Posts: 368

Posted: Sat Jan 06, 2018 10:06 pm

I'm not sure I'm using the meltdownchecker correctly, but while compiling I get:

Code:
gcc meltdown_checker.cc
In file included from /usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/include/immintrin.h:83:0,
                 from meltdown_checker.cc:43:
/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/include/rtmintrin.h: In Funktion »uint8_t probe_one_syscall_table_address_byte(uintptr_t, char*, int&)«:
/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/include/rtmintrin.h:50:1: Fehler: »inline« beim Aufruf von always_inline »unsigned int _xbegin()« gescheitert: target specific option mismatch
 _xbegin (void)
 ^~~~~~~
meltdown_checker.cc:122:24: Anmerkung: von hier aufgerufen
             if (_xbegin() == _XBEGIN_STARTED) {
                 ~~~~~~~^~
In file included from /usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/include/immintrin.h:83:0,
                 from meltdown_checker.cc:43:
/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/include/rtmintrin.h:61:1: Fehler: »inline« beim Aufruf von always_inline »void _xend()« gescheitert: target specific option mismatch
 _xend (void)
 ^~~~~
meltdown_checker.cc:124:24: Anmerkung: von hier aufgerufen
                 _xend();
                        ^

josephg
l33t

Joined: 10 Jan 2016
Posts: 783
Location: usually offline

Posted: Sat Jan 06, 2018 10:10 pm

you have to refer to the context to understand who means what when they say something. as krinn says, in this case greg is being inclusive. linus does not separate amd64 from x86 in his kernel architectures: http://github.com/torvalds/linux/tree/master/arch

Last edited by josephg on Sat Jan 06, 2018 10:44 pm; edited 2 times in total

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Sat Jan 06, 2018 10:19 pm

mahdi1234, et al ...

posted by Pearlseattle (in another thread): Vulnerabilities: Meltdown and Spectre (gentoo wiki) should help to answer that question.

HTH & best ... khay

kajzer
Guru

Joined: 27 Nov 2014
Posts: 484

Posted: Sat Jan 06, 2018 10:23 pm

Use make instead of gcc

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Sat Jan 06, 2018 10:24 pm

Wallsandfences ...

though your gcc speaks German fluently, many here do not ... which is why the use of LC_ALL=C is often a good idea :) ... anyhow, you should probably be using 'make' (as there is a Makefile included) rather than call gcc directly

Code:
# LC_ALL=C make

HTH & best ... khay

salmander
n00b

Joined: 19 Oct 2015
Posts: 5

Posted: Sat Jan 06, 2018 10:26 pm

I tested with meltdown-checker and wonder, the i5 4670 isn't affected?

Could this be a false positive? Or can anyone explain this?

All times are GMT