Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Meltdown/Spectre: Unauthorized Disclosure of Kernel Memory
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... 10, 11, 12 ... 21, 22, 23  Next  
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 132

PostPosted: Tue Jan 09, 2018 11:15 pm    Post subject: Reply with quote

Pearlseattle wrote:

E.g. my "Xeon(R) CPU E3-1260L v5" hasn't been patched yet :cry:


Telling the truth I have no idea why because Lenovo System x3250 M5 has E3-1200 v3 which is older.
Lenovo page was modified couple of times. If I remember correctly update for t530 should be done firstly on 26th or 28th of January. Maybe it is Lenovo fault or maybe Intel plays on time.

After bios update there could be a performance downgrade from 2% to 30% with current solution in software part, especially on servers.

If you apply Thistled's tin foil hat theory on that IMHO it comes to "money" or just to rework less resource-hungry way (I know that Intel and AMD were informed earlier about Meltdown and Spectre) and maybe those updated desktops/laptops cpu's are just the testing ground for code optimization. I presume that I could be wrong.

And that is a hell good question:

dmpogo wrote:

To those of you who have patched/upgraded everything - can you comment on the performance, is there a noticable hit ?
Back to top
View user's profile Send private message
Aiken
Apprentice
Apprentice


Joined: 22 Jan 2003
Posts: 224
Location: Toowoomba/Australia

PostPosted: Wed Jan 10, 2018 12:07 am    Post subject: Re: So how is the performance after patches ? Reply with quote

eccerr0r wrote:
I don't know if it's valid to run 32-in-64... that would be another interesting situation...


Do you mean 23 bit user space with a 64 bit kernel? Had a few 32 bit machines that I changed to a 64 kernel because I got fed up with the oom kill doing it's thing with low mem filling up while high mem and swap were mostly free. The only problem I had was the day I forgot to select 32 bit support in the 64 bit kernel and that machine promptly failed to boot. Nothing on those machines was in danger of hitting the address limit of 32 bit. Only reason I moved them to 64 bit user space was so I could use a single build server.

dmpogo wrote:
To those of you who have patched/upgraded everything - can you comment on the performance, is there a noticable hit ?


Cpu old enough to not get a microcode update and with the tool chain and statics libs now pie. These are my results on an old box I was testing with. Core2 e8500, 8G ram, 160G hd.

For a kernel compile was using the vanilla source for 4.14.11 and make oldconfig.
running 4.9.72 it took 11 min 22 sec
running 4.14.11 it took 11 min 45 sec
running 4.14.12 with a pie tool chain 11 min 57 sec.

With a database only had a look at loading a database. 9.5 million lines in the dump and on disk space 1.2G. Running kernel 4.1.4.12.
boot pti=off a db load takes 2 min 31 sec
boot pti=on a db load takes 2 min 32.5 sec

Doing a dna sequence search with a ncbi-blast on the nt dna set I download november 21 the searches were 11 min 28 sec and 11 min 30 sec. That is not a good machine for doing searches at the best of times.
_________________
Beware the grue.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7285
Location: almost Mile High in the USA

PostPosted: Wed Jan 10, 2018 12:11 am    Post subject: Re: So how is the performance after patches ? Reply with quote

Aiken wrote:
eccerr0r wrote:
I don't know if it's valid to run 32-in-64... that would be another interesting situation...


Do you mean 23 bit user space with a 64 bit kernel?

Yes, except that the concern is whether the 32-bit userland gets the security advantage of the patched 64-bit kernel. I would hope yes.

This hack unfortunately does not work for the ppro, p2, p3, etc. as they do not have 64-bit execution cores...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14398

PostPosted: Wed Jan 10, 2018 12:15 am    Post subject: Reply with quote

Regarding the lack of older microcode, there are several plausible innocuous explanations:
  • Perhaps some of the affected systems do so much of the work in pure hardware that a microcode fix is impossible
  • Perhaps the CPU's storage for microcode is too limited to accept the size increase that would come from augmenting the microcode with the fix. Since microcode is the dumping ground for all such fixes, it tends to grow over time, and rarely if ever shrink for a given CPU.
  • Perhaps the environment to build the microcode has bitrotted, and the vendor is no longer able to produce microcode for that chip
  • Perhaps the vendor has other projects that they consider higher priority (possibly even rightly so), so the people qualified to write the microcode fix are busy doing other work
Back to top
View user's profile Send private message
saboya
Guru
Guru


Joined: 28 Nov 2006
Posts: 474
Location: Brazil

PostPosted: Wed Jan 10, 2018 1:14 am    Post subject: Reply with quote

Hu wrote:
Regarding the lack of older microcode, there are several plausible innocuous explanations:
  • Perhaps some of the affected systems do so much of the work in pure hardware that a microcode fix is impossible
  • Perhaps the CPU's storage for microcode is too limited to accept the size increase that would come from augmenting the microcode with the fix. Since microcode is the dumping ground for all such fixes, it tends to grow over time, and rarely if ever shrink for a given CPU.
  • Perhaps the environment to build the microcode has bitrotted, and the vendor is no longer able to produce microcode for that chip
  • Perhaps the vendor has other projects that they consider higher priority (possibly even rightly so), so the people qualified to write the microcode fix are busy doing other work

I think it's much more likely that they won't support processors after their EOL. I believe it's 5 years for Intel CPUs, so neither Sandy Bridge or Ivy Bridge should receive new microcodes.
Back to top
View user's profile Send private message
Aiken
Apprentice
Apprentice


Joined: 22 Jan 2003
Posts: 224
Location: Toowoomba/Australia

PostPosted: Wed Jan 10, 2018 2:58 am    Post subject: Reply with quote

At least as far as meltdown goes even with the 32 bit user space I had expected meltdown to be dealt with using the an updated 64 bit kernel. I have one such system left. The checking tools not compiling under 32 bit does not help. This is a Prescott P4 and most of the checking I have done with it has been in a 64 bit chroot. I am getting mixed results. So far the Am-I-affected-by-Meltdown tool someone posted in this thread earlier has said it is safe no matter what kernel I have tried. Another tool looks for pti in the cpu cflags listed in /proc/cpuinfo. For me it is becoming academic as I am thinking time to retire that computer.

The core2 test box Am-I-affected-by-Meltdown gives the expected results depending on whether is booted with pti=on or pti=off.

Those sound like plausible reasons for no microcode update. I had taken the cynical approach and wondered how much of the decision was marketing with an arbitrary cut off date.
_________________
Beware the grue.
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 132

PostPosted: Wed Jan 10, 2018 8:52 am    Post subject: Reply with quote

New Intel microcodes:
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File

and:

https://bugs.gentoo.org/show_bug.cgi?id=643794
Back to top
View user's profile Send private message
fedeliallalinea
Bodhisattva
Bodhisattva


Joined: 08 Mar 2003
Posts: 22716
Location: here

PostPosted: Wed Jan 10, 2018 10:26 am    Post subject: Reply with quote

krinn wrote:
As you see, no update for 306e4 cpu, so i suppose the version gentoo speak in the wiki, is a not yet release version that will have the fix.

With intel-microcode-20180108 now is ok
Code:
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x42a, date = 2017-12-01
[    1.750161] microcode: sig=0x306e4, pf=0x4, revision=0x42a
[    1.750528] microcode: Microcode Update Driver: v2.2.

_________________
Questions are guaranteed in life; Answers aren't.
Back to top
View user's profile Send private message
fedeliallalinea
Bodhisattva
Bodhisattva


Joined: 08 Mar 2003
Posts: 22716
Location: here

PostPosted: Wed Jan 10, 2018 10:32 am    Post subject: Reply with quote

krinn wrote:
albright: you are right, the wiki page seems incorrect with 0xc2
Code:
iucode_tool  -l /lib/firmware/intel-ucode/* | grep 506e3
  066/001: sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304

New version of microcode report 0xc2 for skylake
Code:
# iucode_tool  -l /lib/firmware/intel-ucode/* | grep 506e3
  066/001: sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328

_________________
Questions are guaranteed in life; Answers aren't.
Back to top
View user's profile Send private message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 300

PostPosted: Wed Jan 10, 2018 1:04 pm    Post subject: Reply with quote

So in the microcode upgrade 2017-01-08 we can excpect microcodes as of 2017-11-16 in v2.2? Shouldn't it be 2017-01-08 as shown here? (When I click on my CPU it still shows 2017-01-08, but with the upgrade from today my microcodes become firstly upgraded to 2017-11-16. Crazy?

ADD: I have got an i7-6500U, Skylake, so I guess currently the 2017-11-16 is the latest in Gentoo Repos, but on Intel Page the 2018-01-08 is available. Hope it becomes available soon.

ADD: Output from spectre-meltdown-checker
Code:

Spectre and Meltdown mitigation detection tool v0.21

Checking for vulnerabilities against live running kernel Linux 4.14.12-gentoo #2 SMP Sat Jan 6 23:12:20 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 32 opcodes found, should be >= 70)
> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

I see cpu microcode is not vulnerable any more, so probably this was already fixed by microcodes v2.2 - 2017-11-16?
Is my test result the maximum fix at the moment?
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
Back to top
View user's profile Send private message
mike155
Veteran
Veteran


Joined: 17 Sep 2010
Posts: 1738
Location: Frankfurt, Germany

PostPosted: Wed Jan 10, 2018 1:44 pm    Post subject: Reply with quote

Quote:
Is my test result the maximum fix at the moment?

Probably not. Look at the output from a RHEL 7 server I posted two days ago. The tool indicates that they already have Kernel support for IBRS and LFENCE opcodes.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7200

PostPosted: Wed Jan 10, 2018 2:24 pm    Post subject: Reply with quote

Here are results on my testing:
the variant 1 : i don't have the fix for that yet.
the variant 2 : microcode has fix it
the variant 3 : KPTI should fix it (i have KPTI, but nothing to test it).

the spectre and update spectre-thread spoke earlier are variant1 (and yes, they do work flawlessly)
the meltdown earlier is variant2 : (with the microcode update it fail, without it, it work)
on my core2 using x86: variant1 test fail, variant2 test fail (i even cannot build them, but my corei2 as done the job with -m32)
i also prefer those two tools, because they don't check your security, they just try to abuse you : no need for a script telling me: ok your microcode is update if anyone could still fuck me with that microcode.

expect variant1 virus incoming :)
guys: i suppose we have to find those IBRS LFENCE ready kernel.
Back to top
View user's profile Send private message
blopsalot
Apprentice
Apprentice


Joined: 28 Jan 2017
Posts: 231

PostPosted: Wed Jan 10, 2018 5:03 pm    Post subject: Reply with quote

FYI : I''ve been testing Gentoo Hardened Profile devices using the following the projects and I don't see it working on processors reported as vulnerable on other distros, kernels predate the Page Table/Kaiser inclusion.

https://github.com/paboldin/meltdown-exploit
reports not vulnerable on all tested

https://github.com/IAIK/meltdown
this one says it finds the offset of KASLR (its wrong). inputting correct offset, the reliability test is .4% and I still cannot read values from ./secret

https://github.com/Eugnis/spectre-attack
this one works at default but i don't see it sucessfully reading anything else
Back to top
View user's profile Send private message
Aiken
Apprentice
Apprentice


Joined: 22 Jan 2003
Posts: 224
Location: Toowoomba/Australia

PostPosted: Wed Jan 10, 2018 10:42 pm    Post subject: Reply with quote

The 2 newer desktops (i7 700k) got microcode updates from both 20171117_p20171215-r1 and 20180108. Everything else is outside that 5 year limit.

Anyone been trying kvm on older hardware? On the core2 having kpti enabled in the guest is a killer. Timing a kernel compile I am getting

Host 11 1/2 - 12 minutes depending on booting with pti=on/pti=off
Host pti=off, guest pti=off 21 - 25 min
Host pti=on, guest pti=off 27 min
Host pti=on, guest pti=on 41 - 53 min

This is hw old enough to not have the pcid instruction. At least on the older hw can not say I am happy if kpti gets enabled in the guest.
_________________
Beware the grue.
Back to top
View user's profile Send private message
blopsalot
Apprentice
Apprentice


Joined: 28 Jan 2017
Posts: 231

PostPosted: Thu Jan 11, 2018 5:58 am    Post subject: Reply with quote

blopsalot wrote:
FYI : I''ve been testing Gentoo Hardened Profile devices using the following the projects and I don't see it working on processors reported as vulnerable on other distros, kernels predate the Page Table/Kaiser inclusion.

https://github.com/paboldin/meltdown-exploit
reports not vulnerable on all tested

https://github.com/IAIK/meltdown
this one says it finds the offset of KASLR (its wrong). inputting correct offset, the reliability test is .4% and I still cannot read values from ./secret

https://github.com/Eugnis/spectre-attack
this one works at default but i don't see it sucessfully reading anything else


this one works, other two seem broken. im prett sure it had to do with catching the right cpu, but i'm still unsure. https://github.com/IAIK/meltdown
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 132

PostPosted: Thu Jan 11, 2018 11:49 am    Post subject: Reply with quote

Hi krinn,

as for Spectre v1 IMHO it is to early to adapt those patches, this is still a WIP and not even in linus git tree yet.

Lately Fedora has adopted them and I suppose that RHEL too as mike155 sad, but from the mailing list - those patches have problems i.e. during build on arm:

https://www.spinics.net/lists/netdev/msg477230.html

As the first commit says this series can be found on github:

https://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux.git/?h=nospec


Last edited by PrSo on Thu Jan 11, 2018 5:14 pm; edited 1 time in total
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1629

PostPosted: Thu Jan 11, 2018 12:35 pm    Post subject: Reply with quote

Hi Guys

With all the mess of the latest vulnerabilities, I decided not to upgrade the kernel and install all the new firmware, microcode etc. It's a totally waste of time, because the problem won't be solved anyway until they develop a new CPU(which will take around 5 years as a person from Intel told me). And definitely the performance will be affected. My question is how other packages will be affected?
What other packages might be affected (gcc)? emerge world? Normal programs will be affected?
Back to top
View user's profile Send private message
Spargeltarzan
Guru
Guru


Joined: 23 Jul 2017
Posts: 300

PostPosted: Thu Jan 11, 2018 2:42 pm    Post subject: Reply with quote

@ queen:

At least you can protect against Meltdown.

Further, I believe a Spectre upgrade which close this issue is possible. There are some performance test comparisons which differ from almost no hit to significant hit, let's wait a bit here. Desktop PCs might be less affected anyway.

All in all, do you have an alternative to upgrade currently, do you prefer abuse of your data?
_________________
___________________
Regards

Spargeltarzan

Notebook: Lenovo YOGA 900-13ISK: Gentoo stable amd64, GNOME systemd, KVM/QEMU
Desktop-PC: Intel Core i7-4770K, 8GB Ram, AMD Radeon R9 280X, ZFS Storage, GNOME openrc, Dantrell, Xen
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1629

PostPosted: Thu Jan 11, 2018 2:56 pm    Post subject: Reply with quote

Well, I heard the lecture of Daniel Genkin (one of the authors of the paper) this week. He said spectre will haunt us for years. Furthermore, one of the greatest cpu architests that worked until recently at intel said that it needs a new design of cpu which will take 5 years. So don't be naive about spectre. I might consider applying kaiser. Unfortunately, our data is abused all over. :cry:

BTW, the person who worked at intel, told me that they designed about 10 years ago a cpu that would have resolved some of the issues that were presented now, but intel refused it because the performance was only 10% and intel wanted only performance. The guy is a genius.
Back to top
View user's profile Send private message
kajzer
Guru
Guru


Joined: 27 Nov 2014
Posts: 490

PostPosted: Thu Jan 11, 2018 3:06 pm    Post subject: Reply with quote

Spectre and Meltdown aside, who knows what else is there that we don't know about.
Back to top
View user's profile Send private message
Myu
Apprentice
Apprentice


Joined: 22 Oct 2014
Posts: 164
Location: Belgium

PostPosted: Thu Jan 11, 2018 4:28 pm    Post subject: Reply with quote

Intel CPU's older than 5 years should get microcode security fixes : https://newsroom.intel.com/news-releases/security-first-pledge/

Quote:
By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January

_________________
Gentoo stable with bits of ~amd64 // Xfce 4.13 + Compiz Reloaded.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7285
Location: almost Mile High in the USA

PostPosted: Thu Jan 11, 2018 5:40 pm    Post subject: Reply with quote

Myu wrote:
Intel CPU's older than 5 years should get microcode security fixes : https://newsroom.intel.com/news-releases/security-first-pledge/

Quote:
By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January


Actually it probably meant,

90% of the last 5 years CPU: by Jan 15
10% of the last 5 years CPU: by Jan 31
100% of older than 5 years: SOL

ugh, don't know what to do about my Sandybridge i7...

queen wrote:
BTW, the person who worked at intel, told me that they designed about 10 years ago a cpu that would have resolved some of the issues that were presented now, but intel refused it because the performance was only 10% and intel wanted only performance. The guy is a genius.

I wonder if they meant Itanium since apparently it was not affected, and it wasn't just Intel that wanted performance, it's the customer that wanted performance and binary compatibility (power consumption comes later I suppose)...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
PrSo
Tux's lil' helper
Tux's lil' helper


Joined: 01 Jun 2017
Posts: 132

PostPosted: Thu Jan 11, 2018 5:53 pm    Post subject: Reply with quote

@ eccerr0r

Quote:
Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
:wink:

Last edited by PrSo on Thu Jan 11, 2018 6:11 pm; edited 1 time in total
Back to top
View user's profile Send private message
mike155
Veteran
Veteran


Joined: 17 Sep 2010
Posts: 1738
Location: Frankfurt, Germany

PostPosted: Thu Jan 11, 2018 6:03 pm    Post subject: Reply with quote

The important word is "introduced" - and it was carefully chosen. It does not mean: "delivered" or "sold". :(
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 3314
Location: Illinois, USA

PostPosted: Thu Jan 11, 2018 6:09 pm    Post subject: Reply with quote

Quote:
remainder of these CPUs available by the end of January
Not remainder of our CPU's. It's clearly referring to CPU's from the last five years.
Back to top
View user's profile Send private message
Display posts from previous:   
This topic is locked: you cannot edit posts or make replies.    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Goto page Previous  1, 2, 3 ... 10, 11, 12 ... 21, 22, 23  Next
Page 11 of 23

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum