Intel processor patch for ALL Intel chips is required!

#41
On Ubuntu 16.04 with XanMod 4.14.14 at AMD CPU:
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
> STATUS:  NOT VULNERABLE  (Not affected)

Will test also with Ubuntu mainline latest from 4.14 branch.
"(...) the grandest occasion the past or present has seen, or the future can hope to see." -- Cervantes.
Reply

#42
On Ubuntu 16.04 with 4.14.13-041413 from mainline at AMD CPU:

Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

XanMod seems to be more robustly built than the mainline kernel, 50 opcodes to 29.
However, IMHO it's clear that this issue is still not totally solved by the companies, as it deserves to be.
Reply

#43
See xanmod.org
Reply

#44
(19-01-2018, 12:02 AM)Alexandre Frade Wrote: See xanmod.org

Thank you very much @Alexandre for the hard work.
For my friend Mateo, answering your question:
http://deb.xanmod.org/pool/main/l/linux-...mod19-sec/
Now you can download both files:

http://deb.xanmod.org/pool/main/l/linux-..._amd64.deb
http://deb.xanmod.org/pool/main/l/linux-..._amd64.deb
Reply

#45
Code:
Checking for vulnerabilities against running kernel Linux 4.14.14-xanmod19-sec #1 SMP PREEMPT Thu Jan 18 04:46:56 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
> STATUS:  NOT VULNERABLE  (Not affected)

Results after installing the 4.14.14-xanmod-sec edition, on an AMD CPU.
Reply

#46
OK, taking some time today to recheck all this, I see why the script says Xanmod is vulnerable to Meltdown 'variant 3':

Code:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'

To "fix" it, the kernel has to be compiled with "CONFIG_PAGE_TABLE_ISOLATION=y", and Xanmod isn't:

Quote: https://github.com/xanmod/linux/blob/4.14/.config#L9110

Should I open an issue on GitHub about that?

Anyway, I'll enable it on one of my machines and report later.
Reply

#47
(19-01-2018, 12:23 PM)figue Wrote: OK, taking some time today to recheck all this, I see why the script says Xanmod is vulnerable to Meltdown 'variant 3':

Code:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'

To "fix" it, the kernel has to be compiled with "CONFIG_PAGE_TABLE_ISOLATION=y", and Xanmod isn't:

Quote: https://github.com/xanmod/linux/blob/4.14/.config#L9110

Should I open an issue on GitHub about that?

Anyway, I'll enable it on one of my machines and report later.

Are you sure the *.sec kernel that was posted earlier AND is linked on the main page is not compiled with this, then?

Have not tested, but from the link I think there are 2 versions of 4.14.14-xanmod19 now, one with "sec"(ure) options WITH these patches that has the drawback of 5-30% less performance for certain tasks.

Scroll a wee bit down on the xanmod.org main page and you will see the download link.
Reply

#48
(19-01-2018, 02:01 PM)CybDex Wrote: Are you sure the *.sec kernel that was posted earlier AND is linked on the main page is not compiled with this, then?

Have not tested, but from the link I think there are 2 versions of 4.14.14-xanmod19 now, one with "sec"(ure) options WITH these patches that has the drawback of 5-30% less performance for certain tasks.

Scroll a wee bit down on the xanmod.org main page and you will see the download link.

Sorry, I didn't know about the sec kernel. I can't find the source code on GitHub. Can you give me a link? Maybe I'll switch/add my package in Arch Linux to it.

FYI, I booted my Arch with CONFIG_PAGE_TABLE_ISOLATION=y, no issues for now.
Reply

#49
(19-01-2018, 02:41 PM)figue Wrote: Sorry, I didn't know about the sec kernel. I can't find the source code on GitHub. Can you give me a link? Maybe I'll switch/add my package in Arch Linux to it.
Not sure how to get the source with the "sec" patches.

(19-01-2018, 02:41 PM)figue Wrote: FYI, I booted my Arch with CONFIG_PAGE_TABLE_ISOLATION=y, no issues for now.
What do you mean by that?

Yeah, it does not look like Arch has a packaged 4.14.14-xanmod19-sec kernel yet, so you might try to contact them if you are not compiling yourself. Xan could possibly come up with a solution to that.
Reply

#50
figue, the only difference in the sec .config is this:

CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y

Well, I still do not know if I will keep this version for a long time; I'm thinking of enabling kpti+retpoline in the main branch and offering a separate version without.

The current version improved performance along with retpoline by Google. In my small benchmarks there was very little loss, but I do not feel any degradation of performance in normal use.

CybDex the benchmarker could confirm for us.
Reply
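The checker output in posts #41 and #42 and the two .config options named in post #50 can be cross-checked directly against what the kernel itself exposes. The script below is an added example, not code from the thread or from the XanMod project: it reads the sysfs vulnerabilities directory and the kernel .config, and runs here on constructed sample files so that the paths are parameters rather than assumptions about the machine.

```shell
#!/bin/sh
# Added example (not from the thread or the XanMod project): read the
# mitigation state from the kernel's own sources, the sysfs vulnerabilities
# directory and the kernel .config, rather than trusting a checker script.
# Both paths are parameters, so the functions also run on constructed files.

# "y" if SYMBOL=y is present in the .config, "n" if absent or commented out.
config_enabled() {
    if grep -q "^$2=y\$" "$1" 2>/dev/null; then echo y; else echo n; fi
}

# Raw status the kernel exposes for one vulnerability file (meltdown,
# spectre_v1, spectre_v2); "unknown" if the kernel does not provide it.
sysfs_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo unknown; fi
}

# Map a sysfs status string to a short verdict.
classify() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# One line per item: kernel verdict plus the two .config options the sec
# build turns on (PTI for Meltdown, retpoline for Spectre v2).
report() {
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(sysfs_status "$2" "$v")
        printf '%-10s %-13s %s\n' "$v" "$(classify "$s")" "$s"
    done
    printf 'CONFIG_PAGE_TABLE_ISOLATION=%s CONFIG_RETPOLINE=%s\n' \
        "$(config_enabled "$1" CONFIG_PAGE_TABLE_ISOLATION)" \
        "$(config_enabled "$1" CONFIG_RETPOLINE)"
}

# Constructed sample (not a real machine): PTI off, retpoline on, and sysfs
# strings like the AMD output quoted in the thread.
tmp=$(mktemp -d)
printf '%s\n' '# CONFIG_PAGE_TABLE_ISOLATION is not set' 'CONFIG_RETPOLINE=y' > "$tmp/config"
mkdir "$tmp/vuln"
echo 'Not affected' > "$tmp/vuln/meltdown"
echo 'Vulnerable' > "$tmp/vuln/spectre_v1"
echo 'Vulnerable: Minimal generic ASM retpoline' > "$tmp/vuln/spectre_v2"
report "$tmp/config" "$tmp/vuln"
rm -rf "$tmp"
```

On a live system, replace the sample with `report /boot/config-$(uname -r) /sys/devices/system/cpu/vulnerabilities`; kernels carrying the fixes, like the 4.14.14 builds in this thread, expose those sysfs files, while older kernels simply report "unknown".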

#51
(19-01-2018, 07:01 PM)Alexandre Frade Wrote: figue, the only difference in the sec .config is this:

CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y

Well, I still do not know if I will keep this version for a long time; I'm thinking of enabling kpti+retpoline in the main branch and offering a separate version without.

The current version improved performance along with retpoline by Google. In my small benchmarks there was very little loss, but I do not feel any degradation of performance in normal use.

CybDex the benchmarker could confirm for us.

OK, thanks Alexandre.
I have enabled retpoline as well as page table isolation and, as you said, it seems acceptable for now.
Reply

#52
(19-01-2018, 10:27 PM)figue Wrote:
(19-01-2018, 07:01 PM)Alexandre Frade Wrote: figue, the only difference in the sec .config is this:

CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y

Well, I still do not know if I will keep this version for a long time; I'm thinking of enabling kpti+retpoline in the main branch and offering a separate version without.

The current version improved performance along with retpoline by Google. In my small benchmarks there was very little loss, but I do not feel any degradation of performance in normal use.

CybDex the benchmarker could confirm for us.

OK, thanks Alexandre.
I have enabled retpoline as well as page table isolation and, as you said, it seems acceptable for now.

I have not tested the .sec version and benchmarked it yet. Could be interesting to see if the improved code has helped in that regard, though.

From what I have tested, AND sites like Phoronix have tested, it COULD seem that the older the CPU, the more impact these patches have. So if you have a rather new computer, it will probably not be THAT noticeable in regular usage. However, I use "wine" to play things like World of Warcraft, which is highly CPU dependent for loads of stuff, and have a rather old CPU (i7 2600K), so where I can avoid losing fps, I try to avoid it.

Tests that have shown degradation seem to be those with heavy IO usage, and gaming in general is perhaps not one of them, so with a newish computer you might not notice it that much.

I'll see if I can get around to doing some tests later between the 4.14.14-xanmod19 and 4.14.14-xanmod19_sec kernels.

C
Reply

#53
There are some "retpoline" tests done over at Phoronix, with ofc a bit newer processors, but still comparative tests without/with, and with the patched GCC-7 compiler.

https://www.phoronix.com/scan.php?page=a...arks&num=1
Quote: Keep in mind these tests were all done with KPTI present and enabled (on Intel CPUs), just comparing Retpoline today. For those curious about the compounded impact of KPTI + Retpoline with/without, those tests are coming up soon on Phoronix. Also on my TODO list is looking at the performance impact of when rebuilding the user-space applications/benchmarks using the new compiler options as a result of the Spectre patches.
Now, it will be interesting to see if KPTI (which has shown performance degradation) + retpoline patches make for a crappy experience for those with not-so-powerful hardware (like me).

Considering that AMD also needs SOME sort of retpoline patching, they are not the "clear winner" they seemed to be at the beginning of all this *crap*.

Well, upgrading old hardware without KPTI/Retpoline patches to newer hardware WITH the patches will still be a "win", so in a way... well... I wonder, though, if Intel/AMD will come up with fixed hardware in a timely fashion, so I personally should just wait it out a wee bit longer with the planned hardware upgrade?
Reply

#54
@tropic says:

Please, don't make a drama about this Intel hardware problem.
It will be solved easily with amazing software updates.

"solved easily"...3 pages of thread later...still not finished....
Reply

#55
(27-01-2018, 06:27 AM)Guest Wrote: @tropic says:

Please, don't make a drama about this Intel hardware problem.
It will be solved easily with amazing software updates.

"solved easily"...3 pages of thread later...still not finished....


You can use the 'sec' version of XanMod, 'recommended for environments that require more information security':
http://deb.xanmod.org/pool/main/l/linux-...mod20-sec/

Security flaws are not problems in themselves, just opportunities to get better.
https://www.cvedetails.com/product/47/Li...ndor_id=33
Reply

#56
It is a FACT that these patches still have an overhead when it comes to performance. So, in that regard, the "problem" is not solved.

YES, you can have a patched kernel that SOLVES the security issue, but the "problem" itself is that hardware can't always be "solved" with software. So, in a way...

Nope. As of NOW, there is no FIX for the problem that you will lose performance if you want a more secure system.

As Windows users, people are more or less used to this fact, because they need to run various degrees of antivirus software in the background. Some of them have a "gaming mode" that turns them off at will, and some do not. They ALL come with various degrees of performance impact, though. Now there is a hardware exploit that makes BOTH Linux AND Windows lose performance, and that cannot be turned off without a reboot (the Windows patch cannot be turned off at all, I guess, unless some registry hacks exist?).

I am not too worried running the non-sec kernel, but a fact is a fact.
Reply

#57
IMHO it's improbable that the Spectre and Meltdown problems don't get "solved soon" due to their importance. Furthermore, there are no serious studies about their real impact and the probability of suffering an attack. "It's likely more cost effective to focus on detection and response strategies, rather than full mitigation, particularly when the probability of a practical attack is low for the environment," they noted. https://www.helpnetsecurity.com/2018/01/...detection/
Reply
