Intel processor patch for ALL Intel chips is required!

#1
Hi there,

Just wondering how to look at this newfound flaw in ALL Intel processors and the XanMod kernels.

Will you guys issue a patch, or do we just take one offered by our original distro? If I understand correctly, the patch/fix will be kernel specific.

For more information, in case you have not yet heard about this problem, please see howtogeek.com here (no, I am not affiliated, I am a subscriber):

https://www.howtogeek.com/338269/a-huge-...r-pc-soon/

by Chris Hoffman on January 2nd, 2018


"Intel chips have a massive design flaw, and both Microsoft and the Linux kernel developers are scrambling to fix it. The security hole can be patched, but the patches will make PCs (and Macs) with Intel chips slower.
We don’t know how much slowdown you’ll see yet, but one developer says a 5% slowdown will be fairly typical—at least on Linux—while certain tasks could experience slowdowns as high as 30%."
Reply

#2
From what I see it is implemented in 4.14.11... so 4.14.11-xanmod15 has this.

Can be disabled with the kernel option "nopti" (without quotes ofc).

Tool to check if your cpu is vulnerable: https://downloadcenter.intel.com/download/27150?v=t

Not sure if the test will pass if you are running a patched kernel tho, so should perhaps be tested against an older kernel to be sure?

https://en.wikipedia.org/wiki/Kernel_pag..._isolation
Quote: to be released in early 2018, and backported into Linux Kernel 4.14.11

So I would assume that 4.14.11-xanmod15 HAS this patch.
Reply

#3
Hi CybDex,

OK, BIG thanks for that, I was not aware a test existed. Running it I find my i5-3427U running on an HP 2170p is vulnerable (using v.1.0.0.152).

-  Processor Name: Intel® Core™ i5-3427U CPU @ 1.80GHz
-  OS Version: Ubuntu 16.04 xenial (4.11.12-xanmod16)

-  *** Intel® ME Information ***
-  Engine: Intel® Management Engine
-  Version: 8.1.0.1265
-  SVN: 0

It seems this is the problem in my case.

-  *** Risk Assessment ***
-  Based on the analysis performed by this tool: This system is vulnerable.
-  Explanation:
-  The detected version of the Intel® Management Engine firmware
-    is considered vulnerable for INTEL-SA-00086.

In my case (and for those running HP 2170p with i5-3427U) there is an older (but still from 2017) update for the ME firmware, issued for Windows, on the HP driver site. I am going to install this and see if the vulnerability will be patched.

I will post back with the result very soon for anyone interested.

EDIT: The update (newer, from Nov 19, 2017) was for the recent WPA/WPA2 flaw, not for this flaw. So will keep watch on the HP site. But if I patch this from Windows, is it sorted, or would I have to patch from Linux anyway?
Reply

#4
I'm not 100% sure this INTEL-SA-00086 is the exact same bug tho.. Hmm..

I might have jumped the gun and kinda accepted the test as THE current test? Cos it's mentioned that some upgrade exists, and from what I gather, the KPTI bug is only fixable by software, and is a design flaw in the processor?

Always nice to get IME fixed anyway I guess, but as I said.. take it with some grains of salt that THIS is it tho.
Reply

#5
You might be right that the test for INTEL-SA-00086 is not for the serious flaw I was showing via the howtogeek piece, since they claim it has not yet been announced publicly.

This might then mean there are two serious flaws we are dealing with for Intel processors. Nice.

Anyway, I have just installed 4.14.11-xanmod15 and will reboot, re-run the INTEL-SA-00086 test, and report back.
Reply

#6
Well, I can confirm the INTEL-SA-00086 test also indicates my HP 2170p with i5-3427U running 4.14.11-xanmod15 is STILL vulnerable. So, that kernel and 4.11.12-xanmod16 are both vulnerable to whatever INTEL-SA-00086 is. And it seems the IME version has not changed from 4.11 to 4.14.

- Model: HP EliteBook 2170p
- Processor Name: Intel® Core™ i5-3427U CPU @ 1.80GHz
- OS Version: Ubuntu 16.04 xenial (4.14.11-xanmod15)

- *** Intel® ME Information ***
- Engine: Intel® Management Engine
- Version: 8.1.0.1265
- SVN: 0

- *** Risk Assessment ***
- Based on the analysis performed by this tool: This system is vulnerable.
- Explanation:
- The detected version of the Intel® Management Engine firmware
- is considered vulnerable for INTEL-SA-00086.

It remains to be seen if INTEL-SA-00086 is the same flaw being covered in the howtogeek article (see post #1).

I can also comment that 4.14.11-xanmod15 ran very slowly on my system, and my browser became so slow that I decided to re-boot into 4.11 to post this! Now to go and remove 4.14.11!
Reply

#7
Also had some perceived slowdown when browsing++ with 4.14.11-xanmod15, so I guess I'll sit on the fence a wee bit more.

Reading more about this stuff, it seems as if the discovered exploit does not have any public proof of concept just yet, so for all I know it's still a wee bit "in the wild" when it comes to actual exploits... On the other hand, this has been a bug for numerous years if it is in fact just as they say.. And we could just as well have had hacks/exploits based on this around for years.

Well.. we shall see how this pans out during the next weeks. I have a rather old CPU, an i7 2600K, so was planning on a brand spanking new i7 this year, but depending, I might just end up with an AMD.

And for all we know, the current code and method to "fix it" might be slower than needed...
Reply

#8
4.14.11-xanmod15 rev 2.180103 without KPTI!
At the moment.
Reply

#9
I think "fuckwit" is the better acronym (Forcefully Unmap Complete Kernel With Interrupt Trampolines)! Perhaps more meaningful than KPTI! Sorry...couldn't resist! : )

https://lkml.org/lkml/2017/12/4/709

Has anyone used the patch issued on the above link (see links therein, at the page bottom)?

Should we apply it? Or would that be living dangerously?

EDIT: after extracting the "patch", the question becomes, which one to install? There are 61 patches sitting there! And seemingly no "read me" file has been included for guidance!
Reply

#10
Quote: EDIT: after extracting the "patch", the question becomes, which one to install? There are 61 patches sitting there! And seemingly no "read me" file has been included for guidance!
I have no clue about that.. Quite a lot of fiddling to do to self-compile the xanmod kernel with all patches and stuff that makes things guuud.

Anyway.. Dangerous or not. So far.. unless it has already been done during the last 15+ years.. I have not read anything other than "may" and "could" when it comes to things like e.g. a malicious script on a webpage being able to read this info. And I have seen some indications of browsers being updated to tackle any dangerous scripts exploiting this tho. I think that's not far away.

The most dangerous exploitability in MY PERSONAL opinion would perhaps be a server park running multiple VMs, where you could run exploit code on "your" rented VM, and then read info from OTHER people's rented VMs... Something like that.
Or.. of course you running malicious code on your local computer that exploits this. I highly doubt any exploitable code will pop up any time soon from the official Ubuntu repositories and the likes, so if you are feeling a bit insecure atm I guess my advice would be to:

1. Use only official packages - stay away from 3rd party PPAs you don't trust.
2. Don't run scripts/code locally you don't really trust.

I'm not really that worried tho, but if you are really concerned about security issues - chill the internet browsing a couple of days until Firefox/Chrome/Chromium++ is updated?

And from what I gather, the 4.14.11-xanmod15_1 kernel HAS these patches, while as posted above the 4.14.11-xanmod15_2 does not.
When I ran 4.14.11-xanmod15_1, I could easily find the "kernel page table isolation" line in dmesg.. Don't remember exactly what the line said, but something you actually could verify.

C

Right. Booting the 4.14.11-xanmod15_1 kernel gives the line:
Code:
Kernel/User page tables isolation: enabled
using dmesg.

That line is not there in 4.14.11-xanmod15_2, so the patch is not there.

You CAN however try the "nopti" kernel option (without quotes) in your grub config, and with a KPTI patch-enabled kernel like 4.14.11-xanmod15_1 you should get:
Code:
Kernel/User page tables isolation: disabled on command line.
using dmesg.

Now what COULD be interesting to test is if there is any kind of performance difference between 4.14.11-xanmod15_2 and 4.14.11-xanmod15_1 with the "nopti" option...

C
Reply
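As an added example (not code from this thread or from the XanMod project), here is a small POSIX shell script that turns the dmesg check above into something repeatable: it classifies the two "Kernel/User page tables isolation" lines quoted in the post, word-matches "nopti" on the kernel command line, and on a live system prefers the sysfs meltdown file that later kernels export before falling back to dmesg. The sample dmesg and cmdline strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the XanMod project: classify a kernel's
# KPTI state from the dmesg lines quoted above and check for "nopti" on the
# kernel command line. The sysfs file used by the live check is exported by
# newer kernels (4.15 and backports); older ones only have the dmesg message.

kpti_status_from_dmesg() {
    # $1: dmesg text. Prints one of: enabled | disabled-cmdline | absent.
    if printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: disabled on command line'; then
        echo disabled-cmdline
    elif printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: enabled'; then
        echo enabled
    else
        echo absent      # no KPTI message at all: kernel built without the patch
    fi
}

cmdline_has_nopti() {
    # $1: kernel command line. Whole-word match, so "nopti=1" or "xnopti" do not count.
    case " $1 " in
        *" nopti "*) echo yes ;;
        *)           echo no ;;
    esac
}

kpti_status_live() {
    # Prefer the sysfs summary when the running kernel exports it; otherwise use dmesg.
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then
        cat "$f"         # e.g. "Mitigation: PTI" or "Vulnerable"
    else
        kpti_status_from_dmesg "$(dmesg 2>/dev/null)"
    fi
    echo "nopti on cmdline: $(cmdline_has_nopti "$(cat /proc/cmdline 2>/dev/null)")"
}

# Constructed samples mirroring the two lines quoted in the post above.
SAMPLE_DMESG_PTI='[    0.000000] Linux version 4.14.11-xanmod15_1
[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_DMESG_NOPTI='[    0.000000] Linux version 4.14.11-xanmod15_1
[    0.000000] Kernel/User page tables isolation: disabled on command line.'
SAMPLE_DMESG_NONE='[    0.000000] Linux version 4.14.11-xanmod15_2'

if [ "${1:-}" = "--live" ]; then
    kpti_status_live
else
    echo "sample 1: $(kpti_status_from_dmesg "$SAMPLE_DMESG_PTI")"
    echo "sample 2: $(kpti_status_from_dmesg "$SAMPLE_DMESG_NOPTI")"
    echo "sample 3: $(kpti_status_from_dmesg "$SAMPLE_DMESG_NONE")"
fi
```

Run it with `--live` on the machine you are checking; without arguments it only exercises the constructed samples.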

#11
It seems, that in less than 24 hrs, there is now a claim to have utilised this flaw (see: https://www.bleepingcomputer.com/news/se...urity-bug/)

"Earlier today, Erik Bosman, a security researcher with VUSec (Systems and Network Security Group at Vrije Universiteit Amsterdam) claimed he was able to exploit the supposed Intel bug to read data from privileged kernel memory.

Bingo! #kpti #intelbug pic.twitter.com/Dml9g8oywk
— brainsmoke (@brainsmoke) January 3, 2018"

I have been reading that patches are available for linux, but there was no further info.

Can follow developments for ubuntu here: https://www.cyberciti.biz/faq/patch-melt...754-linux/

here: https://usn.ubuntu.com/usn/xenial/

and for the specific CVE (CVE-2017-5754) here: http://people.canonical.com/~ubuntu-security/cve/

and specifically, here: https://people.canonical.com/~ubuntu-sec...-5754.html

Assuming there are better targets (i.e. cloud servers), I'm not terribly worried about being a victim of this, but still, this is quite the SNAFU.
Reply

#12
o.O

Please, don't make a drama about this Intel hardware problem.
It will be solved easily with amazing software updates,
as important enterprises always do.

"(...) the grandest occasion the past or present has seen, or the future can hope to see." -- Cervantes.
Reply

#13
Ya, "drama"...as ever, you are correct Tropic!

Meltdown and Spectre are mere nuisances. No biggie. After all, it isn't like they affect almost all computers world-wide.

You can take this pointless thread down. I'm sure this will all blow-over in a couple days.
Reply

#14
"According to the Verge, Microsoft has already issued an emergency patch, which it apparently had been testing in earlier Windows Insider builds, to address the issue. Google has also provided a fix in the latest Android security updates, which so far have primarily rolled out to Google’s Nexus and Pixel smartphones, and more generally, ARM has provided patches to companies using its processors. Linux and MacOS will also need to be updated, meaning this is an equal-opportunity bug, although AMD has stated that there is “near zero risk to AMD products at this time.” (...) As always, you’ll want to keep your system updated no matter its OS or CPU. As it turns out, this story isn’t about one manufacturer’s problems but apparently more about the industry’s rapid response to a widespread issue."

https://www.digitaltrends.com/computing/...ucing-fix/
https://www.theverge.com/2018/1/3/168467...ows-10-fix
Reply

#15
Well... Drama or not, why would somewhat computer-interested nerds NOT care about a thing like this?

Yeah, people spend loads of time and effort to tweak and gain every little bit of performance out of their computers, and suddenly some bug crap makes you possibly lose some of it.. IT IS INTERESTING!
Not to mention who it really might change things for... server parks and the likes. If you have 1000 servers that serve 100 million people every second 24/7, that hardware cost + power cost +++ makes you not sneeze at a "mere 30% performance loss". Sure, it MAY not be that bad, and I can agree with you that it may be fixed in a way that won't be a problem.

But as of NOW, it IS something to talk about, even if you don't really bother with it Tropic.

So.. I did some benchies with a couple of phoronix tests - Redis (GET and LPUSH), and Stress-NG (Context Switching and Socket Activity).
[Image: KPTI_Real.jpg]

The "Without KPTI" is the 4.14.11-xanmod15_2 kernel, the "With KPTI" is the 4.14.11-xanmod15_1 kernel, and "Kernel option nopti" is by adding the "nopti" kernel option to disable the patch. And of course a comparison with 4.14.10-xanmod14.

Now, except for Stress-NG Context Switching, where the KPTI patch actually gave a performance increase, the "nopti" option vs. the kernel compiled without the patch is more or less the same.

Just to do a VM test, I fired up my Ubuntu 16.04 inside VirtualBox, and did some more tests there.. Mostly to check if some sort of "double-trouble" would happen if the KPTI patch was enabled on both the host AND the guest.. but luckily it did not.
[Image: KPTI_VM.jpg]

This is kinda interesting (because I actually did not know), and that is that the KPTI patch does not in any horrible way "double-dip" if you have it running on the host as well as the guest. Anyway, the difference is somewhat huge, at least on my crummy old computer.

Guess the 4.14.11-xanmod15_2 is the current "best" of them tho.. and there are millions of other tests to be done I guess.. Just from the 4 I did, it's crystal clear that the performance drops if you enable the KPTI patch.
Reply

#16
No news can surprise me from "the devastating problems that could happen by the Year 2000 effect".
Since 2000 I'm very calm about alarmist news of any kind from any source. 
Intel (and probably other companies) is in serious trouble. Not us. 
Just enjoy XanMod kernel and a warm chocolate.
Reply

#17
When it comes to the Y2K problem, loads of hardware WAS swapped, and we can't really tell for sure what would have happened if EVERYONE had just said "take some warm chocolate".

Sure, the company I worked for back then milked it for everything we could... sold loads of computers back then. Same might happen now, where some might just buy an AMD CPU on the next upgrade. The likelihood of a mass class-action suit is high, and with the Intel CEO suspiciously dropping his stock a few weeks back.. well.. Things might happen.

Nope, my computer won't stop working... And sure, there may be more effective patches on the way.. it's just that MEANWHILE it sucks donkeyballs.

C
Reply

#18
(04-01-2018, 09:15 PM)CybDex Wrote: When it comes to the Y2K problem, loads of hardware WAS swapped, and we can't really tell for sure what would have happened if EVERYONE had just said "take some warm chocolate".
(...)

Please, don't underestimate the power of a good warm chocolate:

"Patches arrive for Intel’s ‘Meltdown’ flaw — here’s how to protect your device."
Posted on January 4, 2018 3:57 pm
https://www.digitaltrends.com/computing/...ucing-fix/

"Well, there you have it. Desktop users have little to worry about in terms of performance loss, particularly gamers. We've yet to test older CPUs, but given the type of workloads we’re seeing impacted by the patch, I don’t think there’s going to be an issue with any desktop hardware, but we’ll certainly report back if there is. The reduction in 4K read performance for high speed NVMe drives is a concern and while this shouldn’t impact any games, any application that is sensitive to this might show a reduction in performance. Of course the brief list of applications I tested showed no real reduction in performance period. The issue nonetheless remains and is one that has a far bigger potential in affecting servers. It's a serious concern for data centers both on the side of performance and more importantly, security. That's not our area of expertise or interest, so we'll leave that testing to those better equipped to tackle it."
https://www.techspot.com/article/1554-me...e-windows/

Anyway, I liked your Phoronix tests, all kinds of tests are welcome here.
It would probably be a good idea to have a Phoronix tests section IMHO.
Reply

#19
(05-01-2018, 12:43 AM)tropic Wrote: Anyway, I liked your Phoronix tests, all kinds of tests are welcome here.
It would probably be a good idea to have a Phoronix tests section IMHO.

Yeah, I would not mind that.. Some kind of kernel performance comparison and such could be posted for those interested. I guess 4.15 is not too far away, and we will get a brand spanking new set of XanMod kernels to test... and benchmark.

I see there have been updates to both Chrome and Firefox. Could not immediately find the changelog for Chrome, but Firefox indicated a fix for "Speculative execution side-channel attack ("Spectre")" by tuning some parameters.
Quote: Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.
Reply

#20
(05-01-2018, 07:23 AM)CybDex Wrote:
Quote:(...)
I see there have been updates to both Chrome and Firefox. Could not immediately find the changelog for Chrome, but Firefox indicated a fix for "Speculative execution side-channel attack ("Spectre")" by tuning some parameters.
Quote: Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.

Nice information about Firefox updates... Very interesting, thanks!
Reply
