Kernel Page-Table Isolation (KPTI) - severe ARM + Intel CPU bug, hits partly AMD

kernel
intel
security
kpti
kaiser

#120

The final paragraph is not encouraging: “Do not expect quick fixes, especially for Spectre. Speculative execution is as fundamental to the working of modern chips as assembly lines are to a modern factory. Redesigning, testing and manufacturing billions of replacement devices would take years. At the same time, the economic incentives within the computing business still favour speed and sharing over security. There are good economic reasons for the lack of diversity in processors, too, chiefly the benefits of standardisation, which makes computers compatible and lowers costs. But all that also promotes brittleness and fragility. In other words, this double blow will almost certainly be followed by other, equally painful ones.”


#121

Where is VIA CPU? :kr:
No one answered here yet:

But probably not, because they are so old.

Edit: They implement out-of-order execution as well, therefore might be affected, too.


Spectre v2 - Status of fixes for different CPU vendors and generations
#122

Contact your laptop manufacturer.


#123

If intel-ucode is installed from the extra repository (which it seems to be on my notebook), shouldn’t the microcode update apply during boot as and when it is made available by Intel and updated accordingly by the package maintainer?

I didn’t enable it, it was set by default during installation and it is working according to dmesg | grep microcode.


#124

When I run that from a command line I get
grep: and: No such file or directory
grep: zcat: No such file or directory

So even though I am running 4.14.11-1-MANJARO #1 SMP PREEMPT Wed Jan 3 I am not sure the requisite patch is/has been applied?


#125

Two separate statements

$ dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: enabled
$ zcat /proc/config.gz | grep -i page_table
CONFIG_PAGE_TABLE_ISOLATION=y

:wink:


How to know if my Kernel version contains mitigation of "Intel Meltdown vulnerability"
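The two checks in #125 are separate commands and answer different questions, which is why running them as one line (as in #124) produces grep errors. As an added example, not code from the thread or from Manjaro, this script folds both checks into one verdict; the function names are hypothetical and the sample dmesg/config text is constructed.

```shell
#!/bin/sh
# Added example: combine the two separate checks from #125 into one verdict.
# Function names are hypothetical; SAMPLE_* inputs below are constructed.

# kpti_from_dmesg: reads dmesg text on stdin and prints the state the kernel
# logged at boot ("enabled" or "disabled"), or "unknown" when no such line
# exists, which usually means the running kernel predates the KPTI patches.
kpti_from_dmesg() {
    state=$(sed -n 's/.*Kernel\/User page tables isolation: \([a-z]*\).*/\1/p')
    if [ -n "$state" ]; then printf '%s\n' "$state"; else printf 'unknown\n'; fi
}

# kpti_from_config: reads a kernel .config (e.g. zcat /proc/config.gz) on stdin
# and prints "built-in", "not-built", or "unknown" (option absent entirely).
kpti_from_config() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -qx 'CONFIG_PAGE_TABLE_ISOLATION=y'; then
        printf 'built-in\n'
    elif printf '%s\n' "$cfg" | grep -qx '# CONFIG_PAGE_TABLE_ISOLATION is not set'; then
        printf 'not-built\n'
    else
        printf 'unknown\n'
    fi
}

# kpti_verdict CONFIG_STATE DMESG_STATE: the config only proves the kernel was
# compiled with PTI; the dmesg line proves it is active. A kernel built with
# PTI but booted with "nopti" or "pti=off" still leaves Meltdown unmitigated.
kpti_verdict() {
    case "$1:$2" in
        built-in:enabled)            printf 'mitigated\n' ;;
        built-in:disabled)           printf 'built-in-but-disabled-at-boot\n' ;;
        not-built:*|unknown:unknown) printf 'unmitigated\n' ;;
        *)                           printf 'inconsistent\n' ;;
    esac
}

# Constructed sample data shaped like the #125 output. On a real system run:
#   kpti_verdict "$(zcat /proc/config.gz | kpti_from_config)" "$(dmesg | kpti_from_dmesg)"
SAMPLE_DMESG='[    0.000000] Linux version 4.14.11-1-MANJARO
[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_CONFIG='CONFIG_X86_64=y
CONFIG_PAGE_TABLE_ISOLATION=y'

main() {
    kpti_verdict "$(printf '%s\n' "$SAMPLE_CONFIG" | kpti_from_config)" \
                 "$(printf '%s\n' "$SAMPLE_DMESG"  | kpti_from_dmesg)"
}
main
```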
#126

According the Intel’s list my old Intel Core2 Quad Q6600 seems not affected by Meltdown not Spectre. Am I right?

:smiley:


#127

Thanks sueridgepipe, I’m set then, but I still find this whole saga a worrisome event. Of course, if there’s any solace to be had it must be in those words of philm above “…Well, it is known for a while (June 2017) and therefore communicated to those of interest…” Which is akin I suppose to “what you don’t know won’t hurt you” :grin::grin:


#128

Meltdown: All Intels since the first Pentium are affected, with the exception of some Atom processors and the Itaniums (-> different architecture).

Spectre: Also affects AMD and some ARM.

EDIT:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Yes, according to that list, your CPU is not affected, but that seems a bit contradictory to what is written on meltdownattack.com


#129

You should work on the assumption that all Intel CPUs are affected.


#130

I agree, Intel hasn’t been very trustworthy in the last few days with their statements…to say the least.

Here’s what Linus Torvalds thinks: https://lkml.org/lkml/2018/1/3/797


#131

My thoughts:

There are 2 Security issues: Meltdown and Spectre.

Meltdown is a critical security breach that allows every application to read every memory bit of other applications, which is only fixable by affecting performance. That one affects ONLY Intel but apparently every “modern” CPU they made in the last decade.

The second one is Spectre, which needs highly modified, application-specific malware to be usable for exploits and thus “only” a regular security breach. This one is partially valid for AMD and ARM, too. However, Spectre can be fixed without affecting performance.

So yeah, big bugs, extremely bad for Intel and their users. I don’t really care much for Spectre. It needs to be fixed, but its nature does not expose such a big threat like Meltdown does.

Edit: Seems like my general favour for AMD on desktop usage pays off more and more for me and my friends ^^


#132

Intel announces updates:




#133

Phoronix Linux KPTI Tests Using Linux 4.14 vs. 4.9 vs. 4.4


BTW:
I think we should open up another Topic about this to collect outputs and posts about affected/not affected CPUs.
This topic should be straight about the 2 hardware bugs and comments; thanks.


#134

Ok, on that case I’ll apply the update.

Thank you very much!! :smiley:


#135

Thank you very much for the link!! :smiley:


#136

Ad-blockers are the next anti-virus. Some have already started blocking malware scripts like crypto-mining ones; I’d expect they also block such scripts in the future.


#137

I’m curious how critical these bugs really are for the normal home user? Reading them they sound critical for cloud providers where different customers are on the same hardware…but for a desktop user who is the only person using the computer?

I guess a virus could use these flaws to access data, but if it’s already running on your computer wouldn’t it be easier to screen scrape and key log to gather information?

I’m guessing if you can use JavaScript to exploit the issues, but then I’m not sure how I would use javascript to try to access kernel memory with out of order execution in the cpu.


#138

With Firefox these settings could help (note the conditional):

// Pref is "javascript.options.shared_memory" (dots, not underscores); each user.js line ends with ";"
// Disables SharedArrayBuffer, removing the high-resolution timer that browser-based Spectre demos rely on
user_pref("javascript.options.shared_memory", false);
// First-party isolation, as suggested in the post
user_pref("privacy.firstparty.isolate", true);

#139

Then…there is this
https://xkcd.com/