Kernel Page-Table Isolation (KPTI) - severe ARM + Intel CPU bug, hits partly AMD

kernel
intel
security
kpti
kaiser

#352

Here is your answer; you only need to know about this:

If you want to dig deeper, you may look at this.


#353

Hi Philm
Saw the cartoon elsewhere but good contribution summing things up. CEO’s stock proceeds should go toward replacing all of the vulnerable procs with non vulnerable replacements. At no charge. I share sothis6881’s laughter, derision and revulsion about this crap.

Thing is, with this and the management engine vulnerabilities combined, if you need or want a secure system you are screwed. And as you nailed it, there are no log traces; the only time you find out you have been pwned is when the balances on some of your accounts begin to look wrong or you see signs of identity theft. I have friends that trade crypto on their cell phones and have told a number of them that, given the abortion that stock Android is, they are crazy to trust money to such a crappy OS, but…looks like this has leveled the playing field, yes?

Back to my typewriter.


#354

Greg just mentioned that v4.1 LTS won’t get any KPTI patches …


#355

I can’t imagine how Intel is going to come out of this alive…free “secure” CPUs provided by Intel seems a stretch. This could bring the whole ship down.
It does graphically illustrate to everyone that “security” is basically an illusion…a badly shattered one at that.
I’m not going to make myself sick over it…it is what it is.

Best regards.


#356

philm
Thanks for the info on 4.1 LTS. One wonders when the 4.14.13-1 LTS (the version I am using) patches might be seen. I also have 4.15 on the machine but am not running it for stability concerns. Is there anywhere to find which kernels already have the patches? If not, no worries; I imagine you are pretty busy these days.
Regards and thanks for keeping us updated from behind the curtain.


#357

@expat: I just released a new testing update including v4.14.14. Maybe you could switch to that branch for faster updates.


#358

So please keep this in mind: we (can) dump it in May 2018, even if it may be supported longer by another distro/kernel maintainer.


#359

I agree, this sort of catastrophic design failure is a lawyer’s wet dream.

Hopefully the CEO gets pinged for insider trading and jailed.


#360

sueridgepipe
+100. Agree totally… I’ll bring the matches and gasoline if that will help…accountability for a change, yes? However, as with many things in the US, this will make a bunch of attorneys wealthy as hell and the damaged parties (if this starts to be exploited in the wild) won’t see much of anything.
Tinfoil hat friend proposed that this maybe was a known vuln that was specifically left in place in the architecture since exploits would leave no log traces. Interesting conjecture considering the vuln is probably in what, 90+% of the processors in use today? Of course we can wander off in the weeds with this line of conspiratorial thinking, so maybe let’s not, eh? Anyone ever remember as widespread a hardware vuln as this? I sure don’t. Like all the cell manufacturers are gonna patch this as well, right? Right. Jesus. The more an idle mind considers this, the more it wonders about the possibility of intentionality…

“All ur data belongs to us”

philm
Thanks very much for the info. Curious what, given the list of changes, the recommended install method is… Again, thanks greatly for taking the time and trouble for the release and for posting it here… I bet you are four-eyed from staring at code…we all need to do something really nice for philm and his crew; we are lucky to have such great distro stewards! Kudos to you all!


#361

Meltdown in action - reading memory and reassembly of image




#362

Thank You Mel… what worried me…naked cat photos!


#363

Having been alerted to this additional problem by your post, I’ve been waiting to see what public announcements / actions Oracle might undertake. Just now I went to launch one of my many VB VMs [for an unrelated matter] & it popped up its standard alert that a new version of VB was available. Whilst I use the Stable repo versions, hence for now I remain on 5.2.4, I was keen to read what 5.2.6 brings. Hopeful that it might rectify the hitherto omission of PCID, I went to https://www.virtualbox.org/wiki/Changelog#6 & was disappointed to read… total silence on this issue. Bummer.

VirtualBox 5.2.6 (released 2018-01-15)

This is a maintenance release. The following items were fixed and/or added:

  • GUI: fixed occasional screen corruption when host screen resolution is changed
  • User interface: increase proposed disk size when creating new VMs for Windows 7 and newer
  • User interface: various improvements for high resolution screens
  • VMM: Fixed problems using 256MB VRAM in raw-mode VMs
  • Audio: implemented support for audio playback and recording for macOS guests
  • Audio: further timing improvements for Windows 10 guests
  • Linux hosts: fixed problem accessing mini-toolbar under XFCE (bug #17280, contributed by Dusan Gallo)


#364

First patches just released by Oracle for a bunch of their products.

http://www.securityweek.com/oracle-fixes-spectre-meltdown-flaws-critical-patch-update

Seems Virtualbox is included, though no details here on which version it will be incorporated into.

A patch for the same bug was also included in the security updates for Oracle VM VirtualBox.

EDIT :

More detailed Oracle Virtualization security advisory info, per CVE.

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixOVIR


#365

Had not even thought about the VM’s. Damn. Thanks to you both for bringing this here.


#366

FYI … https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU

So, how/why would you not have PCID?

It turns out that because PCID was so boring and non-exciting, and Linux didn’t even use it until a couple of months ago, it’s been withheld from many guest-OS instances when running on modern hardware and modern hypervisors. In my quick and informal polling I so far found that:

  • Most of the KVM guests I personally looked in did NOT have pcid
  • All the VMWare guests I personally looked in DID have pcid
  • About half the AWS instances I personally looked in did NOT have pcid, and the other half did.

The remainder of the article is similarly informative + wrist-slitting-worthy :sunny:


#367

Oh Jesus H Christ. Great article but horrible consequences. Seems like this gets worse with every passing hour. One can only wonder, aside from Manjo, what other guest OSes may or may not, through VB, implement this. Given this and the possible problems with system calls being lost on flushes, and things slowing to a crawl…

So, to be clear on this: is it the responsibility of VB to handle PCID being used? Or is this shared with whatever the guest OS is? This is an area I don’t know that much about.
Thanks for the link. (looks for a razor blade)


#368

Much more info will come out over the following months / years; little of it will be good.


#369

My offer of gasoline and matches still stands. Hell, I’ll help stack the wood…
So is the hypervisor responsible for implementing PCID? Or the Host OS? Or the guest OS, given that the processor is new enough to be PCID capable? Can one consider that running Manjo host on bare metal that PCID is used depending on the kernel yes? A vulnerability like this makes me realize how ignorant I am.

Another thing I have been considering is after we leave our own systems, how many parts of the chain, say between myip and forum.manjaro.org or between myip and mybroker.com are vulnerable to this (like how many hops on a tracert yes?), and what implications of that may be.
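A quick way to answer the PCID question from the quoted article and the post above for your own host or guest (an added example, not from the thread): it parses the `flags` line of a cpuinfo-format file for `pcid`/`invpcid` and reads the sysfs vulnerability file that the KPTI patches added. The sysfs path and the flag names are assumed from the upstream kernel; the guest flags line in the block is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): report whether PCID/INVPCID are exposed to the
# kernel you are running, and what the kernel itself says about Meltdown.
# Functions take a cpuinfo-format file so they work on /proc/cpuinfo or a saved copy.

cpu_has_flag() {
    # $1 = flag name, $2 = cpuinfo-format file; true if the flag is on the first 'flags' line
    grep '^flags' "$2" | head -n 1 | tr ' ' '\n' | grep -qx "$1"
}

pcid_report() {
    # Prints "pcid+invpcid", "pcid-only" or "no-pcid" for the cpuinfo file given as $1.
    # INVPCID matters because it lets the kernel flush one address-space tag without
    # dropping the whole TLB, which keeps the KPTI cost down.
    if cpu_has_flag pcid "$1"; then
        if cpu_has_flag invpcid "$1"; then echo "pcid+invpcid"; else echo "pcid-only"; fi
    else
        echo "no-pcid"
    fi
}

meltdown_status() {
    # Reads the sysfs file added with the KPTI patches (e.g. "Mitigation: PTI").
    # Prints "unknown" on kernels that predate it. $1 overrides the path, for testing.
    f="${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# Constructed sample: a KVM-style guest flags line where the hypervisor withheld pcid.
SAMPLE_GUEST=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae sse sse2 ht syscall lm\n' > "$SAMPLE_GUEST"
echo "constructed guest sample: $(pcid_report "$SAMPLE_GUEST")"   # no-pcid
rm -f "$SAMPLE_GUEST"

# Real check on the machine this runs on, when it is a Linux box.
if [ -r /proc/cpuinfo ]; then
    echo "this machine: $(pcid_report /proc/cpuinfo), meltdown: $(meltdown_status)"
fi
```

Run it inside the VM and on the host: a guest showing `no-pcid` while the host shows `pcid+invpcid` is exactly the hypervisor-side withholding the article describes.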


#370

These questions, & others will be answered in next week’s enthralling episode of Soap / [or] As The Stomach Turns [depending on one’s possible preference for TCBS].

Sorry for OT flippancy. I can’t supply actual tech answers to your questions.


#371

LOL thanks kdemeoz. Understand. We all are getting educated. I feel like a primitive sapien being shown fire for the first time.