[SOLVED] Strange problem! cpu_insecure bug appeared after update! Trying to get rid of it?


#1

As in title, my cpuinfo output had no bugs with previous kernel release.
Now, after the latest update, which brought KPTI, cpuinfo outputs the cpu_insecure bug!
Any solutions?
Update: Ok my cpu is affected, is there any way to get rid of this “cpu_insecure”?


#2

Buy an AMD processor next time?

No because your CPU is affected by this bug.


#3

Got it. So this bug affects even 5th gen cpus.


#4

It affects ALL Intel CPUs.

There are 2 Security issues: Meltdown and Spectre.

Meltdown is a critical security breach that allows every application to read every memory bit of other applications, and it is only fixable by affecting performance. That one affects only Intel.

The second one is Spectre, which needs highly modified, application-specific malware to be usable for exploits and is thus “only” a regular security breach. This one is partially valid for AMD, too. However, Spectre can be fixed without affecting performance.


#5

So now this bug correction will affect performance on next releases?
What about KAISER?


#6

Where do you see this at? I have intel on stable updated and I do not see that.

[lee@Z77M ~]$ uname -a
Linux Z77M 4.14.11-3-MANJARO #1 SMP PREEMPT Thu Jan 4 13:28:20 UTC 2018 x86_64 GNU/Linux
[lee@Z77M ~]$ cpuinfo
Vendor ID: GenuineIntel
Hardware Raw: 
Brand: Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
Hz Advertised: 3.5000 GHz
Hz Actual: 3.4999 GHz
Hz Advertised Raw: (3500000000, 0)
Hz Actual Raw: (3499859000, 0)
Arch: X86_64
Bits: 64
Count: 8
Raw Arch String: x86_64
L2 Cache Size: 8192 KB
L2 Cache Line Size: 0
L2 Cache Associativity: 0
Stepping: 9
Model: 58
Family: 6
Processor Type: 0
Extended Model: 0
Extended Family: 0
Flags: acpi, aes, aperfmperf, apic, arat, arch_perfmon, avx, bts, clflush, cmov, constant_tsc, cpuid, cpuid_fault, cx16, cx8, de, ds_cpl, dtes64, dtherm, dts, epb, ept, erms, est, f16c, flexpriority, fpu, fsgsbase, fxsr, ht, ida, lahf_lm, lm, mca, mce, mmx, monitor, msr, mtrr, nonstop_tsc, nopl, nx, pae, pat, pbe, pcid, pclmulqdq, pdcm, pebs, pge, pln, pni, popcnt, pse, pse36, pti, pts, rdrand, rdtscp, rep_good, sep, smep, smx, ss, sse, sse2, sse4_1, sse4_2, ssse3, syscall, tm, tm2, tpr_shadow, tsc, tsc_deadline_timer, vme, vmx, vnmi, vpid, x2apic, xsave, xsaveopt, xtopology, xtpr

#7

grep cpu_insecure /proc/cpuinfo


#8

Yup bummer.

[lee@Z77M ~]$ grep cpu_insecure /proc/cpuinfo
bugs		: cpu_insecure
bugs		: cpu_insecure
bugs		: cpu_insecure
bugs		: cpu_insecure
bugs		: cpu_insecure
bugs		: cpu_insecure
bugs		: cpu_insecure
bugs		: cpu_insecure

#9

see my reply one above yours.


#10

So no way to soften performance impact?


#11

only by replacing it with an AMD CPU.


#12

You can disable PTI, previously known as KAISER. Set this Kernel Boot parameter.

pti=off

But without it, the system might be insecure, and it is not recommended for Intel CPUs.
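
An added example, not part of any post in this thread: the `bugs` line only says the CPU is affected, while the `pti` entry in the flags list (visible in the output in #6) says the mitigation is running, so `cpu_insecure` staying on screen is expected. The function names are hypothetical; `cpu_meltdown` (the name later kernels use for the same bug flag) and `nopti` (an equivalent boot parameter) do not appear in the thread.

```shell
#!/bin/sh
# has_word FILE KEY WORD: true if WORD is listed on a "KEY : ..." line of FILE.
has_word() {
    awk -F: -v key="$2" -v word="$3" '
        { k = $1; gsub(/[ \t]+/, "", k) }
        k == key {
            n = split($2, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] == word) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# pti_status [CPUINFO] [CMDLINE]: prints one of
#   not-flagged  kernel reports no Meltdown bug flag (CPU not affected,
#                or the kernel predates the KPTI update)
#   mitigated    CPU affected and page table isolation is active
#   disabled     CPU affected and PTI was switched off at boot
#   unmitigated  CPU affected, PTI not active, no boot parameter explains why
pti_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    cmdline=${2:-/proc/cmdline}

    # 4.14.11 names the flag cpu_insecure; later kernels call it cpu_meltdown.
    if ! has_word "$cpuinfo" bugs cpu_insecure &&
       ! has_word "$cpuinfo" bugs cpu_meltdown; then
        echo "not-flagged"
    elif has_word "$cpuinfo" flags pti; then
        echo "mitigated"
    elif tr ' ' '\n' < "$cmdline" | grep -qxE 'pti=off|nopti'; then
        echo "disabled"
    else
        echo "unmitigated"
    fi
}

# Run against the live system with:  pti_status
```

A result of `mitigated` is the normal state on an updated kernel with an affected Intel CPU; `disabled` or `unmitigated` is the state worth flagging in a fleet audit.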


#13

AFAIK performance impact in real life applications is negligible. You probably won’t even notice it.


#14

Anyway, I’ll try to live with it over time…
But now! I feel it’s a shame to boot with bugs:cpu_insecure flag on a 5th gen intel cpu!


#15

Got no info back, but then, my system may be too old…


#16

You want the KPTI mitigations enabled if you use your computer online.

Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins.
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

You know people will eventually find a creative use that enables a drive-by attack.


#17

Nothing from my CPU either.


#18

2 Cases for you:
- An AMD CPU (note: some AMDs are affected as well!)
- Your kernel isn’t updated to have this correctibility ON.
- And (seems untrusted, as it affected the earliest Pentium series) an old CPU (10+ years)


#19

Yeah, it’s included in the latest update.


#20

Same cases I told before.