Problems? See this thread at archive.org.
To be fair, I'm leaving them on for a couple of test machines to see what happens.
-
-
You play with the fire
----------------------------------------------
Edit. Microcode revision guidance - February 12 2018Last edited: Feb 13, 2018 -
Microsoft Security Updates February 2018 release-Ghacks.net
As you all know... New is always better Direct update downloads in the link above (to the Microsoft Update Catalog website where you can download the updates as standalone files). I wish you good luck
I'm a Happy Camper with slow download speed. I will take my time
-
MS-DEFCON 2 for Feb 2018: Make sure Automatic Update is turned off
Posted on February 12th, 2018 at 08:24
https://www.askwoody.com/2018/ms-defcon-2-for-feb-2018-make-sure-automatic-update-is-turned-off/
![[IMG]](images/storyImages/Keystone-Kops-2.jpg)
"Last month’s Patch Tuesday (and Monday, Wednesday, Thursday, Friday, Saturday and Sunday) should prove, once again, that knowledgeable Windows users need to turn off Automatic Update.
Do me a favor, wouldja? If you bump into any of the self-proclaimed security “experts” who tell everyone to turn on Automatic Update, would you post a link to their drivel? I took a lot of guff for my posts a year ago, advising folks to turn off Automatic Update. If there’s anybody in the industry who’s still spreading that kind of hooey, I want to know who and why."
Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against CPUs with speculative execution.
https://www.suse.com/de-de/support/kb/doc/?id=7022512
Modified Date: 12-FEB-18
SUSE, SUSE Linux Enterprise Desktop, SUSE Linux Enterprise Server
This document (7022512) is provided subject to the disclaimer at the end of this document.
Environment
Based on research from various groups and individuals a new family of side channel attacks against CPUs with speculative execution were identified that can be used by attackers to read content of otherwise inaccessible memory.
To help mitigating this hardware implementation related flaws on the software layer, SUSE as an operating system vendor has released and is continuing to work on mitigations for these side channel attacks in the Linux kernel and other packages.
For details on the vulnerability, please check : https://meltdownattack.com/
Situation
The following three attacks have been identified :
CVE-2017-5753: variant 1 - bounds check bypass
Local attackers could use speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by fencing speculative execution on affected code paths throughout the Linux kernel and needs to be addressed for all SUSE Linux Enterprise processor architectures.
Fixes for this variant are contained in the SUSE Linux Kernel updates.
AMD/Intel x86-64, IBM Power and IBM Z have received mitigations, only ARM Arch64 has not yet received them yet.
As these mitigations need to be added to a lot of different places throughout the Linux Kernel and potentially even also other packages, future updates could be necessary.
CVE-2017-5715: variant 2 - branch target injection
Local attackers could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak otherwise non-readable content in the same address space, an attack similar to CVE-2017-5753.
There are two different approaches to mitigate this issue, both complement each other :
Approach 1 : Selectively restricting the indirect branch predictor
This first method is done by restricting predictive branches, depending on CPU architecture either by firmware updates and/or mitigations in the user-kernel privilege boundaries.
Terminologies used :
- IBPB: Indirect branch prediction barrier. Previous learned branch prediction targets are forgotten at this barrier, used when switching to a different privilege context.
- IBRS: Indirect branch restricted speculation. If set, indirect branches will not use previous speculation data from lower privilege levels.
- STIBP: Single thread indirect branch predictors prevents indirect branch predictions from being controlled by the sibling Hyperthread.
Further reading in this white paper from Intel: https://newsroom.intel.com/wp-conte...is-of-Speculative-Execution-Side-Channels.pdf
Fixes needed in / by CPU architecture :
Intel x86_64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
AMD x86_64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
IBM Z : Linux Kernel and CPU Microcode (Microcode delivered by IBM)
IBM Power : CPU Microcode (Microcode delivered by IBM)
ARM Arch64 : still in development
This mitigation has a performance impact, and as such, this will be made configurable via the kernel command line option "nospec" in later releases. Please note that disabling it will disable the mitigation for CVE-2017-5715 and should only be done on systems with trusted users executing only trusted code (!).
Note on Intel CPU Microcode :
As Intel reported increased system instabilities after applying the 20180108 Intel CPU Microcode updates, we have retracted those from our update servers. We are in close contact with Intel and will be releasing new microcode updates once Intel releases them.
A detailed technical Intel Microcode guidance document was published on :
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
The last Intel microcode update can be force installed using :
On SLE 12 :
zypper in -f ucode-intel-20170707-13.5.1
On SLE 11 SP3 LTSS and SLES 11 SP4 we have released an incremental "microcode_ctl" package that again reverts to the 20170707 state of the Intel ucode, which is available from our update servers.
Approach 2 : Rebuilding the kernel without indirect jumps by using "retpolines"
SUSE is currently working on compiler and kernel support for the "retpolines" technology that replaces indirect jumps by return-trampolines and will be releasing kernel updates with those enabled for x86_64 in the next weeks.
These kernel updates will mitigate the Spectre variant 2 problem without a need for microcode updates on most of the AMD and Intel x86_64 systems.
Some new x86_64 platforms like Broadwell and Skylake will still need microcode updates even with a retpoline enabled kernel.
CVE-2017-5754: variant 3 - rogue data cache load
Local attackers could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach described in the "KAISER" paper and called "Page Table Isolation" / "PTI".
We have released updates that implement this mitigation on the Intel x86_64 and IBM Power architecture.
This mitigation is also necessary for the ARM architecture and will be delivered in the second round of updates.
This problem does not affect the AMD x86_64 and IBM Z processor architecture.
This mitigation can be enabled / disabled by the "pti=[on|off|auto]" or "nopti" command line options. More details can be found in the "Additional information" section. Please note that disabling it will disable the mitigation for this issue (!).
Resolution
SUSE has released kernel updates for all maintained SUSE products to mitigate the "Meltdown" attack.
SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 1" attack.
SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" attack, pending on availability of CPU Microcode updates.
SUSE has released CPU microcode updates for AMD Ryzen in the "ucode-amd" package on SLE 12 and "microcode_ctl" on SLE 11.
SUSE has released KVM and QEMU updates to allow passing through CPU flags and MSR registers to support controlling speculative branch handling.
SUSE has released system compiler updates including "retpoline" support.
SUSE is in the process of releasing kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" using the "retpoline" method on x86_64.
Going forward :
SUSE will be releasing kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" using the "retpoline" method on x86_64.
SUSE will also be releasing firmware updates for Intel x86_64 in the packages microcode_ctl on SUSE Linux Enterprise 11, ucode-intel on SUSE Linux Enterprise 12, once stable microcode updates from Intel are available.
The XEN Hypervisor also needs mitigations for the described problems, these are currently in development.
For further details on XEN, KVM and QEMU updates please review TID 7022514.
Performance Impact
The performance impact of these patches is highly dependent on the actual workload, but also on CPU vendor and family. We recommend to always validate the performance impact prior to deploying these updates to production systems.
For more detail on the performance aspect, please read this SUSE blog here : https://www.suse.com/c/meltdown-spectre-performance/
SUSE has released the following updates :
SLES 12 SP3
kernel-default-4.4.114-94.11.3 released Wednesday, 7th of February 2018
kernel-default-4.4.103-94.6.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
kernel-default-4.4.103-6.38.1 released Thursday, 4th of January 2018
ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
(**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
(**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018
SLES 12 SP3 Real Time
Original fixes were included in GA release. Future updates will be released via maintenance.
SLES 12 SP2
kernel-default-4.4.114-92.64.1 released Friday 9th of February 2018
kernel-default-4.4.103-92.59.1 (IBM Z Series ONLY) released Thursday, 11th of January 2018
kernel-default-4.4.103-92.56.1 released Thursday, 4th of January 2018
ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
(**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
(**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
SLES 12 SP2 Real Time
kernel-rt-4.4.104-24.1 released Thursday, 25th of January 2018
SLES 12 SP1 - LTSS
kernel-default-3.12.74-60.64.72.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
kernel-default-3.12.74-60.64.69.1 released Friday, 5th of January 2018
(**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
(**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
qemu-2.3.1-33.6.1 released Tuesday, 9th of January 2018
[*SLE-12-SP1 ppc64le customers, please see 'note 2' below.]
SLES 12 - LTSS
kernel-default-3.12.61-52.111.1 released Tuesday, 16th of January 2018
ucode-amd-20140807git-5.3.1 released Tuesday, 9th of January 2018
(**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
(**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
SLES 11 SP4
kernel-default-3.0.101-108.24.1 (IBM Z Series ONLY) released Thursday, 18th of January 2018
kernel-default-3.0.101-108.21.1 released Thursday, 4th of January 2018
microcode_ctl-1.17-102.83.12.1 released Friday ,19th of January 2018
(**obsoleted**) microcode_ctl-1.17-102.83.9.1 released Thursday,11th of January 2018
(**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
SLES 11 SP4 Real Time
kernel-rt-3.0.101.rt130-69.14.1 released Tursday, 23th of January 2018
SLES 11 SP3 - LTSS
kernel-default-3.0.101-0.47.106.11.1 released Monday, 8th of January 2018
microcode_ctl-1.17-102.83.12.1 released Friday ,19th of January 2018
(**obsoleted**) microcode_ctl-1.17-102.83.9.1 released Thursday,11th of January 2018
(**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
SUSE CaaS Platform
ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018
Note 1: Observing multiple microcode-ctl and/or ucode-intel releases for the same SLE version :
As firmware updates continue to become available for other CPU models, this will show as another new microcode-ctl and/or ucode-intel release with the date released.
The microcode listed as (**obsoleted**)where removed from our maintenance updates and SUSE patch finder location here due to quality issues reported by customers and community.
Note 2 : An LTSS channel for SLE-12-SP1 ppc64le does not exist.
The patches for Spectre & Meltdown are available in the SLES-12-SP1-SAP channel. This channel is supported until May 2018 (as per the SUSE Product Life Cycle page here).
Important note : A valid SLES for SAP subscriptions is required to access this repository.
Cause
CVE-2017-5753 (Spectre - variant 1)
CVE-2017-5715 (Spectre - variant 2)
CVE-2017-5754 (Meltdown - variant 3)
Additional Information
Products running on top of SUSE Linux Enterprise Server, such as SUSE OpenStack Cloud, SUSE Enterprise Storage, SUSE Manager are not directly vulnerable. For these SUSE products, updating the the Host (running SUSE Linux Enterprise Server) with the updates detailed and listed here is sufficient.
Public Cloud:
SUSE has updated all (on-demand and BYOS) images that are actively maintained within the SUSE Public Cloud Image lifecycle guidelines. Image information can be retrieved with the "pint" tool.
All updated images have a timestamp of v20180104, i.e. January 4th 2018 or later.
For all running instances of SUSE images in production within public clouds, SUSE's advice to all customers is to apply all existing kernel updates available.
Enabling or Disabling Mitigations for Performance reasons
Mitigations that were applied can be selectively enabled or disabled.
SUSE Linux Enterprise chooses the default to be secure, meaning the mitigation's are enabled.
Spectre variant 2 kernel parameters :
For x86_64 architecture a new "spectre_v2" kernel commandline parameter has been added to control how the spectre variant 2 mitigations are enabled.
spectre_v2=<value>
<value> :
on - unconditionally enable the mitigation
off - unconditionally disable the mitigation
auto - kernel detects whether your CPU model is vulnerable
Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.
Specific mitigations can also be selected manually:
retpoline - replace indirect branches
retpoline,generic - google's original retpoline
retpoline,amd - AMD-specific minimal thunk
nospectre_v2 - this is the same as spectre_v2=off
Not specifying any option is equivalent to using : spectre_v2=auto.
For x86_64 we also support the option:
nospec
This option disables the CPU microcode based Spectre variant 2 mitigations.
The retpoline enablement is not controlled by this option.
For s390x architecture, the parameter is called "nobp", and has following values :
nobp=<value>
<value> :
on - enable mitigation
off - disable mitigation
PTI kernel parameter:
The default value for x86-64 is "auto", meaning enabled for processors deemed vulnerable or unknown, and disabled on those known to be unaffected (AMD).
For ARM the default value is "off" for the time being as the "auto" trigger has not been implemented yet.
pti = auto
lets kernel decide, which means it turns PTI on when is's running on Intel and turns it off when running on AMD
pti = off
force-disable PTI even on Intel
pti = on
force-enables PTI even on AMD
Verifying if a system is protected :
Following updating the latest kernels, it is possible to check /proc/cpuinfo for 'kaiser' or 'pti' and 'spec_ctrl' or 'ibpb' information.
When the output includes :
'kaiser' or 'pti' flags, then v3 (Meltdown) protection is active.
'spec_ctrl' flag, then v2/v1 (Spectre) protection is active on Intel CPU's.
'ibpb' flag, then v2/v1 (Spectre) protection is active on AMD CPU's.
Additional detail :
- The 'kaiser' flag is used on SLE versions up to SLE 12, in turn, SLE 15 will use the 'pti' flag.
- The 'spec_ctrl' or 'ibpb' flag implies both v2 and v1 protection, but if it is not present, it means v2 is not active, but v1 still may, as it currently cannot be disabled in SLES - if the installed kernel has it, it's on.
Disclaimer
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND."
Linux Meltdown patch: 'Up to 800 percent CPU overhead', Netflix tests show the performance impact of Meltdown patches makes it essential to move systems to Linux 4.14.
By Liam Tung | February 12, 2018 -- 12:36 GMT (04:36 PST)
http://www.zdnet.com/article/linux-meltdown-patch-up-to-800-percent-cpu-overhead-netflix-tests-show/
"The Linux mitigation for Meltdown known as kernel page table isolation (KPTI) can cause a massive drain on CPU performance, according to an analysis by Brendan Gregg, a senior performance architect at Netflix.
While Intel's Spectre mitigations have attracted the most attention for causing performance and stability problems, Gregg finds that KPTI causes the "largest kernel performance regressions I've ever seen".
KPTI prevents Meltdown leaks by using completely separate page tables for user-mode execution and kernel-mode execution.
To test the impact of KPTI, Gregg created a microbenchmark and found that Netflix, one the largest users of AWS, is likely to see a performance overhead of between 0.1 percent and six percent due to KPTI. However, others may see much larger overheads.
"The KPTI patches to mitigate Meltdown can incur massive overhead, anything from one percent to over 800 percent," he writes.
"Where you are on that spectrum depends on your syscall and page fault rates, due to the extra CPU cycle overheads, and your memory working set size, due to TLB flushing on syscalls and context switches."
Gregg's analysis looks at five key factors that influence overhead, including system call rates, context switches, page fault rate, the working set size, and cache pattern access. Depending on the measurements for each factor, the performance overhead can balloon from two percent to 17 percent.
The circumstance where the overhead can exceed 800 percent is when using a version of Linux that didn't support PCID or process-context ID.
The Linux kernel added support for PCID in version 4.14, improving its handling of the Meltdown-fixing separate tables so long as the CPU supports PCID too.
Exactly how much the system is impacted depends on the characteristics of the application. As he notes, applications with higher system call, or syscall, rates, such as proxies and databases that do lots of tiny I/O, will suffer the largest losses. The impact also rises with higher context switch and page fault rates.
Gregg offered the following summary:
• Syscall rate: There are overheads relative to the syscall rate, although high rates are needed for this to be noticeable. At 50,000 syscalls per second per CPU, the overhead may be two percent, and climbs as the syscall rate increases. At Netflix, high rates are unusual in the cloud, with some exceptions, such as databases.
• Context switches: These add overheads similar to the syscall rate, and the context switch rate can simply be added to the syscall rate for the following estimations.
• Page fault rate: Adds a little more overhead as well, for high rates.
• Working set size, hot data: More than 10MB will cost additional overhead due to TLB flushing. This can turn a one percent overhead (syscall cycles alone) into a seven percent overhead. This overhead can be reduced by a) PCID, available in Linux 4.14, and b) huge pages.
• Cache access pattern: The overheads are exacerbated by certain access patterns that switch from caching well to caching a little less well. Worst case, this can add an additional 10 percent overhead, taking, say, the seven percent overhead to 17 percent.
He expects Netflix will be able to reduce the performance overhead to less than two percent by using Linux 4.14 with PCID support, huge pages, syscall reductions and other methods to fine-tune performance.
However, Gregg notes that KPTI is only one source of performance overheads in the fixes for Meltdown and Spectre, which include cloud hypervisor changes, Intel's microcode, and compilation changes such as Google's Retpoline fix.
![[IMG]](images/storyImages/linusmeltdowngreggkpti.png)
Brendan Gregg has set out the cost of extra CPU cycles in the syscall path.Last edited: Feb 13, 2018 -
Microsoft delivers free Meltdown-Spectre assessment tool for IT pros
Protecting an organization from attacks based on two widespread and potentially deadly security vulnerabilities requires monitoring software, firmware, and antivirus updates. New capabilities in Microsoft's Windows Analytics service display that status on a single dashboard.
By Ed Bott for The Ed Bott Report | February 13, 2018 -- 17:00 GMT (09:00 PST)
http://www.zdnet.com/article/microsoft-delivers-free-meltdown-spectre-assessment-tool-for-it-pros/
To address that acute problem, Microsoft announced today that it's releasing a new set of tools to help Windows admins assess what they need to do to protect their enterprise PCs from Meltdown and Spectre."If you're an IT pro and you haven't been sleeping soundly since the New Year, blame Meltdown and Spectre. These serious security flaws, more formally known as "speculative execution side-channel attacks," are present in all modern CPUs and represent the sort of problem that can keep any network admin up at night.
The biggest challenge is keeping track of all the pieces that need to be patched. To fully protect your Windows PCs from the inevitable attacks aimed at these vulnerabilities, you'll need to apply multiple software patches and update the BIOS or firmware on the underlying hardware.
(For more details, see "Meltdown-Spectre:Four things every Windows admin needs to do now.")
If your organization has standardized on third-party antivirus software, you'll also have to assess whether that software is compatible with those software and firmware patches. (You might also need to edit the registry on affected PCs to unblock security updates for those devices.)
Oh, and if you installed one of the early, defective firmware patches, which were the cause of " higher than expected reboots and other unpredictable system behavior," you might have still one more item to add to your checklist: Undo the January 2018 update (KB4078130) that temporarily disabled the software mitigations.
But don't do that until the PC maker pushes out a new firmware update to replace the defective one.
If you're responsible for a single PC, that checkup is easy to do manually. In a small office with a half-dozen PCs, it's a tedious but manageable task.
On a network with hundreds or thousands of Windows PCs, however, inspecting and patching every device by hand is impractical.
These capabilities are available through the free Windows Analytics service, which collects data from an organization's registered devices using the built-in Windows telemetry service and displays the aggregated protection status on a single dashboard like the one shown here.
![[IMG]](images/storyImages/windows-analytics-spectre-meltdown-assessment.jpg)
These capabilities are newly added to the Windows Analytics dashboard.
Image credit: Microsoft
The Windows Analytics capabilities are available on Pro, Enterprise, and Education editions of all supported desktop versions of Windows: Windows 7 with Service Pack 1, Windows 8.1, and Windows 10. Setting up the service requires an Azure Active Directory account, which is also free. (If your organization has a business or enterprise Office 365 subscription, you already have the Azure AD infrastructure in place.)
As the screenshot above illustrates, the dashboard displays three crucial pieces of information, called status insights:
- Antivirus software status: Most third-party antivirus software has been updated to be compatible with the Windows security updates for Spectre and Meltdown. This status insight should identify any devices that still require updates.
- Windows security update status: This panel shows which security updates have been installed on a device that's being monitored and also indicates whether any of those updates have been disabled. This status insight includes information for all original January 2018 updates as well as the updates released as part of the February 2018 Patch Tuesday release. (For a complete list of software updates by edition, see "Protect your Windows devices against Spectre and Meltdown" [KB4073757].)
- Firmware security update status: In an interview ahead of today's announcement, Klaus Diaconu, Partner Group Program Manager at Microsoft, acknowledged that this piece of the puzzle is "still evolving." Intel pulled its original microcode updates, and some of the PC makers who were burned with the initial batch of defective updates are being more cautious with the latest round of updates.
Most large organizations already have update management tools in place to deliver Windows security patches and antivirus updates as needed. Firmware updates are potentially the most problematic, as they don't always allow for automated updates from a centralized server.
This is not a problem for Microsoft's Surface devices, which deliver firmware and other system software updates through Windows Update. For other PC OEMs, the update workflow might be more challenging, and it might be weeks or months before the required updates are available.
In the short run, this service solves a serious problem for harried IT pros. In the long run, it also represents an opportunity for Microsoft to introduce its relatively new Windows Analytics service to a generation of admins who haven't tried it yet. Because, sadly, the Meltdown-Spectre cleanup is going to be a long process, with more updates to come.
Windows Analytics
Windows Analytics now provides insights into device status for Meltdown and Spectre
https://www.microsoft.com/en-us/windowsforbusiness/windows-analyticsajc9988, Vasudev, Raiderman and 1 other person like this. -
-
-
-
-
-
That's not even at the rumor stage then, just wishful thinking.
The problem is there are a lot of Motherboards out there, and we don't know - many worry - that there won't be enough depth in coverage for BIOS updates - but we've never had this level of problem before, going back 10+ years affecting every Intel motherboard, so it's a complete unknown.
It's possible vendors will be overwhelmed, and they will be forced due to a lack of resources to draw an imaginary line in time, say at the 1 year, or 2 year, or ? year warranty mark for BIOS updates. Out of warranty MB's may never get an update.
Or, there will be government - or Intel - subsidized funding to allow the motherboard makers to push back further in time to make BIOS updates to protect those older systems too. More wishful thinking
No one knows how this is going to work out short and long term.Last edited: Feb 21, 2018 -
-
-
I don't see papusan's posts, I am ignoring him. I posted it, including Intel's press release.
The point is nothing has changed from our earlier exchange, there are no new BIOS's to download, we are still waiting. That was the purpose of posting that whole article, so you will read it and notice it is dated 1 month after your BIOS downloads post - which was dated just before Intel pulled their Spectre microcode patches.
Intel just released Kabylake Spectre microcode, it'll take time for the vendors to build and test BIOS updates, and I'm sure they will take more time testing them before releasing them to customers this time, that is if they wise up and don't assume Intel is doing adequate testing before rushing them to vendors.
Hope springs eternal, but we can't download it.
Last edited: Feb 22, 2018 -
AMD Hit With Multiple Lawsuits Over Spectre Chip Exploits-Hothardware.com
Yeees. Amd is the only choice All talk about Intel's flaws, but AMD's micro architecture is almost brand new!!
"Despite its knowledge of the Spectre defect, AMD continued to sell its processors to unknowing customers at prices much higher than what customers would have paid had they known about the Spectre defect and its threat to critical security features as well as on the processing speeds of the devices they purchased," one of the lawsuits alleges.
"Defendant has been unable or unwilling to repair the security vulnerabilities in the subject CPUs or offer Plaintiff and class members a non-defective CPU or reimbursement for the cost of such CPU and the consequential damages arising from the purchase and use of such CPUs," reads another lawsuit.
The second lawsuit goes on to claim that AMD's software patches have not been adequate in protecting affected customers from all variants of Spectre, and that firmware updates will be required. "Even then, these 'patches' dramatically degrade CPU performance," the lawsuits states.Vistar Shook likes this. -
-
-
iGPU=Intel
-
OpenBSD releases Meltdown patch
And now to see if it's an unwelcome imposition or a mere inconvenience
By Richard Chirgwin 23 Feb 2018 at 05:30
https://www.theregister.co.uk/2018/02/23/openbsd_emits_meltdown_patch/
"OpenBSD's Meltdown patch has landed, in the form of a Version 11 code update that separates user memory pages from the kernel's – pretty much the same approach as was taken in the Linux kernel.
A few days after the Meltdown/Spectre bugs emerged in January, OpenBSD's Phillip Guenther responded to user concerns with a post saying the operating system's developers were working out what to do.
Now he's revealed the approach used to fix the free OS: “When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread's real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.”
That explanation is somewhat obscure to non-developers, but there's a more readable discussion of what the project's developers had in mind from January, here.
Part of the OpenBSD solution used the approach employed by Matthew Dillon in his DragonFly BSD – the per-CPU page layout aspect.
It'll take testing for OpenBSD users to confirm the performance impact of the fix.
Gunther's commit note says the aim was to implement the fix “with only the minimum of kernel code and data required for the transitions to/from the kernel (still marked as supervisor-only, of course)”.
That's still challenging: earlier this month, Netflix (and dTrace) engineer Brendan Gregg ran tests on patched Linux, and found slowdowns between 0.1 per cent (bearable) and 6 per cent (important in big systems).
However, Gregg reckoned that skilled sysadmins would be able to tune their systems to cope; the same, we hope, will be true for OpenBSD."
Mitigating the Performance Impact of Meltdown / Spectre Kernel Patches
The performance issues introduced by the vulnerability mitigations can cripple developer machines performance
Attila Orosz, FEB 23, 2018
http://wayoflinux.com/blog/meltdown-spectre-performance
"Meltdown and Spectre took the world (but not the industry) by surprise after the carefully guarded information leaked into the public consciousness. While the revelation was not intentional (from the industry's side anyway), the lack of action was. Of course patches had to be issued in a hurry after the world learned about just how serious the vulnerabilities are, and given the short timeframe, the first patches are just, well, patchy...
A lot has been said and written about the performance penalty resulting from these patches. After all, the offending CPU "features" were meant to enhance performance, so disabling them were expected to have an impact. While most of the reporting was basically hype, and apparently served no other purpose than distract the public's attention from some far more serious implications, some have really felt the patches coming back to bite them on the rear-parts.
Particularly those working with software development tools feel a performance decrease, as compile and build times can greatly increase with the patched kernels. Managed languages such as Java might perform even worse, so if you are working with something like Java and/or doing Android development, you might have noticed your IDE locking up, freezing or just generally underperforming.
Of course the currently available patches are the first responses to the problem, cobbled together in record time. The primary focus was mitigation, performance issues are so far seen as a side effect. Once the dust settles, we can hopefully expect better, more efficient solutions to replace the current ones, and while no software solution can counterbalance the spectacularly stupid hardware design decisions that introduced the problems in the first place, there is still hope that eventually, we end up with something workable.
Until such time, however, developers can simply re-enable their machines, by turning off the patches.
BEFORE YOU PROCEED: MAKE SURE YOU UNDERSTAND THE RISKS
This Ubuntu Insights article discusses the issue in some detail, with additional resources provided for further reading. Despite its use of the same PR-esque language as your average hype-aggregator would (calling the vulnerabilities "attacks", as opposed to what they really are: vulnerabilities caused by deliberately idiotic, faulty hardware design), it's worth reading.
One important conclusion of said article is that average Desktop users will experience negligible slowdowns resulting from the patches, so minimal that most would probably not even notice if their attention had not been hijacked by overhyped reporting on how bad it will all get fo us.
If you do have real-time issues, e.g. the very noticeable performance decrease, and frequent freezes of Android Studio, IntelliJ or Eclipse (and other) IDEs, and the two-three times longer build times on larger projects, etc., you still want to do everything you can to lower the risks of going "patchless".
Physically securing the machines, using strong passwords, locking properly when leaving your workstation, using the latest browsers (as the most common attack surface might be your browsers JS engine), are absolutely necessary pre-requisites of going "patchless".
You should read everything you can on the vulnerabilities, and the risks associated with disabling the patches. This article is only meant to provide a quick way to do this, but the responsibility is ultimately your own.
DISABLE THE OFFENDING PATCHES
Once again, if you came here because you've read an article about the performance impact of the patches and now you fear for your life because Facebook might load slower, or you're looking to enhance PC performance because some stupid game might run faster, stop reading now, uninstall your browser, turn off the PC, tear out the hard-drive, and declare yourself unfit to operate computing equipment.
This cannot be repeated often enough: The meltdown/spectre patches are vital to keeping your PC and data safe, and disabling them will expose your computer to these vulnerabilities. Follow the below advice at your own risk. Any damage, loss of data, or any other negative outcome is your own responsibility. You have been warned.
If your concerns are genuine, however, such as your work is impacted by serious penalties on build/compilation time, IDE performance, etc. your solution is fortunately quite simple.
The current, or perhaps some future patches will eventually become part of the kernel, so you might want to HODL your current kernel after doing this, like it was some fancy new crypto, until everything properly settles or you can buy a less affected CPU.
FOUR COLOURFUL NOTICES LATER, THE SOLUTION
The current patches can be disabled with simple kernel command line parameters. (Yay!) This RedHat KB articleexplains the three main performance hogs and how they can be disabled, while this Ubuntu wiki article lists all relevant tunables, so that you can cherry-pick what is loaded, depending on your situation/evaluation.
The three most common performance "offenders", as per the above RH article are:
- Page Table Isolation (pti) — Use the parameter nopti or pti=off to disable it
- Indirect Branch Restricted Speculation (ibrs) — Use the parameter noibrs to disable it
- Indirect Branch Prediction Barriers (ibpb) — Use the parameter noibpb to disable it
sudo micro /etc/default/grub
(You can, of course, use nano, vi(m), and even emacs, if you feel masochistic, or whatever you fancy, this is just a text file)
...then change the line where it says GRUB_CMDLINE_LINUX_DEFAULT from something like:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
(It might not look exactly like that, but you being a developer n'all should already know this)
...to something like:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nopti noibrs noibpb"
(Of course you want to keep the original parameters, because why wouldn't you wanna keep them.)
...then update grub with:
sudo update grub
or
sudo update-grub2
depending on your setup.
If you're not loading with GRUB/2, you can find the most detailed guide to kernel parameters known to man on the Arch Linux Wiki, right here, with generic kernel boot-parameter instructions for just about any possible scenario.
And that's it. Reboot, and your PC should have its old performance once again. Now get back to work, but only afer you've shared this article on your favourite social media platform.
Happy coding.
Last edited: Feb 23, 2018Vasudev likes this. -
-
-
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more
Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.
