An associate at a company we would all recognize says they have tested their AMD systems for both vulnerabilities (Spectre and Meltdown) and found them vulnerable to both.
This is of course hearsay and I cannot be more specific without violating his trust, so take it with a grain of salt.
As bad as these vulnerabilities are, I am still more concerned about Rowhammer2. Spectre and Meltdown will be fixed, eventually, in hardware. To the best of my knowledge there are no plans to address Rowhammer.
AMD states they are not vulnerable to this. Tom Lendacky, who is a software engineer at AMD, states:
However, with the quick fixes that went into the kernel, AMD CPUs are still flagged as "insecure", so it will be hit with the performance penalty unless you pass the nopti kernel option when booting. But the patch to disable this automatically on AMD CPUs has apparently been pulled "in mainline for Linux 4.15", I assume to be included in the next release.
The verbiage used by Tom Lendacky seems to be carefully constructed, specifically "that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault." I wonder if this means they aren't affected specifically by the PTI vulnerability, which is why they submitted the patch to the kernel to prevent PTI from being used on AMD processors. I haven't been able to do a ton of research, but I assume the embargo is still in place and that a lot of the information out there is (very smart) speculation done by those in the industry?
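Added example, not part of the original thread: the post above says the early kernel fixes flag AMD CPUs as insecure and apply PTI unless `nopti` is passed at boot. This shell function classifies a machine from the text of /proc/cpuinfo and /proc/cmdline; `pti_status` is a hypothetical helper name, the sample inputs are constructed, and the `cpu_insecure`/`cpu_meltdown` bug names and the `pti` flag are assumptions about what the running kernel reports.

```shell
#!/bin/sh
# pti_status CPUINFO_TEXT CMDLINE_TEXT   (hypothetical helper, added example)
# Prints: not-flagged | pti-active | pti-disabled-by-cmdline | flagged-no-pti
pti_status() {
    cpuinfo=$1
    cmdline=$2
    # Take the first "bugs" and "flags" lines (repeated per logical CPU).
    bugs=$(printf '%s\n' "$cpuinfo" |
        sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' | head -n 1)
    flags=$(printf '%s\n' "$cpuinfo" |
        sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)

    # Assumption: the first PTI kernels report "cpu_insecure",
    # later ones "cpu_meltdown".
    case " $bugs " in
        *" cpu_insecure "*|*" cpu_meltdown "*) ;;
        *) echo "not-flagged"; return 0 ;;
    esac
    # Assumption: the kernel adds "pti" to the flags line when PTI is on.
    case " $flags " in
        *" pti "*) echo "pti-active"; return 0 ;;
    esac
    # nopti / pti=off on the kernel command line turn PTI off at boot.
    case " $cmdline " in
        *" nopti "*|*" pti=off "*) echo "pti-disabled-by-cmdline"; return 0 ;;
    esac
    echo "flagged-no-pti"
}

# Constructed sample inputs (not captured from real machines).
SAMPLE_AMD_FLAGGED='vendor_id : AuthenticAMD
flags : fpu vme de pse
bugs : fxsave_leak sysret_ss_attrs cpu_insecure'
SAMPLE_INTEL_PTI='vendor_id : GenuineIntel
flags : fpu vme de pse pti
bugs : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_AMD_FIXED='vendor_id : AuthenticAMD
flags : fpu vme de pse
bugs : fxsave_leak sysret_ss_attrs spectre_v1 spectre_v2'
CMD_PLAIN='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 ro'

pti_status "$SAMPLE_AMD_FLAGGED" "$CMD_PLAIN nopti"
pti_status "$SAMPLE_INTEL_PTI" "$CMD_PLAIN"
pti_status "$SAMPLE_AMD_FIXED" "$CMD_PLAIN"

# On a live system:
#   pti_status "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)"
```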
I don't really believe it was only his words, more likely the AMD lawyers' composition together with his technical inputs. And, he (they) referred only to the Meltdown vulnerability (PTI): https://en.wikipedia.org/wiki/Meltdo...vulnerability)
which is a particularity of the speculative execution (out-of-order execution) really only affecting the Intel chips. The general and aggravating vulnerability is Spectre and it's apparently affecting all CPUs that have HW engines for speculative execution. Mitigating Spectre would maybe require some more complex and deeper approach - modifying compilers and recompiling not only the kernel but the entire OS. We'll see, there are armies of paid engineers at these CPU manufacturers that should (hopefully) come up with some solutions.
Yeah, I don't doubt it was just his words in that statement.
Looks like I have a lot of reading to do to try and get fully in the loop. I'll probably just wait a few days and see what the Wikipedia pages for these cover. I don't have a ton of free time right now.
I just hope this grim outlook won't materialize:
"Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones." https://www.schneier.com/blog/archiv...and_mel_1.html
Don't be too optimistic.
If you knew that some microcontroller manufacturer embeds a backdoor into a chip targeted at avionics,
probably nothing would surprise you.
I just found a page that keeps track of the updates related to Meltdown/Spectre. Although the article is in German, from a well-known IT/Tech related online publication, the list points to links in English (Intel, AMD, ARM, Linux, HW manufacturers, etc.): https://www.heise.de/newsticker/meld...n-3936141.html
Funny enough, I own an Intel powered Dell laptop, a few years old, that is vulnerable but doesn't appear in Dell's list of affected systems/updates.
I just found a page that keeps track of the updates related to Meltdown/Spectre. Although the article is in German, from a well-known IT/Tech related online publication, the list points to links in English (Intel, AMD, ARM, Linux, HW manufacturers, etc.): https://www.heise.de/newsticker/meld...n-3936141.html
Good list, thank you!
Quote:
Originally Posted by abga
Funny enough, I own an Intel powered Dell laptop, a few years old, that is vulnerable but doesn't appear in Dell's list of affected systems/updates.
There seem to be two camps in this -
1) The only admit to the stuff we know others have proven broken camp ( hardware manufacturers )
2) The shitlist everything until proven safe camp ( Linux kernel developers )
I know which ones I trust
Last edited by OldHolborn; 01-08-2018 at 04:56 PM.
1) The only admit to the stuff we know others have proven broken camp ( hardware manufacturers )
There are obvious legal and marketing concerns/strategies that are defining the game. Business as usual.
Quote:
Originally Posted by OldHolborn
2) The shitlist everything until proven safe camp ( Linux kernel developers )
I was a little confused about why Linus channeled his rant only towards Intel, it being known that all modern CPUs that have speculative execution can be affected, but in his forum post he dropped a valuable piece of information: http://www.businessinsider.com/linus...t-intel-2018-1
(original link doesn't work all the time: https://lkml.org/lkml/2018/1/3/797 )
" Why is this all done without any configuration options?
A *competent* CPU engineer would fix this by making sure speculation doesn't happen across protection domains. Maybe even a L1 I$ that is keyed by CPL. "
My speculation, without knowing too much about the complex algorithms that are embedded in this speculative execution, is that the Spectre issue might be mitigated with microcode only, imposing some discipline/configuration on these algorithms so that they cannot be influenced.
There is another question floating around about why all the speculative execution engines are affected, as they were copycat-ing each other, my view on this is that the compiler guys (SW) have dictated this uniformity and the HW guys just complied.