LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 01-07-2018, 03:56 AM   #1
TL_CLD
Member
 
Registered: Sep 2006
Posts: 356

Rep: Reputation: 44
Greg Kroah-Hartman on Meltdown, Spectre and the Linux kernel


http://kroah.com/log/blog/2018/01/06/meltdown-status/

As the admin of a small "fleet" of Slackware desktops and servers, I can honestly say that I'm not looking forward to this:

Quote:
And then keep updating them over the next few weeks, we are still working out lots of corner case bugs given that the testing involved here is complex given the huge variety of systems and workloads this affects
Yoinks!

I'm glad though that a lot of very clever people are hard at work resolving this whole mess. Also I'm happy that most of the boxes at my company are AMD. I think I'm down to a measly 9-10 Intel boxes, so that's a good thing at least.

But yea, interesting times ahead indeed.

What is your plan/experience with all this? I for one intend to just apply whatever patches Pat + crew put out.
 
Old 01-07-2018, 04:48 AM   #2
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware Gentoo ARM (eval)
Posts: 206

Rep: Reputation: 83
Indeed a lot of people are hard at work, Intel is releasing patches the following days:
https://newsroom.intel.com/news-rele...rity-exploits/

Linus & Kernel Team are working hard (Parental Advisory! - NSFW!):
https://lkml.org/lkml/2018/1/3/797
(if the original Link containing his E-Mail is not opening)
http://www.businessinsider.com/linus...t-intel-2018-1

And your AMD systems are also affected by Spectre:
https://www.amd.com/en/corporate/speculative-execution

Last edited by abga; 01-07-2018 at 04:51 AM. Reason: typo
 
2 members found this post helpful.
Old 01-07-2018, 06:11 AM   #3
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 16,106

Rep: Reputation: 2255
More relevant for me ...
Quote:
Right now, there are a lot of very overworked, grumpy, sleepless, and just generally pissed off kernel developers working as hard as they can to resolve these issues that they themselves did not cause at all. Please be considerate of their situation right now. They need all the love and support and free supply of their favorite beverage that we can provide them to ensure that we all end up with fixed systems as soon as possible.
Poor bastards get no appreciation ...
 
7 members found this post helpful.
Old 01-07-2018, 09:32 AM   #4
OldHolborn
Member
 
Registered: Jul 2012
Distribution: Slackware!
Posts: 144

Rep: Reputation: 119
Quote:
Originally Posted by TL_CLD
What is your plan/experience with all this? I for one intend to just apply whatever patches Pat + crew put out.
Use the publicity around this to encourage people to run ad-blockers (ublock-origin / NoScript etc), after all the web browser is the No1 introducer of untrusted content on to the average computer and if that has the side effect of also blocking the trackers then that's just the cherry on top.

Segment networks more - look at what does what - for example that Kodi box attached to the telly is as bad as the web browser and possibly worse, yes it's nice to be able to stream from the NAS but really it doesn't need unfettered access to the rest of the network. This I'm happy to firewall off from the rest of the network but have to accept that's not a solution many will bear.

IOT, if you have any, deserve a very close look indeed. If a phone manufacturer/provider whose business model is selling the latest shiny thing fails to support your phone after 2-3 years, how well maintained will your internet connected television/refrigerator/washing-machine be? Again, wall it off to the greatest extent you can.

Act fast - Grandma & Grandpa will soon forget about all these headlines - act while the news is still fresh - it's your best chance of introducing sensible security measures, especially if they cost a little in convenience.
 
6 members found this post helpful.
Old 01-08-2018, 12:28 AM   #5
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 426

Rep: Reputation: 95
Thanks for the update and link to Greg K-H's blog. One person wrote that Meltdown and Spectre require both a kernel and microcode update. Is this true or simply a best practice?

Anyone have a link to Intel's microcode release that is later than the 20171117?
 
Old 01-08-2018, 01:45 AM   #6
nobodino
Member
 
Registered: Jul 2010
Location: in France
Distribution: slackware, slackware from scratch, LFS, linux Mint, Niresh (MacOS)...
Posts: 208

Rep: Reputation: 163
Either follow intel microcode page: https://downloadcenter.intel.com/dow...le?product=873
or debian page: "git clone git://git.debian.org/users/hmh/intel-microcode.git"
or : http://de-mirror.org/gentoo/distfile...0171215-r1.tgz
debian page seems to have partial updated microcode.

Last edited by nobodino; 01-08-2018 at 02:11 AM.
 
Old 01-08-2018, 03:42 AM   #7
FlinchX
Member
 
Registered: Nov 2017
Distribution: Slackware Linux
Posts: 113

Rep: Reputation: Disabled
Quote:
Originally Posted by TL_CLD
I'm glad though that a lot of very clever people are hard at work resolving this whole mess.
I am pretty sure that the CPU industry has a lot of very hard working clever people as well. And they aren't ethically defective. I guess most of them (if not all) are tied up by NDAs and this makes me feel pity for them. Wasn't Linus himself involved in CPU design at Transmeta? We are so lucky to have him doing what he does now.
 
Old 01-08-2018, 11:23 AM   #8
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 426

Rep: Reputation: 95
Quote:
Originally Posted by nobodino
Either follow intel microcode page: https://downloadcenter.intel.com/dow...le?product=873
or debian page: "git clone git://git.debian.org/users/hmh/intel-microcode.git"
or : http://de-mirror.org/gentoo/distfile...0171215-r1.tgz
debian page seems to have partial updated microcode.
Unfortunately all these links are to 20171117 code. Debian and Gentoo are simply distribution specific packages of the 20171117 code.

Does anyone have a link to microcode later than 20171117?
 
Old 01-08-2018, 01:35 PM   #9
bassmadrigal
Senior Member
 
Registered: Nov 2003
Location: Newport News, VA
Distribution: Slackware
Posts: 4,759

Rep: Reputation: 2639
Did you check the links? There are newer files with different sizes in at least the gentoo link compared to the original (didn't check the debian), so something has definitely changed between the two. I did an ls -lart in both intel-ucode directories and redirected the output into files. I then compared the files and the output is below:

Code:
diff --git a/microcode-1117 b/microcode-1215
index 87adf1a..732d86b 100644
--- a/microcode-1117
+++ b/microcode-1215
@@ -1,4 +1,4 @@
-total 1672
+total 1684
 drwxr-xr-x 2 jbhansen users  4096 Nov 16 12:28 ./
 drwxr-xr-x 3 jbhansen users  4096 Jan  8 13:26 ../
 -rw-r--r-- 1 jbhansen users  2048 Nov 16 12:27 06-06-05
@@ -68,30 +68,30 @@ drwxr-xr-x 3 jbhansen users  4096 Jan  8 13:26 ../
 -rw-r--r-- 1 jbhansen users 14336 Nov 16 12:27 06-1a-04
 -rw-r--r-- 1 jbhansen users 24576 Nov 16 12:27 06-17-0a
 -rw-r--r-- 1 jbhansen users  4096 Nov 16 12:27 06-17-07
--rw-r--r-- 1 jbhansen users 32768 Nov 16 12:27 06-3f-02
 -rw-r--r-- 1 jbhansen users 15360 Nov 16 12:27 06-3e-07
 -rw-r--r-- 1 jbhansen users 11264 Nov 16 12:27 06-3e-06
 -rw-r--r-- 1 jbhansen users 13312 Nov 16 12:27 06-3e-04
--rw-r--r-- 1 jbhansen users 17408 Nov 16 12:27 06-3d-04
--rw-r--r-- 1 jbhansen users 22528 Nov 16 12:27 06-3c-03
 -rw-r--r-- 1 jbhansen users 12288 Nov 16 12:27 06-3a-09
 -rw-r--r-- 1 jbhansen users 13312 Nov 16 12:27 06-2f-02
 -rw-r--r-- 1 jbhansen users 17408 Nov 16 12:27 06-2d-07
--rw-r--r-- 1 jbhansen users 98304 Nov 16 12:27 06-4e-03
 -rw-r--r-- 1 jbhansen users 11264 Nov 16 12:27 06-47-01
 -rw-r--r-- 1 jbhansen users 24576 Nov 16 12:27 06-46-01
--rw-r--r-- 1 jbhansen users 20480 Nov 16 12:27 06-45-01
 -rw-r--r-- 1 jbhansen users 16384 Nov 16 12:27 06-3f-04
--rw-r--r-- 1 jbhansen users 16384 Nov 16 12:27 06-5c-09
 -rw-r--r-- 1 jbhansen users 21504 Nov 16 12:27 06-56-04
 -rw-r--r-- 1 jbhansen users 20480 Nov 16 12:27 06-56-03
 -rw-r--r-- 1 jbhansen users 28672 Nov 16 12:27 06-56-02
--rw-r--r-- 1 jbhansen users 26624 Nov 16 12:27 06-55-04
--rw-r--r-- 1 jbhansen users 26624 Nov 16 12:27 06-4f-01
 -rw-r--r-- 1 jbhansen users 72704 Nov 16 12:27 06-7a-01
 -rw-r--r-- 1 jbhansen users 98304 Nov 16 12:27 06-5e-03
--rw-r--r-- 1 jbhansen users 97280 Nov 16 12:27 06-8e-09
--rw-r--r-- 1 jbhansen users 97280 Nov 16 12:27 06-9e-09
 -rw-r--r-- 1 jbhansen users 96256 Nov 16 12:27 06-8e-0a
 -rw-r--r-- 1 jbhansen users 97280 Nov 16 12:27 06-9e-0b
 -rw-r--r-- 1 jbhansen users 95232 Nov 16 12:27 06-9e-0a
+-rw-r--r-- 1 jbhansen users 33792 Dec 15 07:59 06-3f-02
+-rw-r--r-- 1 jbhansen users 27648 Dec 15 07:59 06-4f-01
+-rw-r--r-- 1 jbhansen users 27648 Dec 15 07:59 06-55-04
+-rw-r--r-- 1 jbhansen users 98304 Jan  4 17:35 06-9e-09
+-rw-r--r-- 1 jbhansen users 98304 Jan  4 17:35 06-8e-09
+-rw-r--r-- 1 jbhansen users 16384 Jan  4 17:35 06-5c-09
+-rw-r--r-- 1 jbhansen users 99328 Jan  4 17:35 06-4e-03
+-rw-r--r-- 1 jbhansen users 22528 Jan  4 17:35 06-45-01
+-rw-r--r-- 1 jbhansen users 18432 Jan  4 17:35 06-3d-04
+-rw-r--r-- 1 jbhansen users 23552 Jan  4 17:35 06-3c-03
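Review bot: size and timestamp do not establish a content change for 06-5c-09 in the second hunk, where the file is 16384 bytes on both sides and only the date moves from Nov 16 to Jan 4. Because the listings come from ls -lart, which orders by modification time, every touched file also shows up as a separate removal and addition rather than as one changed line, which makes the pairs hard to match by eye. Listing both directories sorted by name with a per-file checksum (for example sha256sum) would show directly which files differ in content.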
However, on the SBo mailing list, 55020 gave some insight on what's likely going on. Here's his message:

Quote:
Some distros seem to have mysteriously got a 20171215 release, it must
have come from Intel but it is not available from Intel's page. Maybe
a bit more information is below, from the Debian bugreport.

Gentoo:
https://gitweb.gentoo.org/repo/gento...ntel-microcode

Mageia:
http://svnweb.mageia.org/packages/cauldron/microcode/

Debian:
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=886367
https://sources.debian.org/src/intel...E-2017-5715.d/

In particular see https://bugs.debian.org/cgi-bin/bugr...?bug=886367#37
"The current plans are for stable to wait for Intel's official microcode
update pack. It is not like this set of microcode updates will get you anything
without the kernel IBRS and IPBP support, which is still being
stabilized. These updates are currently necessary for people doing the
kernel work
and for testing and stabilization. Ditto for AMD microcode updates,
which I will upload soon now that the kernel support for loading them
has made it to Linux mainline."

So I hope this is a partial answer -- there is a supplementary set of
20171215 files circulating amongst the kernel devs so they can prepare
kernel fixes that depend on them. Those kernel fixes are not yet
ready, and 20171215 isn't useful on its own.
Long story short, microcode updates probably won't help until you have a kernel that has the required fixes in it. Just wait for the kernel devs to do their thing, then Intel will release the official update and hopefully we'll see updated kernels for Slackware relatively quick.
 
2 members found this post helpful.
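The posts above compare microcode directories by file size and date and leave open which revision each file carries. The following added example (not code from any poster, Intel or a distribution) reads the 48-byte update header from each file and reports revision changes between two sets; the header layout is assumed to follow Intel's published microcode update format, the function names are hypothetical, and the sample blobs are constructed stand-ins with made-up revisions.

```python
import struct

HDR = struct.Struct("<9I12x")   # 48-byte header that starts every Intel update

def parse_updates(blob):
    """Return header fields for each update concatenated in one intel-ucode file."""
    found, off = [], 0
    while off + HDR.size <= len(blob):
        hver, rev, date, sig, _ck, _ldr, pf, dsize, tsize = HDR.unpack_from(blob, off)
        if dsize == 0:                      # zero means the legacy fixed layout
            dsize, tsize = 2000, 2048
        if hver != 1 or tsize < dsize + HDR.size or off + tsize > len(blob):
            raise ValueError(f"no valid update header at offset {off}")
        words = struct.unpack_from(f"<{(HDR.size + dsize) // 4}I", blob, off)
        found.append({
            "sig": sig, "rev": rev, "pf": pf,
            # date is BCD mmddyyyy, so its hex digits are the date itself
            "date": f"{(date & 0xffff):04x}-{(date >> 24):02x}-{((date >> 16) & 0xff):02x}",
            # header + data dwords must sum to zero modulo 2**32
            "checksum_ok": (sum(words) & 0xffffffff) == 0,
        })
        off += tsize
    return found

def revision_changes(old, new):
    """old/new map file name -> file bytes; report files whose revisions differ."""
    report = {}
    for name in sorted(new):
        new_u = parse_updates(new[name])
        old_revs = [u["rev"] for u in parse_updates(old[name])] if name in old else []
        new_revs = [u["rev"] for u in new_u]
        if old_revs != new_revs:
            report[name] = (old_revs, new_revs, [u["date"] for u in new_u])
    return report

def make_update(sig, rev, date, payload=b"\x5a" * 976):
    """Build a CONSTRUCTED stand-in blob (not real microcode) with a valid checksum."""
    fields = [1, rev, date, sig, 0, 1, 0x2a, len(payload), len(payload) + HDR.size]
    body = HDR.pack(*fields) + payload
    total = sum(struct.unpack(f"<{len(body) // 4}I", body))
    fields[4] = (-total) & 0xffffffff       # make the dword sum come out to zero
    return HDR.pack(*fields) + payload

# Constructed sample sets; file names follow family-model-stepping, values are made up.
OLD = {"06-9e-09": make_update(0x906e9, 0x10, 0x11162017),
       "06-5c-09": make_update(0x506c9, 0x20, 0x11162017)}
NEW = {"06-9e-09": make_update(0x906e9, 0x11, 0x01042018),
       "06-5c-09": OLD["06-5c-09"]}

if __name__ == "__main__":
    for name, (was, now, dates) in revision_changes(OLD, NEW).items():
        print(name, [hex(r) for r in was], "->", [hex(r) for r in now], dates)
```

On a running x86 Linux system the currently loaded revision is shown in the `microcode` field of /proc/cpuinfo, which is the value to compare against a file's header revision.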
Old 01-08-2018, 03:09 PM   #10
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 426

Rep: Reputation: 95
@bassmadrigal I had looked at these links on 01/03/18 and they did not contain the updates now showing as being added on 01/04/18. Wonder why Gentoo didn't bump the file name, but added updates for a later date? I did not do the compare as you did, which is showing the six updates for recent processors. What isn't known and isn't mentioned in the "releasenote" file is what these updates address. So it is a guess that these updates address Meltdown or Spectre, when in fact they may address something totally different.

I agree with your final analysis..."...wait for kernel devs to do their thing, then Intel will release the official update...". In the meantime, I'm going to use the 20171117 with my currently running kernel 4.4.106 to see if I can do the microcode upgrade correctly in preparation for the microcode fixes for Meltdown and Spectre. I'll then after 24 hours running with the newer microcode update to 4.4.110 with the Kaiser updates and TPKI switch and see how that functions. It is probably better to do the earlier update since it should be stable and not cause issues. Then later this month maybe Slackware will have an official release of a kernel that more completely addresses the issues. Although Greg K-H in his 01/06/18 blog stated that the LTS kernels already had shipped with updates, although more would be coming, whatever that is addressing. Cheers.
 
Old 01-08-2018, 03:27 PM   #11
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 1,968

Rep: Reputation: 698
To completely address the issues, also the entire operating system should be rebuilt using a patched GCC.

This is the single way to address the Spectre in an effective way.
 
1 members found this post helpful.
Old 01-08-2018, 03:42 PM   #12
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware Gentoo ARM (eval)
Posts: 206

Rep: Reputation: 83
I've read many references in the articles describing these vulnerabilities in the online media (especially in the German one) in which it was suggested that Intel has had these microcode updates prepared and due to be released on the 9th of January. However, I couldn't find any official statement on Intel's site about this. Intel's latest update is on the 5th of January:
https://security-center.intel.com/ad...nguageid=en-fr
(check Revision history)
On the Debian forum these "pre release" Intel updates are also discussed:
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=886367
Whereas, theoretically, nobody but Intel can modify/update the microcode, this being protected/signed with RSA:
https://www.dcddcc.com/docs/2014_paper_microcode.pdf

I'm still not sure if the latest modification to the Linux kernel, mitigating these vulnerabilities on a SW level, will be necessarily needed or the CPU microcode will handle the issues all by itself. I hope for the latter, whereas the kernel patches have their value for systems that are not being patched (operational issues) at CPU level (microcode). We'll wait & see.
 
1 members found this post helpful.
Old 01-08-2018, 03:46 PM   #13
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware Gentoo ARM (eval)
Posts: 206

Rep: Reputation: 83
Quote:
Originally Posted by Darth Vader
To completely address the issues, also the entire operating system should be rebuilt using a patched GCC.

This is the single way to address the Spectre in an effective way.
I fear that this will be the ARM solution and it will be definitely an overkill. Not sure how Android (mobile devices manufacturers) will handle that.
(mentioned it here)
https://www.linuxquestions.org/quest...ml#post5801910
 
Old 01-09-2018, 10:28 AM   #14
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.2 (4.14.14) UEFI enabled
Posts: 459

Rep: Reputation: 139
An Interesting Read

Along with GKH's comments I found this interesting:
https://groups.google.com/forum/m/#!...hy/L9mHTbeQLNU

John

Last edited by AlleyTrotter; 01-09-2018 at 10:34 AM.
 
2 members found this post helpful.
Old 01-09-2018, 08:39 PM   #15
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 426

Rep: Reputation: 95
New microcode from Intel released Monday. See https://downloadcenter.intel.com/dow...-Data-File?v=t
Testing with my old Pentium D 820... Cheers

hmm.. not seeing anything new applied. Going back to my "How to upgrade Intel microcode" thread because something isn't working correctly.

Last edited by bamunds; 01-09-2018 at 09:52 PM.
 
  



All times are GMT -5. The time now is 08:43 PM.
