LinuxQuestions.org
Old 01-05-2018, 09:41 AM   #481
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Rep: Reputation: 1235

There is something which I do not understand. Can someone enlighten me?

KPTI is NOT available for the 32-bit kernels, or am I missing something?

Not that I miss it so much, considering that I have 7 AMDs and only one Intel, and it is somewhat ancient.

BUT, this one Intel (a mini-PC) I use as a router and it runs Slackware 32-bit, and I would like to enable KPTI on it.

Last edited by Darth Vader; 01-05-2018 at 09:55 AM.
 
1 members found this post helpful.
Old 01-05-2018, 09:56 AM   #482
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,483

Rep: Reputation: 916
All --

Heads up!

A new Kernel 4.4.110 Parameter that paused my `make oldconfig` is below my signature line.

-- kjh

Code:
scripts/kconfig/conf  --oldconfig Kconfig
*
* Restart config...
*
*
* Security options
*
Enable access key retention support (KEYS) [Y/?] y
  Enable register of persistent per-UID keyrings (PERSISTENT_KEYRINGS) [N/y/?] n
  Large payload keys (BIG_KEYS) [N/y/?] n
  TRUSTED KEYS (TRUSTED_KEYS) [M/n/?] m
  ENCRYPTED KEYS (ENCRYPTED_KEYS) [Y/?] y
Restrict unprivileged access to the kernel syslog (SECURITY_DMESG_RESTRICT) [Y/n/?] y
Enable different security models (SECURITY) [Y/n/?] y
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] (NEW)

Enable the securityfs filesystem (SECURITYFS) [Y/?] y
Socket and Networking Security Hooks (SECURITY_NETWORK) [Y/n/?] y
  XFRM (IPSec) Networking Security Hooks (SECURITY_NETWORK_XFRM) [Y/n/?] y
Security hooks for pathname based access control (SECURITY_PATH) [N/y/?] n
Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) (INTEL_TXT) [N/y/?] n
NSA SELinux Support (SECURITY_SELINUX) [N/y/?] n
Simplified Mandatory Access Control Kernel Support (SECURITY_SMACK) [N/y/?] n
TOMOYO Linux Support (SECURITY_TOMOYO) [N/y/?] n
AppArmor support (SECURITY_APPARMOR) [N/y/?] n
Yama support (SECURITY_YAMA) [N/y/?] n
Integrity subsystem (INTEGRITY) [N/y/?] n
Default security module
> 1. Unix Discretionary Access Controls (DEFAULT_SECURITY_DAC)
choice[1]: 1
#
# configuration written to .config
#
 
2 members found this post helpful.
Old 01-05-2018, 10:00 AM   #483
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Rep: Reputation: 1235
This is to be expected. Of course they backport that Intellitard workaround to all LTS kernels.
 
Old 01-05-2018, 10:01 AM   #484
GazL
Senior Member
 
Registered: May 2008
Posts: 4,971
Blog Entries: 15

Rep: Reputation: 2571
Quote:
Originally Posted by Darth Vader View Post
There is something which I do not understand. Can someone enlighten me?

KPTI is NOT available for the 32-bit kernels, or am I missing something?
I guess they figure that 32bit processors are old enough not to be doing speculative execution and don't need it and that anyone with a 64 bit capable processor should be using a 64 bit kernel anyway.

While I'm sure one can make an argument for running a 32bit OS on 64bit hardware, I'm not going to make it, so I'll leave that as a thought exercise for the reader.

Last edited by GazL; 01-05-2018 at 10:02 AM.
 
Old 01-05-2018, 10:41 AM   #485
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 402

Rep: Reputation: 256
Quote:
Originally Posted by Darth Vader View Post
BUT, this one Intel (a mini-PC) I use as a router and it runs Slackware 32-bit, and I would like to enable KPTI on it.
Your Core 2 Duo runs fine on a 64-bit kernel. Just try the 64 bit kernels from slackware64-current in your 32 bit slackware system. (It's possible that /usr/bin/update-gdk-pixbuf-loaders or something like that is confused because uname -m tells it's x86_64 and not i686 but it should be simple to fix.)
 
1 members found this post helpful.
Old 01-05-2018, 11:03 AM   #486
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 795
Blog Entries: 26

Rep: Reputation: 1030
All Intel x86 processors since the introduction of the Pentium Pro (i686 core) in 1995 use speculative execution. Unless you're running ancient i586 hardware or earlier, KPTI is of security interest. Whether it makes sense given your use-case is an entirely other matter.

At a guess, fixes for 32-bit systems will be coming eventually and they've merely prioritized fixing 64-bit systems (which makes sense).

I will be updating my 14.1 and 14.2 systems to use the 4.4.110 kernel, but would prefer to use Pat's build if one is forthcoming.
 
3 members found this post helpful.
Old 01-05-2018, 11:41 AM   #487
bassplayer69
Member
 
Registered: Jul 2007
Location: In a van down by the river...
Distribution: Linux Mint 19.1 & Slackware64-Current
Posts: 222

Rep: Reputation: 50
New 4.14.12, 4.9.75 and 4.4.110 kernels are out: https://www.kernel.org/
 
1 members found this post helpful.
Old 01-05-2018, 01:05 PM   #488
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 XDM/WMaker
Posts: 621

Rep: Reputation: 179
Maybe I'm not reading the changelog correctly.

KPTI: Report when enabled
KPTI: Rename to PAGE_TABLE_ISOLATION


It seems that in 4.4.110 KPTI is simply a rename of the feature enable button while Kaiser is heavily implemented. Maybe Greg K-H is saying KPTI is already in the kernel but not reported by DMESG?

Including a
KAISER: Kernel Address Isolation

Are these different issues than Meltdown and Spectre? So we still don't have the Meltdown solution added to the kernel? OR as I said, I'm just not understanding the issues and mixing security problems? Thanks
 
Old 01-05-2018, 01:35 PM   #489
BratPit
Member
 
Registered: Jan 2011
Posts: 237

Rep: Reputation: 85
Quick and dirty explanation of Meltdown.

https://medium.com/@pwnallthethings/...n-1189548f1e1d

Some PTI and nonPTI benchmarks from Grsec:

https://grsecurity.net/~spender/?C=M;O=D

For 32 bits, Mathias Krause says of the grsecurity patch:

Quote:
I think it's UDEREF/i386 that saves the day here
source:

https://twitter.com/grsecurity/statu...74995942977536
 
3 members found this post helpful.
Old 01-05-2018, 01:57 PM   #490
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, CRUX, FreeBSD, Funtoo, HardenedBSD, OpenIndiana
Posts: 184

Rep: Reputation: Disabled
Quote:
Originally Posted by kjhambrick View Post
All --

Heads up!

A new Kernel 4.4.110 Parameter that paused my `make oldconfig` is below my signature line.

-- kjh

Code:
scripts/kconfig/conf  --oldconfig Kconfig
*
* Restart config...
*
*
* Security options
*
Enable access key retention support (KEYS) [Y/?] y
  Enable register of persistent per-UID keyrings (PERSISTENT_KEYRINGS) [N/y/?] n
  Large payload keys (BIG_KEYS) [N/y/?] n
  TRUSTED KEYS (TRUSTED_KEYS) [M/n/?] m
  ENCRYPTED KEYS (ENCRYPTED_KEYS) [Y/?] y
Restrict unprivileged access to the kernel syslog (SECURITY_DMESG_RESTRICT) [Y/n/?] y
Enable different security models (SECURITY) [Y/n/?] y
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] (NEW)

Enable the securityfs filesystem (SECURITYFS) [Y/?] y
Socket and Networking Security Hooks (SECURITY_NETWORK) [Y/n/?] y
  XFRM (IPSec) Networking Security Hooks (SECURITY_NETWORK_XFRM) [Y/n/?] y
Security hooks for pathname based access control (SECURITY_PATH) [N/y/?] n
Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) (INTEL_TXT) [N/y/?] n
NSA SELinux Support (SECURITY_SELINUX) [N/y/?] n
Simplified Mandatory Access Control Kernel Support (SECURITY_SMACK) [N/y/?] n
TOMOYO Linux Support (SECURITY_TOMOYO) [N/y/?] n
AppArmor support (SECURITY_APPARMOR) [N/y/?] n
Yama support (SECURITY_YAMA) [N/y/?] n
Integrity subsystem (INTEGRITY) [N/y/?] n
Default security module
> 1. Unix Discretionary Access Controls (DEFAULT_SECURITY_DAC)
choice[1]: 1
#
# configuration written to .config
#
not good enough: you need the latest firmware:
linux-firmware-20180103-r1
or latest intel microcode

so for this to work patched kernel plus latest firmware/intel microcode is required. Slackware has kernel-firmware-20180102git-noarch-1
if numbers are correct Slackware is one version behind I think
 
Old 01-05-2018, 02:06 PM   #491
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Rep: Reputation: 1235
Quote:
Originally Posted by Petri Kaukasoina View Post
Your Core 2 Duo runs fine on a 64-bit kernel. Just try the 64 bit kernels from slackware64-current in your 32 bit slackware system. (It's possible that /usr/bin/update-gdk-pixbuf-loaders or something like that is confused because uname -m tells it's x86_64 and not i686 but it should be simple to fix.)
Brilliant, logical and obvious idea! Thank you!
 
Old 01-05-2018, 02:11 PM   #492
Darth Vader
Senior Member
 
Registered: May 2008
Location: Romania
Distribution: DARKSTAR Linux 2008.1
Posts: 2,727

Rep: Reputation: 1235
Quote:
Originally Posted by Aeterna View Post
so for this to work patched kernel plus latest firmware/intel microcode is required. Slackware has kernel-firmware-20180102git-noarch-1
if numbers are correct Slackware is one version behind I think
I bet that our BDFL already works on that kernel-firmware.
 
1 members found this post helpful.
Old 01-05-2018, 02:26 PM   #493
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 402

Rep: Reputation: 256
Quote:
Originally Posted by Aeterna View Post
not good enough: you need the latest firmware:
linux-firmware-20180103-r1
or latest intel microcode

so for this to work patched kernel plus latest firmware/intel microcode is required. Slackware has kernel-firmware-20180102git-noarch-1
if numbers are correct Slackware is one version behind I think
No, kernel-firmware contains binary blobs to be loaded in the ethernet card and so on.

You get the latest Intel microcode via BIOS updates from the PC vendor, or you can install intel-microcode from slackbuilds.org. Intel has given out new microcode only for some cpus. If you have installed iucode_tool from slackbuilds.org, "iucode_tool -S" prints the processor signature, like 0x000206a7. Only these new microcodes are ready:
Code:
2017-12-15 (unofficial bundle with CVE-2017-5715 mitigation):
  * Updated Microcodes:
    sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
    sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
    sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
    sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
    sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
    sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
    sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
    sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
    sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
    sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
CVE-2017-5715 is SPECTRE. The page table isolation fixes MELTDOWN.
 
3 members found this post helpful.
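
The signature check described in the post above, as an added example that is not part of the original thread: it rebuilds the processor signature (the value `iucode_tool -S` prints) from the `cpu family`, `model` and `stepping` fields of `/proc/cpuinfo`, looks it up among four of the entries quoted above, and compares the loaded microcode revision with the listed one. The function names and `SAMPLE_CPUINFO` are constructed for illustration, and `pf_mask` (platform flags) is not checked.

```python
import re

# Four of the entries quoted in the post above (signature, platform mask, date, revision).
CHANGELOG = """\
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
"""

# Constructed /proc/cpuinfo excerpt (not taken from a real machine).
SAMPLE_CPUINFO = """\
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 60
stepping\t: 3
microcode\t: 0x1c
"""

def parse_changelog(text):
    """Return {signature: revision} for every 'sig ..., rev ...' line."""
    pat = re.compile(r"sig (0x[0-9a-fA-F]+),.*?rev (0x[0-9a-fA-F]+)")
    return {int(m[1], 16): int(m[2], 16) for m in pat.finditer(text)}

def cpu_signature(family, model, stepping):
    """Rebuild the CPUID leaf 1 EAX layout from /proc/cpuinfo's decoded values."""
    ext_family = max(family - 0xF, 0)   # non-zero only for family >= 15
    base_family = min(family, 0xF)
    return (ext_family << 20 | (model >> 4) << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping)

def parse_cpuinfo(text):
    """Return (signature, loaded microcode revision) for the first CPU listed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    sig = cpu_signature(int(fields["cpu family"]), int(fields["model"]),
                        int(fields["stepping"]))
    return sig, int(fields["microcode"], 16)

def microcode_status(cpuinfo_text, changelog_text=CHANGELOG):
    """Classify the CPU as 'not-listed', 'update-pending' or 'up-to-date'."""
    sig, loaded = parse_cpuinfo(cpuinfo_text)
    listed = parse_changelog(changelog_text).get(sig)
    if listed is None:
        return "not-listed"
    return "up-to-date" if loaded >= listed else "update-pending"

if __name__ == "__main__":
    print(microcode_status(SAMPLE_CPUINFO))
```

On a real machine, pass the contents of `/proc/cpuinfo` to `microcode_status()` instead of the sample text.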
Old 01-05-2018, 02:40 PM   #494
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 5,963

Rep: Reputation: 3656
Quote:
Originally Posted by Petri Kaukasoina View Post
No, kernel-firmware contains binary blobs to be loaded in the ethernet card and so on.
For those who may not be aware, kernel-firmware does contain microcode, but only for AMD (or at least, as you stated not for Intel... I'm not sure if other microcode for other CPUs is in there).
 
1 members found this post helpful.
Old 01-05-2018, 02:41 PM   #495
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,483

Rep: Reputation: 916
Quote:
Originally Posted by Aeterna View Post
not good enough: you need the latest firmware:
linux-firmware-20180103-r1
or latest intel microcode

so for this to work patched kernel plus latest firmware/intel microcode is required. Slackware has kernel-firmware-20180102git-noarch-1
if numbers are correct Slackware is one version behind I think
Thanks for the heads up, Aeterna!

I've been running the Slackware64 14.2 kernel-firmware SlackBuild on occasion for a while now ( source/a/kernel-firmware/kernel-firmware.SlackBuild )

The SlackBuild invokes `git` to 'get' the latest kernel-firmware.

How does one tell the kernel-firmware version ?

The SlackBuild simply appends a `date` stamp when the SlackBuild was run.

Thanks !

-- kjh

Last edited by kjhambrick; 01-05-2018 at 02:43 PM. Reason: oops ... double .sig
 