Hot news - Major flaw in Intel CPUs
In the news today:
It seems that a serious flaw has been discovered in Intel chips, which allows userspace processes to potentially access kernel memory areas that are supposed to be protected. Both Windows and Linux developers are scrambling to patch the flaw, which is apparently going to reduce performance by up to 30%. Bad stuff.
I haven't been able to find a definitive list of precisely which Intel chips will be affected (please post if anyone can find it). Seems like another good reason to avoid Intel, if we can.
As if Intel directly supporting apartheid wasn't enough.
https://www.stopthewall.org/2005/08/05/boycott-intel-products-setting-factory-palestinian-stolen-lands
But you know, tech over lives, right?
This article in PC World provides some interesting details:
It seems like the kernel developers are keeping the details under wraps until they get the fix released; however, the article suggests that the issue will probably affect all 64-bit Intel CPUs and older ones may be affected more than newer ones (which may not be a good thing for fully free systems using Core 2 Duos).
'The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks.' --- yuck!
Intel is a big company with a lot of smart people working for them. This bug fix is likely just banged out as a stop-gap. I am sure they will come out with a more efficient solution over time to make the performance decrease negligible. Obviously this sucks now but great solutions are not always possible on short notice.
From what I read in the news articles, it sounds like the issue is a flaw in the chip design, which can't be simply fixed by updating the microcode. In which case, the only way that Intel can fix it is with a new chip design, which will almost certainly include their horrible Management Engine.
Not good news for free computing. I think this highlights even more how much we need viable alternatives to Intel. :-(
Daaaaamn, this is so bad for us, I just read the news.
This is what happens when you gift ME(Spywarement Engine), Intel Boot Guard(Backdoor Boot Guard), AMT(Active NSAgement Engine) with your chips.
PowerPC is the way to go on desktop or laptops.
You mentioned Talos, but it is not really available for purchase yet, is it? Also, there is an issue with graphics cards too. Which ones will go with PowerPC if you have graphics (intensive) related tasks?
https://www.raptorcs.com/TALOSII/ <---that is what you are talking about.
You are right.
But when I say PowerPC I mean everything with PowerPC, not only TalosII. Computers like the Powermac with 2 CPUs (I have one) (yes, I know it's crApple). Also projects like:
https://www.powerpc-notebook.org/en/
The problem is, obviously, the GPU: PowerPC won't have an Intel integrated GPU, AMD chips need a blob to work, and the newest Nvidia need signed firmware (I don't know if these chips work fine without signed firmware).
Well, that's a problem that needs to be addressed. There are bigger demands now and these manufacturers need to think about graphics, not just CPUs.
Spectre has nothing to do with "Management Engines" and the like. It deals with "speculative execution" (e.g., "branch prediction") that aims at faster execution: https://en.wikipedia.org/wiki/Speculative_execution
The POWER architecture uses speculative pipelines too: https://en.wikichip.org/wiki/ibm/microarchitectures/power9 (see "Speculative" in the info box). I believe researchers only verified Intel/AMD and ARM architectures because they are far more widespread. POWER processors are probably affected too.
AMD processors seem not affected.
Word. But AMD gots to free the GPU code, son. Let my drivah's growww!
They are. By Spectre. See RMK's post: https://trisquel.info/forum/hot-news-major-flaw-intel-cpus#comment-125812
If I understand it correctly there are three vulnerabilities, two Spectre and one Meltdown bugs. Intel processors are affected by all of them and on all operating systems. AMD is affected by one Spectre vulnerability only on GNU/Linux and only if you use non-default kernel settings. Correct me if I am wrong.
As far as I understand, there are two vulnerabilities, Meltdown and Spectre, but two different ways to exploit Spectre were shown. And Spectre cannot be solved through software (so no kernel configuration helps, neither does a firmware update): only the next generation of CPUs will be immune.
It might be senility or I suddenly cannot understand English, so I will just copy and paste here...
The bounds check bypass has also been shown to read kernel memory on Intel and AMD processors. Importantly, this does not work on AMD processors in default configurations. The proof-of-concept requires BPF JIT to be manually enabled in the Linux kernel for AMD processors. (It is not, by default.) The tested Intel processor was vulnerable independent of the BPF JIT setting.
And this is from the goobles zero study directly:
A PoC for variant 1 that, when running with normal user privileges under a modern Linux kernel with a distro-standard config, can perform arbitrary reads in a 4GiB range [3] in kernel virtual memory on the Intel Haswell Xeon CPU. If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU.
And yep, the variant one is -> Variant 1: bounds check bypass (CVE-2017-5753)
That is the only exploit AMD says can represent a problem for their CPUs; Meltdown does not affect it due to architecture differences, and the second variant, according to AMD, has "near zero risk of exploitation".
If so, I am a happy guy :)
Well, in each case it would appear that exploiting spectre is quite tough and to my understanding nowhere near as grave as meltdown.
Imagine how nice it must be to have a ready cross-platform exploit for every single Intel CPU ever made for 20 years... Not that I wish to imply that Intel did this on purpose or to gain a single-core performance advantage over AMD. :P
I indeed did not understand it right. There are currently three demonstrated ways to do a Spectre attack. AMD is quite fine ("near zero risk") after a kernel patch solves one of these ways (which can therefore be solved through a software update, unlike the other ways): https://www.amd.com/en/corporate/speculative-execution
However, https://spectreattack.com/spectre.pdf says:
Further attacks can be designed by varying both the method of achieving speculative execution and the method used to leak the information. Examples of the former include mistraining return instructions or return from interrupts. Examples of the latter include leaking information through timing variations or by generating contention on arithmetic units.
It looks like all modern processors (including AMD's) will be at risk, without a way to solve the problem through software updates.
> Well, in each case it would appear that exploiting spectre is quite tough and to my understanding nowhere near as grave as meltdown.
Well, Meltdown is grave (any data in the RAM can be read at a rather high speed)... but can be solved once and for all with the KPTI patch (accepting performance regressions). A Spectre attack only allows reading data in the kernel space (but there are private keys there!) at a slower speed (50 times slower than Meltdown according to the original publications). Nevertheless, it basically affects all processors in use and cannot be entirely solved by a software update. In the medium/long term, it looks far more problematic than Meltdown: to be immune, everybody will have to throw away their current hardware and spend money on newer processors that do not exist yet!
>I indeed did not understand it right.
Yeah, me too (and I even read, well, read not understood, the pdf from goobles0).
What I find interesting is the wording from AMD's post about the issue, I guess they don't know for sure yet. We'll see.
Here is better information: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
Also ARM CPUs are affected, and AMD as well.
Time for RISC?
There are two distinct, albeit related, CPU vulnerabilities making recent news. One of them, "Meltdown," is Intel-specific. The other, "Spectre," is present in all recent Intel, AMD, and ARM CPUs (and potentially, any CPU that uses branch prediction and speculative execution). Meltdown can be repaired with kernel updates (there's already a patch for it in the Linux source repository), but the fix can slow performance by as much as 30%. Spectre is a more difficult vulnerability to exploit, but it has no fix short of replacing the CPU outright. Apparently not even a microcode update will suffice--Spectre is a flaw in the fundamental hardware design.
I think Spectre may be the greater cause for concern in the libre-software community. A lot of us are using relatively old Intel CPUs that predate the Intel Management Engine, but Spectre is thought to be present in ALL modern CPUs designed by Intel, AMD, and ARM, and the only fix for it is to replace the processor. And of course, replacing your CPU with a new one from Intel or AMD is going to get you the Intel ME or the AMD PSP.
NYT article: https://www.nytimes.com/2018/01/03/business/computer-flaws.html
The Guardian article: https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-computer-processor-intel-security-flaws-explainer
Google Project Zero blog post, with links to the Meltdown and Spectre papers: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
This is a great reply - thank you for providing these details. Yes, I agree that Spectre seems to be a big concern for free computing. Does anyone know what the implications may be for the EOMA68 project? I assume POWER9 isn't affected, as I haven't seen it mentioned anywhere?
I believe the researchers only verified Intel/AMD and ARM architectures because they are far more widespread. POWER9 processors use speculative pipelines: https://en.wikichip.org/wiki/ibm/microarchitectures/power9 (see "Speculative" in the info box). That is why I believe Spectre affects them, like all modern processors.
I think the best thing that can come out of this mess is an increased drive to develop viable alternatives to Intel/x86.
(Edit: Linus has had a nice rant about it: http://uk.businessinsider.com/linus-torvalds-linux-inventor-is-furious-at-intel-2018-1?r=US&IR=T)
Pretty much this is the case: alternatives to the juggernauts who are actively against software freedom and all about consolidating control and power must be built. AMD and Intel can easily make free (as in freedom) friendly hardware (or not exploit labor or build fabrication plants on stolen land), even though they know there are issues with proprietary software and security-through-obscurity means and violating human rights on all levels. The rest of the world could care less about a 30% performance cut in CPUs' power or lack of software freedom; a tweet from Trump will make headlines and the world moves on. I/We continue to beg/plead hardware manufacturers to make something libre friendly or release graphics drivers, and they continually ignore. It would be great to pay them in their own coin. There is a demand for free soft/hardware, so let us fulfill that demand. Talos is a step, but that is all it is. If my next hardware upgrade is freedom friendly, we have made progress.
So Windows, linux kernel, iOS, macOS are all getting patches to help mitigate until we can get all new chips lol. Can anyone tell me if the Trisquel update engine has picked up anything for itself or will soon? I just want to do what I can for my Ministry of Freedom Libreboot Trisquel Lenovo laptop. :)
They are getting patches against Meltdown. No software (including firmware) update can solve Spectre.
Oh! But according to:
---
https://spectreattack.com/#faq-fix
Is there a workaround/fix?
There are patches against Meltdown for Linux (KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre (LLVM patch, ARM speculation barrier header).
---
I guess "hardening" isn't patching? ;)
Hardening is, well, making it harder, not impossible, to make a Spectre attack, whereas the KPTI patch makes Meltdown attacks impossible... at the cost of a performance penalty.
But, yes, you are right, "hardening" is "modifying the code", i.e., patching.
Everyone is having a meltdown over Meltdown because Canonical has not released fixes yet.
The bigger question is: When will Canonical fix it in Ubuntu? Trisquel inherits security updates from Ubuntu so *THAT* is the question you really want to be asking.
Good thinking! Thanks! That's what I'll look for.
https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible. Updates will be available for:
Ubuntu 17.10 (Artful) — Linux 4.13 HWE
Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
Ubuntu 14.04 LTS (Trusty) — Linux 3.13
Ubuntu 12.04 ESM** (Precise) — Linux 3.2
Note that an Ubuntu Advantage license is required for the 12.04 ESM kernel update, as Ubuntu 12.04 LTS is past its end-of-life
Ubuntu 18.04 LTS (Bionic) will release in April of 2018, and will ship a 4.15 kernel, which includes the KPTI patchset as integrated upstream.
What? Why would it take so long? Debian released the patched kernel for meltdown on January 4.
Re EOMA-68 computer cards & devices. Luke has the opportunity for some interesting CPU cards, and there's a team developing RISC CPUs in India which I believe have a mandate and the money from the gov to make free CPUs targeted for things like laptops and other computers a society needs.
See for India RISC CPU details:
http://lists.phcomp.co.uk/pipermail/arm-netbook/2017-December/015062.html
When I click on the techcrunch link in your post I just get redirected to this post, has anyone else got this issue?
Edit:
Also your pcworld link gets me redirected to this thread.
I guess their HTML foo is even worse than mine :P
Just highlight the link with your mouse and copy it and paste it in your url bar
HTML who? :p
Yes, sorry, I keep doing this ...
I thought that www.link.com
should give a hyperlink to that address, but it doesn't. Unfortunately, it seems that it is also not possible to edit a post on the forum here, unless it is a reply to someone else's post (which both of my earlier posts containing those links are not).
I'll try to stop doing it in future ... :-(
God, my html skills are truly terrible. How do I quote some html code, without it being interpreted? Arg!
It should work. One of your extensions must interfere. Disable them and see. Then, by disabling half of them, then half of the incriminated half, ... you can spot the problematic extension.
Found this series of articles:
*Processor/CPU Speculative Execution Patching on Linux Tutorial* series:
1. How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
2. How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
3. How to check Linux for Spectre and Meltdown vulnerability
4. How to install/update Intel microcode firmware on Linux
I find the last part to be disturbing. It is listed in the series even though it doesn't mention Meltdown or Spectre, as it was a requirement to patch them.
Why would updating the Intel microcode firmware be disturbing to me? Because my computer is Librebooted and...:
"Coreboot does distribute microcode updates for Intel and AMD CPUs, but libreboot cannot, because the whole point of libreboot is to be 100% free software."
--
Ignacio Agulló · name at domain
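Part 3 of that series (checking whether a Linux box is affected) needs no third-party script on a recent kernel: from 4.15 on, the version that shipped KPTI, the kernel reports its own status per issue in /sys/devices/system/cpu/vulnerabilities, and /proc/cpuinfo shows the loaded microcode revision and a "pti" flag. The script below is an added example, not code from the thread or from the linked tutorials; the sample directory it builds is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Each file in the vulnerabilities directory holds one line such as
# "Not affected", "Mitigation: PTI" or "Vulnerable...". Both functions take an
# optional path so they can also be pointed at the constructed sample below.
vuln_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no $dir: kernel older than 4.15 or not Linux"; return 2; }
    rc=0
    for f in "$dir"/*; do
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) tag="ok  " ;;
            Mitigation:*)    tag="mit " ;;
            *)               tag="VULN"; rc=1 ;;   # "Vulnerable" or anything unknown
        esac
        printf '%s %-12s %s\n' "$tag" "$name" "$status"
    done
    return $rc   # 1 if any issue is unmitigated, so it can gate other scripts
}

# Companion for part 4 of the series: the microcode revision the firmware loaded
# (Libreboot ships none, so this stays at whatever the CPU has in ROM) and, on
# KPTI kernels, a "pti" entry in the flags line.
cpuinfo_summary() {
    file="${1:-/proc/cpuinfo}"
    ucode=$(awk -F': ' '/^microcode/ { print $2; exit }' "$file")
    if awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "pti") f = 1 } END { exit (f ? 0 : 1) }' "$file"
    then pti=yes; else pti=no; fi
    echo "microcode=${ucode:-unknown} pti_flag=$pti"
}

# Constructed sample: a 4.15 kernel booted with PTI but built without retpoline
# support, so spectre_v2 is still reported as vulnerable (exit status 1).
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/vulnerabilities"
    printf 'Mitigation: PTI\n' > "$d/vulnerabilities/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/vulnerabilities/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/vulnerabilities/spectre_v2"
    printf 'microcode\t: 0x1e\nflags\t\t: fpu pti\n' > "$d/cpuinfo"
    echo "$d"
}

# Run against the live machine with: sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then vuln_status; cpuinfo_summary; fi
```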
Security: a software patch can always be exploited or reversed. Hardware fixes are much more secure!!!
What do you think about this?
Well, if I'm hungry I do scoffer from a software patch, because my brains think of a good meal. But if I suffer a security breakdown in my colon it means a bad digestion... about that madness@