
[Solved] Meltdown and Spectre Vulnerabilities


(Ben Hsu) #1

Well, I’m gonna just put this here:

https://meltdownattack.com/

It looks like we might be taking some performance hits with Linux KPTI patches on 4.15.

Has anyone tried out any of the patches yet?
(As seen on the LKML: https://lkml.org/hot.xml, this is all over the place)

And this one from Linus on choosing the KPTI over the other names…
https://lkml.org/lkml/2017/12/4/709
and then:
https://lkml.org/lkml/2017/12/4/758

Google Project Zero explains:

Oh, and Linus is not happy:
https://lkml.org/lkml/2018/1/3/797


(R.J.) #2

Scary shit, I’m honestly saving money for a future build and I’ll make sure the processor is AMD (Not sure about the GPU, Nvidia doesn’t have this… affinity for open source, but it works…so…). Fuck knows, maybe even AMD will fuck up in the future. I’m one of those cyberpunk enthusiast security-loving creeps, you know? This news really makes me think about the whole Snowden mess in 2014.
About the 30% slowdown thing, I hope they find a better solution. You’re slowing down BASICALLY THE WHOLE INTERNET by 5%-30%. It won’t affect normal activity much, except loading the CPU for no reason whatsoever, but eh, there are a lot of things that I potentially want to do and that might get all screwed up by this.


#3

@pobetiger
Thanks for the links. Scary stuff :scream:

@Raphy
I wouldn’t feel much safer with AMD…


#4

KPTI is already in kernel 4.14.11; you can check if you’re affected via:
cat /proc/cpuinfo | grep cpu_insecure

I’m doing a simple benchmark on my Intel laptop at the moment and will post the results later.

But at least my 80C88 system is unaffected :wink:

EDIT: Theo de Raadt of OpenBSD predicted the Meltdown situation over 10 years ago
https://www.linuxquestions.org/questions/*bsd-17/openbsd-devs-worked-on-meltdown-spectre-fixes-eleven-years-ago-4175620905/#post5801639

It might be best for us to move away from x86…


EDIT2: Results from my basic benchmark:
I used kernel 4.14.11 with KPTI enabled and kernel 4.14.10 without KPTI on a laptop with an Intel i3-3110M with 6GB RAM

I ran time ./xbps-src -j 4 pkg linux4.13 for both kernels under the same conditions.

4.14.11 with KPTI:

real 91m03.741s
user 271m56.839s
sys 22m21.158s

4.14.10 without KPTI:

real 90m19.607s
user 266m41.933s
sys 20m49.025s

The performance decrease isn’t too bad for me, but I don’t know how the performance scales with different CPUs, as this is the most powerful Intel chip I own. I’ll have to see if KPTI has any effect on my laptop’s battery life as well.


EDIT3: Red Hat has done some proper performance analysis: https://access.redhat.com/articles/3307751

CPU-intensive workloads are affected the least with only 2-5%

Interesting how close my ‘benchmark’ performance decrease was to what Red Hat are saying.
I wonder if it has a noticeable impact on Void’s build server.

As @pobetiger said, the biggest slowdowns are when there are lots of kernel-to-user space transitions.

Fortunately this probably won’t affect the average user too much.


(Benjamin) #5

The Meltdown attack hasn’t been successfully done on AMD chips; the current consensus is that risk to systems with AMD is minimal to none. It’s a bit more complicated than that, but that’s the gist so far.

As far as Spectre goes, AMD is reproducibly vulnerable, but it’s much harder to do than Meltdown is and the software fix is much less taxing on performance.

There’s a level1techs forum thread with much more info on the situation, I’ll link both my sources and said thread once I finish getting my system working. (Though you can read the Meltdown research paper to see the Meltdown source)


(Richard DW Redcroft) #6

My understanding was that the Zen architecture isn’t vulnerable to either of these, only the other AMDs are vulnerable to Spectre and only Intel is vulnerable to everything…


#7

Unfortunately not, I believe Spectre affects any CPU that implements speculative execution, which is pretty much any modern CPU, and could affect architectures other than x86 and ARM.

https://spectreattack.com/spectre.pdf#subsection.4.1


(Ioan) #8

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) + https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

decent place to start reading :slight_smile:


(jacky) #9

Spectre and Meltdown Attacks Against Microprocessors
good read
https://www.schneier.com/blog/archives/2018/01/spectre_and_mel_1.html


(Ben Hsu) #10

I think the slowdown had to be programs with lots of syscalls. Just doing the kernel by itself may not show as much difference. Doing a crosstool-ng full 13-stage build of glibc, gcc, binutils, and then the kernel, or a buildroot build of a system, we’ll probably see more differences in performance.

Another area is SQL accesses, which apparently can also be slowed down if there are a lot of accesses.

I just upgraded to .11 kernel last night. I’ll see if I can get some comparisons also.


(Edmond Dantes ) #11

Thank you for your useful “benchmarks”.
What de Raadt basically did at the time was to be bold enough to point out the possibly exploitable vulnerabilities of the Intel Core Duo, moving against the tide of the time, which expected Intel x86 CPUs to be untouchable.
Anyway, OpenBSD on Meltdown:
https://marc.info/?l=openbsd-tech&m=151521435721902&w=2


#12

Here is a nice summary of the current situation, http://kroah.com/log/blog/2018/01/06/meltdown-status/


#13

So it’s on a per application basis perhaps. Firefox has implemented some patches, but that version is not available on Void yet it seems.


(David) #14

So, for those of us who are already using Linux 4.14.12, should we still get cpu_insecure from this command? My CPU is a genuine Intel Q6600.


#15

If you are using 4.14.12 any Intel CPU should produce cpu_insecure


#16

I think the Firefox patches are mostly to address the horrifying JavaScript attack using Spectre:
https://spectreattack.com/spectre.pdf#subsection.4.3


(Silvernode) #17

So I tried looking in srcpkgs for the 4.14.12 template but couldn’t seem to find it. I am just looking to see if the build flag CONFIG_PAGE_TABLE_ISOLATION is in the template so I can be absolutely sure things are as good as they can get. Mind you, I have a Ryzen chip and it isn’t seemingly clear that anyone knows whether these are subject to the recent security flaws. - Here’s what AMD said

Even so, I would still like to see if the build flag is in our kernel.

Thanks


#18



EDIT: Though KPTI isn’t necessary for AMD currently, and isn’t enabled by default for AMD either.


(Silvernode) #19

Thank you, I wasn’t in doubt that we had the flag, I just wanted to see it. :slight_smile:


(David) #20

But does that mean my computer is currently vulnerable, or not? :face_with_raised_eyebrow:
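
Added example, not part of any post in this thread: a shell check that separates "the kernel flags this CPU as affected" from "page table isolation is actually on", which is the distinction behind the `cpu_insecure` question above. The function names are hypothetical; the later `cpu_meltdown` flag name, the `pti` feature flag and the sysfs `vulnerabilities/meltdown` file are mainline kernel behaviour that the thread itself does not mention, so treat their presence on a given kernel as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify Meltdown exposure from what
# the kernel reports. Inputs are passed as text so saved copies can be checked.

# has_word LINE_NAME WORD TEXT: succeed if WORD is listed on the cpuinfo
# line named LINE_NAME ("bugs" or "flags").
has_word() {
    printf '%s\n' "$3" | awk -F: -v key="$1" -v word="$2" '
        $1 ~ ("^" key "[ \t]*$") {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == word) found = 1
        }
        END { exit !found }'
}

# meltdown_status CPUINFO_TEXT [SYSFS_TEXT]
# SYSFS_TEXT is the content of
# /sys/devices/system/cpu/vulnerabilities/meltdown, empty on kernels without it.
meltdown_status() {
    case $2 in
        "Not affected"*) echo not-affected; return ;;
        Mitigation*)     echo affected-mitigated; return ;;
        Vulnerable*)     echo affected-unmitigated; return ;;
    esac
    # No sysfs report: fall back to the bug flag discussed in this thread
    # (cpu_insecure, named cpu_meltdown on later kernels).
    if has_word bugs cpu_insecure "$1" || has_word bugs cpu_meltdown "$1"; then
        # The bug flag says the CPU is affected, not that it is unprotected;
        # the "pti" feature flag shows whether page table isolation is on.
        if has_word flags pti "$1"; then echo affected-mitigated
        else echo affected-unmitigated; fi
    else
        # A kernel that predates the fix prints no flag, so this is not "safe".
        echo not-flagged
    fi
}

# Constructed sample: an affected CPU on a KPTI kernel with isolation enabled.
SAMPLE_CPUINFO='model name : constructed sample CPU
flags : fpu vme de pse tsc msr pae pti
bugs : cpu_insecure'

meltdown_status "$SAMPLE_CPUINFO" ""
meltdown_status "$(cat /proc/cpuinfo 2>/dev/null)" \
    "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)"
```

The first call prints the result for the constructed sample, the second for the machine the script runs on.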