Real fixes for Spectre and Meltdown?

Discussion in 'General Linux Discussion' started by cloasters, Jan 9, 2018.

  1. cloasters

    cloasters Moderator

    Looks like we are stuck with the Meltdown insecurity in Intel CPUs from the last ten years. But Spectre is supposed to be addressable. But how? Easy-to-understand steps would be great. It would be fantastic if a Mint update has fixed this! But are we so lucky?
  2. cloasters

    cloasters Moderator

    Read that it's Spectre that isn't addressable, but Meltdown is. It's always something. Anyone have a clue?
  3. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Nope, no clue... this is the day I'm happy with my AMD processors. I do have two Intel Core 2 Duos.
  4. cloasters

    cloasters Moderator

    'Fraid that some AMD processors have these security holes as well. I sincerely wish this wasn't the case! I want to use an AMD CPU in my next machine.
  5. cloasters

    cloasters Moderator

    It seems like AMD is really aware of these PITAs, and is serious about addressing them. Intel has released many straight lies about "fixing the problems" of Spectre and Meltdown.

    These are SERIOUS problems. Thanks Intel, you're always the best of behemoths.
  6. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Dang... looks like Nvidia GPUs are affected as well.
  7. ThunderRd

    ThunderRd Irreverent Query Chairman Staff Member

    Your first priority for defense is to make sure your kernel is patched to the latest version. If you build your own, then at this time it's 4.14.13. [Yours truly finished building 4.14.13 last night, and is expecting to build another version within the next week, with the rush of updates coming at a fast pace.]

    If you look at the kernel.org main page [ https://www.kernel.org/ ] you will see that even the 'longterm support' kernels currently in use have all been patched within the last week - so even those who are on older kernel versions are getting some patches for these exploits. 4.10.x - 4.13.x kernels are being phased out of use now, so it's a good idea to keep abreast of which version you are running.

    If you aren't building your own kernels, then make sure to check your package manager, and see that the latest available kernel for your Linux flavor is installed. Don't be running old kernels. That is asking for trouble. It's something akin to using "p a s s w o r d" as your login credential. It creates vulnerability through laziness.

    But that in itself does not completely eradicate the exploits from your machine. You will have to wait for the microcode updates, which are coming slowly as firmware updates, but will not be close to completion until mid February, according to most reports. Meltdown will be pretty much under control at that time, but Spectre is much, much tougher and may take a longer time to fully patch.

    This is some basic information: https://meltdownattack.com/
    Last edited: Jan 12, 2018
  8. cloasters

    cloasters Moderator

    Thank you very much for this detailed information ThunderRd!
  9. cloasters

    cloasters Moderator

    My Synaptic Package Monitor has a lot of 4.4~54-122 updates. It told me nothing about Kernel and Modules, and they are not dated.

    This is confusing. Any elucidation about this would be greatly gracious and helpful.
  10. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Go to System Settings and then click System Info
    That will tell you which Kernel you have.

    I'm on 4.10 with Mint 18.3

    Honestly I'm more worried about a kernel update breaking something in Linux than getting hacked.
    One thing I really love about Mint is stability, which is why we are always on an older kernel.
  11. cloasters

    cloasters Moderator

    Fer sure, man! I don't REALLY know what Kernel I'm using. I don't have System Settings, System Monitor is as close to it as I have. No joy there. Under Synaptic Package Monitor it looks like I have many Kernel 4.10 updates/or they are being used.


    Thank you for the assistance, booman!
  12. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Ok, first, we need to differentiate the attacks, what they can do, and who's vulnerable.

    All three attacks are based on the fact that modern CPUs engage in 'speculative execution' of instructions; basically, when a program comes to a code branch ("if this condition is true, then do this, otherwise do that"), the CPU tries to guess which branch will be taken, and starts fetching and decoding instructions for that branch. If the CPU guesses correctly, that's great; if it doesn't, then it has to flush the pipeline and start over.

    As you can guess, accurately predicting program flow can have a significant performance impact.

    The attacks work by taking advantage of the fact that under certain conditions, this behavior can leave behind DETECTABLE changes in system state, even though they don't actually change the program flow, or the data the program works with.

    Meltdown - Affects pretty much every Intel chip made this decade (and most made in the last 20 years), Apple's ARM chips, and ARM Cortex A75-based designs. AMD CPUs are not vulnerable due to an architectural difference in how they handle the Translation Lookaside Buffer (TLB). This attack results in the leakage of kernel memory, which means an attacker could gain access to encryption keys or other sensitive data held in kernel space. It can be mitigated with OS patches. For newer Intel CPUs (Haswell and later) the performance impact will be lower than for older ones, as the OS patches can take advantage of instructions that have existed for some time but haven't been implemented until now (because they weren't seen as offering anything useful, while being painful to use). Benchmarks have shown that for I/O heavy loads (databases, server virtualization), the performance penalty can be upwards of 50%, but for MOST workloads will be around 20% or less. For the average desktop, the performance penalty is likely not noticeable.

    Spectre Variant 1 - Bounds Check Bypass - All CPUs currently in use appear to be vulnerable to this. AMD believes the threat can be mitigated with an OS patch. For Intel and Apple, mitigating the threat requires changes in application code AS WELL AS OS updates. This means that POTENTIALLY EVERY PROGRAM has to be REWRITTEN with the necessary code changes. In practice, it probably isn't near that bad, but it's still not good. The performance penalty for the patch appears to be negligible.

    Spectre Variant 2 - Branch Target Injection - All CPUs currently in use appear to be vulnerable to this. It's worth noting that AMD believes there is a 'near zero chance to exploit this' on AMD CPUs. Regardless, AMD and Intel have both released microcode updates and OS patches to address the issue. As above, mitigation will probably require application changes ALSO, at least for Intel and Apple CPUs. Performance impact follows a similar pattern to the Meltdown patch. Apple have released software updates.

    So, net result?

    Meltdown screws Intel badly. Apple gets hit on the iPhone, and ARM gets hit on the A75. I don't think the A75 is widely used yet (it was only released around May of last year), so the impact there may not be too bad.

    Spectre Variant 1 screws Intel and Apple pretty hard, and possibly hurts AMD some. For Intel and Apple, the issue really comes down to how many applications have to be recompiled. For AMD, it really depends on whether an OS patch is all that's needed.

    Spectre Variant 2 screws Intel pretty hard. Unclear about Apple. For AMD, there doesn't really appear to be an issue, they are just being cautious.

    For desktop users, the performance impacts, especially for Haswell and later Intel CPUs, should be negligible for most situations. For servers, it's really going to be a function of the workload; as you get more I/O intensive (particularly disk and network), you take a higher hit. Older CPUs are hit harder than newer CPUs.

    The one bright spot in all of this (if you can call it that) is that these vulnerabilities can only be exploited by programs running locally on your computer. Unfortunately, this includes JavaScript running in a browser. Fortunately, there are ways to mitigate ALL of the above attacks with changes in browser code. Firefox and Chrome have already released updates, and Apple have put out an updated version of Safari with mitigations as well (I believe MS have also updated Edge and IE). Since the browser is the primary attack point for most users, this means that installing the latest version of your browser SHOULD make it MUCH harder for a malicious JavaScript to exploit these issues.

    Also, these vulnerabilities do NOT allow someone to take over your computer. They DO, however, allow the leakage of sensitive information (passwords, encryption keys) which might be combined with OTHER attacks in some way.

    BTW, ARS wrote a good piece on this, if you want to read more details: https://arstechnica.com/gadgets/201...e-and-meltdown-patches-will-hurt-performance/
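    Reading ThunderRd's post (kernel at or above 4.14.13, microcode still pending) together with Gizmo's breakdown of the three issues, here is an added checker script that is not part of the thread and not from any of the posters: it reports, per issue, what the kernel itself says and compares the running kernel against that 4.14.13 baseline. It assumes a newer kernel that exposes /sys/devices/system/cpu/vulnerabilities/<issue>; a constructed copy of that directory is built inline so the script also runs off-box.

```shell
# Added example, not from the thread: report what the running kernel says about the three
# issues Gizmo lists, and check the 4.14.13 baseline ThunderRd names. Assumes a kernel that
# exposes /sys/devices/system/cpu/vulnerabilities/<issue>; a constructed copy stands in below.

# status_of DIR ISSUE -> prints vulnerable | mitigated | not_affected | unknown
status_of() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# all_safe DIR -> prints one line per issue; exit 0 only if none is still reported Vulnerable
all_safe() {
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        s=$(status_of "$1" "$issue")
        printf '  %-10s %s\n' "$issue" "$s"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}

# kver_ge A B -> exit 0 if dotted kernel version A is at least B (4.14.13 >= 4.14.12, 4.10 < 4.14.13)
kver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) { if (x[i]+0 > y[i]+0) exit 0; if (x[i]+0 < y[i]+0) exit 1 }
        exit 0 }'
}

# Constructed sample: an unpatched Intel box ("before") and the same box after the OS patch
# ("after": PTI for Meltdown, retpoline for Spectre v2). On a real host point at the sysfs dir.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/before" "$SAMPLE/after"
for issue in meltdown spectre_v1 spectre_v2; do echo "Vulnerable" > "$SAMPLE/before/$issue"; done
echo "Mitigation: PTI" > "$SAMPLE/after/meltdown"
echo "Mitigation: __user pointer sanitization" > "$SAMPLE/after/spectre_v1"
echo "Mitigation: Full generic retpoline" > "$SAMPLE/after/spectre_v2"

for d in before after; do
    echo "$d:"; all_safe "$SAMPLE/$d" && echo "  -> nothing left Vulnerable" || echo "  -> still Vulnerable"
done
running=$(uname -r); running=${running%%-*}
kver_ge "$running" 4.14.13 && echo "kernel $running is at or above 4.14.13" || echo "kernel $running is below 4.14.13"
```

    On a live machine, run `all_safe /sys/devices/system/cpu/vulnerabilities` instead of the sample directory; a "vulnerable" line there means the kernel knows about the issue and has no mitigation active, while the microcode part of the fix is not visible through these files.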
  13. cloasters

    cloasters Moderator

    Thank you very much for taking the time and effort to help throw light on these pesky/scary processor design flaws, Gizmo!

    I still don't genuinely "get it," but that's all too usual.
  14. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    I was able to update my Mint 18.3 kernel and Nvidia 384 drivers this weekend.
    At first I noticed there was an Nvidia 390 driver available, but I didn't want to have any broken games. So I didn't apply it.
    I applied all of the other updates and rebooted...
    But, upon reboot, Cinnamon would crash and I was stuck with the old desktop in SafeMode.

    To fix this:
    1. Open Terminal
    2. type: sudo apt update
    3. Apt will check for all packages that need updates
    4. type: sudo apt upgrade
    5. Apt will upgrade all packages that were not upgraded during the GUI updates.
    6. Reboot
    Then I was greeted with my Cinnamon desktop.

    I'm not sure why some of the packages were missed just because I didn't install Nvidia 390?
    Apt Update seemed to handle all of it just fine.
  15. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Thank you Gizmo for a detailed explanation!
    I'm happy to have mostly AMD processors and Linux Operating Systems.
  16. cloasters

    cloasters Moderator

    Thank you booman and Gizmo for your very helpful posts!

    Previous instructions I've tried to follow don't let me update my Mint Cinnamon 17.3.
    My machine refuses to see 18.1 and 18.3 updates. And doesn't ask for them either.

    Now that there seems to be a good fix available for 18.3 I'm in trouble for not updating my OS to 18.3. Arrgh.
  17. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    There are Terminal commands to install the newest upgrade, but I'm not sure if you are supposed to do them in sequence or not.
    If you are on 17.3 then there should be a specific command to install 18.1 or even 18.3
    I'll look it up. I've done it before and it worked.
  18. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

  19. ThunderRd

    ThunderRd Irreverent Query Chairman Staff Member

    The 965 Black Edition saga has been moved to the Hardware forum.

    Let's keep this thread for Spectre and Meltdown mitigation, boys.
  20. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Thanks! We couldn't control ourselves :p