SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
IIRC you need a microcode update that allows you to disable the speculative store bypass. However, there is a noticeable performance penalty to doing this.
The performance impact depends on how you use your machine.
Compiled and installed 4.4.148 on Slackware64 14.2 + MultiLib.
I've got the 'Page Table Inversion' mitigation for the l1tf vulnerability with the 4.4.148 kernel.
-- kjh
Can you please check if you have anything related to the l1tf (&co) in the kernel log (dmesg). Maybe you remember our recent discussion about the CVE-2018-3639 (SSB) and the need for a capable microcode for full mitigation. If I understood it correctly, mitigating CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 also require an updated microcode, not sure if the (latest) Q2 2018 microcode updates, that are mentioned on some web pages as required, contain what is actually needed for the mitigation.
I'm also not sure what CPUs are actually affected, Intel apparently doesn't know that either:
(bottom list - The following Intel-based platforms are potentially impacted by these issues. Intel may modify this list at a later time.) https://www.intel.com/content/www/us...-sa-00161.html
In my original post in the Slackware security thread I mentioned that these bugs came with the introduction of the Intel SGX technology in 2015 and considered that due to the architectural changes only the CPUs manufactured after that were vulnerable. Also understood that CVE-2018-3620, CVE-2018-3646 were discovered by investigating the bugs related to Intel SGX, first reported in March. I edited that post twice, because I wanted to keep it clear and unbiased by my understanding/confusion. But maybe we should have a separated thread about this issue without polluting this kernel related thread - however, a dmesg output can provide some details here.
Thanks!
RedHat published some details about these vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) and are stating, without mentioning the exact CVE - sloppy work, that only CVE-2018-3615 - the one related solely for Intel SGX - needs a microcode update: https://access.redhat.com/security/vulnerabilities/L1TF
"There are three pieces to this vulnerability. The first affects only Intel “SGX” secure enclaves and is mitigated through microcode updates independently of the operating system. "
and:
"CVE-2018-3620 is the CVE identifier assigned to the operating system vulnerability for this issue. CVE-2018-3646 is the CVE identifier assigned to the virtualization aspect of the flaw. This issue is referred to as L1 Terminal Fault (L1TF) by the larger industry and as “Foreshadow” by the security researcher."
Which reads that only CVE-2018-3620 needs to be mitigated by the kernel, CVE-2018-3646 being only the "virtualization aspect of the flaw".
Unless someone else comes with a better understanding about the "pieces" (of sh...?), or Intel publishes some more concrete details and the CPUs actually affected, I take this RedHat view of the facts as satisfactory ATM.
Please disconsider my request for the dmesg related output, carry on with the good work on compiling and testing the kernels.
I suppose I can update my report, since it was useful to a few users...
I'm running an Intel "Lynnfield" Xeon x3450 CPU released in 2009. I have installed the latest ucode 0xa (microcode-20180807 SBo, from slackbuilds.org). Now, with the latest 4.4.148 kernel on slackware64-14.2, I get the following mitigations:
for FNAME in $( ls /sys/devices/system/cpu/vulnerabilities/* )
do
echo -e $( basename $FNAME ):"\t" $( cat $FNAME )
done
Note that, I use the kernel parameter spec_store_bypass_disable=on in lilo:
addappend = " spec_store_bypass_disable=on "
This makes all processes/threads "globally mitigated" when you look at their status with cat /proc/<pid>/status. Otherwise, the default is that they are vulnerable. There may be a performance impact, but I am not noticing it while running my ordinary desktop apps and older games (GeForce GT240). My CPU governor (cpufreq-set/info) is ondemand.
For Intel Lynnfield CPUs, the ucode 0xa adds CPU feature flags listed in /proc/cpuinfo. With kernel 4.4.148, a new CPU flag appears: flush_l1d. According to information that I read elsewhere, if flush_l1d is present, then the l1tf mitigation (Page Table Inversion) will use the flush_l1d feature for optimized performance or minimal performance impact.
The conclusion is that, the old Lynnfield has ucode 0xa and mitigations for the latest CPU bugs. The Xeon x3450 has been running stable, with no problems. The system normally runs 24/7 with ECC RDIMM and never has errors or lockups.
Can you please check if you have anything related to the l1tf (&co) in the kernel log (dmesg). Maybe you remember our recent discussion about the CVE-2018-3639 (SSB) and the need for a capable microcode for full mitigation. If I understood it correctly, mitigating CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 also require an updated microcode, not sure if the (latest) Q2 2018 microcode updates, that are mentioned on some web pages as required, contain what is actually needed for the mitigation.
I'm also not sure what CPUs are actually affected, Intel apparently doesn't know that either:
(bottom list - The following Intel-based platforms are potentially impacted by these issues. Intel may modify this list at a later time.) https://www.intel.com/content/www/us...-sa-00161.html
In my original post in the Slackware security thread I mentioned that these bugs came with the introduction of the Intel SGX technology in 2015 and considered that due to the architectural changes only the CPUs manufactured after that were vulnerable. Also understood that CVE-2018-3620, CVE-2018-3646 were discovered by investigating the bugs related to Intel SGX, first reported in March. I edited that post twice, because I wanted to keep it clear and unbiased by my understanding/confusion. But maybe we should have a separated thread about this issue without polluting this kernel related thread - however, a dmesg output can provide some details here.
Thanks!
BEGIN EDIT:
oops ... should have read your next post:
Quote:
Originally Posted by abga
@kjhambrick
RedHat published some details about these vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) and are stating without mentioning the exact CVE - sloppy work, that only CVE-2018-3615 - the one related solely for Intel SGX - needs a microcode update ...
<<snip>>
Unless someone else comes with a better understanding about the "pieces" (of sh...?), or Intel publishes some more concrete details and the CPUs actually affected, I take this RedHat view of the facts as satisfactory ATM.
Please disconsider my request for the dmesg related output, carry on with the good work on compiling and testing the kernels.
For those of us staying on 14.2 -
I have updated to the latest 4.4 kernel (4.4.148) provided at Dave’s Unofficial Slackbuilt Kernels ( https://blog.idlemoor.tk/dusk/ ) plus updated to the latest firmware (20180807) applicable to my CPU (x86_64 Intel(R) Core(TM) i5-2540M) via an updated SBo intel-microcode SlackBuild ( https://slackbuilds.org/repository/1...tel-microcode/. )
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
Please note that [L1 terminal fault] was not reported as NOT VULNERABLE until 4.4.148, and that the previous intel-microcode (20180703) did not correct the [rogue system register read] issue for my situation.
I really must thank this forum and all contributors to this thread (especially those who contribute to the urls I mentioned) for helping to keep my setup safer.
@kjhambrick
Thanks for providing those dmesg snippets, as you've noticed, there's not much info to be found there related to these new vulnerabilities and no connection with the microcode in the kernel patch that made it to the release stage.
I was confused by this latest "coordinated disclosure of security vulnerabilities" together with the "partners". There are even pledges: https://www.intel.com/content/www/us...-security.html
@All
Thanks for all the details provided in this thread related to these new Intel CPU issues.
I did myself provide some updates on the (more appropriate) Slackware security thread: https://www.linuxquestions.org/quest...ml#post5892385
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.