People who follow the news will be aware that big changes have been rushed into the linux kernel (and changes are/have been also rolled out by microsoft, and apparently by apple).
There are two vulnerabilities, with the shiny names of Meltdown and Spectre. Both refer to ways of userspace finding where the kernel has been mapped, to try to do harm. Page Table Isolation addresses the first of these. Google claim it affects some AMD processors, AMD deny this. This started out under the name of KAISER, as an apparently theoretical hardening, but at one point (I suppose once those in the know realised it was a real issue) Forcefully Unmap Complete Kernel With Interrupt Trampolines was suggested before Page Table Isolation became the preferred name. In particular, note that userspace in a VM can exploit this to read data from the host or other VMs, which is why cloud providers are updating. PTI has been pushed into 4.15-rc6 as a matter of urgency, and added to 4.14.11 with backports to 4.9 and 4.4 in progress. Most testing, particularly by the 0-day kernel bot, has been on Intel hardware and running this on AMD has uncovered some problems which have been addressed in linus's tree and which will be in 4.14.12. With 4.14.12, if PTI is selected it will not be used at runtime on an AMD machine with the default auto option, although I think it can be forced by specifying the 'pti' boot argument. If a kernel has been built with PTI, it can be disabled by specifying 'nopti' in the command line. Once a kernel has booted, PTI cannot be enabled or disabled until you reboot. If you are running with PTI enabled, dmesg will show Kernel/User page tables isolation: enabled Obviously, the effect of this will vary with the workload. Figures of 5% to 30% are being suggested. So, on my SandyBridge i3 I've been running some build tests, first on 4.14.0 and then on 4.14.11 with PTI. Please bear in mind that because of the length of time these tests take, I've only run each set once. Linux is not a RTOS, and I have noticed some variation in the past when repeating tests to measure build times. I *guess* that a variation of plus or minus 2% is normal. From these tests, the following points are perhaps worth noting: kernel compilation : within normal variation (ok, it was quicker on the newer kernel, but only by 2 seconds) Running my script to rebuild binutils pass 1 on a completed system to get an updated SBU : 135.083s became 135.498s so no change. Building rustc-1.22.1 with Python3, running the tests and doing a DESTDIR install - 1.2% slower which I regard as within normal variation. Building firefox-57.0.3 and installing it in /opt : for this I used a variation of my normal script (first I tried pasting all the commands, but obviously got something wrong because rust panicked). This showed a speed reduction of 5.8% which is significant, but random screensavers were running and maybe affected this. git-2.15.1 with the tests : 3.9% slower. openssl-1.1.0g including make test : 3.4% slower asymptote-2.41 : within normal variation QupZilla-2.2.3 : 2.4% slower ImageMagick-7.0.7-11 : 2.4% slower for the build, but 7.6% slower running tests/validate. ffmpeg-3.4.1 (without tests) : within normal variation My latex-test-20160905 tests : within normal variation. Summary - although it has been noted that running postgresql on a laptop was significantly affected by PTI, I think that for most BLFS users the effect will be slight. The Spectre vulnerability is more general, and apparently much harder to exploit. It is claimed to affect almost all modern processors. Apparently, anything using a JIT compiler, e.g. javascript, can be hacked. Steps to mitigate this in the kernel are now being discussed, but this might require additions to gcc. Intel are also in the process of releasing new firmware for processors released in the last 5 years. The current firmware is now 20171117 but I'm not sure if that is up to date (it might be!) https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?v=t ĸen -- Truth, in front of her huge walk-in wardrobe, selected black leather boots with stiletto heels for such a barefaced truth. - Unseen Academicals -- http://lists.linuxfromscratch.org/listinfo/lfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page Do not top post on this list. A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? http://en.wikipedia.org/wiki/Posting_style