On Fri, Jan 05, 2018 at 02:28:04PM -0800, Paul Rogers wrote:
> I have been searching and reading intently for the past day also.  I am 
> disappointed by the rush to republish and dearth of solid data beyond the 
> Proof of Concept.
> 

Yes, it's hard finding accurate information - the whole thing was
originally under NDA until, I believe, 9th January - but it filtered
out earlier after somebody worked out what some of it was about.

> Apparently in theory Spectre haunts all processors back to the Pentium Pro.  
> There is very little solid evidence of what steppings of what processors are 
> vulnerable.  Intel changes masks often enough that it's NOT clear that every 
> processor will have similar exposure, e.g. the infamous ancient FDIV bug 
> only affected certain steppings of one of the P54 CPUs.  I'm not betting 
> anybody will critically evaluate the older CPUs still in service, e.g. my two 
> Core2 Duos and one Core2 Quad Extreme, i7/940 & 870, even a few Pentium 3's, 
> Coppermine, Tualatin and even Esther.  
> 

Please distinguish the two named vulnerabilities:

Meltdown (one CVE, worked around by PTI and apparently only applying
to Intel, although AMD users who enabled BPF in the kernel might be
affected)

Spectre (two CVEs, apparently affects all Intel CPUs since the
PP, except for some Atoms from before 2013, and similarly all modern
AMD processors, as well as many other architectures).

Meltdown is the initial issue; for Spectre I think it is safe to
assume that all recent x86 except those Atoms can be cracked, given
time.  On a desktop, the main line of attack is probably JIT
compilers such as JavaScript.  On servers, an attacker running in a
VM to attack the host and other users is probably the most urgent
problem.

Where Intel release new firmware, it will be to mitigate Spectre.
Kernel developers are now able to talk to each other and possible
mitigating steps are under discussion - but I doubt any of them will
be in the 4.15.0 kernel.  But hopefully something will eventually
get into later 4.14 kernels.

> Likewise, I'm not betting kernel patches will get pushed down to the kernels 
> that support those old systems.  ext3 is not supported in the latest kernels, 
> so instructions to install the latest kernels will leave many systems 
> non-functional.  I think patches need to be pushed back to 3.19 kernels.
> 

The ext3 filesystem is still available in 4.14.

But from reading recent posts on lkml, the PTI code in 4.14/4.15 is
very different from the earlier KAISER code that was backported to
4.9 and 4.4 - there seem to be nasty areas, and I would recommend
moving to 4.14 (the current longterm stable release) if you can.

> I'm making plans for patching kernels, and identifying systems that CAN be.  
> But I'll wait a few days for patches to solidify.  There are significant 
> infrastructure issues all around.  Not to mention (Windows & Linux) "kernel" 
> support for all the systems in commercial service in hospitals, grocery 
> stores, and offices that will never be updated.

For all the systems that will never be updated (including most
phones), there isn't a lot we can do.

As for waiting a few days - yes, there are still problems.  I'll be
moving my (home) server (currently LFS-8.1 but running a 4.9 kernel)
to 4.14.12 over the weekend if I have time (and that is not certain),
but I'm expecting that I might have to revert to the current kernel.
This has all been rushed, and much of the rationale was secret, so
it's inevitable that issues will continue to show up for a while.

When this first surfaced, there was talk of using the nopti boot
argument - I am now very reluctant to recommend that unless people
fully understand the vulnerability (I don't) and what they are
running and who can access it.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
                                     - Unseen Academicals
-- 
http://lists.linuxfromscratch.org/listinfo/lfs-support
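The message above advises against the nopti boot argument and recommends moving to a 4.14 kernel with the PTI code. As an added example, not from the thread or the LFS project, here is a POSIX sh script that reports the Meltdown status of a host from the kernel's own interfaces: the nopti / pti=off arguments on the kernel command line, and the meltdown file under /sys/devices/system/cpu/vulnerabilities/ (that directory is assumed to exist only on kernels new enough to report it; older ones are reported as "unknown"). The file paths are parameters so the function runs on constructed inputs offline; on a live system pass /proc/cmdline and the sysfs directory.

```shell
#!/bin/sh
# Added example: classify a host's Meltdown mitigation state.
# Assumptions (not from the thread): the kernel exposes
# /sys/devices/system/cpu/vulnerabilities/meltdown with one of the
# strings "Not affected", "Mitigation: ..." or "Vulnerable...", and
# the boot arguments are readable from /proc/cmdline.

# pti_status CMDLINE_FILE VULN_DIR
# Prints exactly one of:
#   disabled-by-cmdline  KPTI switched off with nopti or pti=off
#   not-affected         kernel says this CPU is not affected
#   mitigated            kernel reports an active mitigation (PTI)
#   vulnerable           kernel reports no mitigation
#   unknown              kernel too old to report, or unrecognised text
pti_status() {
    cmdline_file=$1
    vuln_dir=$2

    # Walk the boot arguments word by word; either spelling turns PTI off.
    for arg in $(cat "$cmdline_file" 2>/dev/null); do
        case "$arg" in
            nopti|pti=off)
                echo disabled-by-cmdline
                return 0
                ;;
        esac
    done

    meltdown="$vuln_dir/meltdown"
    if [ ! -r "$meltdown" ]; then
        # No sysfs report: a kernel from before the interface was added.
        echo unknown
        return 0
    fi

    case "$(cat "$meltdown")" in
        "Not affected")  echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# vuln_report VULN_DIR
# Prints "name: text" for every entry the kernel exposes (meltdown,
# spectre_v1, spectre_v2, ...), so the full picture is visible at once.
vuln_report() {
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Demonstration on constructed inputs (labelled constructed; a real run
# would use /proc/cmdline and /sys/devices/system/cpu/vulnerabilities).
demo=$(mktemp -d)
mkdir -p "$demo/vulns"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet\n' > "$demo/cmdline"
printf 'Mitigation: PTI\n' > "$demo/vulns/meltdown"
printf 'Vulnerable\n'      > "$demo/vulns/spectre_v2"
echo "meltdown status: $(pti_status "$demo/cmdline" "$demo/vulns")"
vuln_report "$demo/vulns"
rm -rf "$demo"
```

On a real host the call is `pti_status /proc/cmdline /sys/devices/system/cpu/vulnerabilities`. The "unknown" result is deliberately separate from "vulnerable": a kernel that cannot report its state is exactly the case the message describes (an older kernel with an early KAISER backport, or none at all), and it should be investigated rather than assumed safe.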