
Thread: CPU critical bugs Meltdown and Spectre

  1. #1
    Join Date
    Jul 2008
    Location
    United Kingdom
    Posts
    307

    CPU critical bugs Meltdown and Spectre

    I am a little confused by this as some sites say all modern CPUs are affected... whilst AMD say they are only partly affected. I don't think Intel's press statements have helped. Anyway, as someone who owns AMD-based PCs, do I need to do anything special with the kernel? Or has this been patched properly by openSUSE? I have had my kernel patched today along with "ucode-intel"; the latter has me puzzled as I have purely AMD...

  2. #2
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    1,536

    Re: CPU critical bugs Meltdown and Spectre

    The following patches were issued today:
    Code:
     > zypper list-patches --all | grep 2018
    Hauptaktualisierungs-Repository | openSUSE-2018-1    | security    | important | ---         | applied    | Security update for kernel-firmware
    Hauptaktualisierungs-Repository | openSUSE-2018-2    | security    | important | reboot      | applied    | Security update for the Linux Kernel
    Hauptaktualisierungs-Repository | openSUSE-2018-4    | security    | important | ---         | applied    | Security update for ucode-intel
     >
    The AMD firmware is updated with "openSUSE-2018-1":
    Code:
     > zypper patch-info openSUSE-2018-1
    Loading repository data...
    Reading installed packages...
    
    
    Information for patch openSUSE-2018-1:
    --------------------------------------
    Repository  : Hauptaktualisierungs-Repository
    Name        : openSUSE-2018-1
    Version     : 1
    Arch        : noarch
    Vendor      : maint-coord@suse.de
    Status      : applied
    Category    : security
    Severity    : important
    Created On  : Thu Jan  4 11:41:53 2018
    Interactive : ---
    Summary     : Security update for kernel-firmware
    Description :
        This update for kernel-firmware fixes the following issues:
    
        - Add microcode_amd_fam17h.bin (bsc#1068032 CVE-2017-5715)
    
        This new firmware disables branch prediction on AMD family 17h
        processor to mitigate a attack on the branch predictor that could
        lead to information disclosure from e.g. kernel memory (bsc#1068032
        CVE-2017-5715).
    
        This update was imported from the SUSE:SLE-12-SP2:Update update project.
    Provides    : patch:openSUSE-2018-1 = 1
    Conflicts   : [3]
        kernel-firmware.noarch < 20170530-14.1
        kernel-firmware.src < 20170530-14.1
        ucode-amd.noarch < 20170530-14.1
    
     >
    The openSUSE standpoint is published here: <https://news.opensuse.org/2018/01/04...lnerabilities/>.
    The SUSE standpoint (pointed to by the openSUSE statement) is published here: <https://www.suse.com/c/suse-addresse...lnerabilities/>.

    This Raspberry Pi statement has some detailed background information: <https://www.raspberrypi.org/blog/why...e-or-meltdown/>.

    There's also a small discussion going on in "General Chit-Chat": <https://forums.opensuse.org/showthre...hinkin-R-Brown>.

  3. #3
    Join Date
    Jul 2008
    Location
    United Kingdom
    Posts
    307

    Re: CPU critical bugs Meltdown and Spectre

    Thanks for your in-depth response; I will check out those links... just to confuse myself further. Actually it's quite fascinating when you dig into these bug fixes; or is it just me? And thanks for the zypper code, it looks like I'm patched; just confusing when I saw that Intel install...

  4. #4
    Join Date
    Apr 2013
    Location
    Frankfurt, Germany
    Posts
    49

    Re: CPU critical bugs Meltdown and Spectre

    Hi gentlefolks,

    A question about the patch.

    The patch info says:

    As this feature can have a performance impact,
    it can be disabled using the "nospec" kernel commandline option.

    This feature can be enabled / disabled by the "pti=[on|off|auto]"
    or "nopti" commandline options.

    Only if the options 'nospec' and 'nopti' are set the vulnerabilities are closed?

    Best regards.

  5. #5

    Re: CPU critical bugs Meltdown and Spectre

    Quote Originally Posted by AchimKl
    Only if the options 'nospec' and 'nopti' are set the vulnerabilities are closed?

    No, it's exactly the opposite.

    These options *DISABLE* the fixes.

    They should be enabled by default (for affected CPUs), so there's nothing to be done manually.

  6. #6
    Join Date
    Jan 2016
    Location
    UK
    Posts
    450

    Re: CPU critical bugs Meltdown and Spectre

    I have just tried the list-patches command on my system after updating today and nothing shows. How do I find out why these patches have not been installed? Have I got something wrong in my setup? If I list the patches without the grep all I get is:-

    Code:
    zypper list-patches --all 
    Loading repository data...
    Reading installed packages...
    
    Repository                 | Name                                | Category    | Severity  | Interactive | Status     | Summary                            
    ---------------------------+-------------------------------------+-------------+-----------+-------------+------------+------------------------------------
    openSUSE-Tumbleweed-Update | update-test-32bit-pkg               | recommended | moderate  | ---         | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-affects-package-manager | recommended | moderate  | restart     | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-feature                 | feature     | moderate  | ---         | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-optional                | optional    | moderate  | ---         | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-reboot-needed           | recommended | important | reboot      | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-relogin-suggested       | recommended | moderate  | ---         | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-security                | security    | critical  | ---         | not needed | Test-update for openSUSE Tumbleweed
    openSUSE-Tumbleweed-Update | update-test-trival                  | recommended | low       | ---         | not needed | Test-update for openSUSE Tumbleweed

    Stuart

  7. #7
    Join Date
    Apr 2013
    Location
    Frankfurt, Germany
    Posts
    49

    Re: CPU critical bugs Meltdown and Spectre

    Thanks for the answer.

    Quote Originally Posted by wolfi323
    No, it's exactly the opposite.

    These options *DISABLE* the fixes.

    They should be enabled by default (for affected CPUs), so there's nothing to be done manually.

    Ok, for the crazy guys who want more performance than security.

    Best regards.

  8. #8

    Re: CPU critical bugs Meltdown and Spectre

    Quote Originally Posted by broadstairs
    I have just tried the list-patches command on my system after updating today and nothing shows. How do I find out why these patches have not been installed? Have I got something wrong in my setup? If I list the patches without the grep all I get is:-

    You are using Tumbleweed, and these security fixes have been released as a normal kernel update in the main repo, like any other kernel update.

    "list-patches" only lists special updates (so-called "patches") from the official update repo though.

    Check the version of the kernel-default and ucode-intel/ucode-amd packages, and/or the package changelogs, to see whether you got the fixes.

    Or run "lscpu", it should either show "kaiser" or "pti" in the list of flags (if you are using an Intel CPU).
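
The two checks discussed in posts #5 and #8 (boot options that switch the fixes off, and the "pti"/"kaiser" CPU flag) can be combined in one script. This is an added example, not part of the original thread or of openSUSE's tooling; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: combine the indicators named in this thread into one verdict.

# cmdline_disables <kernel-command-line>
# Prints every option from the patch info that turns a fix off.
cmdline_disables() {
    found=""
    set -f                      # do not glob-expand command-line words
    for opt in $1; do
        case "$opt" in
            nopti|pti=off|nospec) found="$found $opt" ;;
        esac
    done
    set +f
    echo "${found# }"
}

# pti_flag <cpuinfo-text>
# Prints "pti" or "kaiser" if a flags line carries it, otherwise nothing.
pti_flag() {
    printf '%s\n' "$1" | awk -F: '/^flags/ {
        n = split($2, f, " ")
        for (i = 1; i <= n; i++)
            if (f[i] == "pti" || f[i] == "kaiser") { print f[i]; exit }
    }'
}

# assess <kernel-command-line> <cpuinfo-text>: one-line verdict.
assess() {
    off=$(cmdline_disables "$1")
    flag=$(pti_flag "$2")
    if [ -n "$off" ]; then
        echo "DISABLED by boot option(s): $off"
    elif [ -n "$flag" ]; then
        echo "page table isolation active (flag: $flag)"
    else
        echo "no pti/kaiser flag (kernel not updated, or CPU not treated as affected)"
    fi
}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_CMDLINE_OK='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 quiet'
SAMPLE_CMDLINE_OFF='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 nopti nospec'
SAMPLE_CPUINFO_PTI='flags : fpu vme de pse tsc msr pae sse sse2 syscall nx lm pti'
SAMPLE_CPUINFO_NONE='flags : fpu vme de pse tsc msr pae sse sse2 syscall nx lm'

assess "$SAMPLE_CMDLINE_OK"  "$SAMPLE_CPUINFO_PTI"
assess "$SAMPLE_CMDLINE_OFF" "$SAMPLE_CPUINFO_NONE"
```

On a live system the same verdict comes from `assess "$(cat /proc/cmdline)" "$(cat /proc/cpuinfo)"`.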

  9. #9

    Re: CPU critical bugs Meltdown and Spectre

    Quote Originally Posted by AchimKl
    Ok, for the crazy guys who want more performance than security.

    Yes, apparently.

    But likely also (partly at least) because the fixes may cause problems...
    http://bugzilla.opensuse.org/show_bug.cgi?id=1074869

  10. #10
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    17,384
    Blog Entries
    13

    Re: CPU critical bugs Meltdown and Spectre

    I must be lucky. Fully up to date TW, so patched, and experiencing no performance loss, at least not yet.