Page 1 of 2 (results 1 to 10 of 18)

Thread: Meltdown/Spectre vulnerabilities and Tumbleweed

  1. #1

    Meltdown/Spectre vulnerabilities and Tumbleweed

    I just read in opensuse news that the long-term support 4.4 kernel has been patched against Meltdown/Spectre vulnerabilities, but that the 4.14.12 kernel hasn't.


    https://news.opensuse.org/2018/01/11...in-tumbleweed/


    I also read that Intel has released a new microcode patch to address Meltdown/Spectre --


    http://news.softpedia.com/news/intel...e-519316.shtml


    -- and that this microcode is available in the openSUSE repositories.


    http://news.softpedia.com/news/opens...0-519339.shtml


    So-oo, I took a look in Yast, found ucode-intel with a date of 20171117-2.1. I tried to update; nothing happened. Will a later version arrive with upcoming Tumbleweed snapshots? Will I even need to care about the microcode, if an upcoming kernel addresses Meltdown/Spectre in other ways?


    Fellow Tumbleweed users, I'm confused about what to do, if anything! I know a rolling distro lives in a different world than conventional releases. How are you dealing with the vulnerability on your systems?

  2. #2

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    Quote Originally Posted by Tuner:
    I just read in opensuse news that the long-term support 4.4 kernel has been patched against Meltdown/Spectre vulnerabilities, but that the 4.14.12 kernel hasn't.


    https://news.opensuse.org/2018/01/11...in-tumbleweed/
    That must be a mistake.
    Both 4.14.11 and 4.14.12 do have patches for these vulnerabilities, they even caused problems for users (32bit applications crashing on AMD CPUs, system not booting/freezing).
    4.14.13 should have some more fixes (for the problems in particular).

    So-oo, I took a look in Yast, found ucode-intel with a date of 20171117-2.1. I tried to update; nothing happened. Will a later version arrive with upcoming Tumbleweed snapshots?
    The latest update is in the queue and should be in one of the next Tumbleweed snapshots.
    https://lists.opensuse.org/opensuse/.../msg00422.html

    IIANM, that 20171117 does contain fixes already, for some CPUs.

    Will I even need to care about the microcode, if an upcoming kernel addresses Meltdown/Spectre in other ways?
    Sure.
    The MELTDOWN vulnerability is a "bug" in the CPUs themselves, and can only be fixed with a firmware update AIUI. (although part of the fix is in the kernel)

    How are you dealing with the vulnerability on your systems?
    Not at all.
    Except for installing available updates as usual.
    Last edited by wolfi323; 12-Jan-2018 at 05:43.

  3. #3

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    Thanks for the response, Wolf. In that case, it sounds like I should keep an eye out for new snapshots, run zypper dup as usual, and take no other measures.

    One less worry!

  4. #4

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    At the moment,
    Based on varied reports it's likely that patches will be replaced as time goes on due to many reasons, among them that we're discovering that designs and implementations haven't always been exactly as publicized, and the installed features of the many CPUs affected. In fact, because of some of these heretofore unknown inconsistencies, some systems have been crashing... And this is without regard to the running OS.

    Some openSUSE Forum discussions on this topic, current up to a few days ago so probably very little change as of this post

    https://forums.opensuse.org/showthre...ybe-noticeable
    https://forums.opensuse.org/showthre...hinkin-R-Brown

    The second link is to a thread that points to a script that evaluates your system's exposure and vulnerability, both software and hardware.
    Because it's likely that there will be new patches and patches replaced, you will likely want to run the script multiple times for the foreseeable future to regularly check your current status.

    IMO,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    Quote Originally Posted by wolfi323:
    The MELTDOWN vulnerability is a "bug" in the CPUs themselves, and can only be fixed with a firmware update AIUI.
    Sorry, that's wrong. Meltdown is avoided (not really fixed) in software by hiding kernel address space from user programs. Microcode updates are not related to Meltdown, but are used by one of mitigation techniques for one Spectre variant - disabling branch prediction across critical code. This requires new microcode that implements support for new instructions (and CPU features).

  6. #6

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    Quote Originally Posted by tsu2:
    The second link is to a thread that points to a script that evaluates your system's exposure and vulnerability, both software and hardware.
    Because it's likely that there will be new patches and patches replaced, you will likely want to run the script multiple times for the foreseeable future to regularly check your current status.
    The use of that evaluation script received rather short shrift on bugzilla: https://bugzilla.opensuse.org/show_b...d=1068032#c159
    Regards, Paul

  7. #7

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    Quote Originally Posted by arvidjaar:
    Microcode updates are not related to Meltdown, but are used by one of mitigation techniques for one Spectre variant - disabling branch prediction across critical code. This requires new microcode that implements support for new instructions (and CPU features).
    Yeah, that's what I was thinking of actually.
    Seems I confused the two...

  8. #8

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    Quote Originally Posted by tannington:
    The use of that evaluation script received rather short shrift on bugzilla: https://bugzilla.opensuse.org/show_b...d=1068032#c159
    Is why in my post I described what I saw the script doing... at the time I posted, the script did not run PoC.

    BUT,
    I don't agree with the evaluation that such scripts give people a false sense of security.
    At the time I posted, the script does plenty while depending on the work of people we already trust... The openSUSE and kernel maintainers and possibly other trusted contributors. It's not much different than any other code we trust when running openSUSE.

    And,
    As I pointed out in that second thread,
    By the time I posted again only a couple days later, the script had changed substantially to reflect evolving input to the author of the script.

    Bottom line,
    The script is not meant to be a PoC of any vulnerability, and even today I would consider even a PoC possibly suspect depending on how it's written because these vulnerabilities might be susceptible to other vectors than are tested (eg published Javascript Spectre PoC, but what about other languages and vectors, eg pipes instead of networking?)

    IMO even today it's possibly too early to understand the scope of possible attack vectors and this is important when current Spectre patches appear to try to block only the attack vector when we don't yet know how to fix the source of the problem.

    As ordinary Users (assuming my audience doesn't include people actually trying to write code), IMO a scanning tool like the script can serve a useful purpose, to know if you're protected as best as possible at that moment (but, keep checking until some announcement that the vulnerabilities are fixed once and for all).

    IMO,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  9. #9

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    So what is happening about openSUSE Tumbleweed and these vulnerabilities?

    because CPUINFO still claims it is there

    bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass
    bogomips : 6384.00
    clflush size : 64
    cache_alignment : 64
    address sizes : 39 bits physical, 48 bits virtual
    power management:

    uname -a
    Linux ra 4.17.5-1-default #1 SMP PREEMPT Mon Jul 9 07:29:02 UTC 2018 (3ff6a16) x86_64 x86_64 x86_64 GNU/Linux

  10. #10

    Re: Meltdown/Spectre vulnerabilities and Tumbleweed

    what does
    cat /sys/devices/system/cpu/vulnerabilities/*
    say?
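    The check post #10 asks for, as a small script added to this thread (it is not the forum's, openSUSE's or any poster's script). The "bugs:" line of /proc/cpuinfo quoted in post #9 lists the hardware errata the CPU has and does not change when a mitigation is active, so it cannot tell you whether you are protected; the files under /sys/devices/system/cpu/vulnerabilities report what the kernel is actually doing about each one (for example "Mitigation: PTI" for meltdown, which is the kernel-side address-space hiding post #5 describes). The sysfs path is the real one; the sample values the script falls back to when that directory is absent are constructed for illustration and come from no real machine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the kernel's own mitigation
# report under /sys/devices/system/cpu/vulnerabilities. The "bugs:" line in
# /proc/cpuinfo lists hardware errata and never changes with mitigations.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities   # real sysfs path

# classify_status STATUS: map one sysfs status string to a short class.
# Kernels print strings such as "Not affected", "Mitigation: PTI",
# "Mitigation: Full generic retpoline" or "Vulnerable".
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# count_vulnerable DIR: number of entries in DIR whose status is "Vulnerable".
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = "vulnerable" ] && n=$((n + 1))
    done
    echo "$n"
}

# report_dir DIR: one line per entry, "<name> <class> <raw status>".
report_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-20s %-13s %s\n' "$(basename "$f")" \
            "$(classify_status "$status")" "$status"
    done
}

# make_sample_dir: constructed stand-in for the sysfs directory so the script
# runs offline. The values are illustrative, not taken from any real machine.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                        > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n'      > "$d/spectre_v2"
    printf 'Vulnerable\n'                              > "$d/spec_store_bypass"
    echo "$d"
}

main() {
    if [ -d "$SYSFS_VULN_DIR" ]; then
        dir=$SYSFS_VULN_DIR
        echo "Kernel mitigation status from $dir:"
    else
        dir=$(make_sample_dir)
        echo "No $SYSFS_VULN_DIR on this system; using constructed sample data:"
    fi
    report_dir "$dir"
    echo "Entries still reported as Vulnerable: $(count_vulnerable "$dir")"
}

main "$@"
```

    Run it after each `zypper dup` and reboot: an entry that moves from "Vulnerable" to "Mitigation: ..." means the new kernel (or, for spectre_v2 on Intel, the new kernel together with the ucode-intel package) has taken effect, which is the information the cpuinfo "bugs:" line cannot give.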
