Intel processors with a security bug

francois
Contributor
Posts: 5291
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Y fait frette et on gèle

Post#1 by francois » 06 Jan 2018, 22:52

Intel says processor bug isn’t unique to its chips ...
https://www.theverge.com/2018/1/3/16846 ... g-response

https://www.linuxquestions.org/question ... ost5802603
linux-4.9.75-gentoo finally contains the fix. Pulled the tree in today:
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] (NEW) Y

But there is no reference to the original gentoo thread.

This thread is the place for any future development or fixes that would come on slackware or porteus.

Note: This thread has been motivated by wii07's question on the mchat. :)
Carpe diem.




wii07
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Post#2 by wii07 » 06 Jan 2018, 23:14

Before anything can be done, we need a new kernel for porteus 3.2.2, or can the page table isolation be somehow deactivated/removed in the actual 4.9.0-porteus kernel?

For the people using Chrome or Chromium, make sure to update them to the latest version (63.0.3239.108 at the moment) and then activate the site isolation in the settings:

chrome://flags/#enable-site-per-process

ncmprhnsbl
DEV Team
Posts: 1182
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia

Post#3 by ncmprhnsbl » 07 Jan 2018, 00:18

wii07 wrote (06 Jan 2018, 23:14):
can the page table isolation be somehow deactivated/removed in the actual 4.9.0-porteus kernel?
don't think so, it's a compile-time option afaik
neko appears to be aware of it: Porteus Kernel Builder (Post by neko #61508)
but seems not to have implemented it .. yet... ? or have i got that the wrong way round :%)
i suspect brokenman will be on to this, as soon as he returns from the wilderness
Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

wii07
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Post#4 by wii07 » 07 Jan 2018, 03:53

i was trying for hours now to compile a new kernel with version 4.9.75 and the PAGE_TABLE_ISOLATION fix but i did not get it to work.

my new 000-kernel.xzm created with the porteus kernel builder is only around 19mb in size (the old one around 40mb) and when i replace it and reboot, i get a messed up resolution and no wlan adapter anymore and so on.

besides that i don't understand if PAGE_TABLE_ISOLATION should be turned on or off. in my understanding neko writes it should be set to on:

"Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [N/y/?] (NEW) n"

but in my understanding and after some google research it should be turned off, so you have to choose y instead of n as the option?

https://www.linuxquestions.org/question ... 175620991/

i'm really confused now (besides the problem that my newly built 000-kernel.xzm isn't working properly anyway).

maybe someone already has a 000-kernel.xzm build in version 4.9.75 with the PAGE_TABLE_ISOLATION properly fixed and is willing to share it for porteus 3.2.2 64bit xfce?

ncmprhnsbl
DEV Team
Posts: 1182
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia

Post#5 by ncmprhnsbl » 07 Jan 2018, 06:32

wii07 wrote (07 Jan 2018, 03:53):
my new 000-kernel.xzm created with the porteus kernel builder is only around 19mb in size (the old one around 40mb) and when i replace it and reboot, i get a messed up resolution and no wlan adapter anymore and so on.
sounds like you're missing the firmware.. you might be able to use the /lib/firmware from the old kernel module.
wii07 wrote (07 Jan 2018, 03:53):
but in my understanding and after some google research it should be turned off, so you have to choose y instead of n as the option?
yes

CONFIG_PAGE_TABLE_ISOLATION=y

is what we want..
to test if it is working: (from the link above) (in my void install)

dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: enabled

neko
DEV Team
Posts: 1064
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Post#6 by neko » 07 Jan 2018, 08:43

[PAGE_TABLE_ISOLATION]
It seems there is a problem of it not being understood correctly, and a performance deterioration problem,
so I did not turn on "PAGE_TABLE_ISOLATION".


https://www.theregister.co.uk/2018/01/0 ... sign_flaw/
Kernel page-table isolation
https://www.phoronix.com/scan.php?page= ... 6pti&num=1

Note:
About the performance comparison,
please refer to Porteus Kernel Builder (Post by neko #61534)


Thanks.

francois
Contributor
Posts: 5291
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Y fait frette et on gèle

Post#7 by francois » 07 Jan 2018, 15:09

Hello neko,

Did you manage to produce a patched kernel for the security issue?

neko
DEV Team
Posts: 1064
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Post#8 by neko » 07 Jan 2018, 15:43

@francois
For the performance comparison test,
I just turned on CONFIG_PAGE_TABLE_ISOLATION in the 4.15-rc6 version of the configuration and built the kernel.
Only that.

Please refer to Porteus Kernel Builder (Post by neko #61534)


Thanks.

ncmprhnsbl
DEV Team
Posts: 1182
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia

Post#9 by ncmprhnsbl » 08 Jan 2018, 13:53

here's a kernel module (4.15rc6-x86_64) with page table isolation enabled, made from neko's yes/no test compilations:
kernel-4.15
(link to folder) contains:
000-kernel-4.15-rc6.xzm 58mb md5sum: cc602c4b2fe2422656e9e799258c8248
vmlinuz, 3.5mb md5sum: ddf86dd2c9666c1fc040f75a61bc66e1
crippled_sources-4.15-rc6-64bit.xzm 19mb md5sum: ba57202af38264ae6c79fd588baef2d0
tested in 3.2, appears to work ok

guest@porteus:~$ uname -a
Linux porteus 4.15.0-rc6-porteus #1 SMP PREEMPT Sun Jan 7 15:55:13 UTC 2018 x86_64 Intel(R) Core(TM) i7 CPU       Q 720  @ 1.60GHz GenuineIntel GNU/Linux
guest@porteus:~$ dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: enabled

broadcom networking probably not working

to turn it (page table isolation) off, boot with this kernel parameter (cheatcode): nopti (not tried by me yet)
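An added shell check, not from the post or the Porteus project, that combines the three signals this thread discusses (the CONFIG_PAGE_TABLE_ISOLATION line in the kernel config, the `dmesg` message shown above, and the nopti cheatcode) into one verdict. It assumes the dmesg wording seen above, treats pti=off (the other spelling of the same boot switch) like nopti, and the sample inputs are constructed.

```shell
#!/bin/sh
# Classify the KPTI state of a kernel from three pieces of evidence, passed in
# as strings so the same logic runs on constructed samples or the live system:
#   $1 dmesg text   $2 kernel command line   $3 kernel .config text
pti_status() {
    dmesg_txt=$1; cmdline=$2; config=$3
    case " $cmdline " in              # an explicit opt-out at boot wins over everything
        *" nopti "*|*" pti=off "*) echo disabled-by-cmdline; return 0 ;;
    esac
    if printf '%s\n' "$dmesg_txt" | grep -q 'page tables isolation: enabled'; then
        echo enabled; return 0
    fi
    if printf '%s\n' "$config" | grep -qx 'CONFIG_PAGE_TABLE_ISOLATION=y'; then
        echo built-in-not-active; return 0   # compiled in, but dmesg did not report it active
    fi
    if printf '%s\n' "$config" | grep -q 'CONFIG_PAGE_TABLE_ISOLATION'; then
        echo not-compiled; return 0          # "# CONFIG_PAGE_TABLE_ISOLATION is not set"
    fi
    echo unknown                             # no evidence either way (e.g. no config available)
}

# Live check. /proc/config.gz only exists if the kernel has CONFIG_IKCONFIG_PROC,
# so the config input may be empty and the verdict then rests on dmesg/cmdline.
live_status() {
    cfg=''
    if [ -r /proc/config.gz ]; then cfg=$(zcat /proc/config.gz 2>/dev/null || true); fi
    pti_status "$(dmesg 2>/dev/null || true)" "$(cat /proc/cmdline 2>/dev/null || true)" "$cfg"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_DMESG_ON='[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_DMESG_OFF='[    0.000000] Kernel/User page tables isolation: disabled on command line.'
SAMPLE_CONFIG_Y='CONFIG_PAGE_TABLE_ISOLATION=y'
SAMPLE_CONFIG_N='# CONFIG_PAGE_TABLE_ISOLATION is not set'

if [ "${1:-}" = --live ]; then
    live_status
else
    echo "4.15-rc6 module, default boot: $(pti_status "$SAMPLE_DMESG_ON" 'quiet' "$SAMPLE_CONFIG_Y")"
    echo "same module booted with nopti: $(pti_status "$SAMPLE_DMESG_OFF" 'quiet nopti' "$SAMPLE_CONFIG_Y")"
    echo "kernel built without the option: $(pti_status '' 'quiet' "$SAMPLE_CONFIG_N")"
fi
```

Run it with `--live` to check the kernel you are booted into; without arguments it walks the three constructed cases.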

wii07
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Post#10 by wii07 » 08 Jan 2018, 16:57

Can i use this kernel when i was on 4.9.0 till now?

If yes, do i just have to deactivate the old kernel in /mnt/sda1/porteus/base/ and replace it with this new one, activating it, and then reboot, or is there more to do?

Sorry for these noob questions, i only activated/deactivated normal programs till now, working that way.

ncmprhnsbl
DEV Team
Posts: 1182
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia

Post#11 by ncmprhnsbl » 08 Jan 2018, 22:34

wii07 wrote (08 Jan 2018, 16:57):
Can i use this kernel when i was on 4.9.0 till now?
yep, the only (hopefully) problem might be if your hardware requires the broadcom driver, which would need to be compiled.
at least afaik my hardware hasn't presented any problems for me..
wii07 wrote (08 Jan 2018, 16:57):
If yes, do i just have to deactivate the old kernel in /mnt/sda1/porteus/base/ and replace it with this new one, activating it, and then reboot, or is there more to do?
if you boot to copy to ram:
1. place the new kernel module in /mnt/sda1/porteus/base/
2. rename (e.g. remove the .xzm part so it doesn't load) or remove the old kernel (move it someplace safe) (don't deactivate a running kernel!)
3. replace /boot/syslinux/vmlinuz with the new one (from the download folder) (save the old one to someplace safe or rename it vmlinuz-old)
4. reboot
5. if all's well remove the old renamed kernel/vmlinuz
if you boot normally (not copy to ram):
1. place the new kernel module in /mnt/sda1/porteus/base/
2. rename the old kernel (e.g. remove the .xzm part so it doesn't load) (don't deactivate a running kernel!)
3. replace /boot/syslinux/vmlinuz with the new one (from the download folder) (save the old one to someplace safe or rename it vmlinuz-old)
4. reboot
5. if all's well remove the old renamed kernel/vmlinuz
wii07 wrote (08 Jan 2018, 16:57):
Sorry for these noob questions
that's okay, i should have provided instructions :)
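The five steps above as an added script (not ncmprhnsbl's or the project's) that refuses to touch anything when a downloaded file's md5sum does not match the one published with it, renames the old module instead of deactivating it, and keeps vmlinuz-old so the swap can be reversed. The base and boot directories are passed as arguments (assumed: /mnt/sda1/porteus/base and /boot/syslinux in the layout described above).

```shell
#!/bin/sh
# Swap a Porteus kernel module and vmlinuz the way the post describes, with a
# checksum gate in front. Arguments (assumed layout, pass your own paths):
#   $1 base dir holding 000-kernel*.xzm   $2 dir holding vmlinuz
#   $3 new module file   $4 new vmlinuz file
#   $5/$6 optional expected md5sums for $3/$4 (as published with the download)
md5_of() { md5sum "$1" | cut -d' ' -f1; }

install_kernel() {
    base=$1; boot=$2; new_xzm=$3; new_vmlinuz=$4
    want_xzm=${5:-}; want_vmlinuz=${6:-}
    # Integrity gate: a mismatch aborts before any file is moved.
    if [ -n "$want_xzm" ] && [ "$(md5_of "$new_xzm")" != "$want_xzm" ]; then
        echo "md5 mismatch for $new_xzm" >&2; return 1
    fi
    if [ -n "$want_vmlinuz" ] && [ "$(md5_of "$new_vmlinuz")" != "$want_vmlinuz" ]; then
        echo "md5 mismatch for $new_vmlinuz" >&2; return 1
    fi
    # Step 2 first: rename the old module(s) so they no longer load, but keep
    # them (never deactivate a running kernel). Doing this before step 1 keeps
    # the freshly copied module from being renamed too.
    for old in "$base"/000-kernel*.xzm; do
        [ -e "$old" ] || continue
        mv "$old" "$old.old" || return 1
    done
    # Step 1: place the new kernel module in the base dir.
    cp "$new_xzm" "$base"/ || return 1
    # Step 3: keep the old vmlinuz as vmlinuz-old, then install the new one.
    if [ -e "$boot/vmlinuz" ]; then mv "$boot/vmlinuz" "$boot/vmlinuz-old" || return 1; fi
    cp "$new_vmlinuz" "$boot/vmlinuz" || return 1
    # Steps 4 and 5 stay manual: reboot, and only then delete the backups.
    echo "installed; reboot, and once all is well remove $base/*.xzm.old and $boot/vmlinuz-old"
}

if [ $# -ge 4 ]; then install_kernel "$@"; fi
```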

wii07
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Post#12 by wii07 » 08 Jan 2018, 22:57

thx for the explanation, working perfectly. my wlan network adapter also works, so i guess it's not from broadcom.

with this new kernel and with the latest chromium with strict site isolation turned on, i hope i'll be safe (as safe as you can be at the moment).

Blaze
DEV Team
Posts: 1645
Joined: 28 Dec 2010, 11:31
Distribution: ⟰ Porteus 3.2 Cinnamon x86_64
Location: ☭ Russian Federation, Lipetsk region, Dankov

Post#13 by Blaze » 10 Jan 2018, 19:22

Linux porteus 4.13.3-porteus #1 SMP PREEMPT Sat Sep 23 18:22:13 x86_64 Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz GenuineIntel GNU/Linux
MS-7A12 » [AMD/ATI] Tobago PRO [Radeon R7 360 / R9 360 OEM] (rev 81) » Vengeance LPX 16GB DDR4 K2 3200MHz C16

Jack
Contributor
Posts: 1455
Joined: 09 Aug 2013, 14:25
Distribution: Porteus 4.0rc4 My Mate 64 bit
Location: USA

Post#14 by Jack » 10 Jan 2018, 21:54

I am using KERNEL 4.13.14; do I have a program, or which one should I use? I don't understand this problem.
I just like Slackware because I think it teaches you about Linux to build packages, where Ubuntu is like Windows: you just install the programs you want.

wii07
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Post#15 by wii07 » 10 Jan 2018, 22:00

The Intel Site says the following for the use of Microcodes:

"While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system."

Does it work this way with Porteus? In the /etc folder there isn't a folder named firmware.
