Intel processors with a security bug
- francois
- Contributor
- Posts: 6435
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Intel processors with a security bug
Intel says processor bug isn’t unique to its chips ...
https://www.theverge.com/2018/1/3/16846 ... g-response
https://www.linuxquestions.org/question ... ost5802603
linux-4.9.75-gentoo contains finally the fix. Pulled in today the tree
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] (NEW) Y
But there is no reference to the original gentoo thread.
This thread is the place for any future development or fixes that would come on slackware or porteus.
Note: This thread has been motivated by wii07 question on the mchat.
Take your time, enjoy the time as it passes.
-
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
Before anything can be done, we need a new kernel for porteus 3.2.2, or can the page table isolation be somehow deactivated/removed in the actual 4.9.0-porteus kernel?
For the people using chrome or chromium, make sure to update them to the latest version (63.0.3239.108 at the moment) and then activate the site isolation in the settings:
chrome://flags/#enable-site-per-process
- ncmprhnsbl
- DEV Team
- Posts: 3936
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
don't think so, it's a compile time option afaik
neko appears to be aware of it Porteus Kernel Builder (Post by neko #61508)
but seems not to have implemented it .. yet... ? or have i got that the wrong way round
i suspect brokenman will be on to this, as soon as he returns from the wilderness
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
-
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
i was trying for hours now to compile a new kernel with the version 4.9.75 and the PAGE_TABLE_ISOLATION fix but i did not get it to work.
my new 000-kernel.xzm created with the porteus kernel builder only has around 19mb in size (the old one around 40mb) and when i replace it and reboot, i got a messed up resolution and no wlan adapter anymore and so on.
beside that i dont understand if the PAGE_TABLE_ISOLATION should be turned on or off. in my understanding neko writes, it should be set to on:
"Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [N/y/?] (NEW) n"
but in my understanding and after some google research it should be turned off, so you have to choose y instead of n as option?
https://www.linuxquestions.org/question ... 175620991/
im really confused now (beside the problem, that my new build 000-kernel.xzm isnt working properly anyway).
maybe someone has already a 000-kernel.xzm build in version 4.9.75 with the PAGE_TABLE_ISOLATION properly fixed and is willing to share it for porteus 3.2.2 64bit xfce?
- ncmprhnsbl
- DEV Team
- Posts: 3936
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
sounds like you're missing the firmware.. you might be able to use the /lib/firmware from the old kernel module.
yes
Code:
CONFIG_PAGE_TABLE_ISOLATION=y
to test if it is working: (from the link above)(in my void install)
Code:
dmesg | grep isolation
[ 0.000000] Kernel/User page tables isolation: enabled
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
-
- DEV Team
- Posts: 2109
- Joined: 09 Feb 2013, 09:55
- Distribution: APorteus-FVWM-ja-x86_64.iso
- Location: japan
Intel processors with a security bug
[PAGE_TABLE_ISOLATION]
It seems there is a problem of not understanding correctly and performance deterioration problem,
I did not turn on "PAGE_TABLE_ISOLATION".
https://www.theregister.co.uk/2018/01/0 ... sign_flaw/
Kernel page-table isolation
https://www.phoronix.com/scan.php?page= ... 6pti&num=1
Note:
About the performance comparison,
please refer to Porteus Kernel Builder (Post by neko #61534)
Thanks.
- francois
- Contributor
- Posts: 6435
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Intel processors with a security bug
Hello neko,
Did you manage to produce a patched kernel for the security issue?
Take your time, enjoy the time as it passes.
-
- DEV Team
- Posts: 2109
- Joined: 09 Feb 2013, 09:55
- Distribution: APorteus-FVWM-ja-x86_64.iso
- Location: japan
Intel processors with a security bug
@francois
For the performance comparison test,
I just turned on CONFIG_PAGE_TABLE_ISOLATION in the 4.15-rc6 version of the configuration and built the kernel.
Only that.
Please refer to Porteus Kernel Builder (Post by neko #61534)
Thanks.
- ncmprhnsbl
- DEV Team
- Posts: 3936
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
here's a kernel module(4.15rc6-x86_64) with page table isolation enabled made from nekos yes/no test compilations:
kernel-4.15
(link to folder) contains:
000-kernel-4.15-rc6.xzm 58mb md5sum: cc602c4b2fe2422656e9e799258c8248
vmlinuz , 3.5mb md5sum: ddf86dd2c9666c1fc040f75a61bc66e1
crippled_sources-4.15-rc6-64bit.xzm 19mb md5sum: ba57202af38264ae6c79fd588baef2d0
tested in 3.2, appears to work ok
Code:
guest@porteus:~$ uname -a
Linux porteus 4.15.0-rc6-porteus #1 SMP PREEMPT Sun Jan 7 15:55:13 UTC 2018 x86_64 Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz GenuineIntel GNU/Linux
guest@porteus:~$ dmesg | grep isolation
[ 0.000000] Kernel/User page tables isolation: enabled
broadcom networking probly not working
to turn it(page table isolation) off , boot with this kernel parameter(cheatcode) : nopti (not tried by me yet)
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
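The `dmesg | grep isolation` check and the `nopti` cheatcode from the posts above, combined into one status check as an added example (not code from the thread or from Porteus). The function name `pti_state`, the `pti=off` spelling and the sysfs meltdown file are assumptions beyond what the posts mention, and the sample captures are constructed.

```shell
#!/bin/sh
# Added example: classify the page table isolation (PTI) state of a booted kernel.
# Inputs are file paths so the logic also runs on saved or constructed captures.

# pti_state DMESG_FILE CMDLINE_FILE [SYSFS_MELTDOWN_FILE]
# prints: enabled | disabled | disabled-by-cmdline | not-affected | unknown
pti_state() {
    dmesg_file=$1; cmdline_file=$2; sysfs_file=${3:-}

    # Boot parameters: "nopti" (named in the thread) and "pti=off" switch PTI off.
    if tr ' ' '\n' < "$cmdline_file" | grep -qxE 'nopti|pti=off'; then
        echo disabled-by-cmdline; return 0
    fi
    # The kernel's own verdict, on kernels that export this sysfs file.
    if [ -n "$sysfs_file" ] && [ -r "$sysfs_file" ]; then
        case $(cat "$sysfs_file") in
            "Mitigation: PTI"*) echo enabled; return 0 ;;
            "Not affected"*)    echo not-affected; return 0 ;;
            Vulnerable*)        echo disabled; return 0 ;;
        esac
    fi
    # Boot log line quoted in the thread; absent on unpatched kernels or
    # once the kernel ring buffer has rotated.
    if grep -q 'page tables isolation: enabled' "$dmesg_file"; then
        echo enabled
    elif grep -q 'page tables isolation: disabled' "$dmesg_file"; then
        echo disabled
    else
        echo unknown
    fi
}

# Constructed sample captures (only the "enabled" line is taken from the thread).
demo=$(mktemp -d)
printf '[ 0.000000] Kernel/User page tables isolation: enabled\n' > "$demo/dmesg_on"
printf '[ 0.000000] Linux version 4.9.0-porteus\n' > "$demo/dmesg_none"
printf 'quiet\n' > "$demo/cmdline_plain"
printf 'quiet nopti\n' > "$demo/cmdline_nopti"
printf 'Vulnerable\n' > "$demo/sysfs_vuln"

echo "patched kernel:   $(pti_state "$demo/dmesg_on" "$demo/cmdline_plain")"
echo "booted w/ nopti:  $(pti_state "$demo/dmesg_none" "$demo/cmdline_nopti")"
echo "no PTI message:   $(pti_state "$demo/dmesg_none" "$demo/cmdline_plain")"
echo "sysfs Vulnerable: $(pti_state "$demo/dmesg_none" "$demo/cmdline_plain" "$demo/sysfs_vuln")"
```

On a live system, save `dmesg` output to a file and pass it together with /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/meltdown.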
-
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
Can i use this Kernel when i was on 4.9.0 till now?
If yes, do i just have to deactivate the old kernel in /mnt/sda1/porteus/base/ and replace it with this new one activating and then reboot, or is there more to do?
Sorry for these noob questions, i only activated/deactivated normal programs till now working that way.
- ncmprhnsbl
- DEV Team
- Posts: 3936
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
yep, the only(hopefully) problem might be if your hardware requires the broadcom driver, which would need to be compiled.
at least afaik my hardware hasn't presented any problems for me..
if you boot to copy to ram:
1. place the new kernel module in /mnt/sda1/porteus/base/
2. rename(eg. remove the .xzm part so it doesn't load) or remove the old kernel(move it someplace safe) (don't deactivate a running kernel!)
3. replace /boot/syslinux/vmlinuz with the new one(from the download folder) (save the old one to someplace safe or rename it vmlinuz-old)
4. reboot
5. if alls well remove the old renamed kernel/vmlinuz
if you boot normally(not copy to ram)
1. place the new kernel module in /mnt/sda1/porteus/base/
2. rename(eg. remove the .xzm part so it doesn't load) (don't deactivate a running kernel!)
3. replace /boot/syslinux/vmlinuz with the new one(from the download folder) (save the old one to someplace safe or rename it vmlinuz-old)
4. reboot
5. if alls well remove the old renamed kernel/vmlinuz
that's okay, i should have provided instructions
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
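The swap steps from the post above as a script with a checksum gate and rollback copies, added here as an example (not the poster's or Porteus's own tooling). The function names and the temporary stand-in files are assumptions; with the real download, pass the md5sums posted earlier in the thread.

```shell
#!/bin/sh
# Added example: stage a new kernel module and vmlinuz, keeping the old ones.
# md5 only catches a damaged or truncated download; it does not prove origin.

# verify_md5 FILE EXPECTED_SUM -> status 0 when the sums match
verify_md5() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# stage_kernel NEW_XZM XZM_MD5 NEW_VMLINUZ VMLINUZ_MD5 BASE_DIR BOOT_DIR
stage_kernel() {
    new_xzm=$1; xzm_md5=$2; new_vm=$3; vm_md5=$4; base=$5; boot=$6

    # Touch nothing unless both files match the expected sums.
    verify_md5 "$new_xzm" "$xzm_md5" || { echo "md5 mismatch: $new_xzm" >&2; return 1; }
    verify_md5 "$new_vm" "$vm_md5"   || { echo "md5 mismatch: $new_vm" >&2; return 1; }

    # Step 2 first: strip .xzm from old kernel modules so they no longer load
    # (done before the copy so the new module is not renamed as well).
    for old in "$base"/000-kernel*.xzm; do
        [ -e "$old" ] || continue
        mv "$old" "${old%.xzm}" || return 1
    done
    # Step 1: place the new kernel module in base/.
    cp "$new_xzm" "$base/" || return 1
    # Step 3: keep the old vmlinuz as vmlinuz-old, then install the new one.
    if [ -e "$boot/vmlinuz" ]; then
        mv "$boot/vmlinuz" "$boot/vmlinuz-old" || return 1
    fi
    cp "$new_vm" "$boot/vmlinuz"
}

# Constructed stand-ins for the download and the Porteus layout (not real files).
t=$(mktemp -d); mkdir -p "$t/dl" "$t/base" "$t/boot"
echo new-module > "$t/dl/000-kernel-4.15-rc6.xzm"; echo new-vmlinuz > "$t/dl/vmlinuz"
echo old-module > "$t/base/000-kernel.xzm";        echo old-vmlinuz > "$t/boot/vmlinuz"
xzm_sum=$(md5sum "$t/dl/000-kernel-4.15-rc6.xzm" | cut -d' ' -f1)
vm_sum=$(md5sum "$t/dl/vmlinuz" | cut -d' ' -f1)

stage_kernel "$t/dl/000-kernel-4.15-rc6.xzm" "$xzm_sum" \
             "$t/dl/vmlinuz" "$vm_sum" "$t/base" "$t/boot"
ls "$t/base" "$t/boot"
```

If the new kernel fails to boot, renaming the old module back to `.xzm` and `vmlinuz-old` back to `vmlinuz` restores the previous state.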
-
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
thx for the explanation, working perfect. my wlan network adapter also works, so i guess its not from broadcom.
with this new kernel and with latest chromium turned the strict site isolation on, i hope i'll be safe (as safe as you can be at the moment).
- Blaze
- DEV Team
- Posts: 3885
- Joined: 28 Dec 2010, 11:31
- Distribution: ⟰ Porteus current ☯ all DEs ☯
- Location: ☭ Russian Federation, Lipetsk region, Dankov
- Contact:
Intel processors with a security bug
Intel Releases Processor Microcode Patch for Linux OSes, Here's How to Update
Greg Kroah-Hartman on Meltdown and Spectre Bugs: Go Update Your Linux Kernel
Linux 6.6.11-porteus #1 SMP PREEMPT_DYNAMIC Sun Jan 14 12:07:37 MSK 2024 x86_64 Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz GenuineIntel GNU/Linux
MS-7A12 » [AMD/ATI] Navi 23 [Radeon RX 6600] [1002:73ff] (rev c7) » Vengeance LPX 16GB DDR4 K2 3200MHz C16
-
- Contributor
- Posts: 1857
- Joined: 09 Aug 2013, 14:25
- Distribution: Porteus and Nemesis
- Location: USA
Intel processors with a security bug
I am using KERNEL 4.13.14 do I have a program or which one should I use? I don't understand about this problem.
I just like Slackware because I think it teaches you about Linux to build packages where Ubuntu is like Windows you just install programs you want.
-
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
The Intel Site says the following for the use of Microcodes:
"While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system."
Does it work this way with Porteus? In the /etc folder there isn't a folder named firmware.