Intel processors with a security bug

Posted: 06 Jan 2018, 22:52
by francois
Intel says processor bug isn’t unique to its chips ...
https://www.theverge.com/2018/1/3/16846 ... g-response

https://www.linuxquestions.org/question ... ost5802603
linux-4.9.75-gentoo finally contains the fix. Pulled the tree in today:
Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] (NEW) Y

But there is no reference to the original gentoo thread.

This thread is the place for any future development or fixes that would come on slackware or porteus.

Note: This thread has been motivated by wii07's question on the mchat. :)

Posted: 06 Jan 2018, 23:14
by wii07
Before anything can be done, we need a new kernel for porteus 3.2.2, or can the page table isolation be somehow deactivated/removed in the actual 4.9.0-porteus kernel?

For the people using Chrome or Chromium, make sure to update them to the latest version (63.0.3239.108 at the moment) and then activate site isolation in the settings:

chrome://flags/#enable-site-per-process

Posted: 07 Jan 2018, 00:18
by ncmprhnsbl
wii07 wrote:
06 Jan 2018, 23:14
can the page table isolation be somehow deactivated/removed in the actual 4.9.0-porteus kernel?
don't think so, it's a compile time option afaik
neko appears to be aware of it Porteus Kernel Builder (Post by neko #61508)
but seems not to have implemented it .. yet... ? or have i got that the wrong way round :%)
i suspect brokenman will be on to this, as soon as he returns from the wilderness

Posted: 07 Jan 2018, 03:53
by wii07
I have been trying for hours now to compile a new kernel with version 4.9.75 and the PAGE_TABLE_ISOLATION fix, but I did not get it to work.

My new 000-kernel.xzm created with the Porteus kernel builder is only around 19 MB in size (the old one around 40 MB), and when I replace it and reboot, I get a messed-up resolution, no wlan adapter anymore, and so on.

Besides that, I don't understand whether PAGE_TABLE_ISOLATION should be turned on or off. In my understanding neko writes that it should be set to on:

"Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [N/y/?] (NEW) n"

But in my understanding, and after some Google research, it should be turned off, so you have to choose y instead of n as the option?

https://www.linuxquestions.org/question ... 175620991/

I'm really confused now (besides the problem that my newly built 000-kernel.xzm isn't working properly anyway).

Maybe someone already has a 000-kernel.xzm built from version 4.9.75 with PAGE_TABLE_ISOLATION properly fixed and is willing to share it for Porteus 3.2.2 64-bit XFCE?

Posted: 07 Jan 2018, 06:32
by ncmprhnsbl
wii07 wrote:
07 Jan 2018, 03:53
My new 000-kernel.xzm created with the Porteus kernel builder is only around 19 MB in size (the old one around 40 MB), and when I replace it and reboot, I get a messed-up resolution, no wlan adapter anymore, and so on.
sounds like you're missing the firmware.. you might be able to use the /lib/firmware from the old kernel module.
wii07 wrote:
07 Jan 2018, 03:53
But in my understanding, and after some Google research, it should be turned off, so you have to choose y instead of n as the option?
yes

Code:

CONFIG_PAGE_TABLE_ISOLATION=y

is what we want..
to test if it is working (from the link above) (in my void install):

Code:

dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: enabled

Posted: 07 Jan 2018, 08:43
by neko
[PAGE_TABLE_ISOLATION]
It seems there is a problem of not understanding it correctly, and a performance deterioration problem;
I did not turn on "PAGE_TABLE_ISOLATION".


https://www.theregister.co.uk/2018/01/0 ... sign_flaw/
Kernel page-table isolation
https://www.phoronix.com/scan.php?page= ... 6pti&num=1

Note:
About the performance comparison,
please refer to Porteus Kernel Builder (Post by neko #61534)


Thanks.

Posted: 07 Jan 2018, 15:09
by francois
Hello neko,

Did you manage to produce a patched kernel for the security issue?

Posted: 07 Jan 2018, 15:43
by neko
@francois
For the performance comparison test,
I just turned on CONFIG_PAGE_TABLE_ISOLATION in the 4.15-rc6 version of the configuration and built the kernel.
Only that.

Please refer to Porteus Kernel Builder (Post by neko #61534)


Thanks.

Posted: 08 Jan 2018, 13:53
by ncmprhnsbl
here's a kernel module (4.15rc6-x86_64) with page table isolation enabled, made from neko's yes/no test compilations:
kernel-4.15
(link to folder) contains:
000-kernel-4.15-rc6.xzm 58mb md5sum: cc602c4b2fe2422656e9e799258c8248
vmlinuz , 3.5mb md5sum: ddf86dd2c9666c1fc040f75a61bc66e1
crippled_sources-4.15-rc6-64bit.xzm 19mb md5sum: ba57202af38264ae6c79fd588baef2d0
tested in 3.2, appears to work ok

Code:

guest@porteus:~$ uname -a
Linux porteus 4.15.0-rc6-porteus #1 SMP PREEMPT Sun Jan 7 15:55:13 UTC 2018 x86_64 Intel(R) Core(TM) i7 CPU       Q 720  @ 1.60GHz GenuineIntel GNU/Linux
guest@porteus:~$ dmesg | grep isolation
[    0.000000] Kernel/User page tables isolation: enabled

broadcom networking probably not working

to turn it (page table isolation) off, boot with this kernel parameter (cheatcode): nopti (not tried by me yet)
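
As an added example (not code from the thread or the Porteus project), the script below checks the three signals mentioned in this and the earlier post: the CONFIG_PAGE_TABLE_ISOLATION build option, the dmesg line, and the nopti cheatcode on the kernel command line. It runs on constructed sample files; the comment at the end shows the calls for a live system.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether kernel page-table
# isolation (PTI) is active using the three signals discussed in the posts:
# the build option, the dmesg line, and the "nopti" cheatcode. Inputs are
# file paths so the functions run on constructed samples or the live system.

# 1. Build-time option: CONFIG_PAGE_TABLE_ISOLATION in the kernel config
pti_in_config() {                      # $1 = kernel .config file
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1" && echo yes || echo no
}

# 2. Boot message printed by a kernel carrying the PTI patch
pti_in_dmesg() {                       # $1 = file holding dmesg output
    if grep -q 'Kernel/User page tables isolation: enabled' "$1"; then
        echo enabled
    elif grep -q 'Kernel/User page tables isolation: disabled' "$1"; then
        echo disabled                  # e.g. "disabled on command line."
    else
        echo unknown                   # kernel without the patch at all
    fi
}

# 3. Boot parameters: nopti (or pti=off) switches the mitigation off
pti_in_cmdline() {                     # $1 = file holding /proc/cmdline
    if grep -qE '(^|[[:space:]])(nopti|pti=off)([[:space:]]|$)' "$1"; then
        echo off
    else
        echo on
    fi
}

pti_summary() {                        # $1 config, $2 dmesg, $3 cmdline
    echo "config=$(pti_in_config "$1") dmesg=$(pti_in_dmesg "$2") cmdline=$(pti_in_cmdline "$3")"
}

# Constructed samples mimicking the output quoted in the thread
TMP=$(mktemp -d)
printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n' > "$TMP/config"
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$TMP/dmesg"
printf 'quiet copy2ram\n' > "$TMP/cmdline"      # booted without nopti
pti_summary "$TMP/config" "$TMP/dmesg" "$TMP/cmdline"
# -> config=yes dmesg=enabled cmdline=on

# Live system: dmesg > /tmp/dmesg; then
#   pti_summary /path/to/kernel/.config /tmp/dmesg /proc/cmdline
```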

Posted: 08 Jan 2018, 16:57
by wii07
Can I use this kernel when I was on 4.9.0 till now?

If yes, do I just have to deactivate the old kernel in /mnt/sda1/porteus/base/ and replace it with this new one, activating it, and then reboot, or is there more to do?

Sorry for these noob questions; I have only activated/deactivated normal programs that way till now.

Posted: 08 Jan 2018, 22:34
by ncmprhnsbl
wii07 wrote:
08 Jan 2018, 16:57
Can I use this kernel when I was on 4.9.0 till now?
yep, the only (hopefully) problem might be if your hardware requires the broadcom driver, which would need to be compiled.
at least afaik my hardware hasn't presented any problems for me..
wii07 wrote:
08 Jan 2018, 16:57
If yes, do I just have to deactivate the old kernel in /mnt/sda1/porteus/base/ and replace it with this new one, activating it, and then reboot, or is there more to do?
if you boot to copy to ram:
1. place the new kernel module in /mnt/sda1/porteus/base/
2. rename (e.g. remove the .xzm part so it doesn't load) or remove the old kernel (move it someplace safe) (don't deactivate a running kernel!)
3. replace /boot/syslinux/vmlinuz with the new one (from the download folder) (save the old one to someplace safe or rename it vmlinuz-old)
4. reboot
5. if all's well, remove the old renamed kernel/vmlinuz
if you boot normally (not copy to ram):
1. place the new kernel module in /mnt/sda1/porteus/base/
2. rename the old kernel (e.g. remove the .xzm part so it doesn't load) (don't deactivate a running kernel!)
3. replace /boot/syslinux/vmlinuz with the new one (from the download folder) (save the old one to someplace safe or rename it vmlinuz-old)
4. reboot
5. if all's well, remove the old renamed kernel/vmlinuz
wii07 wrote:
08 Jan 2018, 16:57
Sorry for these noob questions
that's okay, i should have provided instructions :)

Posted: 08 Jan 2018, 22:57
by wii07
thx for the explanation, working perfectly. My wlan network adapter also works, so I guess it's not from Broadcom.

With this new kernel and with strict site isolation turned on in the latest Chromium, I hope I'll be safe (as safe as you can be at the moment).

Posted: 10 Jan 2018, 19:22
by Blaze

Posted: 10 Jan 2018, 21:54
by Jack
I am using kernel 4.13.14; do I have a program, or which one should I use? I don't understand this problem.

Posted: 10 Jan 2018, 22:00
by wii07
The Intel site says the following about the use of microcode:

"While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system."

Does it work this way with Porteus? In the /etc folder there isn't a folder named firmware.
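
An added example (not from the thread or the Porteus project) for checking a live system: it derives from /proc/cpuinfo the family-model-stepping file name the Linux microcode loader looks for and reports the microcode revision currently running. It assumes the loader's /lib/firmware/intel-ucode/ directory rather than the /etc/firmware path in Intel's note; the cpuinfo sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: work out which Intel microcode
# file the Linux loader would pick for this CPU and report the revision that
# is running. Assumption: the kernel loader reads
# /lib/firmware/intel-ucode/<family>-<model>-<stepping> (two-digit hex),
# not the /etc/firmware path quoted from Intel's note.

# Read one /proc/cpuinfo field from a file ($1) by key ($2), first CPU only
cpuinfo_field() {
    awk -F':' -v k="$2" '$1 ~ "^"k"[ \t]*$" { gsub(/^[ \t]+/, "", $2); print $2; exit }' "$1"
}

# Build the intel-ucode file name, e.g. family 6, model 30, stepping 5 -> 06-1e-05
ucode_name() {                         # $1 = cpuinfo file
    printf '%02x-%02x-%02x\n' "$(cpuinfo_field "$1" 'cpu family')" \
        "$(cpuinfo_field "$1" model)" "$(cpuinfo_field "$1" stepping)"
}

# Report the running microcode revision and whether a loader file is present
ucode_report() {                       # $1 = cpuinfo file, $2 = firmware dir
    name=$(ucode_name "$1")
    rev=$(cpuinfo_field "$1" microcode)
    if [ -f "$2/intel-ucode/$name" ]; then state=present; else state=missing; fi
    echo "file=$name revision=$rev loader_file=$state"
}

# Constructed sample (values are made up, not read from a real machine)
TMP=$(mktemp -d)
cat > "$TMP/cpuinfo" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 30
model name  : Intel(R) Core(TM) i7 CPU       Q 720  @ 1.60GHz
stepping    : 5
microcode   : 0x7
EOF
mkdir -p "$TMP/fw/intel-ucode" && : > "$TMP/fw/intel-ucode/06-1e-05"
ucode_report "$TMP/cpuinfo" "$TMP/fw"
# -> file=06-1e-05 revision=0x7 loader_file=present

# Live system:  ucode_report /proc/cpuinfo /lib/firmware
```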