[PLUG] Meltdown, Spectre and Debian

Vikas Tara vik at hamaralinux.org
Fri Jan 5 23:20:19 IST 2018


On 05/01/18 17:40, shirish शिरीष wrote:
> addition at bottom :-
>
> On 05/01/2018, shirish शिरीष <shirishag75 at gmail.com> wrote:
>> Dear all,
>>
>> While I don't want to be the paranoid one here, the situation here
>> seems to demand it.
>>
>> 3 Days back the Register broke the story of a chip vulnerability -
>>
>> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>>
>> While it sought to paint only Intel, it is now learnt that the issue
>> is across the board, i.e. Intel, AMD, ARM all have the same
>> vulnerability
>>
>> It defeats or compromises KASLR which itself is just 4 years old
>> technology.
>>
>> AFAIK it would need two solutions, one is the appropriate microcode
>> for your chip architecture, I know Intel and AMD have the respective
>> intel-microcode and amd64-microcode
>>
>> % aptitude search microcode
>> p   amd64-microcode - Processor microcode firmware for AMD CPUs
>> i   intel-microcode - Processor microcode firmware for Intel CPUs
>> p   microcode.ctl   - Intel IA32/IA64 CPU Microcode Utility (transitional package)
>>
>> % apt-cache policy intel-microcode
>> intel-microcode:
>>   Installed: 3.20171215.1
>>   Candidate: 3.20171215.1
>>   Version table:
>>  *** 3.20171215.1 100
>>           1 http://httpredir.debian.org/debian unstable/non-free amd64 Packages
>>         100 /var/lib/dpkg/status
>>      3.20171117.1 900
>>         900 http://httpredir.debian.org/debian buster/non-free amd64 Packages
>>
>>
>> According to Henrique it would take another week to have the whole
>> thing on the microcode side of the things -
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
>>
>> On top of that you would need a newer kernel which mitigates some more
>> of the effects.
>>
>> Techcrunch did a detailed blog post on the subject along with some idea
>> of the timeline
>>
>> https://techcrunch.com/2018/01/03/kernel-panic-what-are-meltdown-and-spectre-the-bugs-affecting-nearly-every-computer-and-device/
>>
>> The only good thing is that it doesn't increase any remote attack
>> vector than before but it does mean that people should be more
>> circumspect about any software they download at least till the next
>> couple of weeks when kernel updates and cpu-microcodes should take
>> some of the steam off.
>>
>> The bad news is that it will take some of the performance off the table
>> but that is to be expected.
>>
>> An interesting side-story which has developed also talks about the
>> current Intel CEO's doings
>>
>> https://techcrunch.com/2018/01/04/after-meltdown-and-spectre-revelation-questions-arise-about-timing-of-intel-ceos-stock-sales/
>>
>> Hope everybody does the right thing, get the latest microcodes and
>> update your kernel as fast as you can.
>>
>> --
>>           Regards,
>>           Shirish Agarwal  शिरीष अग्रवाल
>>   My quotes in this email licensed under CC 3.0
>> http://creativecommons.org/licenses/by-nc/3.0/
>> http://flossexperiences.wordpress.com
>> EB80 462B 08E1 A0DE A73A  2C2F 9F3D C7A4 E1C4 D2D8
>>
Nice post!

The retpoline approach suggested yesterday looks like it provides a
better approach wrt performance so may be worth waiting:
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Kernel-Retpoline-Patches
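
Added example, not part of the original message: one way to check, once the updated kernel and microcode discussed in this thread are installed, what the running kernel reports about its mitigations and which microcode revision is loaded. It assumes a kernel that exports /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, and kernels carrying the backport); the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarise kernel-reported Meltdown/Spectre mitigation status.
# Assumption: the kernel exports /sys/devices/system/cpu/vulnerabilities.

# classify_status TEXT -> prints vulnerable | mitigated | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;   # also "Vulnerable: Minimal ..." forms
        Mitigation:*)    echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# check_mitigations [DIR] -> prints one "name state detail" line per issue.
# Returns 1 if any issue is vulnerable or not reported, so it can gate scripts.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
        else
            # Older kernels have no such file: treat as unknown, not as safe.
            text="not reported by this kernel"
        fi
        state=$(classify_status "$text")
        printf '%-11s %-13s %s\n' "$name" "$state" "$text"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# microcode_revision [CPUINFO] -> loaded microcode revision of the first CPU
# (x86 only; prints nothing where /proc/cpuinfo has no "microcode" field).
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}
```

Source the file and run `check_mitigations; microcode_revision` before and after upgrading to compare the reported state.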



