[PLUG] Meltdown, Spectre and Debian

Siddhesh Poyarekar siddhesh.poyarekar at gmail.com
Fri Jan 5 23:26:27 IST 2018


On 5 January 2018 at 23:02, shirish शिरीष <shirishag75 at gmail.com> wrote:
> Dear all,
>
> While I don't want to be the paranoid one here, the situation here
> seems to demand it.
>
> 3 Days back the Register broke the story of a chip vulnerability -
>
> https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
> While it sought to paint only Intel, it is now learnt that the issue
> is across the board, i.e. Intel, AMD, ARM all have the same
> vulnerability

From my very superficial reading (I hope to get some time to read this
weekend), the bad news here is that it's not just one vulnerability,
it is a whole class of vulnerabilities exposed by speculative
execution in most modern microprocessors.  There are a couple of words
thrown around, viz. Meltdown and Spectre.  Meltdown is fixed with the
kernel patches but Spectre still remains largely unfixed since it is a
whole bunch of vulnerabilities related to branch target prediction and
speculative execution.  I believe there's a linker patch floating
around that tries to fix one of them.  I don't know what the microcode
fixes do, although I suspect they probably add a barrier to block
speculative execution across privilege boundaries so that they're at
least as secure as AMD.

Meltdown is strictly x86-specific while Spectre is what affects all
modern out-of-order execution based microprocessors.

We'll probably see many many papers and exploits in the coming months
because this is basically a new research area that's opened up.

Siddhesh
-- 
http://siddhesh.in

