Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




 Post subject: Intel CPU flaw
Posted: Wed Jan 03, 2018 4:03 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4067
Location: Chantilly, VA
As some may have seen on the various tech websites, there is a vulnerability in most of the CPUs in use today. This is one of those "Unicorn" vulnerabilities that will require an update to our kernel (every operating system out there running on Intel CPUs and probably others like AMD).

That's right, every operating system (Windows, MacOS, Linux, Solaris, etc.) will need to be updated. This is a fundamental design flaw in what appears to be all CPUs in use in computers. Intel CPUs are confirmed to be affected, and while it is not clear if AMD CPUs have this design flaw, some security folks think they may as well; right now only Intel has confirmed this flaw. If you're not using Intel-based CPUs, this does not mean this does not affect you. It very likely does.

We're in testing with kernel updates now. The updates to all operating systems may incur a performance hit (Intel insists it's minor, but testing by the Linux kernel community has shown 13-30% performance hits for vanilla Linux kernels). This performance issue isn't unique to our kernels or anyone's for that matter. It's due to the fact that everyone has to fix this flaw in the CPU hardware in software, which means the CPU has to do more work to protect itself, from itself. And we're very sensitive to that for our customers, so before we release anything we want to make sure the kernel is performing optimally.

Unfortunately we can't share any other details than that at this point as the vulnerability details are still embargoed. At the moment there is no known active exploitation of this design flaw.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Intel CPU flaw
Posted: Wed Jan 03, 2018 5:05 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4067
Location: Chantilly, VA
And here is Intel's response to this vulnerability and their assertion that this affects other CPU manufacturers.

https://newsroom.intel.com/news/intel-r ... -findings/

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Intel CPU flaw
Posted: Thu Jan 04, 2018 1:23 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 309
Looks like patches/details have started to come out (appears that Jan 9 was the initial coordinated release date) today for RHEL/CentOS stock kernels, etc.

Is there an ETA for the ASL kernel update now that details appear to have been released?

Thanks.


Post subject: Re: Intel CPU flaw
Posted: Thu Jan 04, 2018 7:28 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4067
Location: Chantilly, VA
Tomorrow. The updates that are out there are incomplete, and because this leaked before the embargo date on the 9th some of the solutions have really bad performance problems (and some vendor products, like antivirus, are causing full kernel panics, including on Windows). So a lot is still in motion on the kernel side up and downstream. We do not want to release anything that would cause adverse impact to your systems.

At the moment, there are no active exploits against the Meltdown vulnerability (that's the more serious of the two that is relevant to servers). Spectre isn't actually new, it's just being addressed at the same time and isn't as relevant for server attack surfaces. It's more applicable to shared application attacks, like tab-to-tab attacks in browsers. So client side. Meltdown is also much harder to carry out remotely than Spectre, so despite the press this has gotten it's not as bad as it sounds; while it's worse, it's also hard to do. In the words of SANS earlier today, the sky is not falling.

It's better that the updates be done right, as the performance hit from KPTI isn't trivial, there are no known attacks at this time, and the implementations out there are causing other more serious problems like outright crashing systems.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Intel CPU flaw
Posted: Fri Jan 05, 2018 8:49 am
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 309
Great. Thanks for the analysis and perspective!


Post subject: Re: Intel CPU flaw
Posted: Thu Jan 11, 2018 6:15 am
New Forum User
Joined: Thu Jan 11, 2018 6:09 am
Posts: 1
Location: Manchester, UK
mikeshinn wrote:
Tomorrow.


That was posted a week ago. Any thoughts on when you might be releasing a patched kernel?


Post subject: Re: Intel CPU flaw
Posted: Thu Jan 11, 2018 5:46 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4067
Location: Chantilly, VA
The kernel was released this past weekend. It uses UDEREF and not the slow and buggy KPTI in the mainline kernel. So you won't experience performance impacts like the mainline kernel or kernel panics.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Intel CPU flaw
Posted: Fri Jan 12, 2018 12:50 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 309
Mike:

Just to make sure I'm clear, what is said kernel patched against (meltdown only, meltdown and some spectre variants, etc.)?

Some of the vendor kernels needed microcode updates for their patches as well and not sure if that was related to the method used or if the ASL kernel would need as well.

Thanks!


Post subject: Re: Intel CPU flaw
Posted: Fri Jan 12, 2018 2:17 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4067
Location: Chantilly, VA
Both. If a microcode update was needed for that CPU it would also be updated.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Intel CPU flaw
Posted: Fri Mar 30, 2018 12:13 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 309
Mike:

Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?

TIA!


Post subject: Re: Intel CPU flaw
Posted: Thu Apr 12, 2018 12:27 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 309
Just in case it wasn't seen, a bump of:

__

Mike:

Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?

TIA!

__

Thanks!


Post subject: Re: Intel CPU flaw
Posted: Mon Apr 16, 2018 3:58 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4067
Location: Chantilly, VA
All of the Meltdown and Spectre mitigations were available in the last 4.4.x release (we've since retired 4.4.x and moved to 4.14.x tree). That last version is 4.4.109. We do recommend upgrading to the 4.14.x kernel as it contains significant performance enhancements over the 4.4.x kernels. All of the 4.14.x kernels contain all mitigations (again the newer kernels will be faster, so we recommend upgrading).

_________________
Michael Shinn
Atomicorp - Security For Everyone
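
An added example, not part of the original post or Atomicorp's tooling: one way to confirm which Meltdown/Spectre mitigations a running kernel reports, using the Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities`. The status strings an ASL kernel prints are not given in this thread, so the sample values are constructed from mainline kernel wording, and a kernel that lacks the directory is reported as unknown rather than vulnerable.

```shell
#!/bin/sh
# Added example: read the kernel's own Meltdown/Spectre status from sysfs.

classify_status() {
    # Map one sysfs status line to OK, VULNERABLE or UNKNOWN.
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

check_cpu_vulns() {
    # $1: directory to read; defaults to the live sysfs path.
    # Returns 0 if every entry is OK, 1 if any is not, 2 if the
    # directory is missing (kernel does not expose the interface).
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    failed=0
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir not present; check the kernel changelog instead"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        status=""
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "${status:-<no entry>}"
        [ "$verdict" = OK ] || failed=1
    done
    return "$failed"
}

# Constructed sample data using mainline wording (not captured from an ASL kernel).
demo=$(mktemp -d)
echo "Mitigation: PTI" > "$demo/meltdown"
echo "Mitigation: __user pointer sanitization" > "$demo/spectre_v1"
echo "Vulnerable" > "$demo/spectre_v2"
check_cpu_vulns "$demo" || echo "at least one issue is unmitigated or unknown"
rm -rf "$demo"
```

Calling `check_cpu_vulns` with no argument reads the live host; the exit status makes it usable from a patch-compliance job.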


Post subject: Re: Intel CPU flaw
Posted: Tue Apr 17, 2018 5:54 pm
Forum Regular
Joined: Sat Sep 25, 2010 2:46 pm
Posts: 309
Thank you. Not sure if I'm reading you correctly but are you saying that 4.4.109 has all of the same mitigations as the 4.14.x releases?


Post subject: Re: Intel CPU flaw
Posted: Tue Dec 04, 2018 7:51 am
New Forum User
Joined: Tue Dec 04, 2018 7:44 am
Posts: 1
Location: PARIS
mikeshinn wrote:
All of the Meltdown and Spectre mitigations were available in the last 4.4.x release (we've since retired 4.4.x and moved to 4.14.x tree). That last version is 4.4.109. We do recommend upgrading to the 4.14.x kernel as it contains significant performance enhancements over the 4.4.x kernels. All of the 4.14.x kernels contain all mitigations (again the newer kernels will be faster, so we recommend upgrading).

We're in trying with part refreshes now. The updates to every working framework may bring about an execution hit (Intel demands it's minor, yet testing by the Linux part network has indicated 13-30% execution hits for vanilla Linux bits). This execution issue isn't novel to our pieces or anyone's besides. It's because of the way that everybody needs to settle this blemish in the CPU equipment in programming, which implies the CPU needs to accomplish more work to ensure itself, from itself. What's more, we're exceptionally delicate to that for our clients, so before we discharge anything we need to ensure the part is performing ideally.

