Intel CPU flaw

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Intel CPU flaw

Unread post by mikeshinn »

As some may have seen on the various tech websites, there is a vulnerability in most of the CPUs in use today. This is one of those "Unicorn" vulnerabilities that will require an update to our kernel (every operating system out there running on Intel CPUs and probably others like AMD).

That's right, every operating system (Windows, MacOS, Linux, Solaris, etc.) will need to be updated. This is a fundamental design flaw in what appears to be all CPUs in use in computers. Intel CPUs are confirmed to be affected, and while it is not clear if AMD CPUs have this design flaw, some security folks think they may as well; right now only Intel has confirmed this flaw. If you're not using Intel based CPUs, this does not mean this does not affect you. It very likely does.

We're in testing with kernel updates now. The updates to all operating systems may incur a performance hit (Intel insists it's minor, but testing by the Linux kernel community has shown 13-30% performance hits for vanilla Linux kernels). This performance issue isn't unique to our kernels or anyone's for that matter. It's due to the fact that everyone has to fix this flaw in the CPU hardware in software, which means the CPU has to do more work to protect itself, from itself. And we're very sensitive to that for our customers, so before we release anything we want to make sure the kernel is performing optimally.

Unfortunately we can't share any other details than that at this point, as the vulnerability details are still embargoed. At the moment there is no known active exploitation of this design flaw.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Intel CPU flaw

Unread post by mikeshinn »

And here is Intel's response to this vulnerability and their assertion that this affects other CPU manufacturers.

https://newsroom.intel.com/news/intel-r ... -findings/
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Intel CPU flaw

Unread post by Imaging »

Looks like patches/details have started to come out today (it appears that Jan 9 was the initial coordinated release date) for RHEL/CentOS stock kernels, etc.

Is there an ETA for the ASL kernel update now that details appear to have been released?

Thanks.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Intel CPU flaw

Unread post by mikeshinn »

Tomorrow. The updates that are out there are incomplete, and because this leaked before the embargo date on the 9th, some of the solutions have really bad performance problems (and some vendor products, like antivirus, are causing full kernel panics, including on Windows). So a lot is still in motion on the kernel side, up and downstream. We do not want to release anything that would cause adverse impact to your systems.

At the moment, there are no active exploits against the Meltdown vulnerability (that's the more serious of the two that's relevant to servers). Spectre isn't actually new; it's just being addressed at the same time and isn't as relevant for server attack surfaces. It's more applicable to shared application attacks, like tab-to-tab attacks in browsers. So client side. Meltdown is also much harder to carry out remotely than Spectre, so despite the press this has gotten it's not as bad as it sounds; while it's worse, it's also hard to do. In the words of SANS earlier today, the sky is not falling.

It's better that the updates be done right, as the performance hit from KPTI isn't trivial, there are no known attacks at this time, and the implementations out there are causing other more serious problems like outright crashing systems.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Intel CPU flaw

Unread post by Imaging »

Great. Thanks for the analysis and perspective!
merlin83b
New Forum User
Posts: 1
Joined: Thu Jan 11, 2018 6:09 am
Location: Manchester, UK

Re: Intel CPU flaw

Unread post by merlin83b »

mikeshinn wrote:Tomorrow.
That was posted a week ago. Any thoughts on when you might be releasing a patched kernel?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Intel CPU flaw

Unread post by mikeshinn »

The kernel was released this past weekend. It uses UDEREF and not the slow and buggy KPTI in the mainline kernel. So you won't experience performance impacts like the mainline kernel, or kernel panics.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Intel CPU flaw

Unread post by Imaging »

Mike:

Just to make sure I'm clear, what is said kernel patched against (meltdown only, meltdown and some spectre variants, etc.)?

Some of the vendor kernels needed microcode updates for their patches as well, and I'm not sure if that was related to the method used or if the ASL kernel would need them as well.

Thanks!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Intel CPU flaw

Unread post by mikeshinn »

Both. If a microcode update was needed for that CPU it would also be updated.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Intel CPU flaw

Unread post by Imaging »

Mike:

Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?

TIA!
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Intel CPU flaw

Unread post by Imaging »

Just in case it wasn't seen, a bump of:

__

Mike:

Could you please post a current status as to what mitigations were introduced in what kernels (so those who don't update their kernel with each release will know the minimum needed updates)?

TIA!

__

Thanks!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Intel CPU flaw

Unread post by mikeshinn »

All of the Meltdown and Spectre mitigations were available in the last 4.4.x release (we've since retired 4.4.x and moved to 4.14.x tree). That last version is 4.4.109. We do recommend upgrading to the 4.14.x kernel as it contains significant performance enhancements over the 4.4.x kernels. All of the 4.14.x kernels contain all mitigations (again the newer kernels will be faster, so we recommend upgrading).
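A way to check what a running kernel itself reports for these issues, as an added example that is not code from this thread or from Atomicorp: mainline Linux (the 4.14.x tree, and 4.4.x stable backports) exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities. The directory is a parameter so the functions can run against a constructed copy; a kernel that lacks this interface, or mitigates by another mechanism such as UDEREF, may not expose it, so its absence is not by itself evidence of being unpatched.

```sh
#!/bin/sh
# Added example (not from the thread): summarise the kernel's own view of
# Meltdown/Spectre mitigation status from the sysfs "vulnerabilities" files.

# Print "<issue> <status>" for each file in the directory; returns 0 always.
print_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel does not expose mitigation status" >&2
        return 0
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%-12s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print the number of issues whose status begins with "Vulnerable"
# (the other statuses the kernel uses are "Mitigation: ..." and "Not affected").
count_unmitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample directory (not output from a real machine): one issue
# mitigated, one not applicable to the CPU, one still reported vulnerable.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Not affected\n'    > "$d/spectre_v1"
    printf 'Vulnerable\n'      > "$d/spectre_v2"
    echo "$d"
}

# When run directly, report on the live system.
print_mitigations
echo "issues still reported vulnerable: $(count_unmitigated)"
```

Pair the output with the running kernel version (uname -r) when deciding whether a host still needs the 4.4.109 or 4.14.x update mentioned above.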
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: Intel CPU flaw

Unread post by Imaging »

Thank you. Not sure if I'm reading you correctly but are you saying that 4.4.109 has all of the same mitigations as the 4.14.x releases?
titykouki
New Forum User
Posts: 1
Joined: Tue Dec 04, 2018 7:44 am
Location: PARIS

Re: Intel CPU flaw

Unread post by titykouki »

mikeshinn wrote:All of the Meltdown and Spectre mitigations were available in the last 4.4.x release (we've since retired 4.4.x and moved to 4.14.x tree). That last version is 4.4.109. We do recommend upgrading to the 4.14.x kernel as it contains significant performance enhancements over the 4.4.x kernels. All of the 4.14.x kernels contain all mitigations (again the newer kernels will be faster, so we recommend upgrading).
We're in trying with part refreshes now. The updates to every working framework may bring about an execution hit (Intel demands its minor, yet testing by the Linux part network has indicates 13-30% execution hits for vanilla Linux bits). This execution issue isnt novel to our pieces or anyones besides. Its because of the way that everybody needs to settle this blemish in the CPU equipment in programming, which implies the CPU needs to accomplish more work to ensure itself, from itself. What's more, we're exceptionally delicate to that for our clients, so before we discharge anything we need to ensure the part is performing ideally.