The Spectre/Meltdown Performance Impact On Linux 4.20, Decimating Benchmarks With New STIBP Overhead


  • #51
    Originally posted by Weasel
    I'm talking about the nonsense people spread about "Intel cut corners that's why they have higher IPC than AMD". Repeating that, in various forms, is not going to turn it into a fact, sorry.
    I never said anything about cutting corners, nor did I imply it... I'm actually not blaming Intel for all these flaws (some of them they should've known better about). That being said, my point was that if Intel had proper security from the very beginning, their IPC lead against Zen wouldn't be that great.



    • #52
      Originally posted by birdie
      Meanwhile a request in LKML to enable to disable (sic!) all these mitigations was met with utter indifference, and now if you want to reach previously available performance you have to peruse a ton of documentation and you also have to recompile the kernel since some mitigations are compiled-in regardless, without a runtime option to disable them.
      if you want performance, you can run DOS



      • #53
        Originally posted by Azrael5

        AMD processors are immune?
        to meltdown? yes
        for spectre v2 they don't need STIBP



        • #54
          Originally posted by NotMine999
          I find it interesting to note that "impact on kernel performance" was not considered/challenged by the person(s) replying to the original poster (Artem) in the thread.
          Are Linux kernel developers not concerned with performance impacts of their coding?
          if you give up on address space separation, you don't need at all a kernel with virtual memory support



          • #55
            Originally posted by birdie
            And this is pure BS for over 95% of users out there who only run a web browser, a document processor and a spreadsheet.
            Both Firefox and Chrome have long implemented protections against Meltdown/Spectre class exploits, so there's really no way such users could be hacked.
            what about virus/malware? the address space separation is the foundation for any type of security measure, if you don't need it, you don't need Linux at all



            • #56
              Originally posted by trek

              what about virus/malware? the address space separation is the foundation for any type of security measure, if you don't need it, you don't need Linux at all
              How will viruses get into your PC in the first place? And after they've done that, do you really think Meltdown/Spectre are even required? Fuck no, because a virus can trivially scan all your keypresses/mouse movements and get all your passwords. A virus might replace your launchers, may inject DLLs, might do dozens of known things to circumvent your workflow and get everything from you. Using STIBP to steal passwords is insanity.

              Damn, 99% of users here don't fucking understand what these vulnerabilities are about and how hellishly difficult using them for anything is.
              Last edited by birdie; 19 November 2018, 04:33 AM.



              • #57
                Originally posted by trek

                to meltdown? yes
                for spectre v2 they don't need STIBP
                So AMD processors are less affected by the hardware bugs and by the slowness of the patches. Right?



                • #58
                  Originally posted by birdie

                  Spectre/Meltdown vulnerabilities have been known for almost a year already. Not a single actual exploit has been found yet.

                  Still, 100% of users must suffer tremendously because in theory someone could be hacked.

                  Also, tell me how home users could be theoretically hacked using these vulnerabilities. Chaining and everything - I'm all ears.

                  There's a load of BS going on in this thread and people mindlessly "like" certain posts without understanding shit about the issue at hand.



                  Again BS on top of BS. Certain vulnerabilities are baked-in during compilation using GCC flags and you cannot even disable them using `make config`, there's no way you can disable them using boot arguments.
                  If you think people are suffering with this patch, then you ought to try out Windows. Using Windows is suffering. This is nothing in comparison. As for not understanding the issue, I do not think you understand it. I am willing to defer to mainline developers who have access to what is likely confidential information about processor design. I don’t have access to that information and neither do you.



                  • #59
                    Originally posted by birdie

                    Have you read the actual article? Because it says, "that try to exploit Meltdown and Spectre, although most appear to be proof-of-concept code". Also this article is from February 2018, i.e. when Firefox/Chrome hadn't yet had protections in place and it was just three weeks after the revelations were made.

                    In short try harder.

                    Also, you still haven't revealed even a theoretical attack vector which involves using Meltdown/Spectre vulnerabilities.
                    What I posted was enough. No amount of digging can change the mind of someone who decided to be a champion of poor security hygiene.



                    • #60
                      Originally posted by ryao

                      What I posted was enough. No amount of digging can change the mind of someone who decided to be a champion of poor security hygiene.
                      Indeed, that guy actually claims in his attack piece on Linux (won't get a link, 'cos there's no such thing as bad publicity) he actually purports that you can judge the security of software simply by comparing the number of CVEs (thus ignoring things like severity of vulnerabilities and the vulnerabilities that haven't got a CVE). The more you think about such an idea, the more kooky it feels. Really, what purpose does chastising vendors that properly report their vulnerabilities serve?
