Announcement

Collapse
No announcement yet.

Linux Kernel Updated To Add Zenbleed Fix For Valve's Steam Deck

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Linux Kernel Updated To Add Zenbleed Fix For Valve's Steam Deck

    Phoronix: Linux Kernel Updated To Add Zenbleed Fix For Valve's Steam Deck

    Last month when the Linux kernel was mitigated for Zenbleed as a CPU vulnerability affecting AMD Zen 2 processors, it turns out the Steam Deck APU was accidentally left without coverage. An x86/urgent pull request sent out today for the Linux 6.5 kernel and for back-porting to current stable Linux kernel releases will extend the Zenbleed mitigation to protect Steam Deck gamers...

    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite

  • #2
    Were there any benches on whether or not the zenbleed patch affects perf?

    Comment


    • #3
      how necessary is this on a gaming appliance? i only play single player and would rather not take the performance hit

      Comment


      • #4
        Originally posted by ziguana View Post
        how necessary is this on a gaming appliance? i only play single player and would rather not take the performance hit
        That's a good point, I wouldn't be surprised if someone found that mitigations=off was being passed in the kernel boot parameters for the Steam Deck kernel, or it was compiled without mitigation support. For a mobile gaming device running on battery, every optimization matters.
        Last edited by damentz; 12 August 2023, 11:05 AM.

        Comment


        • #5
          Originally posted by damentz View Post

          That's a good point, I wouldn't be surprised if someone found that mitigations=off was being passed in the kernel boot parameters for the Steam Deck kernel, or it was compiled without mitigation support. For a mobile gaming device running on battery, every optimization matters.
          It wasn't that.

          I was reading the latest round of x86 vulnerability patches when I got curious about exactly what models the Zen 1 #DE bug applied to, which led to me seeing the list of models that the Zenbleed mitigation is applied to for Zen 2. Notably, I remembered that Van Gogh in the Steam Deck uses a different model number (90h) from the rest of the Zen 2 lineup, and after checking with Wikichip and on my Deck I found that it wasn't included in the range check for whether the mitigation should be enabled.

          I then ran the Zenbleed PoC on both SteamOS (that doesn't have the mitigation) and on Fedora Rawhide (that has the mitigation) and determined that the Deck was vulnerable to Zenbleed, and that the mitigation wasn't be enabled. I created a patch that adds the model and stepping range for the Deck, rebuilt the kernel, and determined that the mitigation now works and that the device is still functioning properly.

          I sent it in a couple days ago to the mailing list and x86 maintainers however I probably sent it at the wrong time as the x86 maintainers were busy hashing out DOWNFALL and INCEPTION mitigations, so it got missed. Probably also doesn't help that I'm just a random unaffiliated person. I reached out to Valve yesterday about the stalled patch and they brought a new patch forward and it was picked up.

          My first patch to the kernel didn't get to make it in, but at least I got to contribute indirectly and help patch a vulnerability for a few million users, so I'm not losing any sleep over it. The new patch notably does include a new model number, 91h, that my patch didn't. I don't know of any released hardware with that model number, but Valve does, so take of that as you will.

          Comment


          • #6
            Okay, so Steam Deck is a gaming machine. Freakin' single-purpose gaming machine. Why is it not running with mitigations=off out-of-the-box?!?!

            Comment


            • #7
              Originally posted by intelfx View Post
              Okay, so Steam Deck is a gaming machine. Freakin' single-purpose gaming machine. Why is it not running with mitigations=off out-of-the-box?!?!
              Because it's not just some locked-down console? The Steam Deck is a fully functional computer. It has a web browser, it downloads and runs code. It is exploitable.

              Why would you think that "mitigations=off" was a *GOOD* idea?

              Comment


              • #8
                Originally posted by Forge View Post

                Because it's not just some locked-down console? The Steam Deck is a fully functional computer. It has a web browser, it downloads and runs code. It is exploitable.

                Why would you think that "mitigations=off" was a *GOOD* idea?
                The fact that it can run a browser doesn't mean that it's supposed to.

                It's a gaming machine, for fsck's sake. It runs proprietary code 99% of the time, and it is not supposed to work with any kind of sensitive data.

                Comment


                • #9
                  Originally posted by intelfx View Post

                  The fact that it can run a browser doesn't mean that it's supposed to.

                  It's a gaming machine, for fsck's sake. It runs proprietary code 99% of the time, and it is not supposed to work with any kind of sensitive data.
                  Oh! I didn't realize, this is one of those "I am talking all about a thing that I have little to no first hand experience of" moments!

                  Steam Decks use the web browser. It's included by default. Shows up in the apps list very easily. Used to default to loading up Chrome, I think it currently defaults to Firefox, could be wrong, haven't seen the clean OOBE in a while.

                  It's open. Getting to a command prompt or launching a web browser doesn't take jailbreaking or any arcane knowledge whatsoever.

                  While I'd agree about keeping sensitive data away from your Steam Deck as much as possible, it *does* retain payment information, and I maintain that forcing off all mitigations for a little extra theoretical performance is a Bad Idea and should not be endorsed.

                  Proprietary or open code makes no difference here. If you're not correcting your *hardware* vulnerabilities, you're going to have a bad time no matter what you're running.

                  Comment


                  • #10
                    Originally posted by Forge View Post
                    While I'd agree about keeping sensitive data away from your Steam Deck as much as possible, it *does* retain payment information, <...>
                    Look who's talking about first-hand experience FYI, the payment information is retained on Steam (and its partners') servers, not your device.

                    Originally posted by Forge View Post
                    <...> and I maintain that forcing off all mitigations for a little extra theoretical performance is a Bad Idea and should not be endorsed.
                    Well then — I maintain that protecting from theoretical exploits that do not really fit into any sane threat model (for a Steam Deck) at the expense of very practical, real performance is a Bad Idea and should not be endorsed.
                    Last edited by intelfx; 13 August 2023, 12:05 AM.

                    Comment

                    Working...
                    X