Linux Update Acknowledges Your Old Intel CPUs Might Be Vulnerable To MMIO Stale Data
  • Linux Update Acknowledges Your Old Intel CPUs Might Be Vulnerable To MMIO Stale Data

    Phoronix: Linux Update Acknowledges Your Old Intel CPUs Might Be Vulnerable To MMIO Stale Data

    Made public back in June by Intel were the MMIO Stale Data vulnerabilities. The disclosure noted affected Intel products range from Haswell up through Rocket Lake on the client side or Xeon Scalable Ice Lake servers. However, pre-Haswell Intel CPUs might be impacted too while the Linux kernel to this point was incorrectly stating older CPUs are "not affected" by MMIO Stale Data...

    https://www.phoronix.com/news/Linux-...-Data-Old-CPUs

  • #2
    Are all these vulnerabilities because the microarchitectures use speculative execution?
    Or does the ISA matter? Are RISC-V and AArch64 any less vulnerable than x86?


    • #3
      Originally posted by uid313
      Are all these vulnerabilities because the microarchitectures use speculative execution?
      Or does the ISA matter? Are RISC-V and AArch64 any less vulnerable than x86?
      As I have understood it (but others here, please feel free to chime in), some of these vulnerabilities have been known to be specific only to processors of a specific manufacturer, whereas others tend to have a much broader impact and affect not only other manufacturers, but even other architectures, for instance both x86 and ARM.


      • #4
        When did Ivy Bridge go out of support? Potentially suspicious timing with this from Intel to avoid having to produce a microcode patch for that gen too.
        I also notice they've removed Ivy Bridge from their spreadsheet of processors with vulnerabilities, so they don't even want to continue documenting them.


        • #5
          Originally posted by Developer12
          When did Ivy Bridge go out of support?
          End of 2019 (or thereabouts, as there are a couple of exceptions for some Xeon processors that were middle of 2020).

          Potentially suspicious timing
          Your tin foil hat may need a bit of adjustment in the detecting of conspiracies.


          • #6
            Originally posted by CommunityMember

            End of 2019 (or thereabouts, as there are a couple of exceptions for some Xeon processors that were middle of 2020).



            Your tin foil hat may need a bit of adjustment in the detecting of conspiracies.
            Yeah, ~7-8 years of support is pretty good, actually.

            Also, this makes the decision to run these chips with mitigations=off even easier...


            • #7
              I am glad I have used AMD since 2005. I am running Ryzen 7 now. Intel seems to have a lot of issues.


              • #8
                Originally posted by uid313
                Are all these vulnerabilities because the microarchitectures use speculative execution?
                Speculative execution is an important part, but only one part of the complete issue (CPU caches/TLBs and shared resources can be others).

                There is an old adage (in the crypto field) that attacks only get better over time.

                For simple values, any CPU designed in quite a few decades uses one or more acceleration technologies that can turn out to leak information. Sometimes that leak can exfiltrate thousands of bits of information per second, other times only a few, but with time, even 1 bit per second can compromise something important.

                Researchers (and three letter agencies) spend their efforts on the most prevalent architectures (and OS's), and that has been Intel x86_64 (biggest "bang" (in press or exploitation capability) for their buck). This is, for example, mostly the same reason that virus/exploitation writers used to mostly ignore MacOS, or Linux, as no one used them (everyone used Windows), but that has changed.

                That does not mean that other implementations are immune, just that we (mostly) do not have research and press releases. While I have not done the research, I would not be surprised if PA-RISC is also exploitable, but as an essentially dead architecture, most do not care.


                • #9
                  Originally posted by CommunityMember
                  This is, for example, mostly the same reason that virus/exploitation writers used to mostly ignore MacOS, or Linux, as no one used them (everyone used Windows), but that has changed.
                  Even if they were trying they wouldn't be able to write Linux viruses comparable to Windows ones.


                  • #10
                    Originally posted by Volta
                    Even if they were trying they wouldn't be able to write Linux viruses comparable to Windows ones.
                    They can, and do, but it's mostly irrelevant anyway: malware overwhelmingly spreads through social engineering, not 1337 hax0rz.

                    You know the lie that gets trotted out every time some website leaks a few hundred thousand credit card numbers, SSNs, etc? The one about how "this was a highly sophisticated attack", etc etc. What they mean is, some idiot got an email from "I.T." saying "We've updated out password policy, you need to pick a new one, here's a link to make it easier for you, www.company.totallynotcompany.com/passwordreset/", and fell for it. That's it.

                    It's not a genius in a hoodie chaining exploits and privilege escalations, predicting ASLR and bypassing DEP. That's Hollywood and mediocre TV shows trying to deal with a topic they don't understand and the audience doesn't understand either. It's just normal people being out of their depth and making stupid mistakes, because either "magic box says so" and they're "no good with computers", or "magic box says so" and they massively over-estimate how computer-savvy they are. No prizes for guessing which of those groups you fall into.

                    Windows does make it easier, because MS's insistence on integrating Office with IE with the OS opens up a few shortcuts to get there - so what's your excuse for all the malware on Android? After all, that's Linux too, so it must be immune.
                    Last edited by arQon; 19 August 2022, 05:15 AM.
