OpenSUSE Adds Option To Installer For Toggling Performance-Hitting CPU Mitigations

  • mike_g
    replied
    This Intel pollution option was introduced in the Tumbleweed installer in March and is/was available in Yast under bootloader. The big question is, does Ryzen 2700U need that on a mainline kernel that gets a live update? Rc1 second patch (mitigation is turned OFF):

    Code:
    cat /proc/cmdline
    BOOT_IMAGE=/boot/vmlinuz-5.2.0-rc1-2.gb225e5a-default root=UUID=b6d59d21-b22b-427e-a648-d3bb42e4ddb1 splash=silent iommu=soft resume=/dev/disk/by-id/ata-SanDisk_SDSSDH3256G_183756420226-part3 quiet mitigations=off
    Code:
    cat /sys/devices/system/cpu/vulnerabilities/mds
    Not affected
    Code:
    cat /sys/devices/system/cpu/vulnerabilities/*
    Not affected
    Not affected
    Not affected
    Vulnerable
    Mitigation: __user pointer sanitization
    Vulnerable, IBPB: disabled, STIBP: disabled

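The two commands in the post above are the usual way to check this by hand. As an added example (not code from the thread or from openSUSE), the script below reads the same two sources, /proc/cmdline and /sys/devices/system/cpu/vulnerabilities/, but prints each sysfs entry next to its file name, counts the entries that report "Vulnerable", and flags an explicit mitigations=off on the command line, returning non-zero so it can gate a configuration check. The sample data it builds is constructed to mirror the pasted output; the file names are the standard sysfs entry names, and mapping them to the pasted lines assumes the shell expanded the glob alphabetically.

```shell
#!/bin/sh
# Added example, not from the thread: audit CPU vulnerability status and the
# kernel command line. Both paths are parameters so the functions can run
# against the constructed sample built by make_sample below.

# cmdline_disables_mitigations CMDLINE_FILE
# Returns 0 if the command line carries the exact token mitigations=off.
cmdline_disables_mitigations() {
    tr ' ' '\n' < "$1" | grep -qx 'mitigations=off'
}

# count_vulnerable VULN_DIR
# Prints how many sysfs entries start with "Vulnerable" (with or without details).
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# audit_mitigations VULN_DIR CMDLINE_FILE
# Prints "name: status" per entry plus a summary. Returns 0 only when no entry
# is Vulnerable and mitigations=off is absent.
audit_mitigations() {
    dir=$1
    cmdline=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
    rc=0
    if cmdline_disables_mitigations "$cmdline"; then
        echo 'kernel cmdline: mitigations=off is set'
        rc=1
    fi
    n=$(count_vulnerable "$dir")
    echo "vulnerable entries: $n"
    [ "$n" -eq 0 ] || rc=1
    return "$rc"
}

# make_sample
# Builds a constructed stand-in for the sysfs directory and /proc/cmdline in a
# temp dir and prints its path. Values mirror the pasted output; the mapping of
# file names to lines is an assumption based on alphabetical glob order.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/vulnerabilities"
    echo 'Not affected' > "$d/vulnerabilities/l1tf"
    echo 'Not affected' > "$d/vulnerabilities/mds"
    echo 'Not affected' > "$d/vulnerabilities/meltdown"
    echo 'Vulnerable' > "$d/vulnerabilities/spec_store_bypass"
    echo 'Mitigation: __user pointer sanitization' > "$d/vulnerabilities/spectre_v1"
    echo 'Vulnerable, IBPB: disabled, STIBP: disabled' > "$d/vulnerabilities/spectre_v2"
    echo 'BOOT_IMAGE=/boot/vmlinuz root=UUID=PLACEHOLDER quiet mitigations=off' > "$d/cmdline"
    echo "$d"
}

# Demo against the constructed sample. On a real host call:
#   audit_mitigations /sys/devices/system/cpu/vulnerabilities /proc/cmdline
sample=$(make_sample)
audit_mitigations "$sample/vulnerabilities" "$sample/cmdline" || echo 'audit: mitigations reduced or disabled'
rm -rf "$sample"
```

On the sample the audit reports two Vulnerable entries (spec_store_bypass and spectre_v2) and the mitigations=off token, so it exits non-zero; a "Not affected" entry is correctly not counted, which is what distinguishes a CPU that does not need a given mitigation from one where it has been switched off.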
  • k1e0x
    replied
    Originally posted by zxy_thf:
    Those mitigations make little sense if only trusted code will be executed.
    I've seen this argument going around and ppl.. no.. Do you know you're running trusted code? Do you know your web browser is executing trusted code? Anti-virus has existed for ~40 years because people can't solve this problem.

    Enable them.

    Also on the placement of the option on the installer. It's actually not a very prominent option. (but available)

  • starshipeleven
    replied
    Originally posted by useless:
    Maybe he/she was referring to IoT devices. Now, they're a minefield.
    IoT is the modern buzzword for "embedded".

    And no, what I said still applies, IoT isn't (supposed to be) running untrusted software. They have their own firmware, and that's it.

    That said, yes I agree on his statement that IoT is "a dumpster fire of a shitshow".

  • useless
    replied
    Originally posted by starshipeleven:
    Are you aware of what these vulns actually need to be exploited?

    You need to be running untrusted software, be it javascript in a browser or whatever.

    Most embedded aren't running untrusted software.
    Maybe he/she was referring to IoT devices. Now, they're a minefield.

  • Charlie68
    replied
    I confirm that it is possible to change this setting also post-installation, via Yast - Bootloader.

  • starshipeleven
    replied
    Originally posted by brad0:
    That's the worst possible place to disable it. But if you want to make a dumpster fire of shitshow even more shitshow go ahead.
    Are you aware of what these vulns actually need to be exploited?

    You need to be running untrusted software, be it javascript in a browser or whatever.

    Most embedded aren't running untrusted software.

  • starshipeleven
    replied
    Originally posted by yurikoles:
    On Linux.org.ru there is a mem: SUSE-Router
    I don't know what you mean.

    But "router" is a networking job. Smaller routers are embedded devices, bigger ones are true server hardware. Server-grade distros are also used to make a high-end router. Not everyone is running Cisco.

  • brad0
    replied
    Originally posted by starshipeleven:
    Also for many embedded devices. Not that SUSE runs any significant amount.
    That's the worst possible place to disable it. But if you want to make a dumpster fire of shitshow even more shitshow go ahead.

  • yurikoles
    replied
    Originally posted by starshipeleven:
    Also for many embedded devices. Not that SUSE runs any significant amount.
    On Linux.org.ru there is a mem: SUSE-Router

  • zxy_thf
    replied
    Originally posted by RahulSundaram:
    That's not the case. "Trusted" code can have security vulnerabilities.
    In order to exploit those hardware bugs, the attacker must be able to run custom code that does crazy things.
    If the attacker could run arbitrary code on the server, the sys admin certainly would have more important things to worry about.
