Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

  • #1

    Phoronix: Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

    The in-development Linux 4.16 kernel has already received a few rounds of updates for the mitigation work on the Spectre and Meltdown CPU vulnerabilities while more is on the way...

    http://www.phoronix.com/scan.php?pag...e-Spectre-Melt

  • #2
    Is it really needed for AMD?

    Linux 4.15.6-1.g06f0b06-default #1 SMP PREEMPT Sun Feb 25 18:51:57 UTC 2018 (06f0b06) x86_64 x86_64 x86_64 GNU/Linux
    more /sys/devices/system/cpu/vulnerabilities/meltdown
    Not affected

    more /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: __user pointer sanitization
    more /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full AMD retpoline

  • #3
    Originally posted by Peter Fodrek:
    Is it really needed for AMD?

    Linux 4.15.6-1.g06f0b06-default #1 SMP PREEMPT Sun Feb 25 18:51:57 UTC 2018 (06f0b06) x86_64 x86_64 x86_64 GNU/Linux
    more /sys/devices/system/cpu/vulnerabilities/meltdown
    Not affected

    more /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: __user pointer sanitization
    more /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full AMD retpoline

    spectre v1 yes
    spectre v2 no, AMD processors aren't affected unless you change the JIT parameters; add nospectre_v2 to boot options to get the performance back
    Last edited by davidbepo; 26 February 2018, 01:30 PM. Reason: typo

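As an added example (not from the thread, from Phoronix, or from any poster), here is a small POSIX shell audit script that reads the same /sys/devices/system/cpu/vulnerabilities files shown in the posts above, classifies each status line, and flags kernel command-line parameters that disable a mitigation, the case the nospectre_v2 suggestion leads to. The file names and the "Not affected" / "Mitigation:" / "Vulnerable" prefixes are the kernel's documented sysfs output; the parameters nospectre_v2, spectre_v2=off, nopti and pti=off are real kernel parameters (only nospectre_v2 appears in the thread); the function names and the directory and cmdline arguments are my own, chosen so the checks can run against a constructed directory as well as the live system.

```sh
#!/bin/sh
# Added example, not part of the Phoronix thread.
# Summarize the kernel's own view of Meltdown/Spectre status and flag boot
# parameters that turn a mitigation off. Arguments to audit() default to the
# live sysfs directory and /proc/cmdline, so it can also be pointed at a
# constructed directory for testing.

# Print the contents of one sysfs vulnerability file, or "missing" if the
# running kernel does not expose it (older kernels lack some entries).
vuln_status() {
    # $1 = vulnerabilities directory, $2 = vulnerability name (e.g. spectre_v2)
    f="$1/$2"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "missing"
    fi
}

# Map a status line onto ok / vulnerable / unknown using the documented prefixes.
classify() {
    case "$1" in
        "Not affected"*) echo "ok" ;;
        "Mitigation:"*)  echo "ok" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Succeed (exit 0) if the kernel command line in file $1 carries a parameter
# that disables a Spectre v2 or Meltdown (PTI) mitigation.
mitigation_disabled_on_cmdline() {
    grep -qE '(^|[[:space:]])(nospectre_v2|spectre_v2=off|nopti|pti=off)([[:space:]]|$)' "$1"
}

# Print one line per vulnerability and return 1 if any is reported vulnerable.
audit() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    cmdline="${2:-/proc/cmdline}"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(vuln_status "$dir" "$v")
        c=$(classify "$s")
        printf '%-10s %-11s %s\n' "$v" "$c" "$s"
        [ "$c" = "vulnerable" ] && rc=1
    done
    if [ -r "$cmdline" ] && mitigation_disabled_on_cmdline "$cmdline"; then
        echo "note: mitigation disabled via kernel command line: $(cat "$cmdline")"
    fi
    return $rc
}

# Run against the live system only when invoked as: sh audit.sh --run
if [ "${1-}" = "--run" ]; then
    audit "${2-}" "${3-}"
fi
```

Run it as `sh audit.sh --run` on the host in question; a non-zero exit means at least one entry reads "Vulnerable", and the trailing note shows when a boot parameter, rather than the hardware, is the reason a mitigation is absent. The classification is deliberately prefix-based because the text after "Mitigation:" varies between kernel versions and CPU vendors (the thread shows "Full AMD retpoline").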
  • #4
    What will happen after all these optimizations if you turn the security off but keep the patches on? Also, are these required for a server not running any VM with a browser on it?

  • #5
    Originally posted by sireangelus:
    What will happen after all these optimizations if you turn the security off but keep the patches on? Also, are these required for a server not running any VM with a browser on it?

    For Meltdown, any process can read kernel memory. If you control all the code running on it, it might be safe to disable.

    But, as you said "browser": leave it on; you do not control the code that runs in a browser.

  • #6
    the shitshow continues

  • #7
    The fix for Meltdown was moving from having all kernel memory mapped into every process to having virtually no kernel memory mapped into user-mode page tables. I wonder if there are more parts of kernel memory which could benefit from being mapped globally without leaking sensitive information.

  • #8
    Originally posted by boxie:
    For Meltdown, any process can read kernel memory. If you control all the code running on it, it might be safe to disable.

    But, as you said "browser": leave it on; you do not control the code that runs in a browser.

    What about a WordPress server? Or a firewall (running Snort)?

  • #9
    Originally posted by sireangelus:
    What about a WordPress server? Or a firewall (running Snort)?

    Even if it is all your own code with no 3rd-party plugins but still end-user facing, then you would still need these mitigations for when there is an exploit.

    If (and only if) it is a server running an internal workload with no outward-facing network connections, then you could get away with it.

    One example might be a database server that only has internal network connections, not internet-facing. But only if you have a write-heavy workload and cannot afford the performance hit. And even then that's a weak excuse!
