Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations
  • boxie
    replied
    Originally posted by sireangelus View Post

    What about a WordPress server? Or a firewall (running Snort)?
    Even if it is all your own code with no 3rd-party plugins but still end-user facing, you would still need these mitigations for when there is an exploit.

    If (and only if) it is a server running an internal workload with no outward-facing network connections, then you could get away with it.

    One example might be a database server that only has internal network connections, not internet facing. But only if you have a write-heavy workload and cannot afford the performance hit. And even then that's a weak excuse!



  • sireangelus
    replied
    Originally posted by boxie View Post

    For Meltdown, any process can read kernel memory. If you control all the code running on it, it might be safe to disable.

    But, as you said, "browser": leave it on; you do not control the code that runs in a browser.
    What about a WordPress server? Or a firewall (running Snort)?



  • michael-vb
    replied
    The fix for Meltdown was moving from having all kernel memory mapped into every process to having virtually no kernel memory mapped into user-mode page tables. I wonder if there are more parts of kernel memory which could benefit from being mapped globally without leaking sensitive information.



  • quaz0r
    replied
    The shitshow continues.



  • boxie
    replied
    Originally posted by sireangelus View Post
    What will happen after all these optimizations if you turn the security off but keep the patches on? Also, are these required for a server not running any VM with a browser on it?

    For Meltdown, any process can read kernel memory. If you control all the code running on it, it might be safe to disable.

    But, as you said, "browser": leave it on; you do not control the code that runs in a browser.



  • sireangelus
    replied
    What will happen after all these optimizations if you turn the security off but keep the patches on? Also, are these required for a server not running any VM with a browser on it?



  • davidbepo
    replied
    Originally posted by Peter Fodrek View Post
    Is it really needed for AMD?

    Linux 4.15.6-1.g06f0b06-default #1 SMP PREEMPT Sun Feb 25 18:51:57 UTC 2018 (06f0b06) x86_64 x86_64 x86_64 GNU/Linux
    more /sys/devices/system/cpu/vulnerabilities/meltdown
    Not affected

    more /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: __user pointer sanitization
    more /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full AMD retpoline

    Spectre v1: yes.
    Spectre v2: no, AMD processors aren't affected unless you change the JIT parameters; add nospectre_v2 to the boot options to get the performance back.
    Last edited by davidbepo; 26 February 2018, 01:30 PM. Reason: typo

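    An added example, not code from the thread or from Phoronix: a small POSIX shell audit that classifies every file under /sys/devices/system/cpu/vulnerabilities the way the outputs quoted above read ("Not affected", "Mitigation: ...", "Vulnerable"), and reports kernel command-line parameters such as the nospectre_v2 mentioned above that switch mitigations off. The directory and cmdline paths are parameters (defaulting to the live sysfs and /proc locations) so it can also run against a copied tree; the parameters checked beyond nospectre_v2 are other documented kernel options, not something the thread lists.

```bash
#!/bin/sh
# Added example (not from the thread). Audit the sysfs vulnerability
# files quoted in the posts above and flag mitigations disabled on the
# kernel command line.

# Print "<name>: <state>" for every file in $1, where state is one of
# not_affected, mitigated, vulnerable or unknown.
audit_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected") state=not_affected ;;
            Mitigation:*)   state=mitigated ;;
            Vulnerable*)    state=vulnerable ;;
            *)              state=unknown ;;
        esac
        printf '%s: %s\n' "$name" "$state"
    done
}

# Print how many entries under $1 are still in the "vulnerable" state.
count_vulnerable() {
    audit_vulns "$1" | awk -F': ' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# Print each mitigation-disabling parameter found in the cmdline file $1
# (default /proc/cmdline). Returns 1 if any were found, 0 otherwise.
# nospectre_v2 is the option named in the thread; the others are further
# documented kernel parameters that turn a mitigation off.
disabled_mitigations() {
    cmdline=$(cat "${1:-/proc/cmdline}")
    found=0
    for tok in $cmdline; do
        case "$tok" in
            nospectre_v1|nospectre_v2|nopti|pti=off|spectre_v2=off|mitigations=off)
                echo "$tok"
                found=1 ;;
        esac
    done
    return $found
}

# Live usage (defaults point at /sys and /proc):
#   audit_vulns
#   disabled_mitigations || echo "a mitigation is switched off on the cmdline"
```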


  • Peter Fodrek
    replied
    Is it really needed for AMD?

    Linux 4.15.6-1.g06f0b06-default #1 SMP PREEMPT Sun Feb 25 18:51:57 UTC 2018 (06f0b06) x86_64 x86_64 x86_64 GNU/Linux
    more /sys/devices/system/cpu/vulnerabilities/meltdown
    Not affected

    more /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: __user pointer sanitization
    more /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full AMD retpoline



  • Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

    Phoronix: Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

    The in-development Linux 4.16 kernel has already received a few rounds of updates for the mitigation work on the Spectre and Meltdown CPU vulnerabilities while more is on the way...

    http://www.phoronix.com/scan.php?pag...e-Spectre-Melt