
Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    54,066
    12,176
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,734
    Local Time:
    12:26 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Latest state of my OVH MC-32 Core i7 4790K kernel level spectre/meltdown fixes

    kernel
    Code (Text):
    uname -r
    3.10.0-862.2.3.el7.x86_64
    

    check boot log on CentOS 7
    Code (Text):
    journalctl -b | egrep -C1 -i 'spectre|meltdown|cve' | sed -e "s|$(hostname -f)|hostname|g"
    May 22 08:11:33 hostname kernel: FEATURE IBPB_SUPPORT Not Present
    May 22 08:11:33 hostname kernel: Spectre V2 : Vulnerable: Retpoline without IBPB
    May 22 08:11:33 hostname kernel: Freeing SMP alternatives: 24k freed
    --
    May 25 14:12:44 hostname DISCLAIMER[28517]: This updated microcode supersedes microcode provided by Red Hat with
    May 25 14:12:44 hostname DISCLAIMER[28517]: the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
    May 25 14:12:44 hostname DISCLAIMER[28517]: mitigation.
    May 25 14:12:44 hostname kernel: Spectre V2 : Mitigation: Full retpoline
    May 25 14:12:44 hostname DISCLAIMER[28517]: Historically, Red Hat has provided updated microcode, developed by our
    --
    May 25 14:12:44 hostname unknown: This updated microcode supersedes microcode provided by Red Hat with
                                         the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
                                         mitigation.
    

    CentOS microcode_ctl package change log
    Code (Text):
    rpm -q --changelog microcode_ctl | head -n12
    * Tue May 15 2018 Petr Oros <poros@redhat.com> - 2.1-29.2
    - Update disclaimer text
    - Resolves: #1575570
    
    * Mon May 07 2018 Petr Oros <poros@redhat.com> - 2.1-29.1
    - Intel CPU microcode update to 20180425.
    - Resolves: #1575570
    
    * Fri Jan 12 2018 Petr Oros <poros@redhat.com> - 2.1-29
    - Revert Microcode from Intel for Side Channel attack
    - Resolves: #1533939
    

    check logging for microcode related entries
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    May 22 08:11:33 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    May 22 08:11:33 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
    May 22 08:11:35 hostname systemd[1]: Starting Load CPU microcode update...
    May 22 08:11:35 hostname systemd[1]: Started Load CPU microcode update.
    May 22 08:12:19 hostname dracut[3492]: *** Generating early-microcode cpio image contents ***
    May 22 08:12:19 hostname dracut[3492]: *** Creating microcode section ***
    May 22 08:12:19 hostname dracut[3492]: *** Created microcode section ***
    May 22 08:12:20 hostname dracut[3492]: drwxr-xr-x   2 root     root            0 May 22 08:12 kernel/x86/microcode
    May 22 08:12:20 hostname dracut[3492]: -rw-r--r--   1 root     root        22528 May 22 08:12 kernel/x86/microcode/GenuineIntel.bin
    May 25 14:12:44 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU0 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU1 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU2 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU3 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU4 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU5 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU6 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU7 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname DISCLAIMER[28517]: This updated microcode supersedes microcode provided by Red Hat with
    May 25 14:12:44 hostname DISCLAIMER[28517]: Historically, Red Hat has provided updated microcode, developed by our
    May 25 14:12:44 hostname DISCLAIMER[28517]: temporarily suspended this practice while microcode stabilized. Red
    May 25 14:12:44 hostname DISCLAIMER[28517]: Hat is once again providing an updated Intel microcode package
    May 25 14:12:44 hostname DISCLAIMER[28517]: (microcode_ctl) and AMD microcode package (linux-firmware) to customers
    May 25 14:12:44 hostname DISCLAIMER[28517]: continue to update these microcode packages as necessary. Please
    May 25 14:12:44 hostname DISCLAIMER[28517]: Intel and AMD microcode package versions.
    May 25 14:12:44 hostname yum[28281]: Updated: 2:microcode_ctl-2.1-29.2.el7_5.x86_64
    May 25 14:12:44 hostname unknown: This updated microcode supersedes microcode provided by Red Hat with
                                         Historically, Red Hat has provided updated microcode, developed by our
                                         temporarily suspended this practice while microcode stabilized. Red
                                         Hat is once again providing an updated Intel microcode package
                                         (microcode_ctl) and AMD microcode package (linux-firmware) to customers
                                         continue to update these microcode packages as necessary. Please
                                         Intel and AMD microcode package versions.
    May 25 14:13:05 hostname dracut[8202]: *** Generating early-microcode cpio image contents ***
    May 25 14:13:05 hostname dracut[8202]: *** Creating microcode section ***
    May 25 14:13:05 hostname dracut[8202]: *** Created microcode section ***
    May 25 14:13:06 hostname dracut[8202]: drwxr-xr-x   2 root     root            0 May 25 14:13 kernel/x86/microcode
    May 25 14:13:06 hostname dracut[8202]: -rw-r--r--   1 root     root        23552 May 25 14:13 kernel/x86/microcode/GenuineIntel.bin
    May 25 14:13:17 hostname dracut[18352]: *** Generating early-microcode cpio image contents ***
    May 25 14:13:17 hostname dracut[18352]: *** Creating microcode section ***
    May 25 14:13:17 hostname dracut[18352]: *** Created microcode section ***
    May 25 14:13:18 hostname dracut[18352]: drwxr-xr-x   2 root     root            0 May 25 14:13 kernel/x86/microcode
    May 25 14:13:18 hostname dracut[18352]: -rw-r--r--   1 root     root        23552 May 25 14:13 kernel/x86/microcode/GenuineIntel.bin
    

    Check Redhat/CentOS tunables explained here = 1 1 0
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    1
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    
    cat /sys/kernel/debug/x86/retp_enabled 
    1
    

    So
    • pti_enabled - Page Table Isolation is enabled
    • ibpb_enabled - Indirect Branch Prediction Barriers is enabled
    • ibrs_enabled - Indirect Branch Restricted Speculation is disabled
    • retp_enabled - "retp_enabled" alteration is only available at runtime for RHEL7 systems. This tunable is read-only for RHEL 6 systems
    So since the Core i7 4790K is a Haswell-based processor, kernel-level Retpolines are used to mitigate Spectre variant 2 instead of ibrs_enabled.
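
The tunable check from the post above, as an added example (not part of the original post or of Centmin Mod): a POSIX shell function that reads the four `*_enabled` files and names the resulting Meltdown and Spectre variant 2 state, reusing the boot log's "with/without IBPB" wording. The function names are hypothetical, and treating any non-zero `ibrs_enabled` value as IBRS in use is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the four RHEL/CentOS 7 debugfs
# tunables shown in the post. Reading the real files under debugfs needs root.

read_tunable() {   # $1 = directory, $2 = file name; prints the value or "missing"
    if [ -r "$1/$2" ]; then tr -d '[:space:]' < "$1/$2"; else printf 'missing'; fi
}

mitigation_summary() {   # $1 = directory holding the *_enabled files
    dir=${1:-/sys/kernel/debug/x86}
    pti=$(read_tunable "$dir" pti_enabled)
    ibpb=$(read_tunable "$dir" ibpb_enabled)
    ibrs=$(read_tunable "$dir" ibrs_enabled)
    retp=$(read_tunable "$dir" retp_enabled)

    # Meltdown: page table isolation is the relevant switch.
    case $pti in
        1) meltdown="PTI on" ;;
        0) meltdown="PTI off" ;;
        *) meltdown="PTI unknown" ;;
    esac

    # Spectre variant 2: IBRS or retpoline, each paired with IBPB.
    # Assumption: any non-zero ibrs_enabled value counts as IBRS in use.
    case $ibrs in
        0|missing|'') if [ "$retp" = 1 ]; then v2="retpoline"; else v2="none"; fi ;;
        *) v2="IBRS" ;;
    esac
    if [ "$v2" != none ]; then
        if [ "$ibpb" = 1 ]; then v2="$v2 with IBPB"; else v2="$v2 without IBPB"; fi
    fi
    printf 'meltdown: %s; spectre_v2: %s\n' "$meltdown" "$v2"
}

# Demo on a scratch directory holding the values from the post (1 1 0 1).
demo=$(mktemp -d)
for kv in pti_enabled=1 ibpb_enabled=1 ibrs_enabled=0 retp_enabled=1; do
    printf '%s\n' "${kv#*=}" > "$demo/${kv%%=*}"
done
mitigation_summary "$demo"
rm -rf "$demo"
```

Called with no argument, `mitigation_summary` reads `/sys/kernel/debug/x86` directly; a "retpoline without IBPB" result corresponds to the state the May 22 boot log reported as vulnerable before the microcode update.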

     
  2. eva2000

    More Spectre fixes land in Google Chrome 67: Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes

    Good to know, I already enabled Site Isolation using Chrome flags prior to Chrome 67 but good to know it's the default now.
     
  3. eva2000

    Hmmm, not all patched yet: Rowhammer returns, Spectre fix unfixed, Wireguard makes a new friend, and much more

     
  4. eva2000

    Intel CPUs, the gift that keeps giving: New "Spectre" Variant Hits Intel CPUs, Company Promises Quarterly Microcode Updates!

     
  5. eva2000

    More security vulnerabilities for Intel
    Indeed a hot mess.. if there's any reason to force me off Cloud VPS onto bare metal dedicated hosting, this would probably be it.
     
    Last edited: Aug 15, 2018
  6. eva2000

  7. eva2000

    Not over yet - 7 new Meltdown and Spectre vulnerabilities found: Researchers discover seven new Meltdown and Spectre attacks | ZDNet

     
  8. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    2:26 PM
    1.9.x
    10.1.x
    GPUs are vulnerable to side-channel attacks
     
  9. eva2000

    wow now that's new !
     
  10. eva2000

    New Spectre attack, SplitSpectre: Researchers discover SplitSpectre, a new Spectre-like CPU attack | ZDNet

     
  11. eva2000

    Good news: Linux Networking Performance To Improve Thanks To Retpoline Overhead Reduction - Phoronix

     
  12. eva2000

    Windows 10 also got a bunch of microcode updates today too: https://support.microsoft.com/en-us...or-windows-10-version-1803-and-windows-server

     
  13. eva2000

    OPTPOLINES - Formerly Relpolines, Lower Overhead To Retpolines For Spectre Mitigation - Phoronix

     
  14. eva2000

    Yup, more goodies from Intel: Intel CPUs Reportedly Vulnerable To New "SPOILER" Speculative Attack - Phoronix :rolleyes:

     
  15. eva2000

    Latest benchmarks with Spectre and Meltdown patch fixes in place: Spectre/Meltdown Performance Impact Across Eight Linux Distributions - Phoronix

     
  16. eva2000

    More updates coming for improvements in Linux Kernel handling/controlling of meltdown/spectre patch fixes https://www.phoronix.com/scan.php?page=news_item&px=Linux-Improve-CPU-Spec-Switches
     
  17. eva2000

  18. eva2000

    Looks like Meltdown and its subsequent software or CPU hardware mitigations might not be totally fixed with new EchoLoad and KASLR - Kernel Address Space Layout Randomization. The PDF linked in the researcher's Twitter post at https://twitter.com/cc0x1f/status/1230876597969969152 outlines it, including the proposed solution FLARE (Fake Load Address REsponse).
    quoting from PDF
    jsg from LEB forum probably summarized the key points at Yet another serious attack on/vuln. of intel CPUs - "EchoLoad"
    Looks like more folks will be moving to AMD Zen2 Rome based EPYC cpus eventually.

    Cloudflare is making the move with their Gen X servers using AMD EPYC 7642 Zen2 Rome based CPUs: Cloudflare - Cloudflare Outlines Gen X servers - AMD EPYC 7642 based :)
     
  19. Revenge




    The Brutal Performance Impact From Mitigating The LVI Vulnerability - Phoronix

    Ouch...
     
  20. eva2000

    Ah, you beat me to LVI posting: LVI Attack Hits Intel SGX - Defeats Existing Mitigations, More Performance Hits - Phoronix :)

    Yes, brutal overhead for mitigations if you compile software with the new mitigations - though most YUM package apps aren't compiled with those mitigations as yet: The Brutal Performance Impact From Mitigating The LVI Vulnerability - Phoronix

    Look at the drop in OpenSSL performance when OpenSSL 1.1.1 is compiled with the new mitigation fixes for LVI! From 1,217.6 signs/sec to 138.1 signs/sec = 88.65% drop :eek:
