Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    54,110
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    4:52 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yup, looks like it's starting soon... all my Linodes still show 'Maintenance is not yet scheduled' right now.

    [Attached screenshot: upload_2018-1-14_20-32-6.png]

     
  2. Jon Snow

    Jon Snow Active Member

    814
    163
    43
    Jun 30, 2017
    Ratings:
    +240
    Local Time:
    2:52 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    Do we just have to wait for the times to be revealed or are we supposed to create a ticket to schedule it ourselves?
     
  3. eva2000

    Believe it's on their schedule as they have to take the entire host node server down.

    More on kernel updates to come: Retpoline Backported To Linux 4.9, Linux 4.14 Kernels - Phoronix
     
  4. eva2000

    More: Retpoline Is Still Being Improved Upon For Intel Skylake/Kabylake - Phoronix
     
  5. eva2000

    Retpoline Support Backport Lands In GCC 7 - Phoronix

     
  6. eva2000

    FYI, the Jan 14th, 2018 GCC 8 snapshot adds the new GCC Retpoline patches to address Spectre variant 2 vulnerabilities. I confirmed they exist in my custom-build GCC 8 RPM binary installations.

    For the Intel i7 4790K, the natively supported options now show the 3 new options for -mindirect-branch, -mindirect-return and -mindirect-branch-register:
    Code (Text):
    /opt/gcc8/bin/gcc -c -Q -march=native --help=target
    The following options are target specific:
      -m128bit-long-double                  [enabled]
      -m16                                  [disabled]
      -m32                                  [disabled]
      -m3dnow                               [disabled]
      -m3dnowa                              [disabled]
      -m64                                  [enabled]
      -m80387                               [enabled]
      -m8bit-idiv                           [disabled]
      -m96bit-long-double                   [disabled]
      -mabi=                                sysv
      -mabm                                 [enabled]
      -maccumulate-outgoing-args            [disabled]
      -maddress-mode=                       long
      -madx                                 [disabled]
      -maes                                 [enabled]
      -malign-data=                         compat
      -malign-double                        [disabled]
      -malign-functions=                    0
      -malign-jumps=                        0
      -malign-loops=                        0
      -malign-stringops                     [enabled]
      -mandroid                             [disabled]
      -march=                               haswell
      -masm=                                att
      -mavx                                 [enabled]
      -mavx2                                [enabled]
      -mavx256-split-unaligned-load         [disabled]
      -mavx256-split-unaligned-store        [disabled]
      -mavx5124fmaps                        [disabled]
      -mavx5124vnniw                        [disabled]
      -mavx512bitalg                        [disabled]
      -mavx512bw                            [disabled]
      -mavx512cd                            [disabled]
      -mavx512dq                            [disabled]
      -mavx512er                            [disabled]
      -mavx512f                             [disabled]
      -mavx512ifma                          [disabled]
      -mavx512pf                            [disabled]
      -mavx512vbmi                          [disabled]
      -mavx512vbmi2                         [disabled]
      -mavx512vl                            [disabled]
      -mavx512vnni                          [disabled]
      -mavx512vpopcntdq                     [disabled]
      -mbionic                              [disabled]
      -mbmi                                 [enabled]
      -mbmi2                                [enabled]
      -mbranch-cost=<0,5>                   3
      -mcall-ms2sysv-xlogues                [disabled]
      -mcet                                 [disabled]
      -mcet-switch                          [disabled]
      -mcld                                 [disabled]
      -mclflushopt                          [disabled]
      -mclwb                                [disabled]
      -mclzero                              [disabled]
      -mcmodel=                             [default]
      -mcpu=                           
      -mcrc32                               [disabled]
      -mcx16                                [enabled]
      -mdispatch-scheduler                  [disabled]
      -mdump-tune-features                  [disabled]
      -mf16c                                [enabled]
      -mfancy-math-387                      [enabled]
      -mfentry                              [disabled]
      -mfma                                 [enabled]
      -mfma4                                [disabled]
      -mforce-drap                          [disabled]
      -mforce-indirect-call                 [disabled]
      -mfp-ret-in-387                       [enabled]
      -mfpmath=                             sse
      -mfsgsbase                            [enabled]
      -mfunction-return=                    keep
      -mfused-madd                     
      -mfxsr                                [enabled]
      -mgeneral-regs-only                   [disabled]
      -mgfni                                [disabled]
      -mglibc                               [enabled]
      -mhard-float                          [enabled]
      -mhle                                 [enabled]
      -miamcu                               [disabled]
      -mibt                                 [disabled]
      -mieee-fp                             [enabled]
      -mincoming-stack-boundary=            0
      -mindirect-branch-register            [disabled]
      -mindirect-branch=                    keep
      -minline-all-stringops                [disabled]
      -minline-stringops-dynamically        [disabled]
      -mintel-syntax                   
      -mlarge-data-threshold=<number>       65536
      -mlong-double-128                     [disabled]
      -mlong-double-64                      [disabled]
      -mlong-double-80                      [enabled]
      -mlwp                                 [disabled]
      -mlzcnt                               [enabled]
      -mmemcpy-strategy=               
      -mmemset-strategy=               
      -mmitigate-rop                        [disabled]
      -mmmx                                 [enabled]
      -mmovbe                               [enabled]
      -mmpx                                 [disabled]
      -mms-bitfields                        [disabled]
      -mmusl                                [disabled]
      -mmwaitx                              [disabled]
      -mno-align-stringops                  [disabled]
      -mno-default                          [disabled]
      -mno-fancy-math-387                   [disabled]
      -mno-push-args                        [disabled]
      -mno-red-zone                         [disabled]
      -mno-sse4                             [disabled]
      -mnop-mcount                          [disabled]
      -momit-leaf-frame-pointer             [disabled]
      -mpc32                                [disabled]
      -mpc64                                [disabled]
      -mpc80                                [disabled]
      -mpclmul                              [enabled]
      -mpcommit                             [disabled]
      -mpku                                 [disabled]
      -mpopcnt                              [enabled]
      -mprefer-avx128                   
      -mprefer-vector-width=                none
      -mpreferred-stack-boundary=           0
      -mprefetchwt1                         [disabled]
      -mprfchw                              [disabled]
      -mpush-args                           [enabled]
      -mrdpid                               [disabled]
      -mrdrnd                               [enabled]
      -mrdseed                              [disabled]
      -mrecip                               [disabled]
      -mrecip=                         
      -mrecord-mcount                       [disabled]
      -mred-zone                            [enabled]
      -mregparm=                            6
      -mrtd                                 [disabled]
      -mrtm                                 [disabled]
      -msahf                                [enabled]
      -msgx                                 [disabled]
      -msha                                 [disabled]
      -mshstk                               [disabled]
      -mskip-rax-setup                      [disabled]
      -msoft-float                          [disabled]
      -msse                                 [enabled]
      -msse2                                [enabled]
      -msse2avx                             [disabled]
      -msse3                                [enabled]
      -msse4                                [enabled]
      -msse4.1                              [enabled]
      -msse4.2                              [enabled]
      -msse4a                               [disabled]
      -msse5                           
      -msseregparm                          [disabled]
      -mssse3                               [enabled]
      -mstack-arg-probe                     [disabled]
      -mstack-protector-guard-offset=   
      -mstack-protector-guard-reg=     
      -mstack-protector-guard-symbol=   
      -mstack-protector-guard=              tls
      -mstackrealign                        [disabled]
      -mstringop-strategy=                  [default]
      -mstv                                 [enabled]
      -mtbm                                 [disabled]
      -mtls-dialect=                        gnu
      -mtls-direct-seg-refs                 [enabled]
      -mtune-ctrl=                     
      -mtune=                               haswell
      -muclibc                              [disabled]
      -mvaes                                [disabled]
      -mveclibabi=                          [default]
      -mvect8-ret-in-mem                    [disabled]
      -mvpclmulqdq                          [disabled]
      -mvzeroupper                          [enabled]
      -mx32                                 [disabled]
      -mxop                                 [disabled]
      -mxsave                               [enabled]
      -mxsavec                              [disabled]
      -mxsaveopt                            [enabled]
      -mxsaves                              [disabled]
    
      Known assembler dialects (for use with the -masm= option):
        att intel
    
      Known ABIs (for use with the -mabi= option):
        ms sysv
    
      Known code models (for use with the -mcmodel= option):
        32 kernel large medium small
    
      Valid arguments to -mfpmath=:
        387 387+sse 387,sse both sse sse+387 sse,387
    
      Known indirect branch choices (for use with the -mindirect-branch=/-mfunction-return= options):
        keep thunk thunk-extern thunk-inline
    
      Known data alignment choices (for use with the -malign-data= option):
        abi cacheline compat
    
      Known vectorization library ABIs (for use with the -mveclibabi= option):
        acml svml
    
      Known address mode (for use with the -maddress-mode= option):
        long short
    
      Known preferred register vector length (to use with the -mprefer-vector-width= option)
        128 256 512 none
    
      Known stack protector guard (for use with the -mstack-protector-guard= option):
        global tls
    
      Valid arguments to -mstringop-strategy=:
        byte_loop libcall loop rep_4byte rep_8byte rep_byte unrolled_loop
        vector_loop
    
      Known TLS dialects (for use with the -mtls-dialect= option):
        gnu gnu2
    

    Note the output for:
    Code (Text):
    /opt/gcc8/bin/gcc -c -Q -march=native --help=target | egrep 'indirect|function-return'
      -mforce-indirect-call                    [disabled]
      -mfunction-return=                       keep
      -mindirect-branch-register               [disabled]
      -mindirect-branch=                       keep
      Known indirect branch choices (for use with the -mindirect-branch=/-mfunction-return= options):
    


    From: Benchmarking Linux With The Retpoline Patches For Spectre - Phoronix
    GCC 8 Patches Posted For Spectre Mitigation - Phoronix
     
    Last edited: Jan 17, 2018
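    As an added example (my own code, not anything from the post or from GCC), here is a small Python checker that parses the `--help=target` listing above and reports whether the retpoline options are present and whether a thunk mode is actually in effect; the embedded listing is a constructed excerpt of the post's output, and `query_gcc` is a helper that runs the same command against a real compiler.

```python
"""Parse `gcc -Q -march=native --help=target` output and report whether the
retpoline (Spectre v2) options exist and whether they are actually in effect.
Added example, not code from the post; the listing below is constructed."""
import re
import subprocess

# Options introduced by the January 2018 GCC retpoline patches.
RETPOLINE_OPTS = ("-mindirect-branch=", "-mfunction-return=", "-mindirect-branch-register")
# Values of -mindirect-branch=/-mfunction-return= that emit thunks; "keep" does not.
THUNK_VALUES = {"thunk", "thunk-extern", "thunk-inline"}
_OPT_RE = re.compile(r"^\s+(-m[\w.=<>,-]+)\s*(.*?)\s*$")
_CHOICES_RE = re.compile(r"^\s+Known indirect branch choices .*:\s*$")

# Constructed excerpt of the post's GCC 8 snapshot listing (default build flags).
SAMPLE_GCC8 = """\
The following options are target specific:
  -mfunction-return=                    keep
  -mindirect-branch-register            [disabled]
  -mindirect-branch=                    keep
  -mtune=                               haswell

  Known indirect branch choices (for use with the -mindirect-branch=/-mfunction-return= options):
    keep thunk thunk-extern thunk-inline
"""

def parse_target_help(text):
    """Return ({option: current value}, {valid indirect-branch choices})."""
    opts, choices, lines = {}, set(), text.splitlines()
    for i, line in enumerate(lines):
        if _CHOICES_RE.match(line) and i + 1 < len(lines):
            choices.update(lines[i + 1].split())  # the choices sit on the next line
            continue
        m = _OPT_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts, choices

def retpoline_status(text):
    """'unsupported' (options absent, pre-patch GCC), 'available' (present but
    still 'keep'), or 'enabled' (a thunk value is in effect for calls or returns)."""
    opts, choices = parse_target_help(text)
    present = [o for o in RETPOLINE_OPTS if o in opts]
    branch, ret = opts.get("-mindirect-branch=", ""), opts.get("-mfunction-return=", "")
    if not present:
        state = "unsupported"
    elif branch in THUNK_VALUES or ret in THUNK_VALUES:
        state = "enabled"
    else:
        state = "available"
    return {"state": state, "present": present, "indirect_branch": branch,
            "function_return": ret, "choices": sorted(choices),
            "register_thunks": opts.get("-mindirect-branch-register") == "[enabled]"}

def query_gcc(gcc="gcc", extra_flags=()):
    """Run the post's query on a real compiler; add a build line's flags
    (e.g. "-mindirect-branch=thunk") to confirm what they actually switch on."""
    cmd = [gcc, "-c", "-Q", "-march=native", *extra_flags, "--help=target"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return retpoline_status(out)
```

    A default GCC 8 build reports "available" (the options exist but stay at "keep"), so a binary is only retpoline-protected if its own build line sets -mindirect-branch=thunk or similar.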
  7. eva2000

    AMD Retpoline Benchmarks From FX To Threadripper & EPYC - Phoronix

     
  8. eva2000

    Benchmarks from Phoronix for the new GCC 8 patches: Benchmarking Retpoline-Enabled GCC 8 With -mindirect-branch=thunk - Phoronix

     
  9. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    7:52 AM
    Hopefully these will also be ported to the Red Hat EL product line.

    Red Hat employs several core developers of GCC, so it is certainly possible. The question is whether they are going to do it.
     
    Last edited by a moderator: Jan 18, 2018
  10. eva2000

    Indeed... hope it forces Redhat to think about moving to newer Linux 4.1x kernels as a base too. Must be a pain to be backporting all the time given kernel and GCC changes. Oh, not to mention the glibc improvements available in the latest upstream versions!
     
  11. eva2000

    Looks like new firmware and microcode updates are available on Redhat/CentOS 6/7 at least: Red Hat Customer Portal

    Code (Text):
    yum list updates -q
    Updated Packages
    linux-firmware.noarch                                    20170606-58.gitc990aae.el7_4                                     updates
    microcode_ctl.x86_64                                     2:2.1-22.5.el7_4                                                 updates
    

    On my Intel i7 4790K OVH server:
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Jan 17 17:51:09 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    Jan 17 17:51:09 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
    Jan 17 17:51:10 hostname systemd[1]: Starting Load CPU microcode update...
    Jan 17 17:51:10 hostname systemd[1]: Started Load CPU microcode update.
    
     
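    As an added example (my own code, not from the post), here is a Python check that reads the journal lines shown above and verifies that an early microcode update was logged and that every CPU reports the same signature and revision; the sample lines are constructed from the post's output with the hostname replaced, and `expected_revision` is a value you look up for your CPU signature.

```python
"""Check the microcode lines from `journalctl -b | grep microcode` on a CentOS 7
box: was an early microcode update applied, and do all CPUs agree on signature
and revision? Added example, not code from the post; sample lines are constructed
from the post's output with the hostname replaced."""
import re

_EARLY_RE = re.compile(r"microcode: microcode updated early to revision (0x[0-9a-fA-F]+), date = (\S+)")
_CPU_RE = re.compile(r"microcode: CPU(\d+) sig=(0x[0-9a-fA-F]+), pf=(0x[0-9a-fA-F]+), revision=(0x[0-9a-fA-F]+)")

# Constructed sample (two CPUs shown; the post lists eight with identical values).
SAMPLE_JOURNAL = """\
Jan 17 17:51:09 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
Jan 17 17:51:09 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
Jan 17 17:51:09 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
Jan 17 17:51:09 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
Jan 17 17:51:10 hostname systemd[1]: Started Load CPU microcode update.
""".splitlines()

def parse_microcode_journal(lines):
    """Return {'early': (revision, date) or None, 'cpus': {n: (sig, pf, revision)}},
    with hex fields converted to int so 0x22 and 0x022 compare equal."""
    info = {"early": None, "cpus": {}}
    for line in lines:
        m = _EARLY_RE.search(line)
        if m:
            info["early"] = (int(m.group(1), 16), m.group(2))
            continue
        m = _CPU_RE.search(line)
        if m:
            info["cpus"][int(m.group(1))] = tuple(int(x, 16) for x in m.groups()[1:])
    return info

def check_microcode(lines, expected_revision=None):
    """Return (ok, findings). expected_revision is the revision the vendor's
    package should load for this CPU signature (hypothetical input; look it up)."""
    info = parse_microcode_journal(lines)
    findings = []
    if info["early"] is None:
        findings.append("no early microcode update logged (BIOS may already carry the revision; compare against expected)")
    if not info["cpus"]:
        findings.append("no per-CPU microcode lines found")
    sigs = {sig for sig, _, _ in info["cpus"].values()}
    revs = {rev for _, _, rev in info["cpus"].values()}
    if len(sigs) > 1:
        findings.append("mixed CPU signatures: %s" % sorted(hex(s) for s in sigs))
    if len(revs) > 1:
        findings.append("CPUs report different revisions: %s" % sorted(hex(r) for r in revs))
    if expected_revision is not None and revs and revs != {expected_revision}:
        findings.append("revision %s but expected %s" % (sorted(hex(r) for r in revs), hex(expected_revision)))
    return (not findings, findings)
```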
  12. eva2000

    Benchmarking Retpoline Underflow Protection With Intel Skylake/Kabylake - Phoronix

     
  13. eva2000

  14. eva2000

    Intel Offers Enterprise Meltdown and Spectre Benchmarks A Gift for AMD

     
  15. eva2000

    Looks like Redhat/CentOS and other distros will have more fun backporting newer patches from the Linux 4.16 kernel: Spectre Variant One Mitigations Will Be Sent In For Linux 4.16 - Phoronix
     
  16. eva2000

  17. eva2000

    Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

    Intel says you should NOT install its Meltdown firmware fixes

     
  18. eva2000

  19. eva2000
