
Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    37,189
    8,123
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,508
    Local Time:
    10:29 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    If at first you don't succeed, you're likely Intel: Second Spectre microcode fix emitted

    Holy moses! That's only some of the ones that are relevant to us hosting users. I bet Intel wishes they didn't have that many SKU models for each family! Massive effort to update them all firmware-wise!
     
    Last edited: Feb 23, 2018
  2. eva2000

    Smart minds working together to get post-KPTI performance back on track: Another Potential Performance Optimization For KPTI Meltdown Mitigation - Phoronix

     
  3. eva2000

    Intel giving Broadwell and Haswell processors some love: Intel gives Broadwells and Haswells their Meltdown medicine

     
  4. eva2000

    Latest 4.16 Linux Kernel KPTI benchmarks: Fresh Linux 4.16 Kernel Benchmarks With KPTI & Retpolines - Phoronix

     
  5. bassie

    bassie Well-Known Member

    1,025
    246
    63
    Apr 29, 2016
    Ratings:
    +726
    Local Time:
    1:29 AM
    Red Hat has released an update for GCC "retpoline support for spectre mitigation" support for both EL6 and EL7.
    Advice: Update your system and rebuild your stack with this latest GCC.

     
  6. eva2000

    wow surprised RHEL was quite fast at getting this backported into their GCC packages!

    Thanks for heads up!

    I already built GCC 8 compiler RPMs for testing which have retpoline support as well :)

    Benchmarks from Phoronix for GCC 8 new patches: Benchmarking Retpoline-Enabled GCC 8 With -mindirect-branch=thunk - Phoronix
     
  7. bassie

    Internal release was set on Wed Jan 24 2018 ;)
    rpms/gcc.git - git.centos.org
     
  8. eva2000

    interesting, though the last 2 versions in that gcc spec file aren't available yet, still on 4.8.5-16 not 4.8.5-16.2 heh
    Code (Text):
    gcc --version
    gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-16)
    Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
     
  9. bassie

    CentOS is slow. The latest CentOS update is from 2018-02-28 11:52
    Upstream GCC update is available on the Red Hat network.

    When I speak about el7, this is: gcc-4.8.5-16.el7_4.2.src.rpm
     
  10. eva2000

    ah forgot about the Redhat > CentOS delays heh
     
  11. bassie

    gcc-4.8.5-16.el7_4.2 is available for CentOS 7 right now.
     
  12. eva2000

    ah I see it now :)
    CentOS 7.4 GCC 4.8.5-16.el7_4.2 updated with Spectre v2 supported directives
    Code (Text):
    yum info gcc -q
    Installed Packages
    Name        : gcc
    Arch        : x86_64
    Version     : 4.8.5
    Release     : 16.el7_4.2
    Size        : 37 M
    Repo        : installed
    From repo   : updates
    Summary     : Various compilers (C, C++, Objective-C, Java, ...)
    URL         : http://gcc.gnu.org
    License     : GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD
    Description : The gcc package contains the GNU Compiler Collection version 4.8.
                : You'll need this package in order to compile C code.

    checking to see if they're there and yup they exist just like in my GCC 8.0.1 compiler built RPMs

    GCC 4.8.5 updated check
    Code (Text):
    gcc -c -Q -march=native --help=target | egrep 'indirect|function-return'      
      -mfunction-return=                    keep
      -mindirect-branch-register            [disabled]
      -mindirect-branch=                    keep
      Known indirect branch choices (for use with the -mindirect-branch=/-mfunction-return= options):
    

    similar to GCC 8.0.1
    Code (Text):
    /opt/gcc8/bin/gcc -c -Q -march=native --help=target | egrep 'indirect|function-return'
      -mforce-indirect-call                    [disabled]
      -mfunction-return=                       keep
      -mindirect-branch-register               [disabled]
      -mindirect-branch=                       keep
      Known indirect branch choices (for use with the -mindirect-branch=/-mfunction-return= options):
    

    From GCC 8 Patches Posted For Spectre Mitigation - Phoronix
    From Benchmarking Retpoline-Enabled GCC 8 With -mindirect-branch=thunk - Phoronix
    Current status of my OVH MC-32 i7 4790K Haswell server

    microcode
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Mar 09 01:27:16 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    Mar 09 01:27:16 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    Mar 09 01:27:16 hostname kernel: microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba
    Mar 09 01:27:17 hostname systemd[1]: Starting Load CPU microcode update...
    Mar 09 01:27:17 hostname systemd[1]: Started Load CPU microcode update.
    Mar 09 01:28:02 hostname dracut[3411]: *** Generating early-microcode cpio image contents ***
    Mar 09 01:28:02 hostname dracut[3411]: *** Creating microcode section ***
    Mar 09 01:28:02 hostname dracut[3411]: *** Created microcode section ***
    Mar 09 01:28:03 hostname dracut[3411]: drwxr-xr-x   2 root     root            0 Mar  9 01:28 kernel/x86/microcode
    Mar 09 01:28:03 hostname dracut[3411]: -rw-r--r--   1 root     root        22528 Mar  9 01:28 kernel/x86/microcode/GenuineIntel.bin
    

    Code (Text):
    dmesg | grep microcode
    [    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
    [    0.523126] microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523149] microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523174] microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523195] microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523217] microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523237] microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523255] microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523274] microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    [    0.523354] microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba
    

    Tunables in CentOS/RHEL
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    cat /sys/kernel/debug/x86/ibpb_enabled
    cat /sys/kernel/debug/x86/ibrs_enabled
    

    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    0
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    

    spectre-meltdown-checker.sh
    Code (Text):
    ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.35
    
    Checking for vulnerabilities on current system
    Kernel is Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  NO
        * CPU indicates IBRS capability:  NO
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  NO
        * CPU indicates IBPB capability:  NO
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  NO
        * CPU indicates STIBP capability:  NO
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
      * CPU microcode is known to cause stability problems:  NO  (model 60 stepping 3 ucode 0x22)
    * CPU vulnerability to the three speculative execution attacks variants
      * Vulnerable to Variant 1:  YES
      * Vulnerable to Variant 2:  YES
      * Vulnerable to Variant 3:  YES
    

    Code (Text):
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel has array_index_mask_nospec:  NO
    * Kernel has the Red Hat/Ubuntu patch:  YES
    > STATUS:  NOT VULNERABLE  (Mitigation: Load fences)
    

    Code (Text):
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
    * Mitigation 1
      * Kernel is compiled with IBRS/IBPB support:  YES
      * Currently enabled features
        * IBRS enabled for Kernel space:  NO
        * IBRS enabled for User space:  NO
        * IBPB enabled:  NO
    * Mitigation 2
      * Kernel compiled with retpoline option:  YES
      * Kernel compiled with a retpoline-aware compiler:  UNKNOWN
    > STATUS:  VULNERABLE  (Vulnerable: Retpoline without IBPB)
    

    Code (Text):
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Running as a Xen PV DomU:  NO
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    A false sense of security is worse than no security at all, see --disclaimer
    
     
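Added example (not part of the original posts, and not code from spectre-meltdown-checker.sh): a POSIX shell sketch that gathers the checks from post 12 in one place, reading the RHEL/CentOS debugfs tunables, the kernel's `/sys/devices/system/cpu/vulnerabilities` verdicts, and the per-CPU microcode revisions from boot logs. The root-directory argument, the function names and the sample tree are assumptions of this example; the sample values are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. The root-directory argument is an assumption:
# "" reads the live system, anything else is a directory holding copies of the files.
# First line of a file, or "n/a" if missing/unreadable (debugfs usually needs root).
read_flag() {
    if [ -r "$1" ]; then head -n 1 "$1"; else echo "n/a"; fi
}

# One line per RHEL/CentOS debugfs tunable and per kernel sysfs verdict.
mitigation_report() {
    for t in pti ibpb ibrs; do
        echo "${t}_enabled=$(read_flag "$1/sys/kernel/debug/x86/${t}_enabled")"
    done
    for v in meltdown spectre_v1 spectre_v2; do
        echo "$v=$(read_flag "$1/sys/devices/system/cpu/vulnerabilities/$v")"
    done
}

# Variants the kernel does not report as mitigated (a missing entry counts too).
unmitigated() {
    out=""
    for v in meltdown spectre_v1 spectre_v2; do
        case "$(read_flag "$1/sys/devices/system/cpu/vulnerabilities/$v")" in
            "Not affected"*|Mitigation*) ;;
            *) out="$out $v" ;;
        esac
    done
    echo "${out# }"
}

# Distinct per-CPU microcode revisions in dmesg/journalctl text read from stdin.
microcode_revisions() {
    sed -n 's/.*microcode: CPU[0-9]* sig=.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# Constructed sample tree holding the values quoted in the post above.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    dbg="$d/sys/kernel/debug/x86"; vuln="$d/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$dbg" "$vuln"
    echo 1 > "$dbg/pti_enabled"; echo 0 > "$dbg/ibpb_enabled"; echo 0 > "$dbg/ibrs_enabled"
    echo "Mitigation: PTI" > "$vuln/meltdown"
    echo "Mitigation: Load fences" > "$vuln/spectre_v1"
    echo "Vulnerable: Retpoline without IBPB" > "$vuln/spectre_v2"
    echo "$d"
}

tree=$(make_sample_tree) || exit 1
mitigation_report "$tree"; echo "unmitigated: $(unmitigated "$tree")"; rm -rf "$tree"
```

On a live host, call the functions with an empty argument as root and pipe `dmesg` into `microcode_revisions`; more than one line of output there means the cores are not all running the same microcode revision.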
  13. bassie

    Upstream Devtools GCC is updated too.
    Problem with CentOS Devtools is that they most likely don't care about it.
    For example Devtools binutils released January 2018 upstream.
    CentOS Devtools binutils released only a few days ago, March 2018.
     
  14. eva2000

    noticed that, CentOS devtoolset gcc might be next to update ? :)
     
  15. eva2000

    Phoronix checks out latest Linux 4.16 kernel with KPTI patches + Retpoline with AMD EPYC 7601 cpu: An Early Look At The Linux 4.16 Kernel Performance With AMD EPYC - Phoronix. Interesting to see how Linux 4.16 kernel does considering my early Linux 4.15 tests with AMD 7401P showed much better performance compared to CentOS 7.4's 3.10 Kernels for AMD EPYC.

    Interesting comment brought up on the Phoronix forums for this article is that while AMD EPYC isn't affected by Kernel KPTI for Meltdown like Intel is, CentOS/RHEL yum RPM packages themselves may be built on Intel based systems initially so the resulting RPM binaries might be affected even if they are installed on AMD EPYC systems! Luckily, for Centmin Mod users at least Nginx, PHP-FPM, Memcached server and some select PHP extensions are all source compiled rather than using YUM provided RPM binaries so can retain some of that performance on AMD EPYC systems. Also both GCC 8 and Clang 6 have further optimisations for AMD EPYC which will help for Centmin Mod Nginx, PHP-FPM source builds thanks to my work on GCC 8 and Clang 6 :)

     
  16. eva2000

  17. eva2000

  18. eva2000

    Intel Details CPU 'Virtual Fences' Fix As Safeguard Against Spectre, Meltdown Flaws

    Advancing Security at the Silicon Level | Intel Newsroom

     
  19. eva2000

    More wonderful benchmarks from Phoronix, this time for CentOS: Fresh Benchmarks Of CentOS 7 On Xeon & EPYC With/Without KPTI/Retpolines - Phoronix

     
  20. eva2000

    A Look At The Relative Spectre/Meltdown Mitigation Costs On Windows vs. Linux - Phoronix

     