Re: current status of spectre/meltdown

To: Fabian Grünbichler <fabian.gruenbichler@student.tuwien.ac.at>, Antoine Beaupré <anarcat@orangeseeds.org>, Moritz Mühlenhoff <jmm@inutil.org>
Cc: team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: current status of spectre/meltdown
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 24 Feb 2018 18:30:01 +0100
Message-id: <[🔎] 1519493401.2617.312.camel@decadent.org.uk>
In-reply-to: <[🔎] e6fac8e5-ea7b-b41a-146b-0fd311c58af4@student.tuwien.ac.at>
References: <[🔎] 20180208151003.GA24080@home.ouaza.com> <[🔎] 20180215113312.GA9304@home.ouaza.com> <[🔎] 20180215195642.GA22972@inutil.org> <[🔎] 1518917953.2617.161.camel@decadent.org.uk> <[🔎] 20180218111602.GB17608@pisco.westfalen.local> <[🔎] 87vaeqf7w7.fsf@curie.anarc.at> <[🔎] e6fac8e5-ea7b-b41a-146b-0fd311c58af4@student.tuwien.ac.at>

On Wed, 2018-02-21 at 21:12 +0100, Fabian Grünbichler wrote:
[...]
> > Meltdown
> > --------
> > 
> > We currently say that only amd64 is mitigated for Meltdown in the wiki -
> > is there work being done in the kernel to try and fix this in other
> > architectures? Or is the intersection of "vulnerable design + exotic
> > architecture" too small to bother?
> 
> there are threads discussing porting it to i386 IIRC, arm64 has a patch
> set as well (with various degrees of being applied upstream and in
> distro kernels).

Some PowerPC, MIPS and System z cores may also need fixes (thankfully
not in LTS).  I replicated the status table for each group of
architectures that is likely to be addressed separately.

> also, for Meltdown (v3) mitigation you absolutely want to pass through
> the PCID flag to your VMs in case your physical CPUs (i.e., Intel since
> Westmere) and guest OS support it. it makes a whole world of difference
> for syscall-heavy workloads. passing this through also requires support
> from your hypervisor stack.
> 
> it's also worth noting that KPTI in 3.16 (Jessie), 4.4 (Ubuntu 16.04),
> 4.9 (Stretch) is vastly different from KPTI in 4.13+ (Ubuntu 17.10,
> Ubuntu 16.04 HWE, current latest upstream LTS, current latest upstream
> stable). the former uses an adapted version of the original KAISER patch
> set, the latter use a much more heavily adapted mainline version.
> upstream stable (Greg K-H)'s recommendation is thus to use 4.14 or later
> if at all possible - it's likely that not all subsequent
> fixes/improvements are easily backportable to the KAISER-based kernels
> (IMHO this applies to performance, regression and security fixes).

The KAISER backports we are using in all our stable branches (wheezy,
jessie and stretch) map all kernel stack pages in the user-space page
tables.  This is a significant weakness that ought to be fixed.  In
4.14+, only small per-CPU entry stacks (and other essential data) are
included in the user-space page tables.

Ben.

> this got kinda long, sorry ;)
> 
-- 
Ben Hutchings
Life is what happens to you while you're busy making other plans.
                                                               - John
Lennon

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Better communication about spectre/meltdown
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Better communication about spectre/meltdown
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Better communication about spectre/meltdown
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Better communication about spectre/meltdown
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: Better communication about spectre/meltdown
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- current status of spectre/meltdown
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: current status of spectre/meltdown
  - From: Fabian Grünbichler <fabian.gruenbichler@student.tuwien.ac.at>

Prev by Date: LTS report for January
Next by Date: Re: Better communication about spectre/meltdown
Previous by thread: Re: current status of spectre/meltdown
Next by thread: Re: current status of spectre/meltdown
Index(es):
- Date
- Thread