Message: 1
Subject: [lfs-dev] The latest Intel problems
As people who read one or more of El Reg || Phoronix || Toms Hardware
will be aware, there have been some announcements by Intel on
Tuesday.
The first is described as the 'Jump Conditional Code (JCC) Erratum'.
This is not technically listed as a vulnerability. Quoting from
Phoronix:
"Intel is today making public the Jump Conditional Code (JCC) erratum.
This is a bug involving the CPU's Decoded ICache where on Skylake
and derived CPUs where unpredictable behavior could happen when jump
instructions cross cache lines."
Apparently, the new microcode (20191112) fixes this, at the cost of
various slowdowns in both kernel and userspace.
The second and third items _are_ listed as vulnerabilities:
TSX Async Abort (TAA) CVE-2019-11135 (another mds-style vulnerability,
only now disclosed) - according to Toms Hardware this affects certain
Whiskey Lake, Cascade Lake and Coffee Lake R CPUs.
iTLB Multihit CVE-2018-12207 (malicious guests in a virtualized system)
Further details of these vulnerabilities are at
https://www.kernel.org/doc/html/latest/ ... index.html
None of this applies to AMD processors.
There are workarounds for the vulnerabilities in kernels 5.3.11,
4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is
using those last three).
From the release notes for the new microcode I don't think that
anything older than Skylake has got new microcode.
ĸen
---
cut and cleaned up
---
Message: 2
Subject: Re: [lfs-dev] The latest Intel problems
On Wed, Nov 13, 2019 at 02:53:28AM +0000, Ken Moffat via lfs-dev wrote:
> As people who read one or more of El Reg || Phoronix || Toms Hardware
> will be aware, there have been some announcements by Intel on
> Tuesday.
>
And another, again from phoronix: potential privilege escalation or
denial of service by an unprivileged local user on (at least) gen 8/9
graphics hardware (Broadwell to pre Cannonlake / Icelake),
CVE-2019-015{4,5}.
Commits merged in trunk:
https://git.kernel.org/pub/scm/linux/ke ... c5bcb92d60
and new graphics firmware is being made available.
A quick look suggests these fixes are not yet in any released kernels.
ĸen
--
Whilst all mushrooms are edible, the trick is to eat only those which will prove to be edible more than once. The Celebrated Discworld Almanak recommends you play safe and eat beans on toast.
------------------------------
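A way to check a running system against the list in the message above, as an added example that is not part of the original thread or the lfs-dev posts. The function names are hypothetical; `tsx_async_abort` and `itlb_multihit` are the kernel's standard report files under `/sys/devices/system/cpu/vulnerabilities`, which exist only on kernels that carry the workarounds.

```sh
#!/bin/sh
# Added example, not from the thread. Release list copied from the message above.
FIXED_RELEASES="5.3.11 4.19.84 4.14.154 4.9.201 4.4.201"

# kernel_has_workarounds VERSION
# 0 = at/above the listed release for its branch, 1 = same branch but older,
# 2 = branch not in the list (the thread says nothing about it).
kernel_has_workarounds() {
    ver=${1%%[-+]*}                      # drop suffixes such as "-generic"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # "5.3" carries no patch level
    patch=${patch%%.*}
    for fixed in $FIXED_RELEASES; do
        frest=${fixed#*.}
        if [ "$major" = "${fixed%%.*}" ] && [ "$minor" = "${frest%%.*}" ]; then
            [ "$patch" -ge "${frest#*.}" ] 2>/dev/null && return 0
            return 1
        fi
    done
    return 2
}

# vuln_status NAME [DIR]: print the kernel's own mitigation report for NAME.
vuln_status() {
    dir=${2:-/sys/devices/system/cpu/vulnerabilities}
    if [ -r "$dir/$1" ]; then
        cat "$dir/$1"
    else
        echo "not reported by this kernel"
    fi
}

report() {
    kver=$(uname -r)
    rc=0; kernel_has_workarounds "$kver" || rc=$?
    case $rc in
        0) msg="at or above the listed release for its branch" ;;
        1) msg="older than the listed release for its branch" ;;
        *) msg="branch not in the list from the thread" ;;
    esac
    echo "kernel $kver: $msg"
    echo "cpu vendor: $(awk -F': ' '/^vendor_id/ {print $2; exit}' /proc/cpuinfo 2>/dev/null)"
    echo "microcode:  $(awk -F': ' '/^microcode/ {print $2; exit}' /proc/cpuinfo 2>/dev/null)"
    for v in tsx_async_abort itlb_multihit; do
        echo "$v: $(vuln_status "$v")"
    done
}
report
```

The sysfs lines are the authoritative answer for the running kernel; the version comparison only tells you whether a given stable branch has reached the release named in the message.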
Intel problems -This is not technically listed as a vulnerab
- Mike Walsh
scsijon wrote:
> There are workarounds for the vulnerabilities in kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is
> using those last three).
Errm.....what; because they're (gasp) *whispers*....'old'?
God in heaven, man, I don't think I'm using a kernel that new anywhere in the kennels. Most of mine are 3-series, with the odd, early 4-series here & there, plus an assortment of 2-series floating around for good measure.
Explain to me, willya; what IS this near-obsession with 'must use the newest kernel the instant it's released', huh? I mean, okay; I consider myself 'tech-savvy', yes.....but I tend to wait and let tech 'prove' itself, y'know?
I didn't invest in my first CD player till the early years of this millennium....
Yes, I know; there's always 'security vulnerabilities being addressed'. My hardware is nearly 16 yrs old; it's not Intel, it's always been AMD.....and, just like the malware writers/crackers/hackers, they always tend to target those investing in the newer tech. With the kernel being like 90+% nowt but drivers, there isn't a kernel newer than a 3-series that will support my hardware better than it already is. And the newer you get, they're having to drop support for really old tech simply to stop the damned thing getting too unwieldy.
Nah, I'm sorry, but you'll have to prove the earth will fall down around my ears before I start worrying about all that guff...I've never had the slightest bit of trouble with my 'puters, even back when I was running Windoze.....and definitely not since using Puppy.
Mike.
- Mike Walsh
nic007 wrote:
> People with new computers will want to use the newest available. They will worry about things like that. Most puppy users (well probably, I'm guessing) use older machines.
Oh, you're probably right there, Nic, on both counts. We're all the same when it comes to summat brand-new; we fuss over them like a mother hen, and worry about everything under the sun.....
ozsouth wrote:
> My laptops range from 9 years to 1 year old.
Hah. My newest is at least 15 yrs old.....the oldest, getting on for nearly 18.
ozsouth wrote:
> All my Intel CPUs need it.
Fair comment. My main rig is a pretty elderly, first-gen dual-core Athlon 64.....and I don't think early, 'cooking' P4s even come into this kinda stuff, do they?
I could be wrong...
EDIT:-
Mike Walsh wrote:
> God in heaven, man, I don't think I'm using a kernel that new anywhere in the kennels. Most of mine are 3-series, with the odd, early 4-series here & there, plus an assortment of 2-series floating around for good measure.
Correction; I've told a 'porky' here. I do have one 5-series, running in peebee's UPupBB; it's one of rockedge's compiles.....I came across it on his website, and thought to myself, 'Ah, what the hell; why not?'
Every other Pup has an "oldie-but-goodie".....
Mike.
Re: Intel problems -This is not technically listed as a vulnerab
scsijon wrote:
> There are workarounds for the vulnerabilities in kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is using those last three)
I'm running 4.14.154 (with the latest stable busybox). Is there a particular reason why you suggest that is unwise? (I track it primarily for its kernel.org Jan 2024 EOL date).
Re: Intel problems -This is not technically listed as a vulnerab
rufwoof wrote:
> scsijon wrote:
> > There are workarounds for the vulnerabilities in kernels 5.3.11, 4.19.84, 4.14.154, 4.9.201 and 4.4.201 (and I hope nobody here is using those last three)
> I'm running 4.14.154 (with the latest stable busybox). Is there a particular reason why you suggest that is unwise? (I track it primarily for its kernel.org Jan 2024 EOL date).
Not personally, that was just what the announcements said, I am just passing it on. Have a look again at the first message as it relates to Intel processors only, AMD are ok. How you update the microcode in Linux I don't know though, I haven't looked at that. And as it says above there are workarounds in your kernel so maybe you're ok. Have a look at the changelog on kernel.org for yours is really all I can suggest.
> How you update the microcode in linux I don't know though, I haven't looked at that.
See: http://murga-linux.com/puppy/viewtopic. ... 15#1030115
ozsouth wrote:
> > How you update the microcode in linux I don't know though, I haven't looked at that.
> See: http://murga-linux.com/puppy/viewtopic. ... 15#1030115
Thanks ozsouth, as I said I hadn't needed it so I hadn't tried to find out, it's nice that someone has, maybe rufwoof can follow it if he finds he needs it.
And to make some jealous, I've got a Ryzen 9 16core on loan till Christmas and been promised the loan of a Threadripper after they come out next year. Funny thing is the Ryzen 9 isn't using all its cores so I suspect there is need for a kernel setting or two, and what a Threadripper is going to do with 32 cores/64threads/80meg primary cache I'm not sure, but I don't plan on buying one at present, you're most likely going to be talking over $10K for a basic box and double that for a real world one.