Real fixes for Spectre and Meltdown?

cloasters

Moderator
Looks like we are stuck with the Meltdown insecurity in Intel CPUs from the last ten years. But Spectre is supposed to be addressable. But how? In easy to understand steps would be great. It would be fantastic if a Mint update has fixed this! But are we so lucky?
 
Nope, no clue... this is the day I'm happy with my AMD processors. I do have two Intel Core 2 Duos.
 
Fraid that some AMD processors have these security holes as well. I sincerely wish this wasn't the case! I want to use an AMD CPU in my next machine.
 
It seems like AMD is really aware of these pita's, and is serious about addressing them. Intel has released many straight lies about "fixing the problems" of Spectre and Meltdown.

These are SERIOUS problems. Thanks Intel, you're always the best of behemoths.
 
Dang... looks like Nvidia GPUs are affected as well.
 
Your first priority for defense is to make sure your kernel is patched to the latest version. If you build your own, then at this time it's 4.14.13. [Yours truly finished building 4.14.13 last night, and is expecting to build another version within the next week, with the rush of updates coming at a fast pace.]

If you look at the kernel.org main page [ https://www.kernel.org/ ] you will see that even the 'longterm support' kernels currently in use have all been patched within the last week - so even those who are on older kernel versions are getting some patches for these exploits. 4.10.x - 4.13.x kernels are being phased out of use now, so it's a good idea to keep abreast of which version you are running.

If you aren't building your own kernels, then make sure to check your package manager, and see that the latest available kernel for your Linux flavor is installed. Don't be running old kernels. That is asking for trouble. It's something akin to using "p a s s w o r d" as your login credential. It creates vulnerability through laziness.

But that in itself does not completely eradicate the exploits from your machine. You will have to wait for the microcode updates, which are coming slowly as firmware updates, but will not be close to completion until mid February, according to most reports. Meltdown will be pretty much under control at that time, but Spectre is much, much tougher and may take a longer time to fully patch.

This is some basic information: https://meltdownattack.com/
 
My Synaptic Package Monitor has a lot of 4.4~54-122
updates. It told me nothing about Kernel and Modules and they are not dated.

This is confusing. Any elucidation about this would be greatly gracious and helpful.
 
Go to System Settings and then click System Info
That will tell you which Kernel you have.

I'm on 4.10 with Mint 18.3

Honestly I'm more worried about a kernel update breaking something in Linux than getting hacked.
One thing I really love about Mint is stability, which is why we are always on an older kernel.
 
Fer sure, man! I don't REALLY know what Kernel I'm using. I don't have System Settings, System Monitor is as close to it as I have. No joy there. Under Synaptic Package Monitor it looks like I have many Kernel 4.10 updates/or they are being used.


Thank you for the assistance, booman!
 
Looks like we are stuck with the Meltdown insecurity in Intel CPUs from the last ten years. But Spectre is supposed to be addressable. But how? In easy to understand steps would be great. It would be fantastic if a Mint update has fixed this! But are we so lucky?

Ok, first, we need to differentiate the attacks, what they can do, and who's vulnerable.

All three attacks are based on the fact that modern CPUs engage in 'speculative execution' of instructions; basically, when a program comes to a code branch ("if this condition is true, then do this, otherwise do that"), the CPU tries to guess which branch will be taken, and starts fetching and decoding instructions for that branch. If the CPU guesses correctly, that's great; if it doesn't, then it has to flush the pipeline and start over.

As you can guess, accurately predicting program flow can have a significant performance impact.

The attacks work by taking advantage of the fact that under certain conditions, this behavior can leave behind DETECTABLE changes in system state, even though they don't actually change the program flow, or the data the program works with.

Meltdown - Affects pretty much every Intel chip made this decade (and most made in the last 20 years), Apple's ARM chips, and ARM Cortex A75-based designs. AMD CPUs are not vulnerable due to an architectural difference in how they handle the Translation Lookaside Buffer (TLB). This attack results in the leakage of kernel memory, which means an attacker could gain access to encryption keys or other sensitive data held in kernel space. It can be mitigated with OS patches. For newer Intel CPUs (Haswell and later) the performance impact will be lower than for older ones, as the OS patches can take advantage of instructions that have existed for some time but haven't been implemented until now (because they weren't seen as offering anything useful, while being painful to use). Benchmarks have shown that for I/O heavy loads (databases, server virtualization), the performance penalty can be upwards of 50%, but for MOST workloads will be around 20% or less. For the average desktop, the performance penalty is likely not noticeable.

Spectre Variant 1 - Bounds Check Bypass - All CPUs currently in use appear to be vulnerable to this. AMD believes the threat can be mitigated with an OS patch. For Intel and Apple, mitigating the threat requires changes in application code AS WELL AS OS updates. This means that POTENTIALLY EVERY PROGRAM has to be REWRITTEN with the necessary code changes. In practice, it probably isn't near that bad, but it's still not good. The performance penalty for the patch appears to be negligible.

Spectre Variant 2 - Branch Target Injection - All CPUs currently in use appear to be vulnerable to this. It's worth noting that AMD believes there is a 'near zero chance to exploit this' on AMD CPUs. Regardless, AMD and Intel have both released microcode updates and OS patches to address the issue. As above, mitigation will probably require application changes ALSO, at least for Intel and Apple CPUs. Performance impact follows a similar pattern to the Meltdown patch. Apple have released software updates.

So, net result?

Meltdown screws Intel badly. Apple gets hit on the iPhone, and ARM gets hit on the A75. I don't think the A75 is widely used yet (it was only released around May of last year), so the impact there may not be too bad.

Spectre Variant 1 screws Intel and Apple pretty hard, and possibly hurts AMD some. For Intel and Apple, the issue really comes down to how many applications have to be recompiled. For AMD, it really depends on whether an OS patch is all that's needed.

Spectre Variant 2 screws Intel pretty hard. Unclear about Apple. For AMD, there doesn't really appear to be an issue, they are just being cautious.

For desktop users, the performance impacts, especially for Haswell and later Intel CPUs, should be negligible for most situations. For servers, it's really going to be a function of the workload; as you get more I/O intensive (particularly disk and network), you take a higher hit. Older CPUs are hit harder than newer CPUs.

The one bright spot in all of this (if you can call it that) is that these vulnerabilities can only be exploited by programs running locally on your computer. Unfortunately, this includes javascript, running in a browser. Fortunately, there are ways to mitigate ALL of the above attacks with changes in browser code. Firefox and Chrome have already released updates, and Apple have put out an updated version of Safari with mitigations as well (I believe MS have also updated Edge and IE). Since the browser is the primary attack point for most users, this means that installing the latest version of your browser SHOULD make it MUCH harder for a malicious javascript to exploit these issues.

Also, these vulnerabilities do NOT allow someone to take over your computer. They DO, however, allow the leakage of sensitive information (passwords, encryption keys) which might be combined with OTHER attacks in some way.

BTW, ARS wrote a good piece on this, if you want to read more details: https://arstechnica.com/gadgets/201...e-and-meltdown-patches-will-hurt-performance/
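As an added example (not from any poster in this thread): a small shell script you can run on a Mint box to see what the kernel itself reports about the three issues discussed above, alongside the running kernel version and the loaded microcode revision. It assumes a kernel recent enough to expose the per-issue files under /sys/devices/system/cpu/vulnerabilities/ (older kernels lack them, and the script then says so rather than guessing).

```shell
#!/bin/sh
# Added example, not from the thread. Summarise the kernel's own
# Spectre/Meltdown mitigation report. Assumption: the kernel exposes
# /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2};
# VULN_DIR can be pointed elsewhere for testing or for an offline sysfs copy.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints ok | vulnerable | unknown
# "Not affected" and "Mitigation: ..." are both fine; "Vulnerable..." is not.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one line per issue: "<issue> <status> <kernel text>"
# Returns 0 if nothing is reported vulnerable, 1 if something is, 2 if the
# report files are missing (kernel too old to have them).
report_dir() {
    dir="$1"; rc=0
    if [ ! -d "$dir" ]; then
        echo "no mitigation report at $dir (kernel too old?)"
        return 2
    fi
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        if [ "$status" = vulnerable ]; then rc=1; fi
        printf '%-12s %-11s %s\n' "$(basename "$f")" "$status" "$raw"
    done
    return $rc
}

# Kernel version to compare with what the package manager installed, and the
# microcode revision the CPU booted with (the firmware side of the fix).
echo "kernel: $(uname -r)"
grep -m1 -i '^microcode' /proc/cpuinfo 2>/dev/null || echo "microcode: not reported"
report_dir "$VULN_DIR" || echo "status: $? (1 = still vulnerable, 2 = no report)"
```

Run it before and after a kernel or microcode update to see which lines change.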
 
Thank you very much for taking the time and effort to help throw light on these pesky/scary processor design flaws, Gizmo!

I still don't genuinely "get it," but that's all too usual.
 
I was able to update my Mint 18.3 kernel and Nvidia 384 drivers this weekend.
At first I noticed there was an Nvidia 390 driver available, but I didn't want to have any broken games. So I didn't apply it.
I applied all of the other updates and rebooted...
But, upon reboot, Cinnamon would crash and I was stuck with the old desktop in SafeMode.

To fix this:
  1. Open Terminal
  2. type: sudo apt update
  3. Apt will check for all packages that need updates
  4. type: sudo apt upgrade
  5. Apt will upgrade all packages that were not upgraded during the GUI updates.
  6. Reboot
Then I was greeted with my Cinnamon desktop.

I'm not sure why some of the packages were missed just because I didn't install Nvidia 390?
Apt Update seemed to handle all of it just fine.
 
Thank you Gizmo for a detailed explanation!
I'm happy to have mostly AMD processors and Linux Operating Systems.
 
Thank you booman and Gizmo for your very helpful posts!

Previous instructions I've tried to follow don't let me update my Mint Cinnamon 17.3.
My machine refuses to see 18.1 and 18.3 updates. And doesn't ask for them either.

Now that there seems to be a good fix available for 18.3 I'm in trouble for not updating my OS to 18.3. Arrgh.
 
There are Terminal commands to install the newest upgrade, but I'm not sure if you are supposed to do them in sequence or not.
If you are on 17.3 then there should be a specific command to install 18.1 or even 18.3.
I'll look it up. I've done it before and it worked.
 
The 965 Black Edition saga has been moved to the Hardware forum.

Let's keep this thread for Spectre and Meltdown mitigation, boys.
 