Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'Kernel memory leaking' Intel processor flaw forces Linux,Windows redesign


  • Please log in to reply
6 replies to this topic

#1 JohnC_21

JohnC_21

  • Members
  • 24,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 02 January 2018 - 07:34 PM

Other OSes will need an update, performance hits loom

A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

 

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

 

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit.

 

Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated – the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder.

Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue.

However, some details of the flaw have surfaced, and so this is what we know.

Impact

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the contents of protected kernel memory.

 

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/



BC AdBot (Login to Remove)

 


#2 Platypus

Platypus

  • Global Moderator
  • 15,162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:11:44 PM

Posted 02 January 2018 - 08:52 PM

What doesn't seem clear to me is that they say "Your Intel-powered machine will run slower as a result" and "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against."

However if "The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI", is there going to be a different kernel architecture in the OS depending on whether it's running on Intel or AMD?
Top 5 things that never get done:

1.

#3 JohnC_21

JohnC_21
  • Topic Starter

  • Members
  • 24,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 02 January 2018 - 09:17 PM

What doesn't seem clear to me is that they say "Your Intel-powered machine will run slower as a result" and "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against."

However if "The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI", is there going to be a different kernel architecture in the OS depending on whether it's running on Intel or AMD?

That's a good point. Some additional info here. The big word being shouldn't.

 

https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos

 

You may have noticed that we haven't mentioned AMD once in this article up to this point. Well, AMD processors aren't affected by the bug due to security protections that the company has in place. This also means that AMD processors shouldn't be affected by any performance hits.

 

 

 



#4 Platypus

Platypus

  • Global Moderator
  • 15,162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:11:44 PM

Posted 03 January 2018 - 01:36 AM

We'll have to see I guess. From the article:

"Update, 10:56 PM - 1/2/18 - As it turns out, apparently the Linux patch that is being rolled out is for ALL x86 processors including AMD, and the Linux mainline kernel will treat AMD processors as insecure as well. As a result, AMD CPUs will feel a performance hit as well, though the bug only technically affects Intel CPUs and AMD recommends specifically not to enable the patch for Linux. How Microsoft specifically will address the issue with the Windows operating system remains unclear until the company's formal Patch Tuesday update is made known, hopefully soon."
Top 5 things that never get done:

1.

#5 badtoad

badtoad

  • Members
  • 181 posts
  • OFFLINE
  •  
  • Local time:08:44 AM

Posted 03 January 2018 - 10:49 AM

We all panicked last time.We should get all the facts before we panic this time.



#6 JohnC_21

JohnC_21
  • Topic Starter

  • Members
  • 24,420 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 03 January 2018 - 10:50 AM

AMD is trying to have the kernel revised to exclude AMD processors but the developers are turning AMD down which kind of sucks. If the kernel does include both processors then there is a -nopti kernel command line that can be used.

 

https://www.techpowerup.com/240187/amd-struggles-to-be-excluded-from-unwarranted-intel-vt-flaw-kernel-patches?cp=2



#7 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,981 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Staunton, VA
  • Local time:08:44 AM

Posted 03 January 2018 - 12:39 PM

I just don't get why it should be so difficult to make the OS behave as the OS should behave based on the processor (or family) on which it's running.

 

It's not rocket science (and, in fact, for a great many things, it's common as dirt) to make the code itself differentiate either what it's being compiled for at compile time (which, while one could do so, for an OS that's problematic as far as shipping a grand unified copy) or have logic of the basic "if-then" type in the very limited modules where needed to address this issue to allow it to get maximum efficiency for the given processor on which it's running.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users