From owner-freebsd-security@freebsd.org Wed Jan 3 01:52:31 2018
From: Mike Tancsa
To: freebsd-security@freebsd.org
Subject: Intel hardware bug
Organization: Sentex Communications
Date: Tue, 2 Jan 2018 20:52:27 -0500
Message-ID: <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>

I am guessing this will impact FreeBSD as well?
http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@freebsd.org Wed Jan 3 02:04:24 2018
From: Joey Kelly
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Tue, 02 Jan 2018 20:56:50 -0500
Message-ID: <7692356.NWgAdSPsLq@elisha.atlnet>
In-Reply-To: <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>
On Tuesday, January 02, 2018 08:52:27 PM Mike Tancsa wrote:
> I am guessing this will impact FreeBSD as well ?
>
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

No way around it. It's hardware FAIL, and ignoring it isn't an option since it's apparently a huge hole.

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From owner-freebsd-security@freebsd.org Wed Jan 3 19:01:48 2018
From: Lev Serebryakov
Organization: FreeBSD
To: Joey Kelly, freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Wed, 3 Jan 2018 22:01:38 +0300
Message-ID: <104827876.20180103220138@serebryakov.spb.ru>
In-Reply-To: <7692356.NWgAdSPsLq@elisha.atlnet>
Hello Joey,

Wednesday, January 3, 2018, 4:56:50 AM, you wrote:

> No way around it. It's hardware FAIL, and ignoring it isn't an option since
> it's apparently a huge hole.

Looks like there IS a way around it, and it was "silently" committed to Linux:

http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table

But a TLB flush on each syscall (twice) will slow down the system, of course, so there should be an option to disable it.

--
Best regards,
Lev                            mailto:lev@FreeBSD.org
From owner-freebsd-security@freebsd.org Wed Jan 3 19:23:52 2018
From: Royce Williams
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Wed, 3 Jan 2018 10:23:20 -0900
In-Reply-To: <104827876.20180103220138@serebryakov.spb.ru>
On Wed, Jan 3, 2018 at 10:01 AM, Lev Serebryakov wrote:
> Hello Joey,
>
> Wednesday, January 3, 2018, 4:56:50 AM, you wrote:
>
> > No way around it. It's hardware FAIL, and ignoring it isn't an option since
> > it's apparently a huge hole.
>
> Looks like there IS way around it and it was "silently" committed to Linux
>
> http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
>
> But TLB flush on each syscall (twice) will slow down system, of course, so
> there should be option to disable it.

For what it's worth, this purports to be a PoC:

https://gist.github.com/dougallj/f9ffd7e37db35ee953729491cfb71392

Royce

From owner-freebsd-security@freebsd.org Wed Jan 3 20:12:49 2018
From: Bryan Drewery
Organization: FreeBSD
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Wed, 3 Jan 2018 12:12:43 -0800
Message-ID: <3c8a84e7-ed70-4238-b86b-5c841027facf@FreeBSD.org>
In-Reply-To: <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>

On 1/2/2018 5:52 PM, Mike Tancsa wrote:
> I am guessing this will impact FreeBSD as well ?
>
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>

Keep in mind that this issue is still under Embargo, so no official statement from FreeBSD will likely be made before it is lifted. I do know that the right people are definitely aware of what's going on.

--
Regards,
Bryan Drewery

From owner-freebsd-security@freebsd.org Wed Jan 3 20:48:47 2018
From: Ronald F. Guilmette
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Wed, 03 Jan 2018 12:48:39 -0800
Message-ID: <19097.1515012519@segfault.tristatelogic.com>
In-Reply-To: <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>

In message <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>, Mike Tancsa wrote:

> I am guessing this will impact FreeBSD as well ?
>
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Swell. Just swell.

Why couldn't this have been announced the week -before- I bought an Intel processor and motherboard to replace my aging AMD rig, rather than the week -after- I did so?

Geeeesssh!

From owner-freebsd-security@freebsd.org Wed Jan 3 21:08:08 2018
From: Eric van Gyzen
To: Ronald F. Guilmette, freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Wed, 3 Jan 2018 14:59:35 -0600
Message-ID: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>
In-Reply-To: <19097.1515012519@segfault.tristatelogic.com>

On 01/03/2018 14:48, Ronald F. Guilmette wrote:
>
> In message <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>,
> Mike Tancsa wrote:
>
>> I am guessing this will impact FreeBSD as well ?
>>
>> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
> Swell. Just swell.
>
> Why couldn't this have been announced the week -before- I bought an Intel
> processor and motherboard to replace my aging AMD rig, rather than the week
> -after- I did so?
>
> Geeeesssh!

Wait until Tuesday before you explode. Intel are now saying that it's not a "bug" in Intel CPUs.
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Eric

From owner-freebsd-security@freebsd.org Wed Jan 3 21:14:30 2018
From: Ed Maste
To: freebsd-security@freebsd.org, freebsd-security-notifications@freebsd.org
Subject: Re "Intel responds to security research findings"
Date: Wed, 3 Jan 2018 16:14:09 -0500

With respect to https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

The FreeBSD Security Team recently learned of the details of these issues that affect certain CPUs. Details could not be discussed publicly, but mitigation work is in progress. Work is ongoing to develop and commit these mitigations to the FreeBSD repository as soon as possible, with updates for releases to follow.
From owner-freebsd-security@freebsd.org Wed Jan 3 22:20:09 2018
From: Julian H. Stacey
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Germany
To: Freebsd Security
Subject: Re: Intel hardware bug
Message-Id: <201801032114.w03LE5ZL017578@fire.js.berklix.net>
In-reply-to: Your message "Tue, 02 Jan 2018 20:52:27 -0500."
    <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>
Date: Wed, 03 Jan 2018 22:14:05 +0100

Mike Tancsa wrote:
> I am guessing this will impact FreeBSD as well ?
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

More URLs:

https://lkml.org/lkml/2017/12/4/709
    [patch 00/60] x86/kpti: Kernel Page Table Isolation (was KAISER)

https://gruss.cc/files/kaiser.pdf
    Funded by ERC & EU. KASLR is Dead: Long Live KASLR

http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
    July 28, 2017. The mysterious case of the Linux Page Table Isolation patches ... Ref to FreeBSD

http://www.bbc.co.uk/news/technology-42553818
    Major flaw in millions of Intel chips revealed

https://www.theguardian.com/technology/2018/jan/03/major-security-flaw-found-intel-processors-computers-windows-mac-os-linux
    Wed 3 Jan `18 14.24 GMT. Major security flaw found in Intel processors

https://twitter.com/aionescu/status/948609809540046849
    9:39 AM - 3 Jan 2018. MacOS fix the Intel #KPTI Issue? Why yes ... since 10.13.2

https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of-stock.aspx?source=isesitlnk0000001&mrr=1.00
    Dec 19, 2017 at 5:10PM. Intel's CEO Just Sold A Lot of Stock .. Krzanich is keeping the bare minimum

https://github.com/IAIK/KAISER/
    Kernel Address Isolation to have Side-channels Efficiently Removed

https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

Upgrades inc. reboots of lots of commercial global net servers are predicted once patches are out for each OS in a few days.
I wonder what keywords industry will settle on to refer to this by (e.g. last time "FOOF bug"). Options inc.: KASLR, KAISER, Kernel Address tables, Intel software mitigation, x86/kpti: Kernel Page Table Isolation.

I don't know what effect this has on FreeBSD. I guess we'll see an authoritative announcement in a bit, when memory management people get time to stop coding & drop back to PR. Meanwhile:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bibliography-osinternals.html
https://duckduckgo.com/?sites=www.FreeBSD.org%2Cdocs.FreeBSD.org%2Clists.FreeBSD.org%2Cwiki.FreeBSD.org%2Cforums.FreeBSD.org&ka=v&kt=v&kh=1&kj=r2&q=memory+management&submit=Search&ia=web
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/vm-design/page-table-optimizations.html
https://forums.freebsd.org/threads/63955/page-2

Cheers,
Julian
--
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich
 http://berklix.eu/brexit/ UK stole 3,700,000 votes; 700,000 from Brits in EU.
 http://berklix.eu/queen/ Sign petition before end of 2017.

From owner-freebsd-security@freebsd.org Wed Jan 3 22:48:45 2018
From: David M. Syzdek
To: Eric van Gyzen
Cc: Ronald F. Guilmette, freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Wed, 3 Jan 2018 13:43:08 -0900
Message-Id: <7C58A6DB-0760-4E5A-B65D-2ED6A6B7AAD2@acsalaska.net>
In-Reply-To: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>

> On Jan 3, 2018, at 11:59 AM, Eric van Gyzen wrote:
>
> On 01/03/2018 14:48, Ronald F. Guilmette wrote:
>>
>> In message <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>,
>> Mike Tancsa wrote:
>>
>>> I am guessing this will impact FreeBSD as well ?
>>>
>>> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>>
>> Swell. Just swell.
>>
>> Why couldn't this have been announced the week -before- I bought an Intel
>> processor and motherboard to replace my aging AMD rig, rather than the week
>> -after- I did so?
>>
>> Geeeesssh!
>
> Wait until Tuesday before you explode. Intel are now saying that it's
> not a "bug" in Intel CPUs.
>
> https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
>
> Eric

It looks more like they are playing fast and loose with words. From the article you linked:

    Intel believes these exploits do not have the potential to corrupt, modify or delete data.
and

    Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect.

They did not say it is *NOT* a bug, just that it is not a bug unique to Intel. I’ve not seen speculation regarding the “bug” being able to corrupt, modify, or delete data; I’ve only seen speculation that the bug allows unprivileged processes to see privileged memory/cache.

Additionally, they indirectly imply that both AMD and ARM chips are affected by the same bug; however this, at least in AMD’s case, appears to be directly refuted by a patch submitted to the Linux kernel by AMD: https://lkml.org/lkml/2017/12/27/2

    AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

    Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.

Since other statements are misleading, it could be that the “workloads” being described could be a hibernated laptop; a halted firewall (where the firewall/routing rules are still running in the kernel); a lightweight user who only uses e-mail and Facebook; etc.:

    Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Finally, their belief of being the most secure products in the world and actual reality may differ:

    Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
I generally read a company’s press releases in response to negative publicity with the assumption that they are not lying, but are obfuscating the truth or dancing around an issue in order to cast themselves in the best possible light. The proof that this tactic works is that Eric interpreted the release to say that there is not a bug in Intel’s hardware instead of Intel is one of many vendors whose product has this bug (though this remains to be seen).

—David M. Syzdek

From owner-freebsd-security@freebsd.org Wed Jan 3 23:21:20 2018
From: Shawn Webb
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Wed, 3 Jan 2018 18:21:01 -0500
Subject: Re: Intel hardware bug
Message-ID: <20180103232101.aldnvkwteh54ssro@mutt-hbsd>
In-Reply-To: <477ab39d-286d-d9a2-d31e-fd5f7f1679a8@sentex.net>

On Tue, Jan 02, 2018 at 08:52:27PM -0500, Mike Tancsa wrote:
> I am guessing this will impact FreeBSD as well ?
> 
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

https://meltdownattack.com/

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Date: Wed, 03 Jan 2018 16:29:12 -0800
Subject: Re: Intel hardware bug
Message-ID: <19876.1515025752@segfault.tristatelogic.com>
In-Reply-To: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>

In message <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>, Eric van Gyzen wrote:
>Wait until Tuesday before you explode. Intel are now saying that it's
>not a "bug" in Intel CPUs.

Right. "That's not a bug! That's a feature!"

I say again: Sheeeeeeeessssshhh!

Just within the last three months, we first had: "All your WPA2 WiFi are belong to us!" and now, to add insult to injury, we get: "All your Intel *and* ARM CPUs are belong to us!"

Obviously, the enemy is what it has always been... complexity. All this stuff is just so hellishly complex nowadays that no single human can grasp and hold even a significant fraction of these things in their minds at any one time. The result is as inevitable as it is predictable. Our machines are making us substantially *less* secure.

But I guess that I personally don't have nearly as much reason to bitch and moan as, for example, any organization that managed or is managing some vast fleet of WiFi hardware (HomeDepot?), or any of the cloud computing vendors who have just seen perhaps 30% of their installed compute power go up in smoke, virtually overnight.

If anybody has ample reason to be royally pissed off about all of this nonsense, then it is surely those folks, more than me.

Regards,
rfg

P.S. Right about now, I'd like to have a job working for whichever big ad agency has the AMD account. The ad copy for AMD's next marketing campaign practically writes itself... "Performance without penalty!"

From: Joey Kelly
To: freebsd-security@freebsd.org
Date: Wed, 03 Jan 2018 20:36:59 -0500
Subject: Re: Intel hardware bug
Message-ID: <2888082.RoyTJcGtdE@elisha.atlnet>
In-Reply-To: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>
On Wednesday, January 03, 2018 02:59:35 PM Eric van Gyzen wrote:
> Wait until Tuesday before you explode. Intel are now saying that it's
> not a "bug" in Intel CPUs.
> 
> https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Bogus tripe. They're spreading FUD.

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From: Oliver Pinter
To: Joey Kelly
Cc: freebsd-security@freebsd.org
Date: Thu, 4 Jan 2018 02:44:45 +0100
Subject: Re: Intel hardware bug
In-Reply-To: <2888082.RoyTJcGtdE@elisha.atlnet>
On Thursday, January 4, 2018, Joey Kelly wrote:
> On Wednesday, January 03, 2018 02:59:35 PM Eric van Gyzen wrote:
> > Wait until Tuesday before you explode. Intel are now saying that it's
> > not a "bug" in Intel CPUs.
> >
> > https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
>
> Bogus tripe. They're spreading FUD.

Nope. See this part of the announcement:

"Intel believes these exploits do not have the potential to corrupt, modify or delete data."

There is no statement about _reading_ kernel or other memory, only about compromising. ;)

> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant
> http://joeykelly.net
> 504-239-6550

From: Joey Kelly
To: freebsd-security@freebsd.org
Date: Wed, 03 Jan 2018 20:54:15 -0500
Subject: Re: Intel hardware bug
Message-ID: <2347560.AJVtGcUuTT@elisha.atlnet>

On Thursday, January 04, 2018 02:44:45 AM Oliver Pinter wrote:
> On Thursday, January 4, 2018, Joey Kelly wrote:
> > On Wednesday, January 03, 2018 02:59:35 PM Eric van Gyzen wrote:
> > > Wait until Tuesday before you explode. Intel are now saying that it's
> > > not a "bug" in Intel CPUs.
> > >
> > > https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
> >
> > Bogus tripe. They're spreading FUD.
>
> Nope. See this part of the announcement:
>
> "Intel believes these exploits do not have the potential to corrupt, modify
> or delete data."
>
> There is no statement about _reading_ kernel or other memory, only about
> compromising. ;)

No, I mean their lame excuses, dances around the truth, claiming many other platforms AND OPERATING SYSTEMS do it too. 'Tain't so. This is hardware, INTEL hardware, and not an OS problem (though it's an OS band-aid, as someone put it, OS vendors have to wipe Intel's, you know, since they can't wipe it themselves).

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From: Brett Glass
To: freebsd-security@freebsd.org
Date: Wed, 03 Jan 2018 19:13:56 -0700
Subject: Re: Intel hardware bug
Message-Id: <201801040214.TAA09989@mail.lariat.net>

It's a huge fail. One can apparently use speculative execution to create memory leaks. Some Intel processors without speculative execution - such as the Atom CPUs (including the embedded ones) - won't be affected, whereas the bigger, fancier i3, i5, i7, and Xeon processors will.
It's unclear on which side of the line the Atom C2000 series (which had out-of-order but not speculative execution) will lie. Hopefully, when FreeBSD develops kernel patches to address the bug, it will exempt the unaffected processors. (I do a lot of work for embedded Atoms, and hope that they will not be slowed by patches intended for CPUs that actually need them.)

--Brett Glass

At 06:56 PM 1/2/2018, Joey Kelly wrote:
>On Tuesday, January 02, 2018 08:52:27 PM Mike Tancsa wrote:
> > I am guessing this will impact FreeBSD as well ?
> >
> > http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
>No way around it. It's hardware FAIL, and ignoring it isn't an option since
>it's apparently a huge hole.
>
>--
>Joey Kelly
>Minister of the Gospel and Linux Consultant
>http://joeykelly.net
>504-239-6550

From: Dag-Erling Smørgrav
To: "David M. Syzdek"
Cc: Eric van Gyzen, freebsd-security@freebsd.org, "Ronald F. Guilmette"
Date: Thu, 04 Jan 2018 03:35:24 +0100
Subject: Re: Intel hardware bug
Message-ID: <867esy2vwz.fsf@desk.des.no>
In-Reply-To: <7C58A6DB-0760-4E5A-B65D-2ED6A6B7AAD2@acsalaska.net> (David M. Syzdek's message of "Wed, 3 Jan 2018 13:43:08 -0900")

"David M. Syzdek" writes:
> They did not say it is *NOT* a bug, just that it is not a bug unique
> to Intel. [...] Additionally, they indirectly imply that both AMD and
> ARM chips are affected by the same bug, however this, at least in
> AMD’s case, appears to be directly refuted [...] by AMD:

There are three different issues. One of them (CVE-2017-5754, labeled “Meltdown”) is easily mitigated and has so far only been shown to affect Intel processors. The other two (CVE-2017-5753 and CVE-2017-5715, collectively labeled “Spectre”) affect AMD and ARM processors as well and have no known workaround.

So far, it has been shown that an unprivileged process can read data from the kernel (Meltdown) and other processes (Spectre), and that a privileged process in a VM can read data from the host and presumably also from other VMs on the same host (Spectre).
DES
-- 
Dag-Erling Smørgrav - des@des.no

From: Eric McCorkle
To: freebsd-security@freebsd.org
Date: Wed, 3 Jan 2018 22:01:45 -0500
Subject: Re: Intel hardware bug
Message-ID: <0bb7ffc6-fa51-98db-9dc1-1bd49e1c7b44@metricspace.net>
In-Reply-To: <867esy2vwz.fsf@desk.des.no>

On 01/03/2018 21:35, Dag-Erling Smørgrav wrote:
> "David M. Syzdek" writes:
>> They did not say it is *NOT* a bug, just that it is not a bug unique
>> to Intel. [...] Additionally, they indirectly imply that both AMD and
>> ARM chips are affected by the same bug, however this, at least in
>> AMD’s case, appears to be directly refuted [...] by AMD:
>
> There are three different issues. One of them (CVE-2017-5754, labeled
> “Meltdown”) is easily mitigated and has so far only been shown to affect
> Intel processors. The other two (CVE-2017-5753 and CVE-2017-5715,
> collectively labeled “Spectre”) affect AMD and ARM processors as well
> and have no known workaround.
>
> So far, it has been shown that an unprivileged process can read data
> from the kernel (Meltdown) and other processes (Spectre), and that a
> privileged process in a VM can read data from the host and presumably
> also from other VMs on the same host (Spectre).

That right there is enough to pluck things like TLS session keys, GELI master keys, and anything else on that level out of kernel memory. Given enough skill, resources, and motivation, it's likely that an attacker could craft a javascript-based version of the attack, then every javascript website (aka all of them) is a potential attack vector.
From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Date: Wed, 03 Jan 2018 21:06:57 -0800
Subject: Re: Intel hardware bug
Message-ID: <20726.1515042417@segfault.tristatelogic.com>
In-Reply-To: <2347560.AJVtGcUuTT@elisha.atlnet>

In message <2347560.AJVtGcUuTT@elisha.atlnet>, Joey Kelly wrote:
>...
>No, I mean their lame excuses, dances around the truth, claiming many other
>platforms AND OPERATING SYSTEMS do it too. 'Tain't so. This is hardware, INTEL
>hardware, and not an OS problem...

While it is clearly true, even from the current very preliminary reports, that this is indeed a hardware issue, rather than an OS issue, you may want to reserve judgement about the possibility that this thing is confined only to Intel hardware.

Intel, of course, has said that they believe that this bug may also affect AMD and also ARM CPUs. (But then they would say that, wouldn't they?) But AMD, for its part, has already put out a public statement saying that their CPUs are not affected.

So now, the other shoe that we should all be expecting to drop, any time now, is some public statement from ARM Holdings, PLC. If one has already been issued by that company, then Google News doesn't seem to be giving me any easy way to find it, and there is nothing of relevance on the ARM corporate web site (www.arm.com). So I suspect that they haven't said anything yet, which is itself a rather ominous data point.

If it turns out that this same bug, or same sort of bug, also affects ARM-based chips, then that is quite possibly an even bigger deal than the already obvious Intel cataclysm.

Regards,
rfg

P.S. It occurred to me today just how much this bug, and the still-fresh WPA2 insecurities, are likely to cost -- said costs to be paid by an entire planet's worth of both individuals and businesses. I believe that it may be a conservative estimate to say that each one of these cock ups may cost the global economy something in the range of tens of billions of dollars, or perhaps even more.

Immediately following on the heels of this thought, a somewhat humorous idea occurred to me... These days we have bug bounty programs which pay people to find bugs, in particular, security-related bugs. And perhaps as a result, nowadays we have a bumper crop of them to deal with. In contrast to that, for the past many decades, at least, in my country, at least, when there is an excess of some commodity... e.g. wheat, or corn, or some such thing... the government pays farmers to NOT grow that specific commodity.

Given the gigantic global costs resulting from these ever-more-horrendous bugs that clever researchers are out there discovering, nowadays, on a regular basis, perhaps we should be paying people to NOT find bugs. That might be more cost effective, in the long run. And there is some precedent for this kind of counter-intuitive reward system, and not just in the field (excuse the pun) of agricultural commodities...
https://www.washingtonpost.com/local/paying-criminals-not-to-commit-crime-may-not-be-so-funny-after-all/2016/02/08/151ab936-cea3-11e5-b2bc-988409ee911b_story.html
http://www.foxnews.com/politics/2016/08/24/one-california-city-is-paying-people-not-to-commit-crimes.html
http://www.guns.com/2017/09/01/sacramento-city-council-approves-1-5-million-program-to-combat-gun-violence/

From: "Ronald F. Guilmette"
To: freebsd-security@freebsd.org
Date: Wed, 03 Jan 2018 21:54:49 -0800
Subject: Re: Intel hardware bug
Message-ID: <20920.1515045289@segfault.tristatelogic.com>
In-Reply-To: <0bb7ffc6-fa51-98db-9dc1-1bd49e1c7b44@metricspace.net>

In message <0bb7ffc6-fa51-98db-9dc1-1bd49e1c7b44@metricspace.net>, Eric McCorkle wrote:
>Given enough skill, resources, and motivation, it's likely that an
>attacker could craft a javascript-based version of the attack, then
>every javascript website (aka all of them) is a potential attack vector.
While I can only agree with the essence of what you've said, I feel compelled to take issue with your use of future tense in this context. Unless you have access to the innermost compartmentalized data sources of at least all of NSA, FSB, and Mossad, I think it qualifies as being, at best, speculation to believe that none of the proverbial "state actors" have managed to stumble upon any of these horrendous security problems which are alleged to have been present already for a good decade or more, in chips used in and distributed throughout the entire world. Data isolation between unrelated user-level processes and between user-level processes and the kernel is, as I understand it, the bedrock upon which essentially all computer security rests. As such, it would seem to be a thing that would likely have been poked and prodded, relentlessly, by any actor which, during the past ten years or more, has yearned for unlimited knowledge about friends, enemies, or both. Can we know that none of them "crafted a javascript-based version of the attack" against any of these several issues already, and perhaps even years ago? (They might have done so and then, realizing the value of what they found, compartmentalized the information in a place where even Snowden would never have been aware of it.) Alright. So call me paranoid, if you like. But I seem to dimly recall that there was some executive at some Silicon Valley based semiconductor company who, years ago, advised people that paranoia might actually be an admirable quality, at least for those wishing to survive. 
Regards,
rfg

From owner-freebsd-security@freebsd.org Thu Jan 4 07:47:03 2018
From: Erich Dollansky
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 13:28:07 +0800
Message-ID: <20180104132807.266fe46c.freebsd.ed.lists@sumeritec.com>
In-Reply-To: <19876.1515025752@segfault.tristatelogic.com>

Hi,

On Wed, 03 Jan 2018 16:29:12 -0800
"Ronald F. Guilmette" wrote:

> In message <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org>,
> Eric van Gyzen wrote:
>
> Obviously, the enemy is what it has always been... complexity. All

I disagree. The problem started when Intel published the handbooks for the 8086 with many things 'reserved for future use', but nobody cared. Intel used segments to separate things; everybody hated them. Intel later introduced the rings; everybody ignored them. Instead of keeping things separated, as suggested by Intel's design, people used shortcuts whenever possible.

People would have had to think a bit more in those days. But Darwin was not sleeping, and people have to think now.

> this stuff is just so hellishly complex nowadays that no single human
> can grasp and hold even a significant fraction of these things in

Because it is all mixed up as a huge mess instead of being separated like Intel suggested in the Seventies and Eighties.

> P.S. Right about now, I'd like to have a job working for whichever
> big ad agency has the AMD account. The ad copy for AMD's next
> marketing campaign practically writes itself... "Performance without
> penalty!"

Did you claim copyright?
Erich

From owner-freebsd-security@freebsd.org Thu Jan 4 09:14:20 2018
From: Steven Hartland
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 09:14:17 +0000
In-Reply-To: <20726.1515042417@segfault.tristatelogic.com>

On 04/01/2018 05:06, Ronald F. Guilmette wrote:
> In message <2347560.AJVtGcUuTT@elisha.atlnet>,
> Joey Kelly wrote:
>
>> ...
>> No, I mean their lame excuses, dances around the truth, claiming many other
>> platforms AND OPERATING SYSTEMS do it too. 'Tain't so. This is hardware, INTEL
>> hardware, and not an OS problem...
>
> While it is clearly true, even from the current very preliminary reports, that
> this is indeed a hardware issue, rather than an OS issue, you may want to reserve
> judgement about the possibility that this thing is confined only to Intel hardware.
>
> Intel, of course, has said that they believe that this bug may also affect
> AMD and also ARM CPUs. (But then they would say that, wouldn't they?) But
> AMD, for its part, has already put out a public statement saying that their
> CPUs are not affected.
>
> So now, the other shoe that we should all be expecting to drop, any time now,
> is some public statement from ARM Holdings, PLC. If one has already been issued
> by that company, then Google News doesn't seem to be giving me any easy way to
> find it, and there is nothing of relevance on the ARM corporate web site
> (www.arm.com). So I suspect that they haven't said anything yet, which is
> itself a rather ominous data point.

They already have:
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

> If it turns out that this same bug, or same sort of bug, also affects ARM-based
> chips, then that is quite possibly an even bigger deal than the already obvious
> Intel cataclysm.
>
> Regards,
> rfg

From owner-freebsd-security@freebsd.org Thu Jan 4 14:51:16 2018
From: Dag-Erling Smørgrav
To: Eric McCorkle
Cc: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Thu, 04 Jan 2018 15:49:41 +0100
Message-ID: <86zi5tu1a2.fsf@desk.des.no>
In-Reply-To: <0bb7ffc6-fa51-98db-9dc1-1bd49e1c7b44@metricspace.net> (Eric McCorkle's message of "Wed, 3 Jan 2018 22:01:45 -0500")

Eric McCorkle writes:
> Given enough skill, resources, and motivation, it's likely that an
> attacker could craft a javascript-based version of the attack, then
> every javascript website (aka all of them) is a potential attack vector.

Uh, this has already been demonstrated. According to Google, Chrome 64 (to be released in a few days) includes countermeasures against it. I don't have any further details.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Thu Jan 4 15:03:25 2018
From: Dag-Erling Smørgrav
To: Erich Dollansky
Cc: "Ronald F. Guilmette", freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Thu, 04 Jan 2018 16:01:51 +0100
Message-ID: <86vaghu0ps.fsf@desk.des.no>
In-Reply-To: <20180104132807.266fe46c.freebsd.ed.lists@sumeritec.com> (Erich Dollansky's message of "Thu, 4 Jan 2018 13:28:07 +0800")

Erich Dollansky writes:
> Intel used segments to separate things; everybody hated them.

Everybody hated segment-level memory protection, but the i386 also introduced page-level memory protection, which was widely used and has since been expanded to provide features that were never available at the segment level.

> Intel later introduced the rings; everybody ignored them.

Not at all. They just don't use all four. Unless you start looking at hardware virtualization extensions, which introduce additional protection levels.

> Instead of keeping the things separated - as suggested by Intel's
> design - people used shortcuts whenever possible.

This is irrelevant. We are talking about timing-based side-channel attacks. The attacker is not able to access protected memory directly, but is able to deduce its contents by repeatedly performing illegal memory accesses and then checking how they affect the cache.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Thu Jan 4 15:42:52 2018
From: "Joey Kelly"
Cc: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 09:42:43 -0600
In-Reply-To: <20726.1515042417@segfault.tristatelogic.com>

> In message <2347560.AJVtGcUuTT@elisha.atlnet>,
> Joey Kelly wrote:
>
>> ...
>> No, I mean their lame excuses, dances around the truth, claiming many other
>> platforms AND OPERATING SYSTEMS do it too. 'Tain't so. This is hardware, INTEL
>> hardware, and not an OS problem...
>
> While it is clearly true, even from the current very preliminary reports, that
> this is indeed a hardware issue, rather than an OS issue, you may want to reserve
> judgement about the possibility that this thing is confined only to Intel hardware.

Hmm... others have my opinion too, it seems:

https://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/

> Intel, of course, has said that they believe that this bug may also affect
> AMD and also ARM CPUs. (But then they would say that, wouldn't they?) But
> AMD, for its part, has already put out a public statement saying that their
> CPUs are not affected.
>
> So now, the other shoe that we should all be expecting to drop, any time now,
> is some public statement from ARM Holdings, PLC. If one has already been issued
> by that company, then Google News doesn't seem to be giving me any easy way to
> find it, and there is nothing of relevance on the ARM corporate web site
> (www.arm.com). So I suspect that they haven't said anything yet, which is
> itself a rather ominous data point.
>
> If it turns out that this same bug, or same sort of bug, also affects ARM-based
> chips, then that is quite possibly an even bigger deal than the already obvious
> Intel cataclysm.
>
> Regards,
> rfg
>
> P.S. It occurred to me today just how much this bug, and the still-fresh WPA2
> insecurities, are likely to cost -- said costs to be paid by an entire planet's
> worth of both individuals and businesses. I believe that it may be a conservative
> estimate to say that each one of these cock-ups may cost the global economy
> something in the range of tens of billions of dollars, or perhaps even more.
>
> Immediately following on the heels of this thought, a somewhat humorous idea
> occurred to me...
>
> These days we have bug bounty programs which pay people to find bugs, in particular,
> security-related bugs. And perhaps as a result, nowadays we have a bumper crop of
> them to deal with.
>
> In contrast to that, for the past many decades, at least, in my country,
> at least, when there is an excess of some commodity... e.g. wheat, or corn,
> or some such thing... the government pays farmers to NOT grow that specific
> commodity.
>
> Given the gigantic global costs resulting from these ever-more-horrendous bugs
> that clever researchers are out there discovering, nowadays, on a regular basis,
> perhaps we should be paying people to NOT find bugs. That might be more cost
> effective, in the long run.
>
> And there is some precedent for this kind of counter-intuitive reward system,
> and not just in the field (excuse the pun) of agricultural commodities...
>
> https://www.washingtonpost.com/local/paying-criminals-not-to-commit-crime-may-not-be-so-funny-after-all/2016/02/08/151ab936-cea3-11e5-b2bc-988409ee911b_story.html
> http://www.foxnews.com/politics/2016/08/24/one-california-city-is-paying-people-not-to-commit-crimes.html
> http://www.guns.com/2017/09/01/sacramento-city-council-approves-1-5-million-program-to-combat-gun-violence/

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From owner-freebsd-security@freebsd.org Thu Jan 4 15:43:01 2018
From: Eric McCorkle
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 10:18:08 -0500
Message-ID: <867801a5-be19-8f62-fa46-2999d54c0967@metricspace.net>
In-Reply-To: <86zi5tu1a2.fsf@desk.des.no>

On 01/04/2018 09:49, Dag-Erling Smørgrav wrote:
> Eric McCorkle writes:
>> Given enough skill, resources, and motivation, it's likely that an
>> attacker could craft a javascript-based version of the attack, then
>> every javascript website (aka all of them) is a potential attack vector.
>
> Uh, this has already been demonstrated. According to Google, Chrome 64
> (to be released in a few days) includes countermeasures against it. I
> don't have any further details.

This does not surprise me at all.
From owner-freebsd-security@freebsd.org Thu Jan 4 15:52:55 2018
From: Eric McCorkle
To: freebsd-security@freebsd.org
Subject: Potential band-aid for Meltdown
Date: Thu, 4 Jan 2018 10:27:59 -0500
Message-ID: <30300a34-d0d9-efbf-c9b3-6375703f65a0@metricspace.net>

I was thinking over meltdown mitigations this morning, and a thought occurred to me (which falls in line with general ideas I've been pursuing).

This is a Crowd Supply project I've been eyeing:

https://www.crowdsupply.com/rhs-research/nanoevb

It's basically an FPGA that can plug into an M.2 slot. One potential use of this could be to use it as an off-die crypto unit, thereby keeping keys out of memory.

I don't know what the driver situation looks like for this thing, but as it's an open hardware project, I doubt it would be too hard to get support up and running.

I realize it's not a perfect solution by far, but it would provide some level of mitigation (especially for things like GELI) that could hold people over until they can replace their hardware.

From owner-freebsd-security@freebsd.org Thu Jan 4 15:53:37 2018
From: Brett Glass
To: Dag-Erling Smørgrav, Erich Dollansky
Cc: freebsd-security@freebsd.org, "Ronald F. Guilmette"
Subject: Re: Intel hardware bug
Date: Thu, 04 Jan 2018 08:52:23 -0700
Message-Id: <201801041552.IAA17267@mail.lariat.net>
In-Reply-To: <86vaghu0ps.fsf@desk.des.no>

At 08:01 AM 1/4/2018, Dag-Erling Smørgrav wrote:
> This is irrelevant. We are talking about timing-based side-channel
> attacks. The attacker is not able to access protected memory directly,
> but is able to deduce its contents by repeatedly performing illegal
> memory accesses and then checking how they affect the cache.

This is something I do not yet fully understand; perhaps someone here on the list can help explain it to me. The "Spectre" attack is claimed to work by altering the contents of the cache via a speculatively executed instruction. But the contents of that memory are not revealed directly to the program. So, how does it deduce the contents of physical memory merely from the fact that there's a cache miss on its address?

--Brett Glass

From owner-freebsd-security@freebsd.org Thu Jan 4 15:58:24 2018
From: Mike Tancsa
To: Eric McCorkle, freebsd-security@freebsd.org
Subject: Re: Potential band-aid for Meltdown
Date: Thu, 4 Jan 2018 10:58:21 -0500
Message-ID: <599c8fe0-3745-2fa8-4bd6-d89f061f29f4@sentex.net>
In-Reply-To: <30300a34-d0d9-efbf-c9b3-6375703f65a0@metricspace.net>
On 1/4/2018 10:27 AM, Eric McCorkle wrote:
> I was thinking over meltdown mitigations this morning, and a thought
> occurred to me (which falls in line with general ideas I've been pursuing)

A pretty neat idea. But in terms of keeping crypto keys safe, why not something behind a PKCS#11 interface (e.g. eToken) or a TPM?

---Mike

> I realize it's not a perfect solution by far, but it would provide some
> level of mitigation (especially for things like GELI) that could hold
> people over until they can replace their hardware.

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@freebsd.org Thu Jan 4 16:02:40 2018
From: Lev Serebryakov
To: freebsd-security@freebsd.org
Subject: clang way to patch for Spectre?
Date: Thu, 4 Jan 2018 19:02:37 +0300
Message-ID: <291645341.20180104190237@serebryakov.spb.ru>

Hello Freebsd-security,

https://reviews.llvm.org/D41723

-- 
Best regards,
Lev                          mailto:lev@FreeBSD.org

From owner-freebsd-security@freebsd.org Thu Jan 4 16:03:47 2018
From: Eric McCorkle
To: Brett Glass, Dag-Erling Smørgrav, Erich Dollansky
Cc: freebsd-security@freebsd.org, "Ronald F. Guilmette"
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 11:03:43 -0500
Message-ID: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>
In-Reply-To: <201801041552.IAA17267@mail.lariat.net>

On 01/04/2018 10:52, Brett Glass wrote:
> At 08:01 AM 1/4/2018, Dag-Erling Smørgrav wrote:
>
>> This is irrelevant. We are talking about timing-based side-channel
>> attacks. The attacker is not able to access protected memory directly,
>> but is able to deduce its contents by repeatedly performing illegal
>> memory accesses and then checking how they affect the cache.
>
> This is something I do not yet fully understand; perhaps someone here
> on the list can help explain it to me. The "Spectre" attack is claimed
> to work by altering the contents of the cache via a speculatively
> executed instruction. But the contents of that memory are not revealed
> directly to the program. So, how does it deduce the contents of physical
> memory merely from the fact that there's a cache miss on its address?

You can speculatively execute code based on the value of a fetched memory address, which may eventually fault. This can be used to pull things into cache, which can then be measured.
The attack looks like this: 1) Fetch kernel/other process memory, which eventually faults 2) Do a bit-shift/mask operation to pluck out one bit of the fetched value. This gets executed speculatively on the fetched value in (1). 3) Execute fetches of two different addresses depending on some bit in the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1). This also gets executed speculatively despite the fact that (1) ends up faulting. 4) Recover from fault in (1) 5) Measure performance of accesses to the two addresses to determine which one is cached. The really terrible thing about this is that it suggests a *class* of attacks: side-channels based on CPU implementations, of which this is the first (and most obvious) one to be discovered. I suspect this is going to be dogging us for years to come. From owner-freebsd-security@freebsd.org Thu Jan 4 16:20:20 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2CF0EEC0E9C for ; Thu, 4 Jan 2018 16:20:20 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (mail.metricspace.net [IPv6:2001:470:1f11:617::107]) by mx1.freebsd.org (Postfix) with ESMTP id 079B2719C4 for ; Thu, 4 Jan 2018 16:20:20 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [192.168.43.57] (mobile-166-171-187-140.mycingular.net [166.171.187.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 6329A85BA; Thu, 4 Jan 2018 16:20:19 +0000 (UTC) Subject: Re: Potential band-aid for Meltdown To: Mike Tancsa , "freebsd-security@freebsd.org" References: <30300a34-d0d9-efbf-c9b3-6375703f65a0@metricspace.net> <599c8fe0-3745-2fa8-4bd6-d89f061f29f4@sentex.net> From: Eric McCorkle Message-ID: Date: Thu, 4 Jan 2018 11:20:18 
-0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <599c8fe0-3745-2fa8-4bd6-d89f061f29f4@sentex.net> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jan 2018 16:20:20 -0000 On 01/04/2018 10:58, Mike Tancsa wrote: > On 1/4/2018 10:27 AM, Eric McCorkle wrote: >> I was thinking over meltdown mitigations this morning, and a thought >> occurred to me (which falls in line with general ideas I've been pursuing) > > A pretty neat idea. But in terms of keeping crypto keys safe, why not > something behind a pkcs11 interface (e.g. eToken) or tpm ? If you have them (and trust the vendors), sure. My thinking here is for folks with laptops or commodity hardware, who want some measure of security while waiting for fixed hardware to come out. 
From owner-freebsd-security@freebsd.org Thu Jan 4 16:22:39 2018
From: Brett Glass
To: Eric McCorkle, Dag-Erling Smørgrav, Erich Dollansky
Cc: freebsd-security@freebsd.org, Ronald F. Guilmette
Subject: Re: Intel hardware bug
Date: Thu, 04 Jan 2018 09:21:24 -0700
Message-Id: <201801041621.JAA17566@mail.lariat.net>
In-Reply-To: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>

At 09:03 AM 1/4/2018, Eric McCorkle wrote:
>The attack looks like this:
>
>1) Fetch kernel/other process memory, which eventually faults
>2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>value.  This gets executed speculatively on the fetched value in (1).
>3) Execute fetches of two different addresses depending on some bit in
>the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1).  This
>also gets executed speculatively despite the fact that (1) ends up faulting.
>4) Recover from fault in (1)
>5) Measure performance of accesses to the two addresses to determine
>which one is cached.

Hmmmm. The obvious way to combat this would be to make this class of fault
fatal rather than allowing recovery to occur. Of course, this would reveal
errors in sloppy code, which some developers would not like. (I recall how
much some folks squawked back in the olden days, when segmentation faults -
remember segments? - revealed bugs in their code. I, personally, liked
segmentation because I was a perfectionist.... I wanted my code to crash
dramatically if there was an error so I could fix it.)

--Brett Glass

From owner-freebsd-security@freebsd.org Thu Jan 4 17:03:34 2018
From: Eric McCorkle
To: Brett Glass, Dag-Erling Smørgrav, Erich Dollansky
Cc: freebsd-security@freebsd.org, Ronald F. Guilmette
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 12:03:32 -0500
In-Reply-To: <201801041621.JAA17566@mail.lariat.net>

On 01/04/2018 11:21, Brett Glass wrote:
> At 09:03 AM 1/4/2018, Eric McCorkle wrote:
>
>> The attack looks like this:
>>
>> 1) Fetch kernel/other process memory, which eventually faults
>> 2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>> value.  This gets executed speculatively on the fetched value in (1).
>> 3) Execute fetches of two different addresses depending on some bit in
>> the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1).  This
>> also gets executed speculatively despite the fact that (1) ends up
>> faulting.
>> 4) Recover from fault in (1)
>> 5) Measure performance of accesses to the two addresses to determine
>> which one is cached.
>
> Hmmmm. The obvious way to combat this would be to make this class of fault
> fatal rather than allowing recovery to occur. Of course, this would
> reveal errors in sloppy code, which some developers would not like. (I
> recall how much some folks squawked back in the olden days, when
> segmentation faults - remember segments? - revealed bugs in their code.
> I, personally, liked segmentation because I was a perfectionist.... I
> wanted my code to crash dramatically if there was an error so I could
> fix it.)
>

That breaks the entire way that page faults and virtual memory works,
though.  You could block meltdown, I suppose, by making the entire kernel
address space absolutely forbidden under penalty of an uncatchable signal.
This won't stop spectre (same attack against another process' pages), or a
similar attack within the same address space (say, to break out of some
kind of intra-process isolation).

From owner-freebsd-security@freebsd.org Thu Jan 4 17:06:26 2018
From: Eric McCorkle
To: Brett Glass, Dag-Erling Smørgrav, Erich Dollansky
Cc: freebsd-security@freebsd.org, Ronald F. Guilmette
Subject: Re: Intel hardware bug
Date: Thu, 4 Jan 2018 12:06:22 -0500
Message-ID: <13341e69-a8f5-253d-ccb8-e2c14d2322f9@metricspace.net>

On 01/04/2018 12:03, Eric McCorkle wrote:
> You could block meltdown, I suppose, by making the entire
> kernel address space absolutely forbidden under penalty of an
> uncatchable signal.

Actually, scratch that; it doesn't work.  The caches are still affected,
and could be measured by another core.  I suppose you could attempt to
flush them upon killing a process in this way, but you still have a window,
so it's only a probabilistic defense.
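Editor's note, added to the thread. The five-step description Eric gave earlier, and his point just above that the cache state survives even if the faulting process is killed, both rest on one primitive: a Flush+Reload covert channel in which a bit is encoded as which of two cache lines is resident, then read back by timing. The C program below is an added example, not code posted by anyone in this thread. It runs that channel entirely inside one unprivileged process: the "victim" load is an ordinary load of a bit the program already holds, standing in for the speculative read of a kernel address in step 1, while the per-bit probe lines of step 3, the timing of step 5, and a majority vote over trials are as in the real attack. It assumes an x86 CPU with clflush and rdtscp and the GCC/Clang x86intrin.h header; the probe buffer layout and the sample byte are constructed for the example.

```c
/* flush_reload.c: the cache covert channel that steps 3 and 5 rely on,
 * run inside one unprivileged process. x86 only (clflush, rdtscp).
 * Build: cc -O2 flush_reload.c -o flush_reload */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <x86intrin.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "this example needs x86 clflush/rdtscp"
#endif

#define PAGE 4096

/* One probe line per possible bit value, a page apart so the adjacent-line
 * and stream prefetchers cannot pull in the line that was not touched.
 * (Constructed layout for this example; the real attack uses the same idea.) */
static uint8_t probe[2 * PAGE] __attribute__((aligned(PAGE)));

/* Cycles for one load of *p. rdtscp retires only after earlier loads
 * complete, and the fences keep the measured load from being reordered. */
static uint64_t access_time(volatile const uint8_t *p)
{
    unsigned aux;
    uint8_t v;
    _mm_mfence();
    _mm_lfence();
    uint64_t t0 = __rdtscp(&aux);
    v = *p;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    __asm__ __volatile__("" : : "r"(v));   /* keep the load alive */
    return t1 - t0;
}

/* Attacker, before each trial: evict both probe lines from every level. */
static void flush_probe(void)
{
    _mm_clflush(&probe[0]);
    _mm_clflush(&probe[PAGE]);
    _mm_mfence();
}

/* Stand-in for steps 1-3. The real attack performs this load speculatively,
 * indexed by a bit of a kernel byte the process may not read; here it is an
 * ordinary load of a bit the program already has, so what is demonstrated
 * is only that the access leaves a measurable trace in the cache. */
static void transmit_bit(int bit)
{
    volatile uint8_t *line = &probe[(bit & 1) * PAGE];
    uint8_t v = *line;
    __asm__ __volatile__("" : : "r"(v));
}

/* Step 5: whichever probe line loads faster is the one that was touched. */
static int receive_bit(void)
{
    uint64_t t0 = access_time(&probe[0]);
    uint64_t t1 = access_time(&probe[PAGE]);
    return t1 < t0;
}

/* One trial = flush, transmit, receive. A majority vote over trials rides
 * out interrupts, SMT neighbours and TSC jitter. */
int recover_bit(int bit, int trials)
{
    memset(probe, 1, sizeof probe);        /* fault both pages in once */
    int ones = 0;
    for (int i = 0; i < trials; i++) {
        flush_probe();
        transmit_bit(bit);
        ones += receive_bit();
    }
    return ones * 2 > trials;
}

/* Step 2 repeated: a byte is recovered one masked bit at a time. */
uint8_t recover_byte(uint8_t secret, int trials)
{
    uint8_t out = 0;
    for (int b = 0; b < 8; b++)
        out |= (uint8_t)(recover_bit((secret >> b) & 1, trials) << b);
    return out;
}

int main(void)
{
    uint8_t secret = 0xA5;                 /* constructed sample value */
    uint8_t got = recover_byte(secret, 101);
    printf("secret 0x%02x, recovered over the cache 0x%02x\n", secret, got);
    return got != secret;
}
```

Two things to notice when running it. First, nothing about the transmit side needs to be architecturally committed: in the real attack the load in transmit_bit happens on a path that later faults, and the cache line it pulled in is still there when the receiver runs, which is exactly why killing the process (Brett's suggestion) does not help and why Eric withdrew the uncatchable-signal idea. Second, the channel needs no shared memory between sender and receiver beyond the probe lines themselves, so the same code structure works with the receiver on another core.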
From owner-freebsd-security@freebsd.org Thu Jan 4 17:50:07 2018
From: Julian Elischer
To: Lev Serebryakov, freebsd-security@freebsd.org
Subject: Re: clang way to patch for Spectre?
Date: Fri, 5 Jan 2018 01:49:50 +0800
Message-ID: <43417734-d420-5be9-333b-8d0d02d7a58a@freebsd.org>
In-Reply-To: <291645341.20180104190237@serebryakov.spb.ru>

On 5/1/18 12:02 am, Lev Serebryakov wrote:
> Hello Freebsd-security,
>
> https://reviews.llvm.org/D41723
>
>
not really..

What's to stop an unprivileged user bringing his own compiler? or a
precompiled binary?

From owner-freebsd-security@freebsd.org Thu Jan 4 18:18:12 2018
From: Gordon Tetlow
To: Julian Elischer
Cc: Lev Serebryakov, freebsd-security@freebsd.org
Subject: Re: clang way to patch for Spectre?
Date: Thu, 4 Jan 2018 11:18:10 -0700
In-Reply-To: <43417734-d420-5be9-333b-8d0d02d7a58a@freebsd.org>

On Thu, Jan 4, 2018 at 10:49 AM, Julian Elischer wrote:
> On 5/1/18 12:02 am, Lev Serebryakov wrote:
>>
>> Hello Freebsd-security,
>>
>> https://reviews.llvm.org/D41723
>>
>>
> not really..
>
> What's to stop an unprivileged user bringing his own compiler? or a
> precompiled binary?

If I'm reading this right (and there is a good chance I'm not), since
unprivileged users don't bring the kernel or system libraries to the
system, the mitigations would still work.

Gordon

From owner-freebsd-security@freebsd.org Thu Jan 4 18:24:50 2018
From: Karsten König
To: freebsd-security@freebsd.org
Subject: Re: clang way to patch for Spectre?
Date: Thu, 4 Jan 2018 19:18:05 +0100
In-Reply-To: <43417734-d420-5be9-333b-8d0d02d7a58a@freebsd.org>

Hi,

On 01/04/2018 18:49, Julian Elischer wrote:
> On 5/1/18 12:02 am, Lev Serebryakov wrote:
>> Hello Freebsd-security,
>>
>> https://reviews.llvm.org/D41723
>>
>>
> not really..
>
> What's to stop an unprivileged user bringing his own compiler? or a
> precompiled binary?
>

From my understanding: The patch is only for variant 2 of the Google P0
blog post[0]. Variant 2 describes how to access memory of a VM host from a
guest by tricking kernel modules into caching arbitrary inside the CPU
cache. But if these are compiled with the patch[1] an attacker can't trick
the kernel modules or other applications compiled with it.

Best,
Karsten

[0] https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html
[1] Which I assume to be correct, I haven't looked into it

From owner-freebsd-security@freebsd.org Thu Jan 4 20:26:54 2018
From: Cranix
To: freebsd-security@freebsd.org
Subject: Re: Potential band-aid for Meltdown
Date: Thu, 4 Jan 2018 21:26:50 +0100
Message-ID: <20180104202650.GA32171@hackerspace.pl>

How about smartcards? J3A081 costs $10 on javacardsdk.com, both contactless
and wired connections, readers if not built into the laptop are generally
cheap. There are also a few tools like GlobalPlatformPro that help when
developing things for javacards. Basically you have some java and prepared
ant, then you just call ant and have everything working. I had to quickly
set up this environment a few months ago and it was a painless experience.
Question is about performance but anyway we need secure storage.

Some cortex (probably m) microcontrollers have secure storage of keys, this
is also a thing to consider.

Trusting the vendor is another thing, but everybody has to answer this
question by himself.

-- 
Cranix

From owner-freebsd-security@freebsd.org Thu Jan 4 20:43:04 2018
From: Lev Serebryakov
To: Julian Elischer, freebsd-security@freebsd.org
Subject: Re: clang way to patch for Spectre?
Date: Thu, 4 Jan 2018 23:42:55 +0300
Message-ID: <1401022152.20180104234255@serebryakov.spb.ru>
In-Reply-To: <43417734-d420-5be9-333b-8d0d02d7a58a@freebsd.org>

Hello Julian,

Thursday, January 4, 2018, 8:49:50 PM, you wrote:

>> https://reviews.llvm.org/D41723
>>
>>
> not really..

> What's to stop an unprivileged user bringing his own compiler? or a
> precompiled binary?

As far as I understand, Spectre can not cross boundaries, so a precompiled
binary will be able to read its own memory via the bug. To read all memory
via Spectre (don't confuse it with Meltdown) code must be privileged. And
this codegen patch eliminates "gadgets" in the kernel which could be
exploited by userland code.
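Editor's note, added to the thread. Lev's point that the codegen patch removes "gadgets" in the kernel rather than protecting whatever binary an unprivileged user brings is easier to see with the construction the linked review implements, a retpoline: every indirect call the compiler would emit as `call *%rax` is routed through a thunk whose only architecturally reachable target is the address in the register, while the speculative path (the return predictor's guess) lands in a `pause; lfence` loop instead of an attacker-trained address. Since the predictor state that variant 2 poisons is consulted by the code that executes the indirect branch, the protection belongs to the kernel or library that is compiled this way, whatever else runs on the machine. The x86-64 program below is an added example, not the LLVM patch and not FreeBSD code; it writes the thunk by hand in GNU assembler syntax (Linux ELF symbol naming assumed) beside the unprotected indirect call, so the two can be compared in a disassembler. The target functions are constructed for the example.

```c
/* retpoline_demo.c: a hand-written retpoline thunk next to the plain
 * indirect call it replaces. x86-64, GNU assembler syntax, Linux ELF
 * (assumed for this example). Build: cc -O2 retpoline_demo.c */
#include <stdio.h>

#if !defined(__x86_64__)
#error "this example is x86-64 only"
#endif

/* Unprotected form: the compiler emits `call *%rax` (or `jmp *%rax`) and
 * the indirect branch predictor chooses the speculative target. Variant 2
 * trains that predictor from another context so the guess lands in a
 * gadget that touches memory indexed by a secret. */
long call_indirect(long (*fn)(long), long arg)
{
    return fn(arg);
}

/* Retpoline form, spelled out:
 *
 *   retpoline_call(fn, arg): rdi = fn, rsi = arg.  Put the target in rax,
 *   shift arg into rdi, and enter the thunk.
 *
 *   retpoline_thunk_rax: `call 1f` pushes the address of the capture loop
 *   as the return address and, being a call, records it in the return
 *   stack buffer.  At 1: the real target overwrites that saved slot and
 *   `ret` jumps to it.  Speculation after the ret follows the RSB entry,
 *   i.e. goes to the capture loop (pause; lfence; jmp 2b), and spins there
 *   until the ret resolves, so no predictor-chosen target ever executes,
 *   even transiently.  The target then returns straight to our caller. */
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call,@function\n"
    "retpoline_call:\n"
    "    movq %rdi, %rax\n"
    "    movq %rsi, %rdi\n"
    "    jmp  retpoline_thunk_rax\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp  2b\n"
    "1:  movq %rax, (%rsp)\n"
    "    ret\n"
    ".size retpoline_call, .-retpoline_call\n"
    ".text\n"
);
long retpoline_call(long (*fn)(long), long arg);

/* Sample targets (constructed for the example). */
long square(long x) { return x * x; }
long negate(long x) { return -x; }

int main(void)
{
    printf("indirect  square(7) = %ld\n", call_indirect(square, 7));
    printf("retpoline square(7) = %ld\n", retpoline_call(square, 7));
    printf("retpoline negate(7) = %ld\n", retpoline_call(negate, 7));
    return 0;
}
```

Compare `objdump -d` of the two: call_indirect contains a bare `call *%rax`-style instruction (or a tail `jmp *%rax`), which is the gadget entry point the patch is removing; retpoline_call contains none. With the review's `-mretpoline` flag the compiler emits the same thunk for every indirect call and jump automatically, which is why rebuilding the kernel with it matters and rebuilding a user's own binary does not change what that user can attack.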
-- 
Best regards,
 Lev                          mailto:lev@FreeBSD.org

From owner-freebsd-security@freebsd.org Fri Jan 5 02:41:21 2018
From: Erich Dollansky
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Date: Fri, 5 Jan 2018 10:40:20 +0800
Message-ID: <20180105104020.51c2a742.freebsd.ed.lists@sumeritec.com>
In-Reply-To: <86vaghu0ps.fsf@desk.des.no>

Hi,

On Thu, 04 Jan 2018 16:01:51 +0100
Dag-Erling Smørgrav wrote:

> Erich Dollansky writes:
> > Intel used segments to separate things everybody hated.
>
> Everybody hated segment-level memory protection, but the i386 also

good that hate is meanwhile illegal.

> introduced page-level memory protection, which was widely used and has
> since been expanded to provide features that were never available at
> the segment level.

Yes, but instead of combining both, the segment registers were set to
point to the same memory locations, disabling the additional protection
given by the segments.

>
> > Intel introduced later the rings, everybody ignored.
>
> Not at all.  They just don't use all four.  Unless you start looking
> at hardware virtualization extensions, which introduce additional
> protection levels.

It was just abusing them to replace the supervisor flag other processors
have or have had.

>
> > Instead of keeping the things separated - as suggested by Intel's
> > design - people used shortcuts whenever possible.
>
> This is irrelevant.  We are talking about timing-based side-channel
> attacks.  The attacker is not able to access protected memory
> directly, but is able to deduce its contents by repeatedly performing
> illegal memory accesses and then checking how they affect the cache.

Directly yes, not if the kernel memory would always be in a different
segment. It would then land in cache only when memory near segment bounds
is accessed. Which could be easily avoided.

Anyway, we cannot turn the clock back now. I just wanted to mention that
Intel had different thoughts in those days.

I am not even sure if Intel engineers remember this.

Erich

From owner-freebsd-security@freebsd.org Fri Jan 5 04:05:43 2018
From: Eric McCorkle
To: freebsd-security@freebsd.org
Subject: A more general possible meltdown/spectre countermeasure
Date: Thu, 4 Jan 2018 23:05:40 -0500

I've thought more about how to deal with meltdown/spectre, and I have an
idea I'd like to put forward.  However, I'm still in something of a panic
mode, so I'm not certain as to its effectiveness.  Needless to say, I
welcome any feedback on this, and I may be completely off-base.

I'm calling this a "countermeasure" as opposed to a "mitigation", as it's
something that requires modification of code as opposed to a drop-in patch.
== Summary == Provide a kernel and userland API by which memory allocation can be done with extended attributes. In userland, this could be accomplished by extending MMAP flags, and I could imagine a malloc-with-attributes flag. In kernel space, this must already exist, as drivers need to allocate memory with various MTRR-type attributes set. The immediate aim here is to store sensitive information that must remain memory-resident in non-cacheable memory locations (or, if more effective attribute combinations exist, using those instead). See the rationale for the argument why this should work. Assuming the rationale holds, then the attack surface should be greatly reduced. Attackers would need to grab sensitive data out of stack frames or similar locations if/when it gets copied there for faster use. Moreover, if this is done right, it could dovetail nicely into a framework for storing and processing sensitive assets in more secure hardware[0] (like smart cards, the FPGAs I posted earlier, or other options). The obvious downside is that you take a performance hit storing things in non-cacheable locations, especially if you plan on doing heavy computation in that memory (say, encryption/decryption). However, this is almost certainly going to be less than the projected 30-50% performance hit from other mitigations. Also, this technique should work against spectre as well as meltdown (assuming the rationale holds). The second downside is that you have to modify code for this to work, and you have to be careful not to keep copies of sensitive information around too long (this gets tricky in userland, where you might get interrupted and switched out). [0]: Full disclosure, enabling open hardware implementations of this kind of thing is something of an agenda of mine. 
== Rationale == (Again, I'm tired, rushed, and somewhat panicked so my logic could be faulty at any point, so please point it out if it is) The rationale for why this should work relies on assumptions about out-of-order pipelines that cannot be guaranteed to hold, but are extremely likely to be true. As background, these attacks depend on out-of-order execution performing operations that end up affecting cache and branch-prediction state, ultimately storing information about sensitive data in these side-channels before the fault conditions are detected and acted upon. I'll borrow terminology from the paper, using "transient instructions" to refer to speculatively executed instructions that will eventually be cancelled by a fault. These attacks depend entirely on transient instructions being able to get sensitive information into the processor core and then perform some kind of instruction on them before the fault condition cancels them. Therefore, anything that prevents them from doing this *should* counter the attack. If the actual sensitive data never makes it to the core before the fault is detected, the dependent memory accesses/branches never get executed and the data never makes it to the side-channels. Another assumption here is that CPU architects are going to want to squash faulted instructions ASAP and stop issuing along those speculative branches, so as to reclaim execution units. So I'm assuming once a fault comes back from address translation, then transient execution stops dead. Now, break down the cases for whether the address containing sensitive data is in cache and TLB or not. (I'm assuming here that caches are virtually-indexed, which enables cache lookups to bypass address translation.) * In cache, in TLB: You end up basically racing between the cache and TLB, which will very likely end up detecting the fault before the data arrives, but at the very worst, you get one or two cycles of transient instruction execution before the fault. 
* In cache, not in TLB: Virtually-indexed tagged means you get a cache lookup racing a page-table walk. The cache lookup beats the page table walk by potentially hundreds (maybe thousands) of cycles, giving you a bunch of transient instructions before a fault gets triggered. This is the main attack case. * Not in cache, in TLB: Memory access requires address translation, which comes back almost immediately as a fault. * Not in cache, not in TLB: You have to do a page table walk before you can fetch the location, as you have to go out to physical memory (and therefore need a physical address). The page table walk will come back with a fault, stopping the attack. So, unless I'm missing something here, both non-cached cases defeat the meltdown attack, as you *cannot* get the data unless you do address translation first (and therefore detect faults). As for why this defeats the spectre attack, the logic is similar: you've jumped into someone else's executable code, hoping to scoop up enough information into your branch predictor before the fault kicks you out. However, to capture anything about sensitive information in your side-channels, the transient instructions need to actually get it into the core before a fault gets detected. The same case analysis as above applies, so you never actually get the sensitive info into the core before a fault comes back and you get squashed. [1]: A physically-indexed cache would be largely immune to this attack, as you'd have to do address translation before doing a cache lookup. I have some ideas that can build on this, but I'd like to get some feedback first. 
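The rationale above turns on one mechanism: a transient instruction touches a cache line selected by secret data, and the attacker later recovers the selection by timing loads. The program below is an added illustration of that cache-timing channel ("Flush+Reload"); it is not code from Eric's message or from FreeBSD, and it does not perform the faulting transient load of step (1). Instead the byte that selects the probe line is read from a constructed, in-bounds array, so only the measurement side is demonstrated: flush 256 page-strided probe lines, touch one, time all 256, and vote across rounds. Real timings assume x86-64 with `clflush` and `rdtscp`; on any other architecture the file still compiles with a `clock_gettime()` fallback whose numbers carry no cache information.

```c
/* Added example, not from the thread: the Flush+Reload cache-timing
 * channel that Meltdown/Spectre use as their side channel. The
 * faulting transient load is NOT performed; `secret` is a constructed,
 * in-bounds byte, so this only shows how a touched line is recovered. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <x86intrin.h>          /* _mm_clflush, _mm_mfence, __rdtscp */
#define HAVE_X86_CACHE_PRIMITIVES 1
#else
#include <time.h>               /* fallback: compiles, but cannot see the cache */
#define HAVE_X86_CACHE_PRIMITIVES 0
#endif

#define PAGE_BYTES 4096
#define NVALS 256
#define ROUNDS 32

/* One page per possible byte value: adjacent probes never share a cache
 * line, and the page stride keeps the adjacent-line prefetcher out. */
static uint8_t probe[NVALS * PAGE_BYTES] __attribute__((aligned(PAGE_BYTES)));
static volatile uint8_t sink;

static void flush_line(const void *p)
{
#if HAVE_X86_CACHE_PRIMITIVES
    _mm_clflush(p);
#else
    (void)p;                    /* no portable cache flush exists */
#endif
}

/* Time one load: a cache hit costs tens of cycles, a miss a few hundred. */
static uint64_t time_load(const volatile uint8_t *p)
{
#if HAVE_X86_CACHE_PRIMITIVES
    unsigned aux;
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    sink = *p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    sink = *p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ULL
         + (uint64_t)(b.tv_nsec - a.tv_nsec);
#endif
}

/* Index of the smallest timing: the one line that was brought into cache.
 * Deterministic, so it is the part a test can check on constructed input. */
int fastest_index(const uint64_t *cycles, int n)
{
    int best = 0;
    for (int i = 1; i < n; i++)
        if (cycles[i] < cycles[best])
            best = i;
    return best;
}

/* Index with the most votes; ties resolve to the lowest index. */
int most_voted(const int *votes, int n)
{
    int best = 0;
    for (int i = 1; i < n; i++)
        if (votes[i] > votes[best])
            best = i;
    return best;
}

/* Steps (3) and (5) of the attack as described in the thread, with step (1)
 * replaced by an ordinary read of `secret`. Per round: flush every probe
 * line, touch the one the secret selects, time all 256, record the winner. */
int flush_reload_recover(uint8_t secret)
{
    int votes[NVALS] = {0};
    uint64_t cycles[NVALS];
    for (int r = 0; r < ROUNDS; r++) {
        for (int i = 0; i < NVALS; i++)
            flush_line(&probe[i * PAGE_BYTES]);
        sink = probe[secret * PAGE_BYTES];      /* the "transmit" access */
        for (int k = 0; k < NVALS; k++) {
            int i = (k * 167 + 13) & 0xff;       /* 167 is odd: visits each index once, scrambled */
            cycles[i] = time_load(&probe[i * PAGE_BYTES]);
        }
        votes[fastest_index(cycles, NVALS)]++;
    }
    return most_voted(votes, NVALS);
}

int main(void)
{
    /* Constructed sample standing in for data a transient load would have
     * fetched; nothing here reads memory the process does not own. */
    const char sample[] = "FreeBSD";
    int ok = 0, total = (int)sizeof(sample) - 1;
    for (int i = 0; i < total; i++) {
        int got = flush_reload_recover((uint8_t)sample[i]);
        ok += (got == (uint8_t)sample[i]);
        printf("sent 0x%02x recovered 0x%02x %s\n", (unsigned)(uint8_t)sample[i],
               (unsigned)got, got == (uint8_t)sample[i] ? "ok" : "MISS");
    }
    printf("%d/%d bytes recovered via %s\n", ok, total,
           HAVE_X86_CACHE_PRIMITIVES ? "clflush+rdtscp"
                                     : "portable fallback (timings not meaningful)");
    return 0;
}
```

On a quiet x86-64 machine the seven bytes come back intact; under heavy noise (a busy VM, SMT sibling load) individual rounds mis-vote, which is why the recovery votes across rounds instead of trusting one measurement. The "in cache, not in TLB" race Eric describes is exactly what makes the touched line observable here: the probe array is the attacker's own memory, so its lines are always reachable without a fault, and the only information needed from the transient window is which of the 256 lines it pulled in.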
From owner-freebsd-security@freebsd.org Fri Jan 5 08:04:20 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1CC63EBB6D9 for ; Fri, 5 Jan 2018 08:04:20 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id D99447C890 for ; Fri, 5 Jan 2018 08:04:19 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id A8E251036F; Fri, 5 Jan 2018 08:04:13 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 59F3D5CE83; Fri, 5 Jan 2018 08:02:41 +0000 (UTC) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Erich Dollansky Cc: freebsd-security@freebsd.org Subject: Re: Intel hardware bug References: <02563ce4-437c-ab96-54bb-a8b591900ba0@FreeBSD.org> <19876.1515025752@segfault.tristatelogic.com> <20180104132807.266fe46c.freebsd.ed.lists@sumeritec.com> <86vaghu0ps.fsf@desk.des.no> <20180105104020.51c2a742.freebsd.ed.lists@sumeritec.com> Date: Fri, 05 Jan 2018 09:02:41 +0100 In-Reply-To: <20180105104020.51c2a742.freebsd.ed.lists@sumeritec.com> (Erich Dollansky's message of "Fri, 5 Jan 2018 10:40:20 +0800") Message-ID: <86lghcu40u.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 08:04:20 -0000 Erich Dollansky writes: > [much elided] > Directly yes, not if the kernel memory would be always in a different > segment. 
> It would land then in cache only when memory near segment
> bounds is accessed. Which could be easily avoided.

Are you familiar with the expression “not even wrong”?

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Fri Jan 5 08:16:50 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 04690EBC1C3 for ; Fri, 5 Jan 2018 08:16:50 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id C3EB17CF60 for ; Fri, 5 Jan 2018 08:16:49 +0000 (UTC) (envelope-from des@des.no)
Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id DEABA10397; Fri, 5 Jan 2018 08:16:48 +0000 (UTC)
Received: by desk.des.no (Postfix, from userid 1001) id A52495CE86; Fri, 5 Jan 2018 08:15:16 +0000 (UTC)
From: Dag-Erling Smørgrav
To: Eric McCorkle
Cc: "freebsd-security@freebsd.org"
Subject: Re: A more general possible meltdown/spectre countermeasure
References:
Date: Fri, 05 Jan 2018 09:15:16 +0100
In-Reply-To: (Eric McCorkle's message of "Thu, 4 Jan 2018 23:05:40 -0500")
Message-ID: <86efn4u3fv.fsf@desk.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 05 Jan 2018 08:16:50 -0000

Eric McCorkle writes:
> The obvious downside is that you take a performance hit storing things
> in non-cacheable locations, especially if you plan on doing heavy
> computation in that memory (say, encryption/decryption). However, this
> is almost certainly going to be less than the projected 30-50%
> performance hit from other mitigations.

Where did you get those numbers? Because the worst documented case for KPTI is ~20% for I/O-intensive workloads, and PCID is likely to bring this down to single digits if used correctly. The KAISER paper claims a slowdown of < 1%, but that may have been the result of undisclosed features of the specific CPU they tested on.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Fri Jan 5 08:33:20 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 32D55EBD144 for ; Fri, 5 Jan 2018 08:33:20 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 1CA267DD18 for ; Fri, 5 Jan 2018 08:33:19 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id F3E183ACDA for ; Fri, 5 Jan 2018 00:33:12 -0800 (PST)
From: "Ronald F. Guilmette"
To: "freebsd-security@freebsd.org"
Subject: Re: Intel hardware bug
In-Reply-To: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>
Date: Fri, 05 Jan 2018 00:33:12 -0800
Message-ID: <2594.1515141192@segfault.tristatelogic.com>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 05 Jan 2018 08:33:20 -0000

In message <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>,
Eric McCorkle wrote:

>The attack looks like this:
>
>1) Fetch kernel/other process memory, which eventually faults
>2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>value. This gets executed speculatively on the fetched value in (1).
>3) Execute fetches of two different addresses depending on some bit in
>the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1). This
>also gets executed speculatively despite the fact that (1) ends up faulting.
>4) Recover from fault in (1)
>5) Measure performance of accesses to the two addresses to determine
>which one is cached.

I must say, that's one hell of a round-about way to read just one bit that you weren't supposed to have access to. But of course, that doesn't really matter if you are an attacker.

If the above steps can be repeated, programmatically, ad infinitum, to read bits from "protected" memory... and I see no reason why they can't be... then yea, this bug is every bit as bad as the media is making it out to be, and maybe even worse.

All your secrets are belong to us!

Time to invest in abacuses... or is that abacai?
Regards,
rfg

From owner-freebsd-security@freebsd.org Fri Jan 5 10:08:19 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E20FEEC1C0C for ; Fri, 5 Jan 2018 10:08:19 +0000 (UTC) (envelope-from repeatable_compression@yahoo.com)
Received: from sonic301-31.consmr.mail.ne1.yahoo.com (sonic301-31.consmr.mail.ne1.yahoo.com [66.163.184.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ACB311745 for ; Fri, 5 Jan 2018 10:08:19 +0000 (UTC) (envelope-from repeatable_compression@yahoo.com)
Received: from sonic.gate.mail.ne1.yahoo.com by sonic301.consmr.mail.ne1.yahoo.com with HTTP; Fri, 5 Jan 2018 10:08:18 +0000
Date: Fri, 5 Jan 2018 10:07:01 +0000 (UTC)
From: Jules Gilbert
To: "Ronald F. Guilmette" , Eric McCorkle , Freebsd Security , Brett Glass , Dag-Erling Smørgrav , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn
Message-ID: <809675000.867372.1515146821354@mail.yahoo.com>
In-Reply-To: <2594.1515141192@segfault.tristatelogic.com>
References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com>
Subject: Re: Intel hardware bug
MIME-Version: 1.0
X-Mailer: WebService/1.1.11150 YMailNorrin Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:57.0) Gecko/20100101 Firefox/57.0
X-Mailman-Approved-At: Fri, 05 Jan 2018 11:51:40 +0000
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 05 Jan 2018 10:08:20 -0000

Sorry guys, you just convinced me that no one, not the NSA, not the FSB, no one!, has in the past, or will in the future be able to exploit this to actually do something not nice.

I'm not saying that the hardware shouldn't be fixed, I am saying that we don't need to worry about this.

In the early days of DOS there was a hardware bug in nearly all floppy controllers, it wasn't even discovered until (I think,) 1985 or so. The thing is..., no one reported unusual problems.

So what is this, really?, it's a market exploit opportunity for AMD.

On Friday, January 5, 2018, 3:33:31 AM EST, Ronald F. Guilmette wrote:

In message <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>,
Eric McCorkle wrote:

>The attack looks like this:
>
>1) Fetch kernel/other process memory, which eventually faults
>2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>value. This gets executed speculatively on the fetched value in (1).
>3) Execute fetches of two different addresses depending on some bit in
>the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1). This
>also gets executed speculatively despite the fact that (1) ends up faulting.
>4) Recover from fault in (1)
>5) Measure performance of accesses to the two addresses to determine
>which one is cached.

I must say, that's one hell of a round-about way to read just one bit that you weren't supposed to have access to. But of course, that doesn't really matter if you are an attacker.

If the above steps can be repeated, programmatically, ad infinitum, to read bits from "protected" memory... and I see no reason why they can't be... then yea, this bug is every bit as bad as the media is making it out to be, and maybe even worse.

All your secrets are belong to us!

Time to invest in abacuses... or is that abacai?

Regards,
rfg
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Fri Jan 5 12:01:06 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 43A0CEA42EB for ; Fri, 5 Jan 2018 12:01:06 +0000 (UTC) (envelope-from mail@kkoenig.net)
Received: from mx1.outerhaven.de (mx1.outerhaven.de [81.14.236.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B31226544E for ; Fri, 5 Jan 2018 12:01:05 +0000 (UTC) (envelope-from mail@kkoenig.net)
Received: from [10.0.1.35] (port-87-193-161-154.static.qsc.de [87.193.161.154]) by mx1.outerhaven.de (OpenSMTPD) with ESMTPSA id 647e6b59 TLS version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO for ; Fri, 5 Jan 2018 13:01:01 +0100 (CET)
Subject: Re: Intel hardware bug
To: freebsd-security@freebsd.org
References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com>
From: Karsten König
Message-ID: <803c9f0c-baa3-f65c-70f8-a27e4ee8a7cf@kkoenig.net>
Date: Fri, 5 Jan 2018 13:01:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <809675000.867372.1515146821354@mail.yahoo.com>
Content-Type: text/plain; charset=utf-8
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 05 Jan 2018 12:01:06 -0000

Hello,

On 05.01.2018 11:07, Jules Gilbert via freebsd-security wrote:
> Sorry guys, you just convinced me that no one, not the NSA, not the FSB, no one!, has in the past, or will in the future be able to exploit this to actually do something not nice.
> I'm not saying that the hardware shouldn't be fixed, I am saying that we don't need to worry about this.

We should indeed worry about this. This could be just the tip of the iceberg. Think about Rowhammer. This was a bug which affected RAM. In the beginning it was just some basic computer science research which was hard to trigger. After some months, people found ways to exploit Rowhammer via JavaScript, so that every person using a browser was a possible target. The same could happen with this stuff; people are already working on this.

Best,
Karsten

> In the early days of DOS there was a hardware bug in nearly all floppy controllers, it wasn't even discovered until (I think,) 1985 or so. The thing is..., no one reported unusual problems.
> So what is this, really?, it's a market exploit opportunity for AMD.
>
> On Friday, January 5, 2018, 3:33:31 AM EST, Ronald F. Guilmette wrote:
>
> In message <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>,
> Eric McCorkle wrote:
>
>> The attack looks like this:
>>
>> 1) Fetch kernel/other process memory, which eventually faults
>> 2) Do a bit-shift/mask operation to pluck out one bit of the fetched
>> value. This gets executed speculatively on the fetched value in (1).
>> 3) Execute fetches of two different addresses depending on some bit in
>> the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1). This
>> also gets executed speculatively despite the fact that (1) ends up faulting.
>> 4) Recover from fault in (1)
>> 5) Measure performance of accesses to the two addresses to determine
>> which one is cached.
>
> I must say, that's one hell of a round-about way to read just one bit that
> you weren't supposed to have access to. But of course, that doesn't really
> matter if you are an attacker.
>
> If the above steps can be repeated, programmatically, ad infinitum, to read
> bits from "protected" memory... and I see no reason why they can't be...
> then yea, this bug is every bit as bad as the media is making it out to be,
> and maybe even worse.
>
> All your secrets are belong to us!
>
> Time to invest in abacuses... or is that abacai?
>
> Regards,
> rfg
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Fri Jan 5 12:30:51 2018
Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7A75EEA5E8D for ; Fri, 5 Jan 2018 12:30:51 +0000 (UTC) (envelope-from eric@metricspace.net)
Received: from mail.metricspace.net (mail.metricspace.net [IPv6:2001:470:1f11:617::107]) by mx1.freebsd.org (Postfix) with ESMTP id 54486665DA for ; Fri, 5 Jan 2018 12:30:51 +0000 (UTC) (envelope-from eric@metricspace.net)
Received: from [172.16.0.82] (unknown [172.16.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 0A5E3884C; Fri, 5 Jan 2018 12:30:48 +0000 (UTC)
Subject: Re: A more general possible meltdown/spectre countermeasure
To:
=?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Cc: "freebsd-security@freebsd.org" References: <86efn4u3fv.fsf@desk.des.no> From: Eric McCorkle Message-ID: <4bad69c4-6fc7-6735-6b15-81baaee358f3@metricspace.net> Date: Fri, 5 Jan 2018 07:30:48 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <86efn4u3fv.fsf@desk.des.no> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 12:30:51 -0000 On 01/05/2018 03:15, Dag-Erling Smørgrav wrote: > Eric McCorkle writes: >> The obvious downside is that you take a performance hit storing things >> in non-cacheable locations, especially if you plan on doing heavy >> computation in that memory (say, encryption/decryption). However, this >> is almost certainly going to be less than the projected 30-50% >> performance hit from other mitigations. > > Where did you get those numbers? Because the worst documented case for > KPTI is ~20% for I/O-intensive workloads, and PCID is likely to bring > this down to single digits if used correctly. The KAISER paper claims a > slowdown of < 1%, but that may have been the result of undisclosed > features of the specific CPU they tested on. Those were numbers being thrown around. I'm not putting a lot of stake in them. 
From owner-freebsd-security@freebsd.org Fri Jan 5 12:42:55 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F0D1AEA6BA7; Fri, 5 Jan 2018 12:42:55 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (mail.metricspace.net [IPv6:2001:470:1f11:617::107]) by mx1.freebsd.org (Postfix) with ESMTP id C44D8670C3; Fri, 5 Jan 2018 12:42:55 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [172.16.0.82] (unknown [172.16.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 3ED298850; Fri, 5 Jan 2018 12:42:54 +0000 (UTC) Subject: Re: Intel hardware bug To: Jules Gilbert , "Ronald F. Guilmette" , Freebsd Security , Brett Glass , =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> From: Eric McCorkle Message-ID: <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net> Date: Fri, 5 Jan 2018 07:42:53 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <809675000.867372.1515146821354@mail.yahoo.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Fri, 05 Jan 2018 12:49:00 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 12:42:56 -0000 On 01/05/2018 05:07, Jules 
Gilbert wrote: > Sorry guys, you just convinced me that no one, not the NSA, not the FSB, > no one!, has in the past, or will in the future be able to exploit this > to actually do something not nice. Attacks have already been demonstrated, pulling secrets out of kernel space with meltdown and http headers/passwords out of a browser with spectre. Javascript PoCs are already in existence, and we can expect them to find their way into adware-based malware within a week or two. Also, I'd be willing to bet you a year's rent that certain three-letter organizations have known about and used this for some time. > So what is this, really?, it's a market exploit opportunity for AMD. Don't bet on it. There's reports of AMD vulnerabilities, also for ARM. I doubt any major architecture is going to make it out unscathed. (But if one does, my money's on Power) From owner-freebsd-security@freebsd.org Fri Jan 5 14:48:50 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 27A19EAD345; Fri, 5 Jan 2018 14:48:50 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id DD7BC6BE94; Fri, 5 Jan 2018 14:48:49 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id BC691107C6; Fri, 5 Jan 2018 14:48:47 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 7E0425CEB6; Fri, 5 Jan 2018 14:47:15 +0000 (UTC) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Jules Gilbert Cc: "Ronald F. 
Guilmette" , Eric McCorkle , Freebsd Security , Poul-Henning Kamp , "freebsd-arch\@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn Subject: Re: Intel hardware bug References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> Date: Fri, 05 Jan 2018 15:47:15 +0100 In-Reply-To: <809675000.867372.1515146821354@mail.yahoo.com> (Jules Gilbert's message of "Fri, 5 Jan 2018 10:07:01 +0000 (UTC)") Message-ID: <861sj4tlak.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 14:48:50 -0000 Jules Gilbert writes: > Sorry guys, you just convinced me that no one, not the NSA, not the > FSB, no one!, has in the past, or will in the future be able to > exploit this to actually do something not nice. The technique has already been proven by multiple independent parties to work quite well, allowing an attacker to read kernel memory at speeds of up to 500 kB/s. But I guess you know better... 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Fri Jan 5 15:26:04 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2CA18EAF1FC for ; Fri, 5 Jan 2018 15:26:04 +0000 (UTC) (envelope-from repeatable_compression@yahoo.com) Received: from sonic306-21.consmr.mail.ne1.yahoo.com (sonic306-21.consmr.mail.ne1.yahoo.com [66.163.189.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DB2F56DB0E for ; Fri, 5 Jan 2018 15:26:03 +0000 (UTC) (envelope-from repeatable_compression@yahoo.com) X-YMail-OSG: _SddRmcVM1nJxZCtrZgFURVxnQKAGb2iASLhSLJnIiLQbCS6oOI8qaV3dM1hi4w SuR4XEcrNnbotGWzz2cB1RcWpSB1xsID_7tekZTsYHGjwmwhBZUX3Uxfer74oK8ZZpq8DHeO5LEY eeuAb2eFA0_m8B3xyJ0U9s7AytItHsCZ2yzBpQ0SVkTfx.35GjTd0xjGnxD7fy5Qy78qAvRFRsfQ ZNhBUrCcDhnNBIutlsAj5myteoKJ6ntp2NWJeF_A2g2fE84MDuDpIkG3d2Jc_3QRHuWg2.avm5ZM 4da9fZS0GqBoVA8_ekbGtdIOen3sOKRQsarEddWTozNERLkluYwivu3wNG1Gra.4Dbh7zxMjNU5H Ygk40Y9ORP7d7EB11heasRrxS71RutuocaLB4dtCiPv.moiQvwyFRwC8SHS2NcWahwFfIvURAPJt hplC7FHgei1GlSYZHPAvV6Zp7zHb5Rzw8XdNxdkRVR85EoNzCwHRicSwc4O9q4oRvn7_tNhaVrNR FFCBnZyqu3qz5DNmNLgU9Hw-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 5 Jan 2018 15:25:57 +0000 Date: Fri, 5 Jan 2018 15:25:34 +0000 (UTC) From: Jules Gilbert To: =?UTF-8?Q?Dag-Erling_Sm=C3=B8rgrav?= Cc: "Ronald F. 
Guilmette", Eric McCorkle, Freebsd Security, Poul-Henning Kamp, freebsd-arch@freebsd.org, FreeBSD Hackers, Shawn Webb, Nathan Whitehorn
Message-ID: <302406914.1010662.1515165934929@mail.yahoo.com>
In-Reply-To: <861sj4tlak.fsf@desk.des.no>
Subject: Re: Intel hardware bug

Ah, sorry I'm wrong.  I apologize.  I won't intrude further.  I spoke up because selectively choosing to read sections of kernel memory is one thing, obtaining useful information from an arbitrary block of kernel memory you don't get to choose is quite another.

But there are several people here I respect very much and if they say I'm wrong about an area they focus on,... me bad.

On Friday, January 5, 2018, 9:48:50 AM EST, Dag-Erling Smørgrav wrote:

Jules Gilbert writes:
> Sorry guys, you just convinced me that no one, not the NSA, not the
> FSB, no one!, has in the past, or will in the future be able to
> exploit this to actually do something not nice.

The technique has already been proven by multiple independent parties to work quite well, allowing an attacker to read kernel memory at speeds of up to 500 kB/s.  But I guess you know better...
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Fri Jan 5 13:30:32 2018
From: Andrew Duane
To: Eric McCorkle, Jules Gilbert, "Ronald F. Guilmette", Freebsd Security, Brett Glass, Dag-Erling Smørgrav, Poul-Henning Kamp, freebsd-arch@freebsd.org, FreeBSD Hackers, Shawn Webb, Nathan Whitehorn
Subject: RE: Intel hardware bug
Date: Fri, 5 Jan 2018 13:30:26 +0000
In-Reply-To: <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net>
I wouldn't think Javascript would have the accurate timing required to leverage this attack, but I don't really know enough about the language.

Regardless, is there someone within FreeBSD that is working on patches for this set of problems, at least for Intel?  Linux already has at least some, and I believe NetBSD does too.  Of course Windows has already pushed out a Windows 10 fix, 7 and 8 are coming.

....................................
Andrew L. Duane - Principal Resident Engineer
AT&T Advanced Services Technical Lead
Juniper Quality Ambassador
m   +1 603.770.7088
o   +1 408.933.6944 (2-6944)
skype: andrewlduane
aduane@juniper.net

-----Original Message-----
From: owner-freebsd-hackers@freebsd.org [mailto:owner-freebsd-hackers@freebsd.org] On Behalf Of Eric McCorkle
Sent: Friday, January 5, 2018 7:43 AM
To: Jules Gilbert; Ronald F.
Guilmette <rfg@tristatelogic.com>; Freebsd Security; Brett Glass; Dag-Erling Smørgrav; Poul-Henning Kamp; freebsd-arch@freebsd.org; FreeBSD Hackers; Shawn Webb; Nathan Whitehorn
Subject: Re: Intel hardware bug

On 01/05/2018 05:07, Jules Gilbert wrote:
> Sorry guys, you just convinced me that no one, not the NSA, not the
> FSB, no one!, has in the past, or will in the future be able to
> exploit this to actually do something not nice.

Attacks have already been demonstrated, pulling secrets out of kernel space with meltdown and http headers/passwords out of a browser with spectre.  Javascript PoCs are already in existence, and we can expect them to find their way into adware-based malware within a week or two.

Also, I'd be willing to bet you a year's rent that certain three-letter organizations have known about and used this for some time.

> So what is this, really?, it's a market exploit opportunity for AMD.

Don't bet on it.  There's reports of AMD vulnerabilities, also for ARM.  I doubt any major architecture is going to make it out unscathed.
(But if one does, my money's on Power)

From owner-freebsd-security@freebsd.org Fri Jan 5 15:53:01 2018
Subject: Re: Intel hardware bug
To: C Bergström
Cc: Freebsd Security, freebsd-arch@freebsd.org, FreeBSD Hackers
From: Eric McCorkle
Message-ID: <755a65eb-b02e-05c5-e1a2-701cfd8bc837@metricspace.net>
Date: Fri, 5 Jan 2018 10:35:13 -0500

On 01/05/2018 09:55, C Bergström wrote:
> Don't bet on it.
> There's reports of AMD vulnerabilities, also for ARM.
> I doubt any major architecture is going to make it out unscathed.  (But
> if one does, my money's on Power)
>
>
> Nope, the only arch that I'm aware of that gets past this is SPARC(hah!)
> due to the separate userland and kernel memory virtualization.

Alas, poor Sparc.  I knew them, Horatio...

It looks like Red Hat is indeed reporting Power9 to be vulnerable:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

Unfortunate.  I hope they get fixed silicon out in time for the Talos II workstation.

From owner-freebsd-security@freebsd.org Fri Jan 5 14:55:36 2018
In-Reply-To: <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net>
From: C Bergström
Date: Fri, 5 Jan 2018 22:55:14 +0800
Subject: Re: Intel hardware bug
To: Eric McCorkle
Cc: Jules Gilbert, "Ronald F.
Guilmette", Freebsd Security, Brett Glass, Dag-Erling Smørgrav, Poul-Henning Kamp, freebsd-arch@freebsd.org, FreeBSD Hackers, Shawn Webb, Nathan Whitehorn

On Fri, Jan 5, 2018 at 8:42 PM, Eric McCorkle wrote:
> On 01/05/2018 05:07, Jules Gilbert wrote:
> > Sorry guys, you just convinced me that no one, not the NSA, not the FSB,
> > no one!, has in the past, or will in the future be able to exploit this
> > to actually do something not nice.
>
> Attacks have already been demonstrated, pulling secrets out of kernel
> space with meltdown and http headers/passwords out of a browser with
> spectre.  Javascript PoCs are already in existence, and we can expect
> them to find their way into adware-based malware within a week or two.
>
> Also, I'd be willing to bet you a year's rent that certain three-letter
> organizations have known about and used this for some time.
>
> > So what is this, really?, it's a market exploit opportunity for AMD.
>
> Don't bet on it.  There's reports of AMD vulnerabilities, also for ARM.
> I doubt any major architecture is going to make it out unscathed.  (But
> if one does, my money's on Power)
>

Nope, the only arch that I'm aware of that gets past this is SPARC(hah!) due to the separate userland and kernel memory virtualization.
From owner-freebsd-security@freebsd.org Fri Jan 5 16:40:53 2018
Subject: Re: Intel hardware bug
To: C Bergström, Eric McCorkle
Cc: FreeBSD Hackers, freebsd-arch@freebsd.org, Shawn Webb, Freebsd Security, Poul-Henning Kamp, "Ronald F.
Guilmette", Dag-Erling Smørgrav, Brett Glass, Jules Gilbert
From: Nathan Whitehorn
Date: Fri, 5 Jan 2018 08:40:39 -0800

On 01/05/18 06:55, C Bergström wrote:
> On Fri, Jan 5, 2018 at 8:42 PM, Eric McCorkle wrote:
>
>> On 01/05/2018 05:07, Jules Gilbert wrote:
>>> Sorry guys, you just convinced me that no one, not the NSA, not the FSB,
>>> no one!, has in the past, or will in the future be able to exploit this
>>> to actually do something not nice.
>> Attacks have already been demonstrated, pulling secrets out of kernel
>> space with meltdown and http headers/passwords out of a browser with
>> spectre.  Javascript PoCs are already in existence, and we can expect
>> them to find their way into adware-based malware within a week or two.
>>
>> Also, I'd be willing to bet you a year's rent that certain three-letter
>> organizations have known about and used this for some time.
>>
>>> So what is this, really?, it's a market exploit opportunity for AMD.
>> Don't bet on it.  There's reports of AMD vulnerabilities, also for ARM.
>> I doubt any major architecture is going to make it out unscathed.  (But
>> if one does, my money's on Power)
>>
> Nope, the only arch that I'm aware of that gets past this is SPARC(hah!)
> due to the separate userland and kernel memory virtualization.
> _______________________________________________

POWER has the same thing.  It's actually stronger separation, since user processes don't share addresses either -- all processes, including the kernel, have windowed access to an 80-bit address space, so no process can even describe an address in another process's address space.  There are ways, of course, in which IBM could have messed up the implementation, so the fact that it *should* be secure does not mean it *is*.

SPARC avoids the issue because almost all implementations are in-order.
-Nathan

From owner-freebsd-security@freebsd.org Fri Jan 5 18:24:23 2018
Cc:
Freebsd Security, FreeBSD Hackers, freebsd-arch@freebsd.org, C Bergström
In-Reply-To: <755a65eb-b02e-05c5-e1a2-701cfd8bc837@metricspace.net>
From: "Chris H"
Reply-To: bsd-lists@BSDforge.com
To: "Eric McCorkle"
Subject: Re: Intel hardware bug
Date: Fri, 05 Jan 2018 10:24:10 -0800

On Fri, 5 Jan 2018 10:35:13 -0500 "Eric McCorkle" said
> On 01/05/2018 09:55, C Bergström wrote:
>
> > Don't bet on it.  There's reports of AMD vulnerabilities, also for ARM.
> > I doubt any major architecture is going to make it out unscathed.  (But
> > if one does, my money's on Power)
> >
> >
> > Nope, the only arch that I'm aware of that gets past this is SPARC(hah!)
> > due to the separate userland and kernel memory virtualization.
>
> Alas, poor Sparc.  I knew them, Horatio...

Ahh, good ol' SPARC!

>
> It looks like Red Hat is indeed reporting Power9 to be vulnerable:
>
> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>
> Unfortunate.  I hope they get fixed silicon out in time for the Talos II
> workstation.

What *I* want to know is whether they're going to drastically reduce the price on all the affected processors?  As it stands, they should be practically giving them away.  How is it that the burden lies on the OS vendors, and not the manufacturers?!
--Chris

From owner-freebsd-security@freebsd.org Fri Jan 5 18:44:49 2018
Subject: Re: Intel hardware bug
To: freebsd-security@freebsd.org
From: Eric McCorkle
Date: Fri, 5 Jan 2018 13:44:46 -0500

On 01/05/2018 11:40, Nathan Whitehorn wrote:
> POWER has the same thing.
> It's actually stronger separation, since user
> processes don't share addresses either -- all processes, including the
> kernel, have windowed access to an 80-bit address space, so no process
> can even describe an address in another process's address space.  There
> are ways, of course, in which IBM could have messed up the
> implementation, so the fact that it *should* be secure does not mean it
> *is*.

That's interesting, as it conflicts with Red Hat's vulnerability disclosure.  Is that because the silicon is buggy, or because Linux somehow ends up being vulnerable when it need not be?

>
> SPARC avoids the issue because almost all implementations are in-order.

Definitely not true of the post-Oracle models.  I saw a tech talk on the core once.

From owner-freebsd-security@freebsd.org Fri Jan 5 19:17:50 2018
Date: Fri, 5 Jan 2018 13:51:24 -0500
From: "Cameron, Frank J"
To: freebsd-security@freebsd.org
Subject: Re: Intel hardware bug
Message-ID: <20180105185124.GF11964@linux116.ctc.com>

Eric McCorkle wrote:
> On 01/05/2018 11:40, Nathan Whitehorn wrote:
> > POWER has the same thing.  It's actually stronger separation, since user
> > processes don't share addresses either -- all processes, including the
> > kernel, have windowed access to an 80-bit address space, so no process
> > can even describe an address in another process's address space.  There
> > are ways, of course, in which IBM could have messed up the
> > implementation, so the fact that it *should* be secure does not mean it
> > *is*.
>
> That's interesting, as it conflicts with Red Hat's vulnerability
> disclosure.  Is that because the silicon is buggy, or because Linux
> somehow ends up being vulnerable when it need not be?

"Complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems.
The firmware patch provides partial remediation to this vulnerability and is a pre-requisite for the OS patch to be effective."

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

From owner-freebsd-security@freebsd.org Fri Jan 5 19:11:53 2018
a=_W_S_7VecoQA:10 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 Received: from [10.168.3.146] (S0106d4ca6d8943b0.gv.shawcable.net [70.66.132.207]) by spqr.komquats.com (Postfix) with ESMTPSA id 404BC335; Fri, 5 Jan 2018 11:11:44 -0800 (PST) MIME-Version: 1.0 From: Cy Schubert Subject: RE: Intel hardware bug Date: Fri, 5 Jan 2018 11:11:49 -0800 To: Eric McCorkle , Jules Gilbert , "Ronald F. Guilmette" , Freebsd Security , Brett Glass , =?Windows-1252?Q?Dag-Erling_Sm=F8rgrav?= , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn Message-Id: <20180105191145.404BC335@spqr.komquats.com> X-CMAE-Envelope: MS4wfH322YrJxfBdQecR2LYFVCLIcE5yPI+FMR67fSdSbX5SZNmSHuWMZP7kLJHrNWkbgGHQJ/Or6pAKfo03lnxd/sr7jTjNhJOjwkd44edBoGATMMjkXkI3 QM1dGSB6Vp70ELNp2fudaiCoxqi/sSxgNbHOxHCZPKco7vbxWasxjK/xIeNfsQ90oMZy78xsGjH7/42XYf0s1tOdrO79NeTAaOgpEhVdcGycCsSKn1Vrsyf/ 0b7qFEzTR+OrUYKggiGe3R39N7Tsq7kRSH9ozokVOVGtkXPsIXHtFR4Ha+0FH6geOENSSPbrnLQDlqkVK1tB1JSwwxlfvtrLzqbnGebFHY7UbeABwcbKbREQ E957EaJEwBCxDZeXdMMRAz0wJG0rsDbL5/RqnCasMHNFNZHtXsB9gpwx6uFN5fe/x2JZp+z2wyYPcnfhOsDFKNnxIIsT93mQKpo0CGwZBe/aP/WNW108+A7J m4inBWLIpFHQhB+k3DJ7NuRQtWHCRRMsfRyDgciOvgFdJs5uInksvHNLeCs2dCVcxrd/0OEtesKcffNmJ202SvP9sfcio88q7p06NcgR5ZnbgIPasMXEyIkx A18St45WB/9j3BJcLTKyp/qHS5n+0oAkT6FYhBYcXnYjW7/clj7YZhl8vEKwc3DmV/wAV2OUS3GEUraS4JMGa5Dz X-Mailman-Approved-At: Fri, 05 Jan 2018 19:22:52 +0000 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 19:11:53 -0000 According to a Red Hat announcement, Power and Series z are also vulnerable= . --- Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. 
Also, this old phone only supports top post. Apologies. Cy Schubert or The need of the many outweighs the greed of the few. --- -----Original Message----- From: Eric McCorkle Sent: 05/01/2018 04:48 To: Jules Gilbert; Ronald F. Guilmette; Freebsd Security; Brett Glass; Dag-= Erling Sm=F8rgrav; Poul-Henning Kamp; freebsd-arch@freebsd.org; FreeBSD Hac= kers; Shawn Webb; Nathan Whitehorn Subject: Re: Intel hardware bug On 01/05/2018 05:07, Jules Gilbert wrote: > Sorry guys, you just convinced me that no one, not the NSA, not the FSB, > no one!, has in the past, or will in the future be able to exploit this > to actually do something not nice. Attacks have already been demonstrated, pulling secrets out of kernel space with meltdown and http headers/passwords out of a browser with spectre. Javascript PoCs are already in existence, and we can expect them to find their way into adware-based malware within a week or two. Also, I'd be willing to bet you a year's rent that certain three-letter organizations have known about and used this for some time. > So what is this, really?, it's a market exploit opportunity for AMD. Don't bet on it. There's reports of AMD vulnerabilities, also for ARM. I doubt any major architecture is going to make it out unscathed. 
(But if one does, my money's on Power) _______________________________________________ freebsd-arch@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-arch To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Fri Jan 5 19:17:50 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D8CBFEBAD87 for ; Fri, 5 Jan 2018 19:17:50 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id AFB6A78FEE for ; Fri, 5 Jan 2018 19:17:50 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from spqr.komquats.com ([96.50.22.10]) by shaw.ca with ESMTPA id XXUyeEy0kS7BpXXUzeXYtg; Fri, 05 Jan 2018 12:17:49 -0700 X-Authority-Analysis: v=2.2 cv=NKylwwyg c=1 sm=1 tr=0 a=jvE2nwUzI0ECrNeyr98KWA==:117 a=jvE2nwUzI0ECrNeyr98KWA==:17 a=RgaUWeydRksA:10 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=Kt-rIzu-m2MUlLpCDwcA:9 a=bMKrX4mhllEezhu-:21 a=voBcHpuCykQ4YtwT:21 a=CjuIK1q_8ugA:10 a=WMYLbQpIgYqX9OSb0ygA:9 a=b1KAiWStALnyaQGC:21 a=ohZIoiNbPYEWRb7s:21 a=6C0gAyBXFrrH8m29:21 a=_W_S_7VecoQA:10 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 Received: from [10.168.3.146] (S0106d4ca6d8943b0.gv.shawcable.net [70.66.132.207]) by spqr.komquats.com (Postfix) with ESMTPSA id EC625365; Fri, 5 Jan 2018 11:17:47 -0800 (PST) MIME-Version: 1.0 From: Cy Schubert Subject: RE: Intel hardware bug Date: Fri, 5 Jan 2018 11:17:52 -0800 To: Eric McCorkle , "freebsd-security@freebsd.org" Message-Id: <20180105191747.EC625365@spqr.komquats.com> X-CMAE-Envelope: 
MS4wfGhzU5jB4p6aaBICJEOQzVtRRN/s0Vm/43K0Bh6oFyGk/MDk1TqMvsS/caYh2tro5Aqwc5b+vQHGW2xVGD8m/n3Lrfp39bP24JpAoWY9b549FBtev7Oz 8qoW4lAE6u7ZD08BJ2iLfeAUPhxer++j2ff9oR6Gg88a2ahLPFt1Z/vAWGGFHr8EbxpJXahpOeLRa5mzTr7W98FmXVU9N+a0K+0= X-Mailman-Approved-At: Fri, 05 Jan 2018 19:49:04 +0000 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 19:17:50 -0000 SPARC definitely does out of order execution. --- Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. Also, this old phone only supports top post. Apologies. Cy Schubert or The need of the many outweighs the greed of the few. --- -----Original Message----- From: Eric McCorkle Sent: 05/01/2018 10:45 To: freebsd-security@freebsd.org Subject: Re: Intel hardware bug On 01/05/2018 11:40, Nathan Whitehorn wrote: > POWER has the same thing. It's actually stronger separation, since user > processes don't share addresses either -- all processes, including the > kernel, have windowed access to an 80-bit address space, so no process > can even describe an address in another process's address space. There > are ways, of course, in which IBM could have messed up the > implementation, so the fact that it *should* be secure does not mean it > *is*. That's interesting, as it conflicts with Red Hat's vulnerability disclosure. It that because the silicon is buggy, or because Linux somehow ends up being vulnerable when it need not be? >=20 > SPARC avoids the issue because almost all implementations are in-order. Definitely not true of the post-Oracle models. I saw a tech talk on the core once. 
_______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Fri Jan 5 20:17:53 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 181CEEBE175 for ; Fri, 5 Jan 2018 20:17:53 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 03E887C1F7 for ; Fri, 5 Jan 2018 20:17:52 +0000 (UTC) (envelope-from rfg@tristatelogic.com) Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id D42623AEF2 for ; Fri, 5 Jan 2018 12:17:50 -0800 (PST) From: "Ronald F. Guilmette" To: Freebsd Security Subject: Re: Intel hardware bug In-Reply-To: Date: Fri, 05 Jan 2018 12:17:50 -0800 Message-ID: <5241.1515183470@segfault.tristatelogic.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 20:17:53 -0000 In message , Andrew Duane wrote: >I wouldn't think Javascript would have the accurate timing required to leve= >rage this attack, but I don't really know enough about the language. This brings up something I have been wondering about, although my guess is that much greater minds than mine have already considered this possible mitigation... 
If the meltdown or spectre (or both) attacks are based on careful analysis of timing information, following a memory fault, then why just just introduce a very tiny delay, of randomized duration, in the relevant kernel fault handler, following each such fault? (Since nothing I've read is talking about this, I am guessing that this would be an even bigger loser, performance-wise, than the mitigations that have been developed so far.) Regards, rfg From owner-freebsd-security@freebsd.org Fri Jan 5 20:32:49 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 156DCEBEF7E for ; Fri, 5 Jan 2018 20:32:49 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pm4.ctc.com (pm4.ctc.com [147.160.99.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pm4.ctc.com", Issuer "RapidSSL SHA256 CA - G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D19547CF92 for ; Fri, 5 Jan 2018 20:32:48 +0000 (UTC) (envelope-from cameron@ctc.com) Received: from pps.filterd (pm4.ctc.com [127.0.0.1]) by pm4.ctc.com (8.16.0.21/8.16.0.21) with SMTP id w05KTfSf004990; Fri, 5 Jan 2018 15:32:45 -0500 Received: from server3a.ctc.com ([10.160.17.12]) by pm4.ctc.com with ESMTP id 2f64w2kpaw-1 (version=TLSv1 cipher=AES256-SHA bits=256 verify=NO); Fri, 05 Jan 2018 15:32:45 -0500 Received: from linux116.ctc.com (linux116.ctc.com [10.160.39.116]) by server3a.ctc.com (8.14.4/8.14.4) with ESMTP id w05KWjhV026587; Fri, 5 Jan 2018 15:32:45 -0500 Received: from linux116.ctc.com (localhost [127.0.0.1]) by linux116.ctc.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w05KWi19028081; Fri, 5 Jan 2018 15:32:44 -0500 Received: (from cameron@localhost) by linux116.ctc.com (8.14.4/8.14.4/Submit) id w05KWikc028080; Fri, 5 Jan 2018 15:32:44 -0500 Date: Fri, 5 Jan 2018 15:32:44 -0500 From: "Cameron, Frank J" To: Andrew 
Duane Cc: freebsd-security@freebsd.org Subject: Re: Intel hardware bug Message-ID: <20180105203244.GH11964@linux116.ctc.com> References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 20:32:49 -0000 Andrew Duane wrote: > I wouldn't think Javascript would have the accurate timing required to > leverage this attack, but I don't really know enough about the language. "The performance.now() method returns a DOMHighResTimeStamp, measured in milliseconds, accurate to five thousandths of a millisecond (5 microseconds)." https://developer.mozilla.org/en-US/docs/Web/API/Performance/now "We implemented a clock with a parallel counting thread using the SharedArrayBuffer. ... The resulting resolution is close to the resolution of the native timestamp counter. On our Intel Core i5 test machine, we achieve a resolution of up to 2ns using the shared array buffer. This is equivalent to a resolution of only 4 CPU cycles, which is 3 orders of magnitude better than the timestamp provided by performance.now." https://gruss.cc/files/fantastictimers.pdf ----------------------------------------------------------------- This message and any files transmitted within are intended solely for the addressee or its representative and may contain company proprietary information. If you are not the intended recipient, notify the sender immediately and delete this message. 
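The timer resolutions quoted in this message decide whether one measurement can tell a cached memory access from an uncached one. The following is an added example, not code from the thread or from the cited paper: it simulates the precision clamp browsers applied to performance.now() in January 2018 and shows how far it lowers single-shot distinguishability. The 2 ns / 4-cycle and 5 us figures come from the quotes above; the 100 us clamp, the 200 ns slow-access duration and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Models the timer-precision
// reduction browsers shipped in January 2018: a timestamp is clamped to a
// coarse grid so that a single reading cannot resolve the few-nanosecond
// difference between a cached and an uncached access. Times are integer
// nanoseconds. The 2 ns (4-cycle) and 5 us figures are from the sources
// quoted in the message; 100 us and the 200 ns "slow access" are assumptions.
'use strict';

// Deterministic PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Clamp an integer-nanosecond timestamp down to a multiple of resolutionNs.
function clampNs(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// What a reader of the clamped clock sees for an event of durationNs that
// starts at startNs: either 0 or one full tick, depending only on whether
// the event happens to straddle a grid boundary.
function measuredNs(startNs, durationNs, resolutionNs) {
  return clampNs(startNs + durationNs, resolutionNs) - clampNs(startNs, resolutionNs);
}

// Fraction of single-shot comparisons in which an observer, reading the
// clamped clock once per event, correctly sees the slow event take longer
// than the fast one. Start times are uniform over one millisecond.
function separationRate(fastNs, slowNs, resolutionNs, trials, seed) {
  const rng = mulberry32(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const mFast = measuredNs(Math.floor(rng() * 1e6), fastNs, resolutionNs);
    const mSlow = measuredNs(Math.floor(rng() * 1e6), slowNs, resolutionNs);
    if (mSlow > mFast) correct++;
  }
  return correct / trials;
}

// Live wrapper: performance.now() reduced to resolutionUs. Works in integer
// microseconds so the grid is exact, unlike fractional milliseconds.
function reducedNowUs(resolutionUs) {
  const perf = globalThis.performance;
  const nowUs = perf ? perf.now() * 1000 : Date.now() * 1000;
  return Math.floor(nowUs / resolutionUs) * resolutionUs;
}

function demo() {
  const FAST = 2;    // 4 cycles at the 2 ns counting-thread resolution quoted above
  const SLOW = 200;  // assumed uncached access, for illustration
  return {
    nativeCounter: separationRate(FAST, SLOW, 2, 10000, 1),        // 1.0
    performanceNow: separationRate(FAST, SLOW, 5000, 10000, 1),    // about 0.04
    reduced100us: separationRate(FAST, SLOW, 100000, 10000, 1),    // about 0.002
  };
}

// Caveat for anyone relying on the clamp alone: a grid boundary is crossed
// with probability duration/resolution, so averaging many repetitions still
// recovers sub-grid timing, and a SharedArrayBuffer counting thread bypasses
// the clock entirely. That is why browsers paired the clamp with jitter and
// temporarily disabled SharedArrayBuffer in January 2018.
console.log(demo());
```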
Publication, reproduction, forwarding, or content disclosure is prohibited without the consent of the original sender and may be unlawful. Concurrent Technologies Corporation and its Affiliates. www.ctc.com 1-800-282-4392 ----------------------------------------------------------------- From owner-freebsd-security@freebsd.org Fri Jan 5 20:46:13 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 52365EBFBA0 for ; Fri, 5 Jan 2018 20:46:13 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost2.sentex.ca (smarthost2.sentex.ca [IPv6:2607:f3e0:80:80::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 0F8277D98E for ; Fri, 5 Jan 2018 20:46:12 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (lava.sentex.ca [IPv6:2607:f3e0:0:5::11]) by smarthost2.sentex.ca (8.15.2/8.15.2) with ESMTPS id w05KkBj2070950 (version=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Fri, 5 Jan 2018 15:46:11 -0500 (EST) (envelope-from mike@sentex.net) Received: from [192.168.43.26] (saphire3.sentex.ca [192.168.43.26]) by lava.sentex.ca (8.15.2/8.15.2) with ESMTP id w05Kk8UH034492; Fri, 5 Jan 2018 15:46:09 -0500 (EST) (envelope-from mike@sentex.net) Subject: Re: Intel hardware bug To: Andrew Duane , Freebsd Security References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net> From: Mike Tancsa Organization: Sentex Communications Message-ID: <6ed8d379-103d-e6f0-9c4a-ede69b5a60b4@sentex.net> Date: Fri, 5 Jan 2018 15:46:08 -0500 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 
Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.78 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 20:46:13 -0000 On 1/5/2018 8:30 AM, Andrew Duane wrote: > Regardless, is there someone within FreeBSD that is working on patches for this set of problems, at least for Intel? Linux already has at least some, and I believe NetBSD does too. Of course Windows has already pushed out a Windows10 fix, 7 and 8 are coming. There is an official announcement on the FreeBSD site (quote below). Not sure about NetBSD, but DragonFly seems to have published some patches. Looks quite extensive :( https://www.phoronix.com/scan.php?page=news_item&px=DragonFly-Meltdown-Fixed " About the Meltdown and Spectre attacks: FreeBSD was made aware of the problems in late December 2017. We're working with CPU vendors and the published papers on these attacks to mitigate them on FreeBSD. Due to the fundamental nature of the attacks, no estimate is yet available for the publication date of patches." 
---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@freebsd.org Fri Jan 5 19:37:18 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 91EA0EBC262; Fri, 5 Jan 2018 19:37:18 +0000 (UTC) (envelope-from kmacybsd@gmail.com) Received: from mail-oi0-x244.google.com (mail-oi0-x244.google.com [IPv6:2607:f8b0:4003:c06::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 50BC77A4F7; Fri, 5 Jan 2018 19:37:18 +0000 (UTC) (envelope-from kmacybsd@gmail.com) Received: by mail-oi0-x244.google.com with SMTP id j14so3774508oih.3; Fri, 05 Jan 2018 11:37:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=j5Lww5hOJTkHgnR5QlIw9v5SKLLqOgRo4YfIbtQFYNY=; b=YSvKHjrzNa3uzNxadLBIeSbptOZiF6XWNn+K/6xxbYxxmHAj5+zfQtUyUwjwj+BFNH 7gt+qqizXsgyDgTqr+hwK4XRuxIsRDdoo0C7tusyla3b/uM6TGK20KztmKG2M3Y3hz6W FEC0acah+MxEVSjn6NiVZVaCAVScADylhEG3NjIMhKCSszFGvCAMRCeM5dtGAMjroLa2 XOTDCphqH/gxAU+5xJ5OOvzk4aex/lNtUGgQpwxwFoWOXiSud7M43L6GGk2MNNKrQ52q MHHFom8BkpK9EI7E/9gBl0/FzbAgv7qGtJRMOwx/A3P8iTS6HupuPf5GGixr0ClyF62N +ASg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=j5Lww5hOJTkHgnR5QlIw9v5SKLLqOgRo4YfIbtQFYNY=; b=lzET+UPxNoSBeWwbBymKzjfTyW1JKPRm4j4j0GC7IaFWpxzAiyO4cu8vOK4P6kHR6K 
McBGUOV/KxHCqWCADkIjD8ehtk6zjHtPO4G4bgUuaxu0GHBiLYxJYYT9I4kY1778Q4gY RFEUEH57gxq+SdZbHs04F7AfYGeagI025O21RMLqdt0ENc1hWyrKcLsI1xYDY+X/SVVr VypMiEuYBHGvKurAcNhvptHRbkZCOSxMMLAF3OJncho0eKOCPl5Cky3sSDiJ0a/UAirL /jI1irxEbalRVMBoiM33BDpgUcxHJ1ShsQnpgPwO9Sfd3izgvrn4WEx23QbMOIBelqMA 15ZQ== X-Gm-Message-State: AKGB3mIY3HV5Suq6vzxgaAim+/eqSfKjgmuT9CU40eWHCE/443KPWPtf ZyzWuyQO4H+S/B2kK8D+Se4l0EcIJPiE8JQa7aIxSg== X-Google-Smtp-Source: ACJfBovkWnm66+zvXb4XM73KT3niZsopBq7jwSyGn99gc6HbVmGi9ZgcIyGONAzc/eDT05C0HccurmJpmrajRkmJ3Vs= X-Received: by 10.202.57.87 with SMTP id g84mr2035556oia.201.1515181037442; Fri, 05 Jan 2018 11:37:17 -0800 (PST) MIME-Version: 1.0 Sender: kmacybsd@gmail.com Received: by 10.157.88.201 with HTTP; Fri, 5 Jan 2018 11:37:17 -0800 (PST) In-Reply-To: <20180105191145.404BC335@spqr.komquats.com> References: <20180105191145.404BC335@spqr.komquats.com> From: "K. Macy" Date: Fri, 5 Jan 2018 11:37:17 -0800 X-Google-Sender-Auth: YcqGLBjADoDtXpu6XXvSQHD1BXU Message-ID: Subject: Re: Intel hardware bug To: Cy Schubert Cc: Eric McCorkle , Jules Gilbert , "Ronald F. Guilmette" , Freebsd Security , Brett Glass , =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Fri, 05 Jan 2018 21:41:51 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 19:37:18 -0000 On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert wr= ote: > According to a Red Hat announcement, Power and Series z are also vulnerab= le. > Link? > --- > > -----Original Message----- > From: Eric McCorkle > Sent: 05/01/2018 04:48 > To: Jules Gilbert; Ronald F. 
Guilmette; Freebsd Security; Brett Glass; Da= g-Erling Sm=C3=B8rgrav; Poul-Henning Kamp; freebsd-arch@freebsd.org; FreeBS= D Hackers; Shawn Webb; Nathan Whitehorn > Subject: Re: Intel hardware bug > > On 01/05/2018 05:07, Jules Gilbert wrote: >> Sorry guys, you just convinced me that no one, not the NSA, not the FSB, >> no one!, has in the past, or will in the future be able to exploit this >> to actually do something not nice. > > Attacks have already been demonstrated, pulling secrets out of kernel > space with meltdown and http headers/passwords out of a browser with > spectre. Javascript PoCs are already in existence, and we can expect > them to find their way into adware-based malware within a week or two. > > Also, I'd be willing to bet you a year's rent that certain three-letter > organizations have known about and used this for some time. > >> So what is this, really?, it's a market exploit opportunity for AMD. > > Don't bet on it. There's reports of AMD vulnerabilities, also for ARM. > I doubt any major architecture is going to make it out unscathed. 
(But > if one does, my money's on Power) > _______________________________________________ > freebsd-arch@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-arch > To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-arch@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-arch > To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Fri Jan 5 19:47:46 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C2408EBC993; Fri, 5 Jan 2018 19:47:46 +0000 (UTC) (envelope-from kmacybsd@gmail.com) Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7E84F7ABE9; Fri, 5 Jan 2018 19:47:46 +0000 (UTC) (envelope-from kmacybsd@gmail.com) Received: by mail-oi0-x22f.google.com with SMTP id w125so3778605oie.7; Fri, 05 Jan 2018 11:47:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=SBVbEq8aFAKbgpNgZlwITSCuachsMiVKCY3Y34M+Ok4=; b=icbzQZqRsdIYvp/iVR07/aVfxXJdvVjGAQTc2YCbFZv1//6BsJ+m8FXjLFzBDaKDhC 5twVcgXWEBf+gMWd6B7oBvZrZ7k42F3yj4K+SleKcBGU3/XFgjuJ0odnjmKpNSVfq4Et d5RqDi2khJZhkQ7NUwWVEGTg+zgGwJ6fw4y6EetTb9wb/llPeYNX1VKeYFvYxTtCNjnH 1XC17egYymlAixoGDcj4IwXTWAiSXsz5a5jC2F0y9+YEAX7WHc64i/DRAqM2V823keH8 nmjCQREqBKXzUV8V4qDxTnoftESHIibJQkLS8Syadi+2yODgdwyddHZyQUVHhkd5kqdE o/lA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=SBVbEq8aFAKbgpNgZlwITSCuachsMiVKCY3Y34M+Ok4=; b=RITX5oNIw2bMGmQXllVjz9ZJCKiCmIScNR22vQs6jJL9wv+ebQjssS9CUNt9nyZOq3 Ry4BMiDsTwSIfH/n+ppTctlzVzuRcWy4pVgGBv4tDr+IQTRGRSFqQh7uDtodAq4cqd31 qd7dfb82GGVAw2CAQegeosROliTz+ez8yHO/l9VUChIlvU3cBb2iFw5IGrbM+Gb2UAVQ u11yI6yJvBSMNrF3HWNIhQ5wIKCrCu3Lz8139WkHuQq+YDse8XMm2QNrSYHtrTClza4l yMyoIQsXYutUQ6qEIF6e8qMNkEJ/RJauk5XwV/d7pQ+YtFxNd1b2uP7C1KH9gOSG15/e 8u7g== X-Gm-Message-State: AKGB3mJkaqJvEQE9ZS09s+Uap2zgtP9gTFP6gquNpPY22xHJHnpqAZd8 q6pklZL+FJQd9dfAa0c6F91pVQB70zjwKRye/zs= X-Google-Smtp-Source: ACJfBosiwiG1zx9hC6ZAi3zdYyVSAHiUbRLdW3Spf9Ljt82P0aumoVmMV+GWR08/NJk62dzyCnAj++/kie4Izd5IrcE= X-Received: by 10.202.57.87 with SMTP id g84mr2049019oia.201.1515181665680; Fri, 05 Jan 2018 11:47:45 -0800 (PST) MIME-Version: 1.0 Sender: kmacybsd@gmail.com Received: by 10.157.88.201 with HTTP; Fri, 5 Jan 2018 11:47:45 -0800 (PST) In-Reply-To: References: <20180105191145.404BC335@spqr.komquats.com> From: "K. Macy" Date: Fri, 5 Jan 2018 11:47:45 -0800 X-Google-Sender-Auth: bznOiYGbOMhIL_8UvY7BwimpOhY Message-ID: Subject: Re: Intel hardware bug To: Cy Schubert Cc: Eric McCorkle , Jules Gilbert , "Ronald F. Guilmette" , Freebsd Security , Brett Glass , =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= , Poul-Henning Kamp , "freebsd-arch@freebsd.org" , FreeBSD Hackers , Shawn Webb , Nathan Whitehorn Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Fri, 05 Jan 2018 21:57:55 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Jan 2018 19:47:46 -0000 On Fri, Jan 5, 2018 at 11:37 AM, K. 
Macy wrote: > On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert = wrote: >> According to a Red Hat announcement, Power and Series z are also vulnera= ble. >> > > Link? Spectre yes. Meltdown no. Spectre is a problem but much harder to exploit. It's Intel's handling of meltdown that is seriously grounds for table flipping. https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ > > >> --- >> >> -----Original Message----- >> From: Eric McCorkle >> Sent: 05/01/2018 04:48 >> To: Jules Gilbert; Ronald F. Guilmette; Freebsd Security; Brett Glass; D= ag-Erling Sm=C3=B8rgrav; Poul-Henning Kamp; freebsd-arch@freebsd.org; FreeB= SD Hackers; Shawn Webb; Nathan Whitehorn >> Subject: Re: Intel hardware bug >> >> On 01/05/2018 05:07, Jules Gilbert wrote: >>> Sorry guys, you just convinced me that no one, not the NSA, not the FSB= , >>> no one!, has in the past, or will in the future be able to exploit this >>> to actually do something not nice. >> >> Attacks have already been demonstrated, pulling secrets out of kernel >> space with meltdown and http headers/passwords out of a browser with >> spectre. Javascript PoCs are already in existence, and we can expect >> them to find their way into adware-based malware within a week or two. >> >> Also, I'd be willing to bet you a year's rent that certain three-letter >> organizations have known about and used this for some time. >> >>> So what is this, really?, it's a market exploit opportunity for AMD. >> >> Don't bet on it. There's reports of AMD vulnerabilities, also for ARM. >> I doubt any major architecture is going to make it out unscathed. 
(But >> if one does, my money's on Power) >> _______________________________________________ >> freebsd-arch@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-arch >> To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org" >> >> _______________________________________________ >> freebsd-arch@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-arch >> To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Fri Jan 5 19:47:48 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 278A4EBC99B; Fri, 5 Jan 2018 19:47:48 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id BFA097ABEA; Fri, 5 Jan 2018 19:47:47 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from spqr.komquats.com ([96.50.22.10]) by shaw.ca with ESMTPA id XXxxeF6ugS7BpXXxyeXg6c; Fri, 05 Jan 2018 12:47:46 -0700 X-Authority-Analysis: v=2.2 cv=NKylwwyg c=1 sm=1 tr=0 a=jvE2nwUzI0ECrNeyr98KWA==:117 a=jvE2nwUzI0ECrNeyr98KWA==:17 a=RgaUWeydRksA:10 a=20KFwNOVAAAA:8 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=uzSovi_1LZDTydRZN2AA:9 a=8J4chuak_uIRPK4g:21 a=pVYAQAJm03auPRN6:21 a=QEXdDO2ut3YA:10 a=MMjiIUenpLf6ge6zeOQA:9 a=ZsGH8CjA44_So7fI:21 a=I18adWnKP6q6kCHM:21 a=Th99hHS62kTuvYDY:21 a=_W_S_7VecoQA:10 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 Received: from [10.168.3.146] (S0106d4ca6d8943b0.gv.shawcable.net [70.66.132.207]) by spqr.komquats.com (Postfix) with ESMTPSA id EAFBB3EA; Fri, 5 Jan 2018 11:47:43 -0800 (PST) MIME-Version: 1.0 From: Cy Schubert Subject: RE: Intel hardware bug Date: 
Fri, 5 Jan 2018 11:47:49 -0800
To: K. Macy, Cy Schubert
Cc: Eric McCorkle, Jules Gilbert, Ronald F. Guilmette, Freebsd Security, Brett Glass, Dag-Erling Smørgrav, Poul-Henning Kamp, freebsd-arch@freebsd.org, FreeBSD Hackers, Shawn Webb, Nathan Whitehorn
Message-Id: <20180105194743.EAFBB3EA@spqr.komquats.com>

https://access.redhat.com/security/vulnerabilities/speculativeexecution?sc_cid=701f2000000tsLNAAY&

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. Also, this old phone only supports top post. Apologies.
Cy Schubert
or
The need of the many outweighs the greed of the few.
---

-----Original Message-----
From: K. Macy
Sent: 05/01/2018 11:37
To: Cy Schubert
Cc: Eric McCorkle; Jules Gilbert; Ronald F. Guilmette; Freebsd Security; Brett Glass; Dag-Erling Smørgrav; Poul-Henning Kamp; freebsd-arch@freebsd.org; FreeBSD Hackers; Shawn Webb; Nathan Whitehorn
Subject: Re: Intel hardware bug

On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert wrote:
> According to a Red Hat announcement, Power and Series z are also vulnerable.
>
Link?
>
> ---
>
> -----Original Message-----
> From: Eric McCorkle
> Sent: 05/01/2018 04:48
> To: Jules Gilbert; Ronald F. Guilmette; Freebsd Security; Brett Glass; Dag-Erling Smørgrav; Poul-Henning Kamp; freebsd-arch@freebsd.org; FreeBSD Hackers; Shawn Webb; Nathan Whitehorn
> Subject: Re: Intel hardware bug
>
> On 01/05/2018 05:07, Jules Gilbert wrote:
>> Sorry guys, you just convinced me that no one, not the NSA, not the FSB,
>> no one!, has in the past, or will in the future be able to exploit this
>> to actually do something not nice.
>
> Attacks have already been demonstrated, pulling secrets out of kernel
> space with meltdown and http headers/passwords out of a browser with
> spectre. Javascript PoCs are already in existence, and we can expect
> them to find their way into adware-based malware within a week or two.
>
> Also, I'd be willing to bet you a year's rent that certain three-letter
> organizations have known about and used this for some time.
>
>> So what is this, really?, it's a market exploit opportunity for AMD.
>
> Don't bet on it. There's reports of AMD vulnerabilities, also for ARM.
> I doubt any major architecture is going to make it out unscathed. (But
> if one does, my money's on Power)
> _______________________________________________
> freebsd-arch@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-arch
> To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Fri Jan 5 19:53:44 2018
From: Freddie Cash
Date: Fri, 5 Jan 2018 11:53:39 -0800
Subject: Re: Intel hardware bug
To: Cy Schubert
Cc: Freebsd Security, freebsd-arch@freebsd.org, FreeBSD Hackers
In-Reply-To: <20180105191145.404BC335@spqr.komquats.com>

On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert wrote:
> According to a Red Hat announcement, Power and Series z are also
> vulnerable.

There's a lot of confusion in the media, press releases, and announcements due to conflating Spectre and Meltdown.

Meltdown (aka CVE-2017-5754) is the issue that affects virtually all Intel CPUs and specific ARM Cortex-A CPUs. This allows read-access to kernel memory from unprivileged processes (ring 3 apps get read access to ring 0 memory). IBM POWER, Oracle Sparc, and AMD Zen are not affected by this issue as they provide proper separation between kernel memory maps and userland memory maps; or they aren't OoO architectures that use speculative execution in this manner.

Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to read memory assigned to other userland processes (but does NOT give access to kernel memory).

IOW, POWER and Sparc are vulnerable to Spectre, but not vulnerable to Meltdown.

-- 
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-security@freebsd.org Fri Jan 5 20:20:18 2018
Subject: Re: Intel hardware bug
To: Freddie Cash
Cc: Freebsd Security, FreeBSD Hackers, freebsd-arch@freebsd.org
References: <20180105191145.404BC335@spqr.komquats.com>
From: Jan Knepper
Message-ID: <65e5dcae-b973-a54e-868e-bdc4abf007cb@digitaldaemon.com>
Date: Fri, 5 Jan 2018 15:12:50 -0500

Thank you!

The news indeed does not properly understand the difference, nor which problem affects which hardware/CPU and in many ways acts like it is "the end of the world".

On 01/05/2018 14:53, Freddie Cash wrote:
> On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert wrote:
>
>> According to a Red Hat announcement, Power and Series z are also
>> vulnerable.
>>
> There's a lot of confusion in the media, press releases, and announcements
> due to conflating Spectre and Meltdown.
>
> Meltdown (aka CVE-2017-5754) is the issue that affects virtually all Intel
> CPUs and specific ARM Cortex-A CPUs. This allows read-access to kernel
> memory from unprivileged processes (ring 3 apps get read access to ring 0
> memory). IBM POWER, Oracle Sparc, and AMD Zen are not affected by this
> issue as they provide proper separation between kernel memory maps and
> userland memory maps; or they aren't OoO architectures that use speculative
> execution in this manner.
>
> Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all
> CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to
> read memory assigned to other userland processes (but does NOT give access
> to kernel memory).
>
> IOW, POWER and Sparc are vulnerable to Spectre, but not vulnerable to
> Meltdown.
>

From owner-freebsd-security@freebsd.org Fri Jan 5 21:01:59 2018
From: Adam Vande More
Date: Fri, 5 Jan 2018 15:01:57 -0600
Subject: Re: Intel hardware bug
To: K. Macy
Cc: Cy Schubert, Eric McCorkle, FreeBSD Hackers, freebsd-arch@freebsd.org, Shawn Webb, Freebsd Security, Poul-Henning Kamp, Nathan Whitehorn, Ronald F. Guilmette, Dag-Erling Smørgrav, Brett Glass, Jules Gilbert
References: <20180105191145.404BC335@spqr.komquats.com>

On Fri, Jan 5, 2018 at 1:37 PM, K. Macy wrote:
> On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert wrote:
> > According to a Red Hat announcement, Power and Series z are also
> > vulnerable.
> >
>
> Link?
>
https://access.redhat.com/security/vulnerabilities/speculativeexecution

-- 
Adam

From owner-freebsd-security@freebsd.org Sat Jan 6 00:50:21 2018
Date: Fri, 5 Jan 2018 16:50:12 -0800 (PST)
From: Don Lewis
Subject: Re: Intel hardware bug
To: Ronald F. Guilmette
cc: Freebsd Security
In-Reply-To: <5241.1515183470@segfault.tristatelogic.com>
References: <5241.1515183470@segfault.tristatelogic.com>

On 5 Jan, Ronald F. Guilmette wrote:
>
> In message look.com>, Andrew Duane wrote:
>
>>I wouldn't think Javascript would have the accurate timing required to leverage
>>this attack, but I don't really know enough about the language.
>
> This brings up something I have been wondering about, although my guess is
> that much greater minds than mine have already considered this possible
> mitigation...
>
> If the meltdown or spectre (or both) attacks are based on careful analysis
> of timing information, following a memory fault, then why just introduce
> a very tiny delay, of randomized duration, in the relevant kernel fault handler,
> following each such fault?

It's not the fault timing that matters. The time that matters is the
difference in access time between a cache hit and a cache miss. Whether
or not you get a cache hit vs. a cache miss is dependent on whether the
speculative execution filled that particular cache line, and that depends
on the value of the data that the exploit code is trying to exfiltrate.
Since the code is being executed speculatively, a fault only halts the
speculative execution at that point and doesn't actually result in a call
to the fault handler because the CPU eventually figures out that that
execution path would not be taken after all due to some earlier condition
that it eventually resolves. That tosses all of the CPU state associated
with the speculative execution path, but the cache state remains as a
leftover side effect.
From owner-freebsd-security@freebsd.org Sat Jan 6 19:55:17 2018
Date: Sat, 6 Jan 2018 11:55:11 -0800
From: John-Mark Gurney
To: Freddie Cash
Cc: Freebsd Security, FreeBSD Hackers, freebsd-arch@freebsd.org
Subject: Re: Intel hardware bug
Message-ID: <20180106195510.GH75576@funkthat.com>
References: <20180105191145.404BC335@spqr.komquats.com>
X-Operating-System: FreeBSD 11.0-RELEASE-p7 amd64

Freddie Cash wrote this message on Fri, Jan 05, 2018 at 11:53 -0800:
> Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all
> CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to
> read memory assigned to other userland processes (but does NOT give access
> to kernel memory).

No, Spectre does not allow one userland process to read another userland
process's memory.. It allows an attacker to read any memory within the
same process..

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
From owner-freebsd-security@freebsd.org Sat Jan 6 20:14:20 2018
Date: Sat, 6 Jan 2018 12:14:18 -0800
From: John-Mark Gurney
To: Ronald F. Guilmette
Cc: Freebsd Security
Subject: Re: Intel hardware bug
Message-ID: <20180106201418.GI75576@funkthat.com>
In-Reply-To: <5241.1515183470@segfault.tristatelogic.com>
References: <5241.1515183470@segfault.tristatelogic.com>
X-Operating-System: FreeBSD 11.0-RELEASE-p7 amd64

Ronald F. Guilmette wrote this message on Fri, Jan 05, 2018 at 12:17 -0800:
> If the meltdown or spectre (or both) attacks are based on careful analysis
> of timing information, following a memory fault, then why just introduce
> a very tiny delay, of randomized duration, in the relevant kernel fault handler,
> following each such fault?

Randomization only makes it harder, not impossible to detect the timing
impact. You just need to collect more samples to average out the noise.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
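The two replies to the random-delay proposal (Don Lewis: the signal is the hit-versus-miss latency of a probe line, not the timing of the fault; John-Mark Gurney: a randomized delay only raises the number of samples needed) can be checked with a small statistical model. The Python below is an added illustration written for this page, not code from the thread, from FreeBSD or from any of the posters. It models the channel abstractly: the hit and miss latencies, the measurement noise and the delay range are constructed assumptions, and nothing in it touches a real cache.

```python
"""Model of why a randomized delay does not hide a cache-timing signal.

Added illustration for this page; not code from the FreeBSD thread.
All latency and noise figures are constructed for the model, not
measurements of any CPU.
"""
import random

# Constructed model parameters (assumptions, not measured values).
HIT_CYCLES = 40       # probe line was filled by the speculative path
MISS_CYCLES = 200     # probe line was left untouched
NOISE_SIGMA = 15      # ordinary measurement noise of one timing sample


def timed_probe(line_cached: bool, max_delay: float, rng: random.Random) -> float:
    """One observation of the probe line's access time.

    The only information in the sample is hit vs. miss latency (the fault
    itself never reaches a handler on the speculative path). max_delay
    models the proposed mitigation: an extra delay drawn uniformly from
    [0, max_delay] is added to every observation.
    """
    base = HIT_CYCLES if line_cached else MISS_CYCLES
    return base + rng.gauss(0, NOISE_SIGMA) + rng.uniform(0, max_delay)


def mean_probe_time(line_cached: bool, n_samples: int, max_delay: float,
                    rng: random.Random) -> float:
    """Average of n_samples observations of the same cache state."""
    return sum(timed_probe(line_cached, max_delay, rng)
               for _ in range(n_samples)) / n_samples


def calibrate_threshold(max_delay: float, rng: random.Random,
                        n_samples: int = 4000) -> float:
    """Midpoint between the average hit and average miss time under the
    same delay regime. The added delay shifts both averages by the same
    amount, so the midpoint shifts with them and keeps separating them."""
    hit = mean_probe_time(True, n_samples, max_delay, rng)
    miss = mean_probe_time(False, n_samples, max_delay, rng)
    return (hit + miss) / 2


def recovery_rate(max_delay: float, n_samples: int, trials: int = 400,
                  seed: int = 1) -> float:
    """Fraction of trials in which the cache state (one leaked bit) is
    inferred correctly from n_samples averaged observations."""
    rng = random.Random(seed)
    threshold = calibrate_threshold(max_delay, rng)
    correct = 0
    for _ in range(trials):
        state = rng.random() < 0.5                # the bit being leaked
        avg = mean_probe_time(state, n_samples, max_delay, rng)
        guessed_cached = avg < threshold
        correct += guessed_cached == state
    return correct / trials


if __name__ == "__main__":
    # No delay: a single sample already separates hit from miss.
    print("no delay, 1 sample:       ", recovery_rate(0, 1))
    # Randomized delay up to 2000 cycles: one sample is near a coin flip...
    print("delay<=2000, 1 sample:    ", recovery_rate(2000, 1))
    # ...but averaging 1000 samples removes the added noise again.
    print("delay<=2000, 1000 samples:", recovery_rate(2000, 1000))
```

With the constructed figures, a delay fifty times larger than the hit/miss gap drops single-sample recovery to roughly 54%, and a thousand averaged samples bring it back above 99%. The delay adds variance but not bias, so averaging removes it; only removing the leftover cache state, or the mapping that makes it reachable (the kernel/userland separation mentioned earlier in the thread), removes the signal itself.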
From owner-freebsd-security@freebsd.org Sat Jan 6 22:55:45 2018
Subject: Re: Re "Intel responds to security research findings"
To: freebsd-security@freebsd.org
From: Dirk Engling
Message-ID: <8ad62a54-cfc4-6d97-4045-303e6ee7806d@erdgeist.org>
Date: Sat, 6 Jan 2018 23:48:58 +0100

On 03.01.18 22:14, Ed Maste wrote:
> The FreeBSD Security Team recently learned of the details of these
> issues that affect certain CPUs.

Can you say, at what day you were informed?

  erdgeist