Meltdown and Spectre patches for NixOS #33414

Closed
vaibhavsagar opened this Issue Jan 4, 2018 · 22 comments

vaibhavsagar (Contributor) commented Jan 4, 2018

Issue description

A quick skim of the commit log seems to indicate that these patches are not in NixOS 17.09. Can someone confirm/deny?

Steps to reproduce

Technical details

  • system: "x86_64-linux"
  • host os: Linux 4.9.66, NixOS, 17.09.2281.b4a0c011e81 (Hummingbird)
  • multi-user?: yes
  • sandbox: no
  • version: nix-env (Nix) 1.11.15
  • channels(vaibhavsagar): "nixpkgs-unstable-18.03pre121255.45a85eaceb"
  • channels(root): "nixos-17.09.2356.cb751f9b1c3"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs
grahamc (Member) commented Jan 4, 2018

The release-17.09 and unstable branches both have the update to the latest kernel (4.14.11), 1e129a3 / dd396ef, which I believe does include the KPTI / KAISER patches.

The nixos-17.09 channel has been updated to include the patch, but Unstable has not yet updated.

As far as I know, upstream 4.9 and 4.4 do not include these patches yet, and NixOS hasn't applied the patches either. If you'd like to help please do :)

grahamc (Member) commented Jan 4, 2018

To be clear: You can get the patched kernel via:

boot.kernelPackages = pkgs.linuxPackages_latest;

rnhmjoj (Contributor) commented Jan 4, 2018

The patch for meltdown is called KPTI and should have been merged in kernel 4.15rc6 and backported to 4.14.11, which is in nixpkgs since 1e129a3.

It seems there are no patches for spectre yet. No single patch will mitigate this attack anyway.

rnhmjoj (Contributor) commented Jan 4, 2018

I think we should track the spectre patches as they are released.
Updates for chromium and Firefox should come soon.

Update:
People are working on a series of patches to mitigate spectre called "retpoline".
Links for: kernel, LLVM and GCC.

Ekleog (Member) commented Jan 4, 2018

https://twitter.com/olesovhcom/status/948886345547644928 and CESA-2018:0007 (for CentOS) appear to imply that there are microcode updates that are available for mitigating at least part of spectre, if I understand correctly?

rnhmjoj (Contributor) commented Jan 5, 2018

Firefox updates: #33456

edolstra (Member) commented Jan 5, 2018

Master and 17.09 now have updated 4.4, 4.9 and 4.14 kernels containing KPTI.

edolstra (Member) commented Jan 5, 2018

Once the 17.09 channel updates, I'll generate new AMIs.

fpletz (Member) commented Jan 5, 2018

I'm currently working on the microcode updates. Intel has not released updates yet but Red Hat has already released them.

qrilka commented Jan 5, 2018

Any hint why nixos-unstable is still on a commit from the 2nd of January?

rnhmjoj (Contributor) commented Jan 5, 2018

@qrilka Failing tests.

grahamc (Member) commented Jan 6, 2018

nixos-17.09 and nixos-17.09-small now have KPTI patches on 4.4, 4.9, and 4.14.

bendlas (Contributor) commented Jan 8, 2018

Users of chromium 63 (current stable) should enable the site isolation flag until 64 is stable:
https://support.google.com/faqs/answer/7622138#chrome

ckauhaus referenced this issue Jan 9, 2018: Vulnerability Roundup 31 #33470 (Closed, 7 of 11 tasks complete)
concatime (Contributor) commented Jan 10, 2018

@fpletz Intel released the microcode. Take a look at https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File.
I tried to apply it manually, and realised that there is no /lib/firmware… lol

vcunat (Member) commented Jan 10, 2018

Nixos-unstable now has the kernel updates, etc. Microcode was just now updated on both branches: #33684

vcunat closed this Jan 10, 2018

aij (Contributor) commented Jan 10, 2018

I see the microcode update got cherry-picked to nixos-17.09 too (ea1cf95), but there is still nothing on nix-security-announce.

What's the expected timeline for security announcements?

gnidorah (Contributor) commented Jan 10, 2018

Considering that these patches have noticeable impact on performance:
https://access.redhat.com/articles/3311301
https://twitter.com/grsecurity/status/947260475305213953
We may land linuxPackages_weak (a reference to linuxPackages_hardened 😅) someday with all of them disabled.

CMCDragonkai (Contributor) commented Jan 11, 2018

@gnidorah do those tunables work on NixOS as well?

gnidorah (Contributor) commented Jan 11, 2018

@CMCDragonkai For the Meltdown patch, "nopti" should work; however, the Grsecurity company states that it doesn't disable KPTI completely: https://twitter.com/grsecurity/status/947260475305213953 This info needs to be checked.
AFAIK the other patches have not been mainlined yet, but should have similar knobs. (It's just that some vendors like Red Hat applied these patches earlier.)

falsifian (Contributor) commented Jan 12, 2018

EDIT: please ignore this comment; I have an AMD CPU

Is KPTI disabled by default? It seems to be on my system (release-17.09):

james angel-nixos ~ $ dmesg|grep isolation
[    0.000000] Kernel/User page tables isolation: disabled
james angel-nixos ~ $ uname -r
4.9.75

If this isn't just some quirk of my own setup, should we consider enabling it by default? I had assumed I was safe after just updating, until I decided to double-check.
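The check falsifian ran above (grep dmesg for the "page tables isolation" line) and the "nopti" knob gnidorah mentions are easy to get wrong by hand: on an AMD CPU the kernel reports KPTI as disabled because it is not needed, and "nopti" or "pti=off" on the kernel command line silently turn the mitigation off. The script below is an added example written for this thread, not code from the issue or from nixpkgs. It classifies the dmesg line with the CPU vendor taken into account, scans the kernel command line for the opt-out parameters, and on live systems prefers the sysfs files under /sys/devices/system/cpu/vulnerabilities/ where the kernel provides them (newer kernels than the 4.9.75 shown above). The function names kpti_status, cmdline_has_nopti, live_report and demo are assumptions of this example, and the sample dmesg lines inside are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the NixOS issue thread): report Meltdown/KPTI
# mitigation status from dmesg output and the kernel command line, and
# from sysfs when the kernel exposes /sys/devices/system/cpu/vulnerabilities.

# kpti_status DMESG_TEXT CPU_VENDOR
# Prints one of: enabled | not-needed | disabled | unknown
# "not-needed" covers the case from the thread: AMD CPUs are not affected
# by Meltdown, so the kernel deliberately leaves KPTI off on them.
kpti_status() {
  dmesg_text=$1
  vendor=$2
  line=$(printf '%s\n' "$dmesg_text" | grep -i 'page tables isolation' | head -n 1)
  case "$line" in
    *disabled*)
      if [ "$vendor" = "AuthenticAMD" ]; then echo not-needed; else echo disabled; fi ;;
    *enabled*)
      echo enabled ;;
    *)
      echo unknown ;;
  esac
}

# cmdline_has_nopti CMDLINE
# Succeeds (exit 0) if the kernel command line contains an opt-out parameter
# that disables KPTI ("nopti" or "pti=off"), fails otherwise.
cmdline_has_nopti() {
  for word in $1; do
    case "$word" in
      nopti|pti=off) return 0 ;;
    esac
  done
  return 1
}

# live_report: run the checks against the current machine.
live_report() {
  vulndir=/sys/devices/system/cpu/vulnerabilities
  if [ -d "$vulndir" ]; then
    # Kernels with the sysfs interface report every known issue directly.
    for f in "$vulndir"/*; do
      printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
  else
    # Older kernels (like the 4.9 series in the thread) only log the dmesg line.
    vendor=$(awk -F': ' '/^vendor_id/ {print $2; exit}' /proc/cpuinfo 2>/dev/null)
    printf 'kpti: %s\n' "$(kpti_status "$(dmesg 2>/dev/null)" "$vendor")"
  fi
  if cmdline_has_nopti "$(cat /proc/cmdline 2>/dev/null)"; then
    echo 'warning: KPTI is disabled on the kernel command line'
  fi
}

# demo: classify a constructed dmesg excerpt modelled on the line quoted in
# the thread, for an Intel CPU with KPTI turned off on the command line.
demo() {
  sample_dmesg='[    0.000000] Linux version 4.9.75 (constructed sample)
[    0.000000] Kernel/User page tables isolation: disabled'
  sample_cmdline='BOOT_IMAGE=/nix/store/...-linux-4.9.75/bzImage nopti loglevel=4'
  status=$(kpti_status "$sample_dmesg" GenuineIntel)
  if cmdline_has_nopti "$sample_cmdline"; then
    echo "$status (nopti on command line)"
  else
    echo "$status"
  fi
}

if [ "${1:-}" = "--live" ]; then
  live_report
else
  demo
fi
```

Run it with no arguments to see the constructed sample classified, or with --live to check the machine it runs on; "disabled" on an Intel CPU without an opt-out parameter means the running kernel simply lacks the backport, which was falsifian's original worry.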

fpletz added a commit that referenced this issue Jan 29, 2018

Revert "microcodeIntel: 20171117 -> 20170108"
This reverts commit 9b7ef9c.

Intel recommends stopping deployment of the updated microcode as it
introduces unexpected system behaviour on many platforms.

See https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

cc #33414

(cherry picked from commit 393e39e)

fpletz added a commit that referenced this issue Jan 29, 2018

Revert "microcodeIntel: 20171117 -> 20170108"
This reverts commit 9b7ef9c.

Intel recommends stopping deployment of the updated microcode as it
introduces unexpected system behaviour on many platforms.

See https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

cc #33414

fpletz (Member) commented Jan 29, 2018

I've reverted the Intel microcode update because Intel recommends stopping deployment of the updated microcode as it introduces unexpected system behaviour on many platforms.

See https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr.

concatime (Contributor) commented Jan 29, 2018

Dear intel.
