Bug 1163120 - No mitigations for CPU vulnerabilities
No mitigations for CPU vulnerabilities
Status: RESOLVED UPSTREAM
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Kernel
Current
i686 Other
: P5 - None : Major (vote)
: ---
Assigned To: openSUSE Kernel Bugs
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-07 10:22 UTC by Suse User
Modified: 2020-12-04 08:08 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CPU and vulnerability info (3.70 KB, text/plain)
2020-02-07 10:22 UTC, Suse User
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Suse User 2020-02-07 10:22:25 UTC
Created attachment 829621 [details]
CPU and vulnerability info

The CPU 'Intel(R) Celeron(R) M processor' remains not fully mitigated and vulnerable to:

itlb_multihit
mds
spec_store_bypass

Attaching CPU info.
Comment 1 Borislav Petkov 2020-02-07 22:05:33 UTC
That's a very old CPU so I don't think you'll ever get microcode for SSB and MDS mitigations to work.

The ITLB multihit thing needs KVM but your CPU doesn't even have hardware virtualization support. But if you don't run guests on it, I wouldn't worry about it.

HTH.
Comment 2 Suse User 2020-02-08 09:22:36 UTC
What about kernel-level mitigations? Are these impossible, i.e. is microcode the only way to mitigate the remaining vulnerabilities?

> But if you don't run guests on it, I wouldn't worry about it.

What about web JavaScript? I have read (and seen Google's presentation) that it is possible web JS to read the RAM. This is quite worrying.
Comment 3 Borislav Petkov 2020-02-08 10:42:03 UTC
(In reply to Suse User from comment #2)
> What about kernel-level mitigations? Are these impossible, i.e. is microcode
> the only way to mitigate the remaining vulnerabilities?

Yes.

> What about web JavaScript? I have read (and seen Google's presentation) that
> it is possible web JS to read the RAM. This is quite worrying.

Which presentation is that? Link?
Comment 4 Suse User 2020-02-08 21:16:41 UTC
> Yes.

That's quite unfortunate.

> Which presentation is that? Link?

https://spectreattack.com/spectre.pdf
https://invidio.us/watch?v=6O8LTwVfTVs

I also asked about this on LKML hoping for some clarity from experts but unfortunately got zero replies (and unsubscribed from that list):

https://lkml.org/lkml/2019/12/8/205

I would really appreciate if you could direct me to the right info (or the right place to ask).
Comment 5 Borislav Petkov 2020-02-09 00:38:34 UTC
(In reply to Suse User from comment #4)
> https://spectreattack.com/spectre.pdf
> https://invidio.us/watch?v=6O8LTwVfTVs

I think you misunderstood. My comment about running guests was about the ITLB multihit thing. The pointers you gave are about Spectre and Meltdown - which are not the ITLB multihit thing and they are not part of your question in the description. So what exactly are you asking?
Comment 6 Suse User 2020-02-09 09:29:33 UTC
I suppose the confusion comes from this bug report being about other vulnerabilities too (as seen in the initial attachment):

# with kernel-default:

- l1tf
- mds
- meltdown
- spectre store bypass
+ itlb multihit

# with kernel-pae (fewer but still not fully mitigated):

- mds
- spectre store bypass
+ itlb multihit

Considering this difference between kernel-default and kernel-pae + the fact that the microcode is the same whether I use either kernel: I thought that some of the vulnerabilities are not just a matter of microcode but kernel level mitigations exists.

> So what exactly are you asking?

(1) After the above clarification, I suppose you can have a second look to my previous question.

> > What about kernel-level mitigations? Are these impossible, i.e. is microcode
> > the only way to mitigate the remaining vulnerabilities?

(2) My other question is:

https://lkml.org/lkml/2019/12/8/205

*I understand (2) and the answer to it may be considered off-topic to this bug report but I still hope you could shed some light on it too (in direct email is fine too, if you think it would be more appropriate).
Comment 7 Borislav Petkov 2020-02-09 09:44:25 UTC
(In reply to Suse User from comment #6)
> (1) After the above clarification, I suppose you can have a second look to
> my previous question.

Hardly a clarification because I still have no clue what exactly you're
asking. If you want an answer to something, please formulate it as an
exact question.

> (2) My other question is:
> 
> https://lkml.org/lkml/2019/12/8/205
> 
> *I understand (2) and the answer to it may be considered off-topic to this
> bug report but I still hope you could shed some light on it too (in direct
> email is fine too, if you think it would be more appropriate).

AFAIU, you're asking whether you can do something additional as a user
in case Spectre and Meltdown are not mitigated on your CPU. But they
*are* mitigated, on *your* machine:

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
Comment 8 Suse User 2020-02-09 11:55:03 UTC
> If you want an answer to something, please formulate it as an
> exact question.

- Why are L1TF and Meltdown not mitigated in kernel-default but only in
  kernel-pae?

- Is it possible to mitigate MDS and 'Spec store bypass' through kernel
  or only through microcode?

- Can L1TF, MDS or 'Spec store bypass' be exploited through web
  JavaScript, like shown in the video/papers?

> AFAIU, you're asking whether you can do something additional as a user
> in case Spectre and Meltdown are not mitigated on your CPU. But they
> *are* mitigated, on *your* machine:

The 2-part general question asked on LKML is about any system with a
vulnerable CPU hradware. It arises from the following:

A. Mitigations for some systems may not exist
B. Mitigations may exist but they are not complete fixes, as papers say
C. Browser-level mitigations are like B.

Therefore:

D. Web JavaScript (and WebAssemby) can be dangerous and one cannot
possibly verify manually each and every script while browsing the web

E. Unfortunately there are websites which don't work with JS disabled

Based on that I have formulated the 2 questions on LKML:

https://lkml.org/lkml/2019/12/8/205
Comment 9 Borislav Petkov 2020-02-09 15:41:49 UTC
> - Why are L1TF and Meltdown not mitigated in kernel-default but only in
>   kernel-pae?

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=61a6bd83abf2f14b2a917b6a0279c88d299267af

> - Is it possible to mitigate MDS and 'Spec store bypass' through kernel
>   or only through microcode?

As previously stated, only through microcode update.

> - Can L1TF, MDS or 'Spec store bypass' be exploited through web
>   JavaScript, like shown in the video/papers?

L1TF: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html#mitigation-selection-guide
MDS: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#attack-scenarios
SSB: https://software.intel.com/security-software-guidance/software-guidance/speculative-store-bypass

> https://lkml.org/lkml/2019/12/8/205

The section "Process Isolation" here

https://software.intel.com/security-software-guidance/software-guidance/speculative-store-bypass

kinda explains what you need to do.

The section "Web-Browsers" here

https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#attack-scenarios

says that MDS exploitation through JS is highly-unlikely.

The section "Mitigation selection guide" here

https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html#mitigation-selection-guide

says that if you don't use virtualization, the system is protected, as I
already pointed out previously.

And that's all the answers I can give you: I cannot tell you just by
describing what you do whether what you do is absolutely secure. Maybe,
maybe not. I also cannot tell you how likely is a "highly-unlikely"
exploitation. I don't think anyone would give you guarantees here.

What I can tell you is that we do our best to have the kernel up-to-date
and contain the latest mitigations.

I sincerely hope that helps.
Comment 10 Suse User 2020-02-09 17:15:00 UTC
Thank you for this info.

From the answers I understand it is a very complex field in which definitive answers cannot be given. I guess that although some things may be "highly unlikely" it is still a good idea to keep any technology which allows downloading and running unverified/utrusted code disabled by default (be it web JS, WASM or anything else).

I hope RISC-V will change the world of computers. ;)

Thanks!
Comment 11 Borislav Petkov 2020-02-09 18:14:53 UTC
(In reply to Suse User from comment #10)
> Thank you for this info.
> 
> From the answers I understand it is a very complex field in which definitive
> answers cannot be given. I guess that although some things may be "highly
> unlikely" it is still a good idea to keep any technology which allows
> downloading and running unverified/utrusted code disabled by default (be it
> web JS, WASM or anything else).

You can always get a newer CPU for which there is microcode or get an AMD machine which is affected by less issues:

/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected

> I hope RISC-V will change the world of computers. ;)

I wouldn't put my hopes up. I'm pretty sure they'll screw it up in their own way. :-)

Ok, we're done here, closing.
Comment 12 Suse User 2020-02-09 21:13:02 UTC
> You can always get a newer CPU for which there is microcode

Unfortunately a newer CPU means Intel ME (or AMD's analog of it) - something which I am lucky not to have on that old machine which has never had it.

> or get an AMD machine which is affected by less issues:

Which CPU is that please? (Last question, I promise)
Comment 13 Borislav Petkov 2020-02-09 21:16:04 UTC
(In reply to Suse User from comment #12)
> Which CPU is that please? (Last question, I promise)

That is Zen, family 0x17.
Comment 14 Suse User 2020-02-10 08:25:36 UTC
Thank you!
Comment 15 Suse User 2020-03-27 13:49:17 UTC
You said that 'spec store bypass' and MDS can be mitigated only through microcode update.

According to this material which explains that both vulnerabilities are domain-bypass:

https://software.intel.com/security-software-guidance/insights/refined-speculative-execution-terminology

"If a vulnerability is described as having domain-bypass impact, then hardware mitigation, microcode patches and/or software changes to the operating system (OS) or virtual machine monitor (VMM) are often required."

Trying to understand what "and/or" may include I looked at the individual articles for each vulnerability.

This info:

https://software.intel.com/security-software-guidance/software-guidance/speculative-store-bypass#mitigation

says that:

"Speculative store bypass can be mitigated through software-based approaches including process isolation and selective use of LFENCE."

And for MDS:

https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling#mitigation

"For processors that are affected, the mitigation for microarchitectural data sampling issues includes overwriting store buffers, fill buffers, and load ports before transitioning to possibly less-privileged code."

which also sounds like a software mitigation.

I would like to kindly ask the experts here to please review this info and consider the possibility of implementing OS based mitigations which according to Intel are possible.
Comment 16 Miroslav Beneš 2020-07-29 12:38:52 UTC
I believe Boris provided exhaustive answers to your questions. Upstream documentation provides all information about the current implementation of all these mitigations. We try really hard to follow upstream here. If I recall correctly, software mitigations were discussed in some cases, but they were not implemented, because of another issues they have (performance, not reliable and such).

Boris (or someone else) could add more specific info eventually if they like, but I think we're done here.
Comment 17 Suse User 2020-11-27 13:55:48 UTC
> I believe Boris provided exhaustive answers to your questions.

Yes.

> Upstream documentation provides all information about the current implementation of all these mitigations. We try really hard to follow upstream here. If I recall correctly, software mitigations were discussed in some cases, but they were not implemented, because of another issues they have (performance, not reliable and such).

Indeed the documentation provides info and Intel itself confirms that software-based mitigation is possible. Performance hit or not - if it is possible, why not have it and let the user decide whether to enable it or not (e.g. through a boot flag)? There are use cases where security is more important than speed and vice versa. Assuming that only the later is the preferred choice for everyone is not really correct. Let's please not forget that these issues exist exactly because of this such assumption.
Comment 18 Miroslav Beneš 2020-11-30 10:38:29 UTC
You are welcome to report upstream, but I am confident you will fail there, because of the reasons provided here. The microcode mitigation is a standard way to deal with these issues and it is in most cases the only reliable way. Introducing a sub-optimal solution next to the standard one is not how the upstream development works.
Comment 19 Suse User 2020-12-03 12:47:04 UTC
OK, reported upstream:

https://bugzilla.kernel.org/show_bug.cgi?id=210473
Comment 20 Miroslav Beneš 2020-12-04 08:08:55 UTC
And with the upstream report...