On 18/01/18 08:28, Hendrik Boom wrote:
> On Wed, Jan 17, 2018 at 09:25:19PM +0800, Tom Cassidy wrote:
>> You can install the intel-microcode package. AMD processors have a similar
>> amd-microcode package.
>>
>> https://packages.debian.org/intel-microcode
>>
>> It looks like the updated microcode with the latest fixes is currently in
>> Debian testing so I guess you could grab it from there directly and install
>> manually if required.
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886806
>
> Has anyone revealed how this microcode avoids the Spectre problem?
> Does it, for example, disable memory fetch from protected memory?

There is quite a bit of information out there but it's scattered fairly thinly. Note this is my current understanding only.

The microcode doesn't "avoid" the Spectre problem by and in itself. A large part of the fix is implementing extra instructions to inhibit branch prediction under certain circumstances. It is then up to the OS to manage that. The bit people are struggling with right now is that when the microcode is applied, extra processor feature flags appear, so the kernel will need to re-scan the processor flags after an update and deal with the consequential fallout.

That won't itself inhibit the ability for userspace processes to access other process memory. The chief mitigation for that at the moment is the reduction in timer resolution in JavaScript interpreters. That still doesn't prevent malware using it as a vector, but it does make it a *lot* harder for a rogue bit of JavaScript served as an in-page ad from scrounging through the browser process space for your internet banking credentials.

What the microcode fix does do is allow some further mitigation to be applied from the OS perspective, although for people with Haswell and Broadwell variants it'd be wise not to install the microcode until Intel get it fixed.

The most important issue for Spectre is ensuring your browser is up to date (and by up to date I mean the absolute latest version of Firefox). If you use one of the "free" forks, make sure the mitigation has been ported across or disable Javascript full stop.

If you use an Intel processor then make sure you have the OS Meltdown mitigation applied (i.e. KPTI).

Again, my current understanding based on lots of reading and the occasional discussion with people who *do* know better.

Corrections welcome. Hysterical ranting about the closed source nature of microcode >> /dev/null
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
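As an added example (not part of the thread, and not Debian's or the kernel's own tooling), the following script checks the two points the reply raises: whether the kernel has picked up the new feature flags that the microcode exposes, and whether KPTI is active. It reads the `/proc/cpuinfo` "microcode" and "flags" fields and the per-vulnerability files under `/sys/devices/system/cpu/vulnerabilities` (present from Linux 4.15); the flag names ibpb, ibrs, stibp and pti are the ones recent kernels print, and both paths are parameters so the functions can be run against saved or constructed copies.

```shell
#!/bin/sh
# Added example: report the Spectre/Meltdown mitigation state that the kernel
# exposes once updated microcode and KPTI are in place. Paths are arguments so
# the checks can be run against saved copies of /proc/cpuinfo and the
# /sys/devices/system/cpu/vulnerabilities directory (e.g. constructed samples).

# Print the loaded microcode revision of the first CPU listed in a cpuinfo file.
microcode_rev() {
    awk -F': *' '$1 ~ /^microcode/ { print $2; exit }' "$1"
}

# Print "present" or "missing" for one flag in the cpuinfo "flags" line.
# Whole-word match, so asking for "pti" does not match flags that contain it.
has_flag() {
    if awk -F': *' '$1 ~ /^flags/ { print $2; exit }' "$1" |
            tr ' ' '\n' | grep -qx -- "$2"; then
        echo present
    else
        echo missing
    fi
}

# Summarise the kernel's own verdict files (layout introduced in Linux 4.15).
vuln_status() {
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$1/$v" ]; then
            printf '%s: %s\n' "$v" "$(cat "$1/$v")"
        else
            printf '%s: (not reported by this kernel)\n' "$v"
        fi
    done
}

# Full report: microcode revision, the post-microcode flags (ibpb, ibrs, stibp),
# the KPTI flag (pti) and the kernel's vulnerability summary.
report() {
    cpuinfo="${1:-/proc/cpuinfo}"
    vdir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    echo "microcode revision: $(microcode_rev "$cpuinfo")"
    for f in ibpb ibrs stibp pti; do
        echo "$f: $(has_flag "$cpuinfo" "$f")"
    done
    vuln_status "$vdir"
}

# Usage: sh check_spectre.sh --live            (inspect the running system)
#        sh check_spectre.sh --files CPUINFO VULNDIR   (saved copies)
case "${1:-}" in
    --live)  report ;;
    --files) report "$2" "$3" ;;
esac
```

A missing "pti" flag on an Intel machine, or "ibpb/ibrs/stibp: missing" after installing the microcode package, means the kernel has not (yet) picked up the mitigation the thread describes.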
