Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On Wed, Feb 19, 2020 at 06:26:56PM +0200, Konstantin Ritt wrote: > Should we ever try to work around issues caused by broken CPUs? Yes. Because "CPU is broken" one way or the other is rather the common case. Declining to work as best as reasonably feasible in this situation might as well end up with an empty potential user base. Andre' ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On Wednesday, 19 February 2020 08:26:56 PST Konstantin Ritt wrote: > Should we ever try to work around issues caused by broken CPUs? Maybe we > should warn the user instead (with big red banner) and decline to install > anything at all? That was the thinking on the first task. We thought it was a small corner case and that it would be simply fixed by the few people with a BIOS upgrade. When it turned out to be much more widespread and systemd also worked around it, we did too. > > (or buy Intel) > > Or let's maybe also try to work around Meltdown and Spectre on i, just for > symmetry? ;) a) we don't have to for most of Qt, since the mitigations for them are done in the kernel and microcode updates already. The only exception is anything that JITs untrusted sources. Namely, qtwebengine. But I believe the mitigations are already present in the Chromium sources we use. b) Spectre (one of the two or both) also affects AMD and ARM and every single out-of-order processor system out there. Please see the technical docs for more information. -- Thiago Macieira - thiago.macieira (AT) intel.com Software Architect - Intel System Software Products ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
> > > Judging from the screenshots, it's the latest and greatest version > > > of the Qt installer (qt-opensource-windows-x86-5.14.1.exe) [1] > > > > Okay, but what version of Qt is the Qt Installer using? Installer > > team, can you check? > > > > Looking into the binary I've found: > > "Build date: Jan 8 2020 IFW Version: 3.2.0, built with Qt 5.12.4." > > https://codereview.qt-project.org/c/qt/qtbase/+/272837 Fix > QRandomGenerator initialization on AMD CPUs > > fixed it for 5.13 and a there we can see a cherry pick for 5.12: > https://codereview.qt-project.org/c/qt/qtbase/+/275914 > which went in on 9th of October 2019. > > Qt 5.12.4 was released on 17th of June 2019. > Qt 5.12.6 was released on 13th of November 2019, and should have the fix. > > Installer needs to use an more up to date Qt. > I've opened up a ticket for the Qt Installer Framework: https://bugreports.qt.io/browse/QTIFW-1632 Cheers, Cristian. ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
> > > > Judging from the screenshots, it's the latest and greatest version of > > the Qt installer (qt-opensource-windows-x86-5.14.1.exe) [1] > > Okay, but what version of Qt is the Qt Installer using? Installer team, can > you > check? > Looking into the binary I've found: "Build date: Jan 8 2020 IFW Version: 3.2.0, built with Qt 5.12.4." https://codereview.qt-project.org/c/qt/qtbase/+/272837 Fix QRandomGenerator initialization on AMD CPUs fixed it for 5.13 and a there we can see a cherry pick for 5.12: https://codereview.qt-project.org/c/qt/qtbase/+/275914 which went in on 9th of October 2019. Qt 5.12.4 was released on 17th of June 2019. Qt 5.12.6 was released on 13th of November 2019, and should have the fix. Installer needs to use an more up to date Qt. Cheers, Cristian. ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On woensdag 19 februari 2020 00:51:12 CET Thiago Macieira wrote: > Also https://bugreports.qt.io/browse/QTBUG-70606, which is when I reported > the > problem to AMD, but we did not introduce a workaround since we didn't know it > was this widespread. We for sure encountered it very, very often with our Krita users, until Dmitry patched it: https://codereview.qt-project.org/c/qt/qtbase/+/272837. -- https://www.valdyas.org | https://www.krita.org ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
Just for clarity: systemd has worked around this issue back in 2019 IIRC , once the issue has been widely reported and confirmed. Did that allow the user to boot his linux? Yes, the user is now able to boot into his shiny and fast (yet insecure and highly vulnerable) operation system. Months later, do we (Qt) REALLY have to be the only "secure" citizen in the 0x world? If so, then what about ASLR, SSP and other techniques aimed to protect your lovely lib/app/os from ACE but can not (due to broken HW RNG, which the user could never know about)?! Regards, Konstantin ср, 19 февр. 2020 г. в 18:26, Konstantin Ritt : > Should we ever try to work around issues caused by broken CPUs? Maybe we > should warn the user instead (with big red banner) and decline to install > anything at all? > > > (or buy Intel) > > Or let's maybe also try to work around Meltdown and Spectre on i, just for > symmetry? ;) > > Regards, > Konstantin > > > ср, 19 февр. 2020 г. в 01:51, Thiago Macieira : > >> On Tuesday, 18 February 2020 05:36:56 PST Sze Howe Koh wrote: >> > > Christian Kandeler (18 February 2020 12:59) replied >> > > >> > > > Probably the same as https://bugreports.qt.io/browse/QTBUG-77375. >> >> Also https://bugreports.qt.io/browse/QTBUG-70606, which is when I >> reported the >> problem to AMD, but we did not introduce a workaround since we didn't >> know it >> was this widespread. >> >> > > Which version was this encountered in ? >> > > >> > >> > Judging from the screenshots, it's the latest and greatest version of >> > the Qt installer (qt-opensource-windows-x86-5.14.1.exe) [1] >> >> Okay, but what version of Qt is the Qt Installer using? Installer team, >> can >> you check? >> >> Also, anyone affected, PLEASE upgrade your BIOS right now. Your system is >> insecure. (or buy Intel) >> >> -- >> Thiago Macieira - thiago.macieira (AT) intel.com >> Software Architect - Intel System Software Products >> >> >> >> ___ >> Development mailing list >> Development@qt-project.org >> https://lists.qt-project.org/listinfo/development >> > ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
Should we ever try to work around issues caused by broken CPUs? Maybe we should warn the user instead (with big red banner) and decline to install anything at all? > (or buy Intel) Or let's maybe also try to work around Meltdown and Spectre on i, just for symmetry? ;) Regards, Konstantin ср, 19 февр. 2020 г. в 01:51, Thiago Macieira : > On Tuesday, 18 February 2020 05:36:56 PST Sze Howe Koh wrote: > > > Christian Kandeler (18 February 2020 12:59) replied > > > > > > > Probably the same as https://bugreports.qt.io/browse/QTBUG-77375. > > Also https://bugreports.qt.io/browse/QTBUG-70606, which is when I > reported the > problem to AMD, but we did not introduce a workaround since we didn't know > it > was this widespread. > > > > Which version was this encountered in ? > > > > > > > Judging from the screenshots, it's the latest and greatest version of > > the Qt installer (qt-opensource-windows-x86-5.14.1.exe) [1] > > Okay, but what version of Qt is the Qt Installer using? Installer team, > can > you check? > > Also, anyone affected, PLEASE upgrade your BIOS right now. Your system is > insecure. (or buy Intel) > > -- > Thiago Macieira - thiago.macieira (AT) intel.com > Software Architect - Intel System Software Products > > > > ___ > Development mailing list > Development@qt-project.org > https://lists.qt-project.org/listinfo/development > ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On Tuesday, 18 February 2020 05:36:56 PST Sze Howe Koh wrote: > > Christian Kandeler (18 February 2020 12:59) replied > > > > > Probably the same as https://bugreports.qt.io/browse/QTBUG-77375. Also https://bugreports.qt.io/browse/QTBUG-70606, which is when I reported the problem to AMD, but we did not introduce a workaround since we didn't know it was this widespread. > > Which version was this encountered in ? > > > > Judging from the screenshots, it's the latest and greatest version of > the Qt installer (qt-opensource-windows-x86-5.14.1.exe) [1] Okay, but what version of Qt is the Qt Installer using? Installer team, can you check? Also, anyone affected, PLEASE upgrade your BIOS right now. Your system is insecure. (or buy Intel) -- Thiago Macieira - thiago.macieira (AT) intel.com Software Architect - Intel System Software Products ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On Tue, 18 Feb 2020 at 20:57, Edward Welbourne wrote: > > On Tue, 18 Feb 2020 19:35:53 +0800 > Sze Howe Koh wrote: > >> See > >> https://forum.qt.io/topic/111473/maintenance-tool-error-cannot-open-file-for-writing-no-error/ > > I note that the code quoted is using rand(); the code in QTemporary file > switched to using QRandomGenerator at 5.10.0; that's what now produces > the "WARNING: RDRND generated:" message reported in one post. > > Christian Kandeler (18 February 2020 12:59) replied > > Probably the same as https://bugreports.qt.io/browse/QTBUG-77375. > > Fixed in 5.13.0 - the fix added the warning quoted above and takes steps > to ensure we don't rely on the broken HWRNG, presumably falling back to > some pseudo-random alternative. > > >> Is this worth a post on the Qt Blog? I foresee many frustrated and > >> confused Ryzen users out there who would benefit from a reminder to > >> update their BIOS. > > > I suppose it won't hurt, but I wonder how such a system is usable at > > all... > > Which version was this encountered in ? > > Eddy. Judging from the screenshots, it's the latest and greatest version of the Qt installer (qt-opensource-windows-x86-5.14.1.exe) [1] If it matters, I also realized the error message was actually: Cannot open file "" for writing: No error Regards, Sze-Howe [1] https://forum.qt.io/post/578114 ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On Tue, 18 Feb 2020 19:35:53 +0800 Sze Howe Koh wrote: >> See >> https://forum.qt.io/topic/111473/maintenance-tool-error-cannot-open-file-for-writing-no-error/ I note that the code quoted is using rand(); the code in QTemporary file switched to using QRandomGenerator at 5.10.0; that's what now produces the "WARNING: RDRND generated:" message reported in one post. Christian Kandeler (18 February 2020 12:59) replied > Probably the same as https://bugreports.qt.io/browse/QTBUG-77375. Fixed in 5.13.0 - the fix added the warning quoted above and takes steps to ensure we don't rely on the broken HWRNG, presumably falling back to some pseudo-random alternative. >> Is this worth a post on the Qt Blog? I foresee many frustrated and >> confused Ryzen users out there who would benefit from a reminder to >> update their BIOS. > I suppose it won't hurt, but I wonder how such a system is usable at > all... Which version was this encountered in ? Eddy. ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
Re: [Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
On Tue, 18 Feb 2020 19:35:53 +0800 Sze Howe Koh wrote: > See > https://forum.qt.io/topic/111473/maintenance-tool-error-cannot-open-file-for-writing-no-error/ Probably the same as https://bugreports.qt.io/browse/QTBUG-77375. > Is this worth a post on the Qt Blog? I foresee many frustrated and > confused Ryzen users out there who would benefit from a reminder to > update their BIOS. I suppose it won't hurt, but I wonder how such a system is usable at all... Christian ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
[Development] Broken RNG on AMD Ryzen CPUs affect QTemporaryFile, Qt IFW
See https://forum.qt.io/topic/111473/maintenance-tool-error-cannot-open-file-for-writing-no-error/ In summary, a bad BIOS prevents QTemporaryFile from generating different filenames each run. The Qt Installer encounters name conflicts and produces a cryptic error message: Cannot open file "" for writing: No file name specified Is this worth a post on the Qt Blog? I foresee many frustrated and confused Ryzen users out there who would benefit from a reminder to update their BIOS. Regards, Sze-Howe ___ Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
