Re: Meltdown / Spectre

2018-01-27 Thread Ludovic Courtès
Mark H Weaver skribis: > l...@gnu.org (Ludovic Courtès) writes: > >> Mark H Weaver skribis: >> >>> FYI, in another thread, I recently posted preliminary patches to add the >>> GCC 7.3 release candidate as a Guix package, and to use it to build >>> linux-libre

Re: Meltdown / Spectre

2018-01-26 Thread Mark H Weaver
l...@gnu.org (Ludovic Courtès) writes: > Mark H Weaver skribis: > >> FYI, in another thread, I recently posted preliminary patches to add the >> GCC 7.3 release candidate as a Guix package, and to use it to build >> linux-libre on x86_64 and i686 systems: >> >>

Re: Meltdown / Spectre

2018-01-24 Thread Mark H Weaver
l...@gnu.org (Ludovic Courtès) writes: > Mark H Weaver skribis: > >> FYI, in another thread, I recently posted preliminary patches to add the >> GCC 7.3 release candidate as a Guix package, and to use it to build >> linux-libre on x86_64 and i686 systems: >> >>

Re: Meltdown / Spectre

2018-01-24 Thread Ludovic Courtès
Mark H Weaver skribis: > Leo Famulari writes: > >> On Fri, Jan 19, 2018 at 05:06:25PM -0500, Mark H Weaver wrote: >>> There's now a GCC 7.3 release candidate that apparently contains the >>> necessary compiler support to allow linux-libre-4.14.14 to use the

Re: Meltdown / Spectre

2018-01-21 Thread Mark H Weaver
Leo Famulari writes: > On Fri, Jan 19, 2018 at 05:06:25PM -0500, Mark H Weaver wrote: >> There's now a GCC 7.3 release candidate that apparently contains the >> necessary compiler support to allow linux-libre-4.14.14 to use the >> retpoline technique internally. >> >>

Re: Meltdown / Spectre

2018-01-19 Thread Leo Famulari
On Fri, Jan 19, 2018 at 05:06:25PM -0500, Mark H Weaver wrote: > l...@gnu.org (Ludovic Courtès) writes: > > Leo Famulari skribis: > >> Something we can do very easily, even on the master branch, is to build > >> specific packages with GCC 7, assuming the Retpoline technique

Re: Meltdown / Spectre

2018-01-19 Thread Mark H Weaver
l...@gnu.org (Ludovic Courtès) writes: > Leo Famulari skribis: > >> On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote: >>> About the "Retpoline" mitigation technique[1]. Right now only GCC 7.2.0 >>> is patched, but our default gcc version is 5.4.0 in master and 5.5.0

Re: Meltdown / Spectre

2018-01-17 Thread Gábor Boskovits
2018-01-16 4:58 GMT+01:00 Chris Marusich : > Katherine Cox-Buday writes: > > > Tobias Geerinckx-Rice writes: > > > >> I think the real and thornier question for GuixSD > >> is: if the recent CPU vulnerabilities require a > >>

Re: Meltdown / Spectre

2018-01-17 Thread Ludovic Courtès
Mike Gerwitz skribis: > On Tue, Jan 16, 2018 at 12:10:53 +0100, Ludovic Courtès wrote: >> Should GuixSD nevertheless provide a mechanism to support microcode >> updates, while not steering users to particular proprietary microcode? >> Just like Linux-libre (attempts to) support

Re: Meltdown / Spectre

2018-01-16 Thread Mike Gerwitz
On Tue, Jan 16, 2018 at 12:10:53 +0100, Ludovic Courtès wrote: > Should GuixSD nevertheless provide a mechanism to support microcode > updates, while not steering users to particular proprietary microcode? > Just like Linux-libre (attempts to) support loading of proprietary > firmware at the

Re: Meltdown / Spectre

2018-01-16 Thread Ludovic Courtès
Leo Famulari skribis: > On Tue, Jan 09, 2018 at 06:10:02PM -0500, Mark H Weaver wrote: >> Marius Bakke writes: >> > Katherine Cox-Buday writes: >> >> I am also interested -- more from a philosophical perspective -- how >> >>

Re: Meltdown / Spectre

2018-01-16 Thread Ludovic Courtès
Hello, Leo Famulari skribis: > On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote: >> I have an idea. Should we add a news entry to Guix blog[0] summarizing >> all the above? For example, we can advise users to install noscript and >> turn off javascript by default

Re: Meltdown / Spectre

2018-01-16 Thread Pjotr Prins
ord to use to describe the FSDG: Shackled then ;) I do think these breaches can lead to serious exploits, even though taking over a computer (which is the real concern) may be very hard to achieve and may never happen reading 'random' data. Intel's management system is a much worse and direct threat. Address

Re: Meltdown / Spectre

2018-01-15 Thread Chris Marusich
Katherine Cox-Buday writes: > Tobias Geerinckx-Rice writes: > >> I think the real and thornier question for GuixSD >> is: if the recent CPU vulnerabilities require a >> microcode update to fully mitigate, then how do we >> square not recommending

Re: Meltdown / Spectre

2018-01-15 Thread Mike Gerwitz
On Mon, Jan 15, 2018 at 09:07:45 +0100, Pjotr Prins wrote: > GNU Guix, however, by virtue of being a GNU project is hampered by its > free software credentials. "hamper" isn't a good word to use to describe the FSDG: From The Collaborative International Dictionary of English v.0.48 [gcide]:

Re: Meltdown / Spectre

2018-01-15 Thread Pjotr Prins
On Wed, Jan 10, 2018 at 03:04:44PM +0100, Gábor Boskovits wrote: >I don't believe that making a microcode update available makes >the situation worse. An earlier version is a non-free component >of the system anyway. I believe that it might well be worth to >provide the possibility

Re: Meltdown / Spectre

2018-01-14 Thread Alex Vong
Tobias Geerinckx-Rice writes: > Hej Marius, > > [I see this is being CC'd to @libreboot.org. I'm answering only as a GNU > Guix user and contributor, and assume people who live and breathe this > stuff will find plenty of holes in my opinion. Which this is.] > > Marius Bakke

Re: Meltdown / Spectre

2018-01-11 Thread Chris Marusich
Tobias Platen writes: > Leah Rowe uses the nickname _4of7 on IRC, she is the founder of Libreboot I see - I did not know. Thank you for clarifying that! -- Chris

Re: Meltdown / Spectre

2018-01-11 Thread Marius Bakke
Gábor Boskovits writes: > The second thing that comes to my mind is to have a free tool to perform > the microcode update, so that we can inspect, that nothing else on the > system gets modified. FWIW there is a tool that does this in Guix already: "iucode-tool". Here is

Re: Meltdown / Spectre

2018-01-11 Thread Adonay Felipe Nogueira
With regards to BSD-3-Clause-Clear and BSD-2-Clause-FreeBSD vs. GPL (and variants), the latest version and "or-later" option of the latter allows a chance to transfer the freedoms of the software to the end-users' copy (it's not a perfect ingredient, because it depends on the rights holder to

Re: Meltdown / Spectre

2018-01-11 Thread Katherine Cox-Buday
Leo Famulari writes: >> Morally, at least in the short-to-medium term, I'm not convinced. >> The smell of privilege becomes hard to ignore with the costs and other >> assumptions involved. > > I think I agree with you here, Tobias. > > To me, the right choice is not to

Re: Meltdown / Spectre

2018-01-10 Thread Kei Kebreau
Christopher Lemmer Webber writes: > Katherine Cox-Buday writes: > >> Tobias Geerinckx-Rice writes: >> >> >>> I think the real and thornier question for GuixSD >>> is: if the recent CPU vulnerabilities require a >>> microcode update to fully mitigate, then

Re: Meltdown / Spectre

2018-01-10 Thread Leo Famulari
On Wed, Jan 10, 2018 at 11:46:46AM +0100, Tobias Platen wrote: > The Talos II is a free-er system. And its processor (the POWER9) does not > seem to be affected by Meltdown/Spectre [1]. > > [1] https://mobile.twitter.com/RaptorCompSys?p=s The Talos teams says that their POWER8 and POWER9

Re: Meltdown / Spectre

2018-01-10 Thread Gábor Boskovits
I don't believe that making a microcode update available makes the situation worse. An earlier version is a non-free component of the system anyway. I believe that it might well be worth to provide the possibility to update it. I think it would be beneficial, if we got a signed blob for that,

Re: Meltdown / Spectre

2018-01-10 Thread ng0
Alex Vong transcribed 1.7K bytes: > Mark H Weaver writes: > > > Mark H Weaver writes: > > > >> I just followed this up with a Spectre mitigation for WebKitGTK+ > >> backported from upstream WebKit: > >> > >> > >>

Re: Meltdown / Spectre

2018-01-10 Thread Adonay Felipe Nogueira
I don't know if this serves as guidance as to if microcode is functional or not, but from [1] I quote: #+BEGIN_QUOTE However, there is an exception for secondary embedded processors. The exception applies to software delivered inside auxiliary and low-level processors and FPGAs, within which

Re: Meltdown / Spectre

2018-01-10 Thread Chris Marusich
Alex Vong writes: > Hello, > > I hope this is on topic. Recently, 2 critical vulnerabilities (see > https://meltdownattack.com/) affecting virtually all intel cpus are > discovered. I am running libreboot x200 (see > https://www.fsf.org/ryf). What should I do right now to

Re: Meltdown / Spectre

2018-01-09 Thread Christopher Lemmer Webber
Katherine Cox-Buday writes: > Tobias Geerinckx-Rice writes: > > >> I think the real and thornier question for GuixSD >> is: if the recent CPU vulnerabilities require a >> microcode update to fully mitigate, then how do we >> square not recommending proprietary globs like >> this

Re: Meltdown / Spectre

2018-01-09 Thread Leo Famulari
On Tue, Jan 09, 2018 at 06:10:02PM -0500, Mark H Weaver wrote: > Marius Bakke writes: > > Katherine Cox-Buday writes: > >> I am also interested -- more from a philosophical perspective -- how > >> GuixSD and GNU squares with these kinds of security

Re: Meltdown / Spectre

2018-01-09 Thread Leo Famulari
On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote: > I have an idea. Should we add a news entry to Guix blog[0] summarizing > all the above? For example, we can advise users to install noscript and > turn off javascript by default and only enable it on trusted site when > necessary. I

Re: Meltdown / Spectre

2018-01-09 Thread Alex Vong
Mark H Weaver writes: > Mark H Weaver writes: > >> I just followed this up with a Spectre mitigation for WebKitGTK+ >> backported from upstream WebKit: >> >> >> https://git.savannah.gnu.org/cgit/guix.git/commit/?id=56804398a94bea941183ae4ed29d2a9f82069a6f >

Re: Meltdown / Spectre

2018-01-09 Thread Tobias Geerinckx-Rice
Katherine, Not really an answer to your question, I'm afraid. Just some thoughts I had after hitting ‘Send’ on my previous non-answer. Katherine Cox-Buday wrote on 09/01/18 at 21:13: > Tobias Geerinckx-Rice writes: >> [...] how do we square not recommending proprietary globs

Re: Meltdown / Spectre

2018-01-09 Thread Katherine Cox-Buday
Tobias Geerinckx-Rice writes: > I think the real and thornier question for GuixSD > is: if the recent CPU vulnerabilities require a > microcode update to fully mitigate, then how do we > square not recommending proprietary globs like > this in official channels with giving users

Re: Meltdown / Spectre

2018-01-08 Thread Tobias Geerinckx-Rice
I should probably have written what I thought: Tobias Geerinckx-Rice wrote on 08/01/18 at 22:51: > AIUI, at least on x86 CPUs, the microcode *is* a large and/or functional > part of the processor... ...but it's initially included in ROM. Only when bugs are found in that copy does a user-provided

Re: Meltdown / Spectre

2018-01-08 Thread Tobias Geerinckx-Rice
Hej Marius, [I see this is being CC'd to @libreboot.org. I'm answering only as a GNU Guix user and contributor, and assume people who live and breathe this stuff will find plenty of holes in my opinion. Which this is.] Marius Bakke wrote on 08/01/18 at 19:26: > In my opinion, CPU microcode

Re: Meltdown / Spectre

2018-01-08 Thread Marius Bakke
Katherine Cox-Buday writes: > Chris Marusich writes: > >> Leo Famulari writes: > >> I wonder: how easy will it be to install those firmware/microcode >> updates if you are using GuixSD? In particular, I'm curious about the >>

Re: Meltdown / Spectre

2018-01-08 Thread Katherine Cox-Buday
Chris Marusich writes: > Leo Famulari writes: > I wonder: how easy will it be to install those firmware/microcode > updates if you are using GuixSD? In particular, I'm curious about the > case of the Lenovo x200 with libreboot, since that's what I use

Re: Meltdown / Spectre

2018-01-08 Thread Ludovic Courtès
Hi, Mark H Weaver skribis: > Mark H Weaver writes: > >> Leo Famulari writes: >> >>> The Spectre bugs have to be fixed per-application for now. As far as I >>> know, we haven't made any related changes to packages besides >>> linux-libre.

Re: Meltdown / Spectre

2018-01-07 Thread Mark H Weaver
Mark H Weaver writes: > I just followed this up with a Spectre mitigation for WebKitGTK+ > backported from upstream WebKit: > > > https://git.savannah.gnu.org/cgit/guix.git/commit/?id=56804398a94bea941183ae4ed29d2a9f82069a6f FYI, adding a patch to 'webkitgtk' seems to have

Re: Meltdown / Spectre

2018-01-06 Thread Mark H Weaver
Mark H Weaver writes: > Leo Famulari writes: > >> The Spectre bugs have to be fixed per-application for now. As far as I >> know, we haven't made any related changes to packages besides >> linux-libre. >> >> Mozilla has released an update that is supposed to

Re: Meltdown / Spectre

2018-01-06 Thread Chris Marusich
Leo Famulari writes: > ### Guix status ### > > The CPU makers are issuing microcode updates as a hardware-level > mitigation, but I don't think we'll be providing those in Guix. It seems some (but not all) mitigations may require firmware/microcode updates. For details,

Re: Meltdown / Spectre

2018-01-06 Thread Mark H Weaver
Leo Famulari writes: > The Spectre bugs have to be fixed per-application for now. As far as I > know, we haven't made any related changes to packages besides > linux-libre. > > Mozilla has released an update that is supposed to mitigate the > vulnerability but I don't know if

Meltdown / Spectre

2018-01-06 Thread Leo Famulari
On Sat, Jan 06, 2018 at 09:20:50PM +0800, Alex Vong wrote: > I hope this is on topic. Recently, 2 critical vulnerabilities (see > https://meltdownattack.com/) affecting virtually all intel cpus are > discovered. I am running libreboot x200 (see > https://www.fsf.org/ryf). > What should I do right