Linux kernel mitigations released for new Intel CPU issues
The mainline Linux kernel received mitigations for TSX Asynchronous Abort (TAA), the JCC Erratum and iTLB Multihit (NX) - No eXcuses.
"TSX Asynchronous Abort" (TAA) is a new ZombieLoad side-channel attack variant focused on Intel processors with TSX (Transactional Synchronization Extensions). This variant was actually discovered as part of ZombieLoad (announced back in May) but faced an extended embargo. TAA can allow leaking of data across processes, privilege boundaries and Hyper Threading. With Hyper Threading disabled, TAA can still leak data from protected domains.
The mitigation for ZombieLoad TAA released today (11.12) exposes /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.
Ref.: https://seclists.org/oss-sec/2019/q4/67
The "Jump Conditional Code" (JCC) erratum, made public today (11.12) by Intel, is a bug that can happen when jump instructions cross cache lines and affects Skylake through Cascade Lake processors. Intel's mitigations document for the Jump Conditional Code Erratum states that the mitigation/workaround will impact performance by 0-4% excluding outliers, which means that even higher performance downsides can be seen in specific workloads.
The "iTLB Multihit (NX) - No eXcuses" issue has been known since last year (CVE-2018-12207). It occurs on some Intel CPUs, causing a machine check error and a possible unrecoverable CPU lockup stemming from page size changes. This has implications in the VM space, as a malicious guest is able to cause a denial of service. The workaround for this vulnerability is KVM marking huge pages in the extended page tables as non-executable (NX).
The mitigation released today exposes /sys/devices/system/cpu/vulnerabilities/itlb_multihit for reporting status and a new kvm.nx_huge_pages parameter.
That's it, more patches and more performance penalties.
BF/CM - Buyer Beware. Conduct your own due diligence on the sustainability of the deals presented here as well as the provider's track record.
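A small check script, added here as an example and not part of the original post, that reads the two sysfs entries and the KVM parameter named above (plus the original ZombieLoad `mds` entry) and parses the related kernel command line options. The sysfs root and command line are taken as arguments so it can be pointed at a constructed tree; the `--run` style defaults read the live `/sys` and `/proc/cmdline`.

```shell
#!/bin/sh
# Added example (not from the original post): report the status the kernel
# exposes for the mitigations discussed above. Takes a sysfs root and a
# kernel command line as arguments so it can be run against a constructed
# tree; with no arguments it reads the live /sys and /proc/cmdline.

# Print the contents of one vulnerabilities entry, or a "missing" marker when
# the running kernel predates the mitigation and has no such file.
vuln_status() {                       # $1 = sysfs root, $2 = entry name
    f="$1/devices/system/cpu/vulnerabilities/$2"
    if [ -r "$f" ]; then cat "$f"; else echo "missing"; fi
}

# Succeed (0) only if the entry reports a mitigation or "Not affected".
# Note the TAA line also states whether SMT (Hyper Threading) is still
# vulnerable, e.g. "Mitigation: Clear CPU buffers; SMT vulnerable".
is_mitigated() {                      # $1 = sysfs root, $2 = entry name
    case "$(vuln_status "$1" "$2")" in
        *Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the value of "<name>=<value>" from a kernel command line, or "unset".
cmdline_opt() {                       # $1 = command line text, $2 = parameter
    for tok in $1; do
        case "$tok" in "$2"=*) echo "${tok#*=}"; return 0 ;; esac
    done
    echo "unset"
}

# KVM's nx_huge_pages module parameter, the iTLB multihit workaround.
nx_huge_pages() {                     # $1 = sysfs root
    p="$1/module/kvm/parameters/nx_huge_pages"
    if [ -r "$p" ]; then cat "$p"; else echo "missing"; fi
}

report() {
    root="${1:-/sys}"
    cmdline="${2:-$(cat /proc/cmdline 2>/dev/null || true)}"
    for v in mds tsx_async_abort itlb_multihit; do
        printf '%-18s %s\n' "$v" "$(vuln_status "$root" "$v")"
    done
    printf '%-18s %s\n' "kvm.nx_huge_pages" "$(nx_huge_pages "$root")"
    printf '%-18s %s\n' "cmdline taa" "$(cmdline_opt "$cmdline" tsx_async_abort)"
    printf '%-18s %s\n' "cmdline nx" "$(cmdline_opt "$cmdline" kvm.nx_huge_pages)"
}

report "$@"
```

A "missing" line for `tsx_async_abort` or `itlb_multihit` means the running kernel is older than the mitigation, not that the CPU is safe.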
Comments
Ryzen ftw!
Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow
End of the day, leftover performance maybe like Opteron.
I bench YABS 24/7/365 unless it's a leap year.
AMD will take significant market share from Intel in the server/cloud arena. 3rd generation Threadripper is coming by the end of this month:
Still waiting for the Proxmox kernel update.
Free NAT KVM | Free NAT LXC
Actually, can anyone run Geekbench on an older kernel and an updated kernel for both a similarly specced multi-thread Intel and Ryzen (Passmark single-thread should be similar) to see how big the performance penalty is?
Saw this from the other forum: https://zombieloadattack.com/
I think AMD is the way to go. Surprising, but the cheap, fast and good (i.e. secure) trinity applies in AMD's case relative to Intel.
In the consumer market, the integrated APUs are also killing Intel. One AMD with its APU is enough for most games at decent frame rates save the really hardcore ones.
I just did a bench after updating to the latest microcode and Linux kernel on my second-hand Intel laptop:
https://browser.geekbench.com/v4/cpu/14922154
Doesn't seem too different from before the update:
https://browser.geekbench.com/v4/cpu/12449489
I'm using AMD Ryzen on my home Proxmox server as well. If I get the chance to upgrade my gaming PC, I would get an AMD as well (currently Intel). So ya, if others also think like me, AMD has been and will be taking Intel for everything they have.
Somik.org - Server admins cheat codes
Yes indeed. My desktop and/or laptop will definitely be Ryzen.
Intel make love to Bezos long time from behind.
Seems like this Intel nightmare isn't going away. The microcodes seem to be band-aids. As long as you patch one, another leak erupts because the underlying infrastructure is rotten. A complete chip redesign is going to be massive pain. Intel is looking as hot as Boeing now, while AMD is looking as cool as Airbus.
Are you talking about Windoze too?
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
If I ever run Windoze these days, 90% it is in a VM (unless I have to fire up Adobe).
That said, I must say that Windoze is a lot more secure these days, but it is still unfortunately a resource hog relative to Linux, which runs on my dirt cheap, self-refurbished Lenovo x240 off my local version of eBay much more smoothly.
Timeout for me due to night mode crap.
https://talk.lowendspirit.com/index.php?p=/discussion/36/dark-theme-for-24-hours-only-dont-panic
It was enabled while I 'try' to give people more options and for 24 hours only.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
Seeking assistance from the hive mind here. If you know any of the providers in my white list that offer AMD servers, please drop a reply so that I can make an annotation in the list.
Did a quick search and it seems like only ExtraVM and Nexus Bytes in my list currently have Ryzen VPS. If you know any others, let me know!
Debian released kernel patches to mitigate these vulnerabilities.
Ref.: https://lists.debian.org/debian-security-announce/2019/msg00219.html