Linux kernel mitigations released for new Intel CPU issues

The mainline Linux kernel has received mitigations for TSX Asynchronous Abort (TAA), the JCC Erratum and iITLB Multihit (NX) - No eXcuses.

"TSX Asynchronous Abort" (TAA) is a new ZombieLoad side-channel attack variant focused on Intel processors with TSX (Transactional Synchronization Extensions). This variant was actually discovered as part of ZombieLoad (announced back in May) but faced an extended embargo. TAA can allow data to leak across processes, privilege boundaries and Hyper Threading. With Hyper Threading disabled, TAA can still leak data from protected domains.

The mitigation for ZombieLoad TAA released today (11.12) exposes /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.

Ref.: https://seclists.org/oss-sec/2019/q4/67

The "Jump Conditional Code" (JCC) erratum, made public today (11.12) by Intel, is a bug that can happen when jump instructions cross cache lines and affects Skylake through Cascade Lake processors. Intel's mitigation document for the Jump Conditional Code Erratum states that the mitigation/workaround will impact performance by 0-4% excluding outliers, which means there can be even higher performance downsides in specific workloads.

The "iITLB Multihit (NX) - No eXcuses" issue has been known since last year (CVE-2018-12207). It occurs on some Intel CPUs, causing a machine check error and a possible unrecoverable CPU lockup stemming from page size changes. This has implications in the VM space, since a malicious guest can use it to cause a denial of service. The workaround for this vulnerability is KVM marking huge pages in the extended page tables as non-executable (NX).

The mitigation released today exposes /sys/devices/system/cpu/vulnerabilities/itlb_multihit for reporting status and a new kvm.nx_huge_pages parameter.

Ref.: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/Documentation/admin-guide/hw-vuln/multihit.rst?id=eb094f06963bb0fd8134c6a9b805d4ad0002a7d4

That's it, more patches and more performance penalties.

BF/CM - Buyer Beware. Conduct your own due diligence on the sustainability of the deals presented here as well as the provider's track record.

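A quick way to see what a running kernel reports for the two knobs the post mentions, as an added example that is not part of the original post: it reads the real sysfs paths and kernel parameters named above, and the sample status strings in the comments are constructed from the formats in the kernel's admin-guide/hw-vuln documentation.

```shell
#!/bin/sh
# Added example (not from the original post): report the kernel's status for the
# two issues above via the sysfs files and parameters the post names. Sample
# strings follow the kernel's admin-guide/hw-vuln formats; stock sysfs assumed.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify STATUS -> not_affected | mitigated | mitigated_smt_vulnerable | vulnerable | unknown
classify() {
    s=${1#KVM: }   # itlb_multihit prefixes its status with "KVM: "
    case "$s" in
        "Not affected"*) echo not_affected ;;
        "Mitigation: "*"SMT vulnerable"*)
            # Buffers are cleared on ring transitions, but a sibling
            # hyper-thread can still observe data while SMT stays on.
            echo mitigated_smt_vulnerable ;;
        "Mitigation: "*) echo mitigated ;;
        "Vulnerable"* | "Processor vulnerable"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# cmdline_param NAME CMDLINE -> prints the value of NAME=... if present
cmdline_param() {
    for tok in $2; do
        case "$tok" in
            "$1="*) echo "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

report() {
    for name in tsx_async_abort itlb_multihit; do
        f="$VULN_DIR/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
            printf '%-16s %-26s %s\n' "$name" "$(classify "$status")" "$status"
        else
            printf '%-16s %s\n' "$name" "not reported by this kernel"
        fi
    done
    # Boot-time TAA override (tsx_async_abort=off|full|full,nosmt) and the KVM knob.
    if [ -r /proc/cmdline ]; then
        echo "tsx_async_abort= $(cmdline_param tsx_async_abort "$(cat /proc/cmdline)" || echo '<default>')"
    fi
    p=/sys/module/kvm/parameters/nx_huge_pages
    if [ -r "$p" ]; then echo "kvm.nx_huge_pages= $(cat "$p")"; fi
}

report
```

A "mitigated_smt_vulnerable" result for tsx_async_abort means the buffer clearing is active but Hyper Threading is still on, which matches the post's point that SMT is the remaining leak path.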

Comments

  • Ryzen ftw!


    Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow

  • cybertech (OG, Benchmark King)

    End of the day, leftover performance maybe like Opteron.

    I bench YABS 24/7/365 unless it's a leap year.

  • AMD will take significant market share from Intel in the server/cloud arena. 3rd generation Threadripper is coming by the end of this month:

    • Ryzen 3950X: 16 cores / 32 threads, 3.5GHz base frequency, 4.7GHz boost, 72MB L2+L3 cache ($749 USD);
    • Ryzen 3960X: 24 cores / 48 threads, 3.8GHz base frequency, 4.5GHz boost, 140MB L2+L3 cache ($1399 USD);
    • Ryzen 3970X: 32 cores / 64 threads, 3.7GHz base frequency, 4.5GHz boost, 144MB L2+L3 cache ($1999 USD);


  • Neoon (OG, Content Writer, Senpai)

    Still waiting for the Proxmox kernel update.

  • Actually, can anyone run Geekbench on an older kernel and an updated kernel for both a similar specced multi-thread Intel and Ryzen (Passmark single-thread should be similar) to see how big the performance penalty is?


  • Saw this from the other forum: https://zombieloadattack.com/

    I think AMD is the way to go. Surprising, but the cheap, fast and good (i.e. secure) trinity applies in AMD's case relative to Intel.

    In the consumer market, the integrated APUs are also killing Intel. One AMD with its APU is enough for most games at decent frame rates save the really hardcore ones.



  • @poisson said:
    Actually, can anyone run Geekbench on an older kernel and an updated kernel for both a similar specced multi-thread Intel and Ryzen (Passmark single-thread should be similar) to see how big the performance penalty is?

    I just did a bench after updating to the latest microcode and Linux kernel on my second-hand Intel laptop:
    https://browser.geekbench.com/v4/cpu/14922154

    Doesn't seem too different from before the update:
    https://browser.geekbench.com/v4/cpu/12449489


  • @poisson said:
    Saw this from the other forum: https://zombieloadattack.com/

    I think AMD is the way to go. Surprising, but the cheap, fast and good (i.e. secure) trinity applies in AMD's case relative to Intel.

    In the consumer market, the integrated APUs are also killing Intel. One AMD with its APU is enough for most games at decent frame rates save the really hardcore ones.

    I'm using AMD Ryzen on my home Proxmox server as well. If I get the chance to upgrade my gaming PC, I would get an AMD as well (currently Intel). So ya, if others also think like me, AMD has been and will be taking Intel for everything they have.

    Never make the same mistake twice. There are so many new ones to make.
    It’s OK if you disagree with me. I can’t force you to be right.

  • cybertech (OG, Benchmark King)

    @somik said:

    @poisson said:
    Saw this from the other forum: https://zombieloadattack.com/

    I think AMD is the way to go. Surprising, but the cheap, fast and good (i.e. secure) trinity applies in AMD's case relative to Intel.

    In the consumer market, the integrated APUs are also killing Intel. One AMD with its APU is enough for most games at decent frame rates save the really hardcore ones.

    I'm using AMD Ryzen on my home Proxmox server as well. If I get the chance to upgrade my gaming PC, I would get an AMD as well (currently Intel). So ya, if others also think like me, AMD has been and will be taking Intel for everything they have.

    Yes indeed. My desktop and/or laptop will definitely be Ryzen.


  • Intel make love to Bezos long time from behind.
  • Seems like this Intel nightmare isn't going away. The microcodes seem to be band-aids. As long as you patch one, another leak erupts because the underlying infrastructure is rotten. A complete chip redesign is going to be massive pain. Intel is looking as hot as Boeing now, while AMD is looking as cool as Airbus.


  • @poisson said:
    .. As long as you patch one, another leak erupts because the underlying infrastructure is rotten..

    Are you talking about Windoze too? :anguished:


    Than=compare;then=sequence:brought=bring;bought=buy:staffs=pile of sticks:informations/infos=no plural.
    It wisnae me! A big boy done it and ran away. || NVMe2G for life! until death (the end is nigh).

  • @AlwaysSkint said:

    @poisson said:
    .. As long as you patch one, another leak erupts because the underlying infrastructure is rotten..

    Are you talking about Windoze too? :anguished:

    If I ever run Windoze these days, 90% it is in a VM (unless I have to fire up Adobe).

    That said, I must say that Windoze is a lot more secure these days, but it is still unfortunately a resource hog relative to Linux, which runs on my dirt cheap, self-refurbished Lenovo x240 off my local version of eBay much more smoothly.


  • Timeout for me due to night mode crap.


  • @AlwaysSkint said:
    Timeout for me due to night mode crap.

    https://talk.lowendspirit.com/index.php?p=/discussion/36/dark-theme-for-24-hours-only-dont-panic

    It was enabled while I 'try' to give people more options and for 24 hours only.

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • Seeking assistance from the hive mind here. If you know any of the providers in my white list that offer AMD servers, please drop a reply so that I can make an annotation in the list.


  • @poisson said:
    Seeking assistance from the hive mind here. If you know any of the providers in my white list that offer AMD servers, please drop a reply so that I can make an annotation in the list.

    Did a quick search and it seems like only ExtraVM and Nexus Bytes in my list currently have Ryzen VPS. If you know any others, let me know!


  • Debian released kernel patches to mitigate these vulnerabilities.
    Ref.: https://lists.debian.org/debian-security-announce/2019/msg00219.html
