/srv/irclogs.ubuntu.com/2018/01/03/#ubuntu-discuss.txt

lotuspsychjegood morning to all00:13
pauljwlotuspsychje :)00:16
daftykinshappy new year sir \o00:16
lotuspsychjehey pauljw & daftykins00:16
lotuspsychjehappy new year 2018 to you guys :p00:16
lotuspsychjebest of luck & a great health00:17
pauljwsame to you guys00:17
lotuspsychjeand more ubuntu lol00:17
pauljwalways...00:17
daftykins:)00:24
=== lotuspsychje_ is now known as lotuspsychje
lotuspsychjeoO01:00
* lotuspsychje doesnt like ping timeout01:00
lotuspsychjehi FruitView01:10
lotuspsychje!keyring01:27
lotuspsychje!seahorse01:27
lotuspsychjedax: we have a trigger about that?01:28
daxnot that i know of01:28
lotuspsychjelemme see if theres a wiki01:28
lotuspsychjecant find an ubuntu one dax01:31
lotuspsychjehttps://wiki.gnome.org/Projects/GnomeKeyring01:31
daxreally don't need a factoid for everything, especially if it's just gonna be a link to whatever's in Google01:32
daxI'm really averse to the tendency (and I'm not saying this is one you have, I'm generally commenting) of relying heavily on ubottu's general factoids in lieu of hand-written targeted answers01:33
lotuspsychjeallright no sweat01:34
lotuspsychjeits just a question we see alot passing01:34
daxis there a webpage (or a oneliner that fits in a factoid) that actually solves the question, rather than answering "this is what a keying is"?01:35
dax(i assume the question is the "Your keyring was not unlocked at login." problem)01:35
lotuspsychjeyeah01:35
lotuspsychjeso users understand that part of enter password or leave blank01:35
lotuspsychjehttp://ubuntuhandbook.org/index.php/2013/07/disable-unlock-login-keyring-ubuntu-13-04/01:45
lotuspsychjecant find new stuff01:45
EriC^^morning all06:14
lordievaderGood morning07:11
lordievaderBluesKaj: I suppose Ubuntu does. It used to anyways, not sure if it still has one.07:12
lordievaderOr how it is called these days.07:12
ducassegood morning all07:19
lordievaderHey Dducasse , How are you today?07:29
ducassei'm good lordievader, thanks - how are you?07:40
ducassehad coffee yet? :)07:40
lordievaderDoing good hear, just ordered a pair of speakers.07:45
lordievaderErr, no tea. Found out I'm out of coffee.07:46
ducassetea is good, i'm on coca cola here. what kind of speakers?07:51
lordievaderThese http://www.jamo.com/products/s62207:55
=== TJ_Remix is now known as TJ-
BluesKajHey folks12:11
BluesKajlordievader, that R13ose guy doesn't always give important details about his problems...he's constantly doing things of which he has no idea of the consequences...dealt with him a few times before12:29
lordievaderYes, I know.12:39
BluesKajlots of hand holding12:42
lordievaderWith the occasional "let me do this, crash".12:49
BluesKajyup12:50
pauljwhi everyone12:55
BluesKaj'12:59
BluesKaj'Morning pauljw12:59
pauljwhey BluesKaj :)12:59
BluesKajdaylight in the swamp here, and it's snowing13:01
pauljwsnowing in swamp? BluesKaj, sounds like fun.13:26
BluesKajyeah, it's light fluffy stuff that doesn't really amount to much13:28
EriC^^good afternoon everyone13:29
BluesKajHey EriC^^13:29
EriC^^hey BluesKaj13:31
EriC^^how are you?13:31
BluesKajGood here EriC^^, how about you/13:32
EriC^^good thanks13:32
BluesKaj?13:32
pauljwhi EriC^^13:32
EriC^^hi pauljw how's it going?13:32
pauljwgood thx.  :)13:33
EriC^^:)13:33
lotuspsychjegood evening to all18:36
lotuspsychjehttp://www.omgubuntu.co.uk/2018/01/amazon-brings-linux-distro-enterprise-making-red-hat-worry18:38
lotuspsychjehttp://www.linuxandubuntu.com/home/10-reasons-why-linux-is-better-than-windows18:47
lotuspsychjeJanC: i bypassed belgian EID firefox 57 issue by adding the certificate, works now18:49
pauljwhey lotuspsychje :)18:59
lotuspsychjehey pauljw18:59
lotuspsychjehey Bashing-om19:02
Bashing-omhey lotuspsychje :) ,, been a good session ?19:03
lotuspsychjejust joined cant tell, currently active!19:03
Bashing-omlotuspsychje: 2, just getting settled in . We be active :)19:12
Bashing-omOutside chore .. back soonest :(20:41
lotuspsychjebreath deep :p20:41
pauljw:)20:41
lotuspsychje!info linux-image-generic artful20:44
ubot5linux-image-generic (source: linux-meta): Generic Linux kernel image. In component main, is optional. Version 4.13.0.21.22 (artful), package size 2 kB, installed size 14 kB20:44
nicomachuslotuspsychje: kernels up to 14.9 and 14.10?20:44
nicomachus4.14?20:45
lotuspsychjeer yeah20:45
lotuspsychjeoh wait holdon20:45
lotuspsychjehttps://bugs.launchpad.net/ubuntu/+source/linux/+bug/173414720:45
ubot5Launchpad bug 1734147 in linux (Ubuntu) "Ubuntu 17.10 corrupting BIOS - many LENOVO laptops models" [Critical,Confirmed]20:45
nicomachusI imagine that the 4.4 kernel will get updated too. surely not just 4.1420:45
lotuspsychje4.14.920:46
lotuspsychjeand 4.14.1020:46
nicomachusI've had a ton of updates this morning that look like library updates or something. wondering if that's related.20:49
lotuspsychjenicomachus: not sure im on bionic20:57
lotuspsychjeTJ-: !qemu real outdated 201120:57
lotuspsychje!qemu20:58
ubot5qemu is an emulator you can use to run another operating system - see https://help.ubuntu.com/community/WindowsXPUnderQemuHowTo20:58
daxwe're gonna need a KPTI factoid, way these questions are going20:58
lotuspsychjedax: good idea20:59
daxthat's what, three just in the scrollback on my screen20:59
TJ-dax: it's a major issue, for sure. "KAISER a.k.a Kernel Page Table Isolation is a bug in Intel CPUs since around 2006 which leaks information about kernel data structures into userspace and potentially allows attackers to execute code with kernel privileges"21:01
dax!usn21:01
ubot5Please see http://www.ubuntu.com/usn for information about recent Ubuntu security updates.21:01
dax"!kpti is <reply> The Linux community is working on a patchset for a hardening technique named KPTI that addresses recently-disclosed issues in some processors. Once finished, updates addressing this issue will be released through the normal Ubuntu security update process. See http://www.ubuntu.com/usn if you are interested in receiving all Ubuntu security update notifications."21:02
TJ-dax: that's my best non-techy description for now. It's not clear (yet) if it does allow direct privilege escalation but based on the embargo and scramble to release patches it seems likely21:02
daxs/some processors/many processors/21:02
TJ-Make clear it does NOT affect AMD CPUs21:02
TJ-Intel CPUs from the Core micro-architecture onwards are affected21:03
nicomachusTJ-: I like the other name better but it's not mentionable on this channel. haha21:03
daxwhich of our non-x86 supported targets does it affect?21:03
alkisgI wonder if that will get backported to 16.04 non-hwe kernel, i.e. 4.4... It would be nice to have an insecure but faster kernel available :D21:03
daxalkisg: iirc you can turn off the KPTI patchset with a kernel cmdline option, but not 100% sure, i've read a lot recently21:03
TJ-dax: it's only Intel x86 for this one21:04
alkisgAh, that'd be perfect then21:04
alkisgty21:04
TJ-dax: either "nopti" or "pti=off"21:04
daxTJ-: are the ARM patches people keep going on about preventative?21:04
nicomachusalkisg: i'd rather have it get fixed on a release that's supported for another 3.5 years...21:04
TJ-dax: they're a slightly different issue to this one, but with a similar result21:04
TJ-for ARM6421:04
alkisgnicomachus: if there's a switch for it, yeah, I'd love to have it. Although 16.04 comes with 4.10 nowadays, 4.4 is the non-hwe version21:05
nicomachusyea I'm still on 4.4 here21:05
TJ-e.g. revealing the kernel's randomised base/load address21:05
nicomachus-10421:05
nicomachusdax: please use Forcefully Unmap Complete Kernel With Interrupt Trampolines21:05
dax"!kpti is <reply> The Linux community is working on a patchset for a hardening technique named KPTI that addresses recently-disclosed issues in Intel processors. Once finished, updates addressing this issue will be released through the normal Ubuntu security update process. See http://www.ubuntu.com/usn if you are interested in receiving all Ubuntu security update notifications."21:05
daxnicomachus: ah, is that what that stood for21:05
dax"!kpti is <reply> The Linux community is working on a patchset for a hardening technique named KPTI that addresses recently-disclosed issues in Intel processors. Once finished, updates containing this patchset will be released through the normal Ubuntu security update process. See http://www.ubuntu.com/usn if you are interested in receiving all Ubuntu security update notifications."21:06
TJ-ah, kernel devs and their naming conventions, such wags!21:06
alkisgHow old intel CPUs does it affect? E.g. the first dual cores? Or even P4's?21:06
daxalkisg: Core onwards, TJ- just said21:06
TJ-alkisg: ^^21:06
alkisgSorry didn't see that. Whoops, that's a very big range21:06
alkisgAnd are we expecting a 10% slowdown?21:07
nicomachusTJ-: I think they got a little frustrated trying to fix it. :D21:07
daxfurther wording suggestions? (also, any aliases?)21:07
daxalkisg: it's workload-dependent. I have 4.15-rc6 on my machine right now which has it, and I don't notice any slowdown21:07
lotuspsychjehttps://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=121:07
daxbecause my CPU isn't pegged, like most people's aren't21:07
alkisgNice to hear, ty :)21:07
nicomachusdax: I'm worried about the slowdown21:08
lotuspsychjecant find official ubuntu kpti articles yet21:08
nicomachusalkisg: I've heard more along the lines of 5-30(!!)% slowdown21:08
alkisgOuch21:08
daxlotuspsychje: afaik there aren't any21:08
TJ-as far as I've been able to tell from my research reading Intel whitepapers this bug is in the Core micro-architecture's Smart Memory Access technolgy, specifically I think the speculative reordering of data loads before stores, which can cause page exceptions and reveal which addresses the kernel is using21:08
daxTJ-: yeah, that matches what I've seen so far (which is significantly less in-depth than your reading, I expect, but isn't just pop media)21:09
TJ-lotuspsychje: it's under embargo, everything you're hearing is intelligent 'speculation' based on patches and some published papers21:09
lotuspsychjehttps://nakedsecurity.sophos.com/2018/01/03/fckwit-aka-kaiser-aka-kpti-intel-cpu-flaw-needs-low-level-os-patches/amp/21:09
daxand I'm not putting speculation in factoids, and that includes performance numbers21:09
nicomachus"These KPTI patches move the kernel into a completely separate address space, so it's not just invisible to a running process, it's not even there at all. Really, this shouldn't be needed, but clearly there is a flaw in Intel's silicon that allows kernel access protections to be bypassed in some way."21:09
nicomachus"The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the21:09
nicomachuscomputer."21:09
TJ-Xen have an embargo on XSA-253 due to lift tomorrow lunchtime UTC which is probably it: https://xenbits.xen.org/xsa/21:10
dax!kpti21:10
ubot5The Linux community is working on a patchset for a hardening technique named KPTI that addresses recently-disclosed issues in Intel processors. Once finished, updates containing this patchset will be released through the normal Ubuntu security update process. See http://www.ubuntu.com/usn if you are interested in receiving all Ubuntu security update notifications.21:10
dax!-kpti21:10
ubot5kpti aliases: kaiser - added by dax on 2018-01-03 21:09:5121:10
TJ-if you want to read Intel's whitepaper on Smart Memory Access I have it here: http://iam.tj/projects/Intel-SmartMemoryAccess.pdf21:11
nicomachusTJ-: looks like someone found an exploit: https://twitter.com/brainsmoke/status/94856179987550208021:11
dax(feel free to highlight when the situation changes or if you have additional alias suggestions. going afk for a little bit)21:11
nicomachusdax: I suppose if you really wanted, you could link this: https://lkml.org/lkml/2017/12/4/70921:11
TJ-nicomachus: yes, that's it21:11
lotuspsychjenice find nicomachus21:22
JanClotuspsychje: you mean you manually added the "security device" or whatever they call it?21:25
JanCin Firefox 58 there should be an "easy way" to add it again21:25
lotuspsychjehttps://newsroom.intel.com/news/intel-responds-to-security-research-findings/21:25
lotuspsychjeJanC: the belgian ROOT certificate upload to firefox options/certificates21:26
lotuspsychjeJanC: libbeid...so21:27
lotuspsychjeand now its working21:27
JanCthat's more than only the root cert21:28
lotuspsychjeyeah, the security device21:28
lotuspsychjeJanC: anyway its working now21:29
JanCWouter wrote a patch to add a function that allows adding security devices to the new extension API for Firefox, but they didn't want to include it into 57, but it should be in 5821:30
lotuspsychjecool21:30
lotuspsychjeive tested on 57 + bionic devel21:31
lotuspsychjenite nite guys21:37
lotuspsychjethe whole web full of that kpti bug21:37
JanCfrom what I've read (which is not much yet), the slowdown from the patch for the Intel issue mostly affects systems that need to do lots of kernel/userspace context switches21:39
daxyes, that's where the slowdown is21:40
daxso you'll be more or less affected depending on whether your workload 1) does lots of context switches (not including VDSO), 2) runs your CPU at 100%21:41
daxso most people, even most gamers, won't even notice21:41
JanCnot sure how much context switches they need for graphics...21:42
JanCapplications that do a lot of I/O would be heavily affected probably21:42
daxif they're CPU-bound21:42
daxI mean, I'm looking at this from the point of view of desktop users + people running VMs that aren't pegged21:43
daxand they'll probably see somewhat lower numbers if they run a benchmark, and not notice otherwise21:43
JanCwe'll see, I guess21:44
TJ-JanC: also for interrupts and page-fault handling21:44
JanCanything using a tight I/O polling loop would be affected (but that's probably not a good design anyway)21:45
dax(which leads to the more general discussion of how modern Intel CPUs are all ridiculous overkill for consumer workloads, hence the switch to competing based on wattage etc. instead of Ghz)21:46
TJ-Intel seem to be in denial over it "...when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed" and trying to imply this isn't unique to them, which explains why the AMD patch has made it clear they're not affected21:46
JanCwell, it depends what you want to do  :)21:46
daxhint: whatever crazy CPU-bound "what you want to do" you just came up with isn't what i meant by "consumer workloads"21:47
TJ-"operating as designed" in this case is == "operating insecurely as designed"21:47
dax"Intel believes its products are the most secure in the world" lol21:48
TJ-dax: yes, it's such tosh it's obvious they're in denial and scrambling for damage limitation over responsible disclosure :)21:51
JanCdax: some webpages manage to permanently peg a CPU core to 100% quite easily  :)21:53
JanC(but you won't solve that with a faster CPU)21:54
daxi wouldn't know. my workplace installs adblocker automatically. my home stuff is all adblockered. and i don't go to crappy gaming websites.21:54
JanCoh, even Twitter & crap like that can do that if you leave a page open long enough...21:55
JanCit's just bad JavaScript programming usually21:56
TJ-I like umatrix since it shows the 3rd-party domains and blocks them by default, but makes it easy to enable selected resources either temporarily or permanently22:16
daxhttps://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html22:32
TJ-so, the reason AMD say they are not affected is the proof-of-concept allows a read but without crossing the privilege boundary, whereas Intel CPUs do22:40
dax*nod*22:41
daxdidn't read much past the list of PoCs yet22:41
TJ-and PoC #2 affects them only if " If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU"22:41
daxany idea whether Ubuntu enabled that?22:41
naccCONFIG_BFP_JIT=y in the 17.10 kernel22:42
nacci'm fairly sure all distros enable it, but not 100%22:42
TJ-/boot/config-4.4.0-105-lowlatency:CONFIG_HAVE_BPF_JIT=y22:42
daxnice22:42
naccit's a fairly significant performance difference for that particular toggle (iirc)22:42
TJ-interesting that the hyper-threading is one vector to exploitation too since that's a single core and therefore it's possible to have 1 thread doing injections and the other testing if they are successful22:46
TJ-blimey! design-gotchya 101: "...Given that branch prediction also must be very fast, we concluded that it is likely that the update function of the history buffer left-shifts the old history buffer, then XORs in the new state"22:48
TJ-that's in reference to the prediction history buffer, which is ~26 entries deep22:48
naccTJ-: nice22:50
TJ-oh wonderful: "...  It would be interesting to see whether attacks against more advanced JIT engines with less control over the system are also practical - in particular, JavaScript engines."22:56
naccTJ-: yeah, i think the first matter of business is disabling JS :?22:56
nacc:/ rather22:56
dax!kpti22:57
ubot5The Linux community is working on a patchset for a hardening technique named KPTI that addresses recently-disclosed issues in most modern processors. Once finished, updates containing this patchset will be released through the normal Ubuntu security update process. See http://www.ubuntu.com/usn if you are interested in receiving all Ubuntu security update notifications. For more information on the relevant bugs, see https://spectreattack.com/22:57
dax!-kpti22:57
ubot5kpti aliases: kaiser, spectre, meltdown - added by dax on 2018-01-03 21:09:51 - last edited by dax on 2018-01-03 22:57:3222:57
naccdax: thx22:58
TJ-"every Intel processor which implements out-of-order execution ... affected ... effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013"23:01
TJ-No wonder this is making waves, they've a PoC working using Javascript to escape browser sandboxing using the spectre technique23:05
TJ-not a problem for servers of course (err, hello, node.js)23:05
JanCdoes anyone know if CPUs from other brands are affected by the Intel issue or similar?23:08
daxit's discussed in the FAQ on  https://spectreattack.com/23:09
TJ-PoC code in the PDF in 124 SLOC23:12
JanCthe FAQ isn't entirely clear, and elsewhere there is conflicting information...23:48
TJ-JanC: right now there are only proofs-of-concept on Intel hardware. Spectre paper says they think that'll affect AMD Ryzen too but they didn't actually test it23:50
TJ-Interestingly, AMD claim that their prediction/speculative execution is using a neural-network that learns and adapts and is/should therefore be mostly immune to some of these attacks, or be very unpredictable23:51
TJ-(thus making it hard to exploit reliably)23:51
TJ-which possibly infers that AMD systems with longer up-times are less susceptible23:52
JanCmight also depend on how predictable things actually are  :)23:52
TJ-It's certainly a watershed moment; lots of admins going to be burning midnight oil as the saying goes23:55
JanCwell, there is no solution for Spectre AFAICT, so no point trying to fix that (certainly not as an admin)23:56
TJ-It could be this causes a major pause in the rush to 'cloud'23:57
JanCyeah23:57
TJ-since these are really serious for shared-tennant services23:57
JanCalthough that might depend on how mass media describe it (as the people who decide on using the cloud or not might often not be technical people...)23:58

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!