snadgeim having a meltdown waiting for meltdown patches ;p06:41
ubot5Debian bug 886367 in intel-microcode "intel-microcode: coming updates for meltdown/spectre" [Grave,Fixed]07:15
snadgeit is fixed upstream yes.. are there updated kernel packages for artful?08:19
snadgei thought it required kernel patch as well as microcode update08:19
tomreynit does, and they're coming. it's a complex set of patches, was planned to be released in 4 days.08:29
tseliotricotz: doesn't 384.111 work with the linux fix?09:31
tseliotapw: are there any kernels that I can try with that fix?09:40
snadgeim building my own mainline kernel with the pti patch.. just to entertain myself, but im not sure if i need the microcode side of it as well.. if debian has that can i use that?10:11
f_gsnadge: the microcode is not related to KPTI10:13
f_git's for a different patch set which is not part of mainline yet10:13
snadgeoh.. so how does KPTI relate to that?10:14
snadgein the thread about the microcode, it says it exposes a feature which that code uses.. or something like that10:14
f_gKPTI is for MELTDOWN, the microcode and related patches are for (some parts of) SPECTRE10:14
snadgegot it10:14
f_g(AFAICT, I am only a downstream observer trying to keep an overview of the whole mess)10:15
snadgeyeah.. so i figured i can at least patch for meltdown.. just for entertainment purposes10:15
snadgewhilst im waiting for something official10:15
dsdapw: i'd be interested in talking more about working together on KPTI stuff if you have time/interest10:23
zioprotohello, I opened this bug in mid-december. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1738219 How can I track when a Ubuntu kernel for Xenial contains this fix ? thank you10:28
ubot5Launchpad bug 1738219 in linux (Ubuntu Bionic) "the kernel is blackholing IPv6 packets to linkdown nexthops" [Medium,In progress]10:28
dsdthe new nvidia 384.111 does compile and load with linux 4.10.11. (havent tested 3d yet)10:40
dsdlinux v4.14.11, that is10:40
tomreynzioproto: the kernel image package linux-image-generic depends on will list the launchpad ID (1738219) in its changelog.10:44
tomreynzioproto: for example, right now this would be https://packages.ubuntu.com/xenial-updates/linux-image-generic -> https://packages.ubuntu.com/xenial-updates/linux-image-4.4.0-104-generic -> "Ubuntu Resources: Ubuntu Changelog" http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-104.127/changelog10:46
zioprototomreyn: thanks !10:52
apwdsd, which version are you interested in btw11:01
dsdapw: 4.13 artful 11:07
f_gapw: dsd: same, also able to put in testing/backporting/reviewing work in the next couple of hours11:10
f_galso for 4.4 / xenial, but it seems like the upstream stable patches which are queued are broken and it's not yet clear why/how :-/11:10
f_g4.9 and 4.14 seem to be (mostly fine), or the problem is just not as obvious there11:12
f_gif there is anything to do as an ubuntu kernel team outsider just ping11:16
apwf_g, what is the reported nature of the 4.4 issue ?11:22
f_gapw: init segfaulting when running in a VM as guest kernel11:23
lorddoskiasare you going to release meltdown/spectre patched kernels for 16.04 HWE?11:23
apwf_g, try turning off the vdso11:23
ckingvdso=0 on kernel command line11:24
ckingdo that in the VM image11:25
f_gapw: I am not affected (or rather, my test systems don't seem to be) - I just saw the reports in the review thread11:25
f_galso, wouldn't that imply quite the (additional) performance hit for some workloads?11:26
apwf_g, indeed, but it also narrows the probabal cause11:44
ricotztseliot, I wasn't aware of 384.11111:57
f_gapw: ah, okay. I thought you meant as workaround, not for triaging. sorry for the confusion12:01
snadgeis this it? https://launchpad.net/ubuntu/+source/intel-microcode/3.20170707.112:15
snadgea microcode update from a few days ago12:15
apwlooks too old to me12:15
snadge2nd of january/12:16
snadgethats just a few days ago12:16
snadgeoh.. 7th of july.. still.. thats about when it was first reported wasnt it?12:17
snadgeah thats an unrelated hyperthreading issue12:18
f_gsnadge: that's not it. I think you are looking for mid-December or later12:18
f_gbut there is no public official microcode update by intel yet, only some distros (Suse, Redhat) and vendors (Lenovo)12:19
snadgedebian has it?12:19
f_gunstable has an incomplete collection from various sources, but they are waiting for the relevant changes to get into their kernel and for Intel to do an official release12:21
ricotzapw, https://tracker.debian.org/news/89911012:42
dsdapw: f_g: https://github.com/endlessm/linux/tree/artful-kpti12:50
dsdthis is the 4.14-stable kpti patches backported to artful kernel12:51
dsddone them all now12:51
dsdboot-tested into the desktop12:51
dsdbackport notes: https://gist.github.com/dsd/f98a8f1a15f701934ece3e70c9b8fb0a12:51
dsdhopefully its useful12:51
dsdi dont have an exploit to test against the final result12:52
apwdsd, thanks12:56
f_gdsd: thanks, will test and report back13:29
TJ-has the patch for the KPTI symbol regression for cpu_tlbstate _GPL been spotted yet? If not, it's in the tip/x86/pti tree/branch currently as 1e54768  "x86/tlb: Drop the _GPL from the cpu_tlbstate export"13:37
dsdTJ-: the new nvidia driver version 384.111 looks like it might work without that symbol13:41
TJ-possibly, but there's the legacy 340.x version too13:42
mamarleyTJ-: I just compiled 340.104 against 4.14.11 and 4.15-rc6 recently.  It needs patches for both, but doesn't have any licensing issues.13:59
TJ-I wonder why some others are having issues, can't imagine it's a CONFIG_ issue, and it's Kees Cook reported it so not some iffy report14:01
mamarleyBeats me, sorry.14:01
TJ-Anyhow, the patch is coming along via tip tree so would be good to get into the current Ubuntu work, just in case14:02
f_gdsd: are you already working on the patches queued for 4.14.12 and subsequent follow up fixes?14:10
f_gdsd: also, see http://paste.debian.net/1003601/ (rebased on top of 22.25)14:10
dsdf_g: havent looked at them yet14:20
dsdi'll look at the xen build failure, thanks14:21
dsdi had noted that change as a tricky one :/14:21
dsdjust looking for what else went into 4.9.x recently that might be relevant14:23
dsdany idea about https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=404ae546c7d1927b877d24bf447a462a5c5a5ad7 ?14:24
dsdi guess TLB stuff is relevant for the PCID stuff14:26
dviolaI'm getting this on the latest ubuntu LTS kernel: https://gist.github.com/diegoviola/ef83824fc9fbddc67af0d9e75f51962114:28
dviolacompiz is crashing, looks like a kernel issue14:29
dviolaalready posted this on #ubuntu 14:29
dviolahow do I upgrade the kernel to the latest version?14:45
f_gdsd: I cherry-picked the two pre-requisites of f53f7a3f0156 from 4.14, attempting a rebuild..14:49
gpiccolidviola, what is latest LTS kernel ?14:50
gpiccoli4.10 or 4.13?14:50
gpiccoliok, try "apt install linux-generic-hwe-16.04-edge"14:51
dviolaI had this issue on arch with older kernels: *ERROR* CPU pipe A FIFO underrun14:52
gpiccoliit'll get you 4.13, perhaps fix the issue for you14:52
dviolaso I know it's fixed like on 4.13 and 4.1414:52
dsdf_g: i think i didnt do that since i was trying to avoid going beyond 1 prerequisite. i just pushed a fixup commit for the backport, fixes the build error you found14:52
dviolagpiccoli: ok, I'll try that, thanks14:52
gpiccolicool, yw =]14:52
f_gdsd: ack. rebuilding from that (I don't care -much- about XEN ;))14:56
mattiHi there kind kernel hackers/maintainers!15:02
mattiAnyone alive?15:02
jackpot51I am curious - what is the status of the KPTI patch in Ubuntu, and how could a hardware vendor like System76 help in speeding up its delivery?15:28
mattijackpot51: I am having conversation about this in #ubuntu almost in the same time.15:29
mattijackpot51: TJ- was kind enough to shed some light on the release. We might need to wait.15:30
jackpot51Ok, I will look there15:30
TJ-!kpti | jackpot51 15:30
ubot5jackpot51: Spectre and Meltdown are security issues that affect most processors, mitigated by a set of Linux kernel patches named KPTI. | General info: https://spectreattack.com/ | Ubuntu (and flavors) info: http://ubottu.com/y/ubukpti/ | An Ubuntu Security Notice will be released when updates are available, subscribe at https://usn.ubuntu.com/usn/15:30
mattijackpot51: If you don't need anything special, you can grab 4.11.14 already as -generic to try it out.15:30
mattijackpot51: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14.11/15:30
mattijackpot51: These does work, albeit it's not the official image, etc.15:31
mattiI fail at English15:31
jackpot51Thanks very much matti15:31
f_gdsd: FWIW, 4.4 and 4.14 just got new upstream stable releases. at least half of 4.14.12 is relevant for sure15:31
TJ-The other issue with the mainline build kernels, as well as not being supported, is they don't contain certain apparmor patches required to fully support LXC/LXD containers15:32
mattijackpot51: What TJ- said ^15:32
f_gTJ- jackpot51 : and no ZFS/SPL, but that can be built from source as module if needed15:32
mattiTJ-: He might be OK-ish for just a notebook, especially System76 one, but yeah...15:32
jackpot51How was Launchpad able to update kernels, as they hinted that is what they brought the build systems down for?15:33
tewardjackpot51: there's case by case allows on the builders right now, I believe.15:33
jackpot51I work for System76, more asking on behalf of our customers. I personally would require LXD and ZFS functionality. We will begin testing the mainline though, to be prepared for its release15:34
TJ-f_g: good point about ZFS, that could make for a 'surprise' :D15:34
mattijackpot51: Oh cool! :)15:35
jackpot51Yeah, would not want to lose half of my storage ;)15:35
tewardjackpot51: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown15:35
TJ-jackpot51: time to start shipping devices with RISC-V parallela 1024 core CPUs :)15:35
tewardalso the "It'll be released when it's ready" that I was told yesterday when I prodded the Security team as well :p15:36
jackpot51Oh, I very much hope we can TJ-15:36
mattijackpot51: I personally don't know if you guys and Canonical do anything special to make the kernel support notebooks (e.g. custom patches, etc.), so it might be from "it's easy" to even get the mainline patched with LXD and ZFS support, or we need to wait patiently.15:37
mattiTJ-: No ARM?15:37
jackpot51matti: We already sell an ARM server, our software infrastructure is capable of doing ARM desktops and laptops, but we do not have a hardware design15:39
jackpot51Is there anything that a competent software developer can do to help out TJ- ?15:40
mattijackpot51: Intel might just open a window of opportunity for S76 :)15:40
jackpot51Indeed. Until recently, if it wasn't Intel people would not buy it. There was very little market for other things. With the Management Engine and Meltdown, that should change people's minds drastically15:43
f_gdsd: your current branch compiles, I have to head home now but will continue testing later.15:46
dsdf_g: just pushed the 4.14.12 updates, thanks15:48
f_gdsd: will trigger a rebuild before heading out ;)15:49
dsdjackpot51: i have a artful kernel with the meltdown workaround added at https://github.com/endlessm/linux/tree/artful-kpti15:50
dsdi dont know if the ubuntu team will take it or draw from it, but its there if it helps anyone15:51
dsdf_g: needs a compile fix15:52
jackpot51Awesome dsd!15:53
dsdpushed a fixup15:54
mattidsd \o/15:54
apwwe will be pushing some of the work we have been doning soon to our main repos too15:59
apwi am sure they will differ some from yours, there is such a huge range of patches out there in this kit15:59
dsdthanks apw, i'll be sure to take a look16:01
dsdapw: i'm curious if you have access to an exploit, or another way of testing to see that the end result is not vulnerable?16:02
apwdsd, i don't atm no16:03
apwdsd,  have you tested ftrace in your port ?  i have had some issues with lockups16:08
dsdapw: no, is there a specific test i can run?16:09
apwi was running the self tests in the kernel source16:10
mattiI only saw Spectre PoC/demo/test - https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c616:10
mattiAnd this https://github.com/gkaindl/meltdown-poc16:11
mattiI am sure if there is an 0 day out there, then it's pretty pricey and people won't share out of their kindness... ;/16:12
matti(unless someone lurks on dark/deep web and got hold of one)16:13
dsdapw: it crashed yeah.. [8] event tracing - enable/disable with top level files16:38
apwdsd, that is great in some sense :)  as you have the same failure i do, so that makes it a lot less likely it is a porting issue, rather than a lack of someething at 4.13 level16:58
apwdsd, i have someone looking into why/how to stop it16:58
dsdok great16:58
dsdapw: i confirmed that it doesnt hang on 4.14.12, and i tried throwing some more patches at the 4.13 version but it still hangs17:05
dsdapw: i'm leaving for today, and traveling all weekend, but i will be back on monday if theres still stuff to fix. thanks17:05
apwdsd, thanks for the confirmation, if nothing else comes out of your work on this; that is a big help17:16
dviolaI updated my kernel to 4.13 and still getting crashes, looks like it's unrelated17:18
dviolacompiz is still crashing17:18
dviolaany ideas how to upgrade ubuntu to 17.10?17:19
dviolaI might upgrade to that and get rid of compiz altogether17:19
tomreynrdmsr 0x00000048 &>/dev/null && echo 'Patched.' || echo 'Unpatched.'    # https://twitter.com/olesovhcom/status/94929954480585932819:56
tomreynthis is about OVH's variant 2 mitigation. apparently they got microcode updates (not sure if those are the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367 or https://dev.gentoo.org/~whissi/dist/intel-microcode/microcode-20171117_p20171215.tgz )19:58
ubot5Debian bug 886367 in intel-microcode "intel-microcode: coming updates for meltdown/spectre" [Grave,Fixed]19:58
TJ-Looks like the new Intel IBRS/STIPB/IBPB capabilities will help; presumably they've been in development for several months20:25
f_gapw: anything public yet? does it make sense to continue testing dsd's tree or is that just wasted effort since the diff to your WIP state is too big?20:37
apwthey should be starting to appear as they get applied, in our main trees20:39
f_gTJ-: IMHO IBRS/retpoline looks like 4.16 material, at least the upstream discussion implies as much. unless you are planning on applying the Intel patches as is?20:59
TJ-f_g: wasn't planning it, just commenting on them now they've been formally documented21:00
f_gapw TJ- : is  https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c621:02
f_gon your radar? (sorry for premature enter)21:02
f_gargh, wrong link as well: https://lkml.kernel.org/r/ https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c621:03
TJ-f_g: spit it out! :D21:04
f_gha - working remote and mixing tmux sessions really messes with my muscle memory of keybindings it seems21:04
TJ-yeah... try again :)21:05
TJ-f_g: what link is it? 21:07
TJ-the patchwork  link is easier to read: https://patchwork.kernel.org/patch/10143611/21:13
f_gis 106.129 going to be rebased on top of 105.128, or will that be skipped altogether?21:44
f_g(4.4, that is)21:44
bjfour xenial (4.4) repo has a pti branch with the patches we are currently planning on going with22:00
f_gbjf: yes, which is where 106.129 was tagged, following after 104.127, skipping the 105.128 (unrelated) CVE fix release from master-next. hence my question, is that one postponed or has the pti branch not been rebased yet22:03
f_gthe pti branch is missing the last few late additions to 4.4.110, including a fix for running under qemu (which might replace disabling vdso?) and the rename of the config option22:04
bjff_g, unfortunately i'm not the one that's been doing the work so i'm not sure if that was intentional or now22:05
bjfapw ^22:05
apwf_g, will look into it23:21
f_gapw: just finished building with https://gist.github.com/anonymous/9d8154de7c18325894cb478d8c76e1fd instead of the pvclock and vdso commits from your pti branch, now on to testing..23:33
vleeWill Ubuntu 16.04 with 4.10 HWE kernel get updates for Meltdown and Spectre?23:37
TJ-vlee: yes23:42
vleeThis most recent announcement did not explicitly mention 4.10 kernel. https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities23:43
TJ-all currently supported kernel images will be updated, and the v4.10 kernel from 17.04 is supported until January 13th23:54

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!