| snadge | im having a meltdown waiting for meltdown patches ;p | 06:41 |
|---|---|---|
| tomreyn | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367 | 07:15 |
| ubot5 | Debian bug 886367 in intel-microcode "intel-microcode: coming updates for meltdown/spectre" [Grave,Fixed] | 07:15 |
| snadge | it is fixed upstream yes.. are there updated kernel packages for artful? | 08:19 |
| snadge | i thought it required kernel patch as well as microcode update | 08:19 |
| tomreyn | it does, and they're coming. it's a complex set of patches, was planned to be released in 4 days. | 08:29 |
| tseliot | ricotz: doesn't 384.111 work with the linux fix? | 09:31 |
| tseliot | apw: are there any kernels that I can try with that fix? | 09:40 |
| snadge | im building my own mainline kernel with the pti patch.. just to entertain myself, but im not sure if i need the microcode side of it as well.. if debian has that can i use that? | 10:11 |
| f_g | snadge: the microcode is not related to KPTI | 10:13 |
| f_g | it's for a different patch set which is not part of mainline yet | 10:13 |
| snadge | oh.. so how does KPTI relate to that? | 10:14 |
| snadge | in the thread about the microcode, it says it exposes a feature which that code uses.. or something like that | 10:14 |
| f_g | KPTI is for MELTDOWN, the microcode and related patches are for (some parts of) SPECTRE | 10:14 |
| snadge | got it | 10:14 |
| f_g | (AFAICT, I am only a downstream observer trying to keep an overview of the whole mess) | 10:15 |
| snadge | yeah.. so i figured i can at least patch for meltdown.. just for entertainment purposes | 10:15 |
| snadge | whilst im waiting for something official | 10:15 |
| dsd | apw: i'd be interested in talking more about working together on KPTI stuff if you have time/interest | 10:23 |
| zioproto | hello, I opened this bug in mid-december. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1738219 How can I track when a Ubuntu kernel for Xenial contains this fix ? thank you | 10:28 |
| ubot5 | Launchpad bug 1738219 in linux (Ubuntu Bionic) "the kernel is blackholing IPv6 packets to linkdown nexthops" [Medium,In progress] | 10:28 |
| dsd | the new nvidia 384.111 does compile and load with linux 4.10.11. (havent tested 3d yet) | 10:40 |
| dsd | linux v4.14.11, that is | 10:40 |
| tomreyn | zioproto: the kernel image package linux-image-generic depends on will list the launchpad ID (1738219) in its changelog. | 10:44 |
| tomreyn | zioproto: for example, right now this would be https://packages.ubuntu.com/xenial-updates/linux-image-generic -> https://packages.ubuntu.com/xenial-updates/linux-image-4.4.0-104-generic -> "Ubuntu Resources: Ubuntu Changelog" http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-104.127/changelog | 10:46 |
| zioproto | tomreyn: thanks ! | 10:52 |
| apw | dsd, which version are you interested in btw | 11:01 |
| dsd | apw: 4.13 artful | 11:07 |
| f_g | apw: dsd: same, also able to put in testing/backporting/reviewing work in the next couple of hours | 11:10 |
| f_g | also for 4.4 / xenial, but it seems like the upstream stable patches which are queued are broken and it's not yet clear why/how :-/ | 11:10 |
| dsd | ouch | 11:11 |
| f_g | 4.9 and 4.14 seem to be (mostly fine), or the problem is just not as obvious there | 11:12 |
| f_g | if there is anything to do as an ubuntu kernel team outsider just ping | 11:16 |
| apw | f_g, what is the reported nature of the 4.4 issue ? | 11:22 |
| f_g | apw: init segfaulting when running in a VM as guest kernel | 11:23 |
| lorddoskias | are you going to release meltdown/spectre patched kernels for 16.04 HWE? | 11:23 |
| apw | f_g, try turning off the vdso | 11:23 |
| cking | vdso=0 on kernel command line | 11:24 |
| cking | do that in the VM image | 11:25 |
| f_g | apw: I am not affected (or rather, my test systems don't seem to be) - I just saw the reports in the review thread | 11:25 |
| apw | ack | 11:25 |
| f_g | also, wouldn't that imply quite the (additional) performance hit for some workloads? | 11:26 |
| apw | f_g, indeed, but it also narrows the probabal cause | 11:44 |
| ricotz | tseliot, I wasn't aware of 384.111 | 11:57 |
| f_g | apw: ah, okay. I thought you meant as workaround, not for triaging. sorry for the confusion | 12:01 |
| snadge | is this it? https://launchpad.net/ubuntu/+source/intel-microcode/3.20170707.1 | 12:15 |
| snadge | a microcode update from a few days ago | 12:15 |
| apw | looks too old to me | 12:15 |
| snadge | 2nd of january/ | 12:16 |
| snadge | thats just a few days ago | 12:16 |
| snadge | oh.. 7th of july.. still.. thats about when it was first reported wasnt it? | 12:17 |
| snadge | ah thats an unrelated hyperthreading issue | 12:18 |
| f_g | snadge: that's not it. I think you are looking for mid-December or later | 12:18 |
| f_g | but there is no public official microcode update by intel yet, only some distros (Suse, Redhat) and vendors (Lenovo) | 12:19 |
| snadge | debian has it? | 12:19 |
| f_g | unstable has an incomplete collection from various sources, but they are waiting for the relevant changes to get into their kernel and for Intel to do an official release | 12:21 |
| ricotz | apw, https://tracker.debian.org/news/899110 | 12:42 |
| dsd | apw: f_g: https://github.com/endlessm/linux/tree/artful-kpti | 12:50 |
| dsd | this is the 4.14-stable kpti patches backported to artful kernel | 12:51 |
| dsd | done them all now | 12:51 |
| dsd | boot-tested into the desktop | 12:51 |
| dsd | backport notes: https://gist.github.com/dsd/f98a8f1a15f701934ece3e70c9b8fb0a | 12:51 |
| dsd | hopefully its useful | 12:51 |
| dsd | i dont have an exploit to test against the final result | 12:52 |
| apw | dsd, thanks | 12:56 |
| f_g | dsd: thanks, will test and report back | 13:29 |
| TJ- | has the patch for the KPTI symbol regression for cpu_tlbstate _GPL been spotted yet? If not, it's in the tip/x86/pti tree/branch currently as 1e54768 "x86/tlb: Drop the _GPL from the cpu_tlbstate export" | 13:37 |
| dsd | TJ-: the new nvidia driver version 384.111 looks like it might work without that symbol | 13:41 |
| TJ- | possibly, but there's the legacy 340.x version too | 13:42 |
| mamarley | TJ-: I just compiled 340.104 against 4.14.11 and 4.15-rc6 recently. It needs patches for both, but doesn't have any licensing issues. | 13:59 |
| TJ- | I wonder why some others are having issues, can't imagine it's a CONFIG_ issue, and it's Kees Cook reported it so not some iffy report | 14:01 |
| mamarley | Beats me, sorry. | 14:01 |
| TJ- | Anyhow, the patch is coming along via tip tree so would be good to get into the current Ubuntu work, just in case | 14:02 |
| f_g | dsd: are you already working on the patches queued for 4.14.12 and subsequent follow up fixes? | 14:10 |
| f_g | dsd: also, see http://paste.debian.net/1003601/ (rebased on top of 22.25) | 14:10 |
| dsd | f_g: havent looked at them yet | 14:20 |
| dsd | i'll look at the xen build failure, thanks | 14:21 |
| dsd | i had noted that change as a tricky one :/ | 14:21 |
| dsd | just looking for what else went into 4.9.x recently that might be relevant | 14:23 |
| dsd | any idea about https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=404ae546c7d1927b877d24bf447a462a5c5a5ad7 ? | 14:24 |
| dsd | i guess TLB stuff is relevant for the PCID stuff | 14:26 |
| dviola | hi | 14:28 |
| dviola | I'm getting this on the latest ubuntu LTS kernel: https://gist.github.com/diegoviola/ef83824fc9fbddc67af0d9e75f519621 | 14:28 |
| dviola | compiz is crashing, looks like a kernel issue | 14:29 |
| dviola | already posted this on #ubuntu | 14:29 |
| dviola | how do I upgrade the kernel to the latest version? | 14:45 |
| f_g | dsd: I cherry-picked the two pre-requisites of f53f7a3f0156 from 4.14, attempting a rebuild.. | 14:49 |
| gpiccoli | dviola, what is latest LTS kernel ? | 14:50 |
| gpiccoli | 4.10 or 4.13? | 14:50 |
| dviola | 4.10 | 14:51 |
| gpiccoli | ok, try "apt install linux-generic-hwe-16.04-edge" | 14:51 |
| dviola | I had this issue on arch with older kernels: *ERROR* CPU pipe A FIFO underrun | 14:52 |
| gpiccoli | it'll get you 4.13, perhaps fix the issue for you | 14:52 |
| dviola | so I know it's fixed like on 4.13 and 4.14 | 14:52 |
| dsd | f_g: i think i didnt do that since i was trying to avoid going beyond 1 prerequisite. i just pushed a fixup commit for the backport, fixes the build error you found | 14:52 |
| dviola | gpiccoli: ok, I'll try that, thanks | 14:52 |
| gpiccoli | cool, yw =] | 14:52 |
| f_g | dsd: ack. rebuilding from that (I don't care -much- about XEN ;)) | 14:56 |
| matti | Hi there kind kernel hackers/maintainers! | 15:02 |
| matti | Anyone alive? | 15:02 |
| jackpot51 | I am curious - what is the status of the KPTI patch in Ubuntu, and how could a hardware vendor like System76 help in speeding up its delivery? | 15:28 |
| matti | jackpot51: I am having conversation about this in #ubuntu almost in the same time. | 15:29 |
| matti | jackpot51: TJ- was kind enough to shed some light on the release. We might need to wait. | 15:30 |
| jackpot51 | Ok, I will look there | 15:30 |
| TJ- | !kpti | jackpot51 | 15:30 |
| ubot5 | jackpot51: Spectre and Meltdown are security issues that affect most processors, mitigated by a set of Linux kernel patches named KPTI. | General info: https://spectreattack.com/ | Ubuntu (and flavors) info: http://ubottu.com/y/ubukpti/ | An Ubuntu Security Notice will be released when updates are available, subscribe at https://usn.ubuntu.com/usn/ | 15:30 |
| matti | jackpot51: If you don't need anything special, you can grab 4.11.14 already as -generic to try it out. | 15:30 |
| matti | jackpot51: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14.11/ | 15:30 |
| matti | jackpot51: These does work, albeit it's not the official image, etc. | 15:31 |
| matti | s/does/do/ | 15:31 |
| matti | I fail at English | 15:31 |
| jackpot51 | Thanks very much matti | 15:31 |
| f_g | dsd: FWIW, 4.4 and 4.14 just got new upstream stable releases. at least half of 4.14.12 is relevant for sure | 15:31 |
| TJ- | The other issue with the mainline build kernels, as well as not being supported, is they don't contain certain apparmor patches required to fully support LXC/LXD containers | 15:32 |
| matti | jackpot51: What TJ- said ^ | 15:32 |
| f_g | TJ- jackpot51 : and no ZFS/SPL, but that can be built from source as module if needed | 15:32 |
| matti | TJ-: He might be OK-ish for just a notebook, especially System76 one, but yeah... | 15:32 |
| jackpot51 | How was Launchpad able to update kernels, as they hinted that is what they brought the build systems down for? | 15:33 |
| teward | jackpot51: there's case by case allows on the builders right now, I believe. | 15:33 |
| jackpot51 | I work for System76, more asking on behalf of our customers. I personally would require LXD and ZFS functionality. We will begin testing the mainline though, to be prepared for its release | 15:34 |
| TJ- | f_g: good point about ZFS, that could make for a 'surprise' :D | 15:34 |
| matti | jackpot51: Oh cool! :) | 15:35 |
| jackpot51 | Yeah, would not want to lose half of my storage ;) | 15:35 |
| teward | jackpot51: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | 15:35 |
| TJ- | jackpot51: time to start shipping devices with RISC-V parallela 1024 core CPUs :) | 15:35 |
| teward | also the "It'll be released when it's ready" that I was told yesterday when I prodded the Security team as well :p | 15:36 |
| jackpot51 | Oh, I very much hope we can TJ- | 15:36 |
| matti | jackpot51: I personally don't know if you guys and Canonical do anything special to make the kernel support notebooks (e.g. custom patches, etc.), so it might be from "it's easy" to even get the mainline patched with LXD and ZFS support, or we need to wait patiently. | 15:37 |
| matti | TJ-: No ARM? | 15:37 |
| matti | :< | 15:37 |
| jackpot51 | matti: We already sell an ARM server, our software infrastructure is capable of doing ARM desktops and laptops, but we do not have a hardware design | 15:39 |
| jackpot51 | Is there anything that a competent software developer can do to help out TJ- ? | 15:40 |
| matti | jackpot51: Intel might just open a window of opportunity for S76 :) | 15:40 |
| matti | opened* | 15:40 |
| jackpot51 | Indeed. Until recently, if it wasn't Intel people would not buy it. There was very little market for other things. With the Management Engine and Meltdown, that should change people's minds drastically | 15:43 |
| f_g | dsd: your current branch compiles, I have to head home now but will continue testing later. | 15:46 |
| dsd | f_g: just pushed the 4.14.12 updates, thanks | 15:48 |
| f_g | dsd: will trigger a rebuild before heading out ;) | 15:49 |
| dsd | jackpot51: i have a artful kernel with the meltdown workaround added at https://github.com/endlessm/linux/tree/artful-kpti | 15:50 |
| dsd | i dont know if the ubuntu team will take it or draw from it, but its there if it helps anyone | 15:51 |
| dsd | f_g: needs a compile fix | 15:52 |
| jackpot51 | Awesome dsd! | 15:53 |
| dsd | pushed a fixup | 15:54 |
| matti | dsd \o/ | 15:54 |
| apw | we will be pushing some of the work we have been doning soon to our main repos too | 15:59 |
| apw | i am sure they will differ some from yours, there is such a huge range of patches out there in this kit | 15:59 |
| dsd | thanks apw, i'll be sure to take a look | 16:01 |
| dsd | apw: i'm curious if you have access to an exploit, or another way of testing to see that the end result is not vulnerable? | 16:02 |
| apw | dsd, i don't atm no | 16:03 |
| dsd | ok | 16:03 |
| apw | dsd, have you tested ftrace in your port ? i have had some issues with lockups | 16:08 |
| dsd | apw: no, is there a specific test i can run? | 16:09 |
| apw | i was running the self tests in the kernel source | 16:10 |
| matti | I only saw Spectre PoC/demo/test - https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c6 | 16:10 |
| matti | And this https://github.com/gkaindl/meltdown-poc | 16:11 |
| matti | I am sure if there is an 0 day out there, then it's pretty pricey and people won't share out of their kindness... ;/ | 16:12 |
| matti | (unless someone lurks on dark/deep web and got hold of one) | 16:13 |
| dsd | apw: it crashed yeah.. [8] event tracing - enable/disable with top level files | 16:38 |
| apw | dsd, that is great in some sense :) as you have the same failure i do, so that makes it a lot less likely it is a porting issue, rather than a lack of someething at 4.13 level | 16:58 |
| apw | dsd, i have someone looking into why/how to stop it | 16:58 |
| dsd | ok great | 16:58 |
| dsd | apw: i confirmed that it doesnt hang on 4.14.12, and i tried throwing some more patches at the 4.13 version but it still hangs | 17:05 |
| dsd | apw: i'm leaving for today, and traveling all weekend, but i will be back on monday if theres still stuff to fix. thanks | 17:05 |
| apw | dsd, thanks for the confirmation, if nothing else comes out of your work on this; that is a big help | 17:16 |
| dviola | I updated my kernel to 4.13 and still getting crashes, looks like it's unrelated | 17:18 |
| dviola | compiz is still crashing | 17:18 |
| dviola | any ideas how to upgrade ubuntu to 17.10? | 17:19 |
| dviola | I might upgrade to that and get rid of compiz altogether | 17:19 |
| tomreyn | rdmsr 0x00000048 &>/dev/null && echo 'Patched.' || echo 'Unpatched.' # https://twitter.com/olesovhcom/status/949299544805859328 | 19:56 |
| tomreyn | this is about OVH's variant 2 mitigation. apparently they got microcode updates (not sure if those are the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367 or https://dev.gentoo.org/~whissi/dist/intel-microcode/microcode-20171117_p20171215.tgz ) | 19:58 |
| ubot5 | Debian bug 886367 in intel-microcode "intel-microcode: coming updates for meltdown/spectre" [Grave,Fixed] | 19:58 |
| TJ- | Looks like the new Intel IBRS/STIPB/IBPB capabilities will help; presumably they've been in development for several months | 20:25 |
| f_g | apw: anything public yet? does it make sense to continue testing dsd's tree or is that just wasted effort since the diff to your WIP state is too big? | 20:37 |
| apw | they should be starting to appear as they get applied, in our main trees | 20:39 |
| f_g | TJ-: IMHO IBRS/retpoline looks like 4.16 material, at least the upstream discussion implies as much. unless you are planning on applying the Intel patches as is? | 20:59 |
| TJ- | f_g: wasn't planning it, just commenting on them now they've been formally documented | 21:00 |
| f_g | apw TJ- : is https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c6 | 21:02 |
| f_g | on your radar? (sorry for premature enter) | 21:02 |
| f_g | argh, wrong link as well: https://lkml.kernel.org/r/ https://gist.github.com/jedisct1/3bbb6e50b768968c30629bf734ea49c6 | 21:03 |
| TJ- | f_g: spit it out! :D | 21:04 |
| f_g | ha - working remote and mixing tmux sessions really messes with my muscle memory of keybindings it seems | 21:04 |
| TJ- | yeah... try again :) | 21:05 |
| TJ- | f_g: what link is it? | 21:07 |
| f_g | https://lkml.kernel.org/r/<20180103223138.102768-1-jmattson@google.com> | 21:07 |
| TJ- | the patchwork link is easier to read: https://patchwork.kernel.org/patch/10143611/ | 21:13 |
| f_g | is 106.129 going to be rebased on top of 105.128, or will that be skipped altogether? | 21:44 |
| f_g | (4.4, that is) | 21:44 |
| bjf | our xenial (4.4) repo has a pti branch with the patches we are currently planning on going with | 22:00 |
| f_g | bjf: yes, which is where 106.129 was tagged, following after 104.127, skipping the 105.128 (unrelated) CVE fix release from master-next. hence my question, is that one postponed or has the pti branch not been rebased yet | 22:03 |
| f_g | the pti branch is missing the last few late additions to 4.4.110, including a fix for running under qemu (which might replace disabling vdso?) and the rename of the config option | 22:04 |
| bjf | f_g, unfortunately i'm not the one that's been doing the work so i'm not sure if that was intentional or now | 22:05 |
| bjf | apw ^ | 22:05 |
| apw | f_g, will look into it | 23:21 |
| f_g | apw: just finished building with https://gist.github.com/anonymous/9d8154de7c18325894cb478d8c76e1fd instead of the pvclock and vdso commits from your pti branch, now on to testing.. | 23:33 |
| vlee | Will Ubuntu 16.04 with 4.10 HWE kernel get updates for Meltdown and Spectre? | 23:37 |
| TJ- | vlee: yes | 23:42 |
| vlee | This most recent announcement did not explicitly mention 4.10 kernel. https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities | 23:43 |
| TJ- | all currently supported kernel images will be updated, and the v4.10 kernel from 17.04 is supported until January 13th | 23:54 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!