
Tuesday, December 4, 2018

Linus releases RC5 of Linux patches to fix SPECTREv2


Abstract:

A new set of Intel-based vulnerabilities has been discovered. Every security release for Linux has created slower versions of the Operating System. Linux even started shipping its Operating System with security disabled by default. This latest release candidate disables another item.
[Penguin courtesy TheRegister]

November Release

Linus released a kernel patch to fix a November Release issue.
In November, it emerged that Spectre Version 2 fixes in the Linux kernel were a performance nightmare. Single Thread Indirect Branch Predictors (STIBP) were the culprit: they didn't play well with symmetrical multi-threading (SMT), and performance took a 50 per cent hit.



People were not very happy about this latest fix.


[SPECTRE logo]

December Release

What is contained in this Intel Linux release candidate:
The workaround was to disable STIBP while waiting for a fix, and that's what landed in Linux 4.20-rc5. Phoronix described the fix as “processes opting into [STIBP] (via prctl interface and defaulting it on for SECCOMP processes)”, rather than applying SMT to all threads.
This latest fix attempt is not without pain.
Torvalds remarked that this release candidate has lots of code: “rc5 is the biggest rc so far (with the obvious exception of rc1), and it looks fairly unusual in the diffstat too, with almost a third being arch updates.”
Merry Christmas - The Intel security nightmare continues.
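The prctl opt-in mentioned above can be exercised from a process that wants the indirect-branch protection for itself. The following is an added example, not code from the kernel patch set or from this post: the PR_* constants come from <linux/prctl.h>, while the enum and function names are hypothetical helpers.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* PR_SPEC_INDIRECT_BRANCH arrived with Linux 4.20; fallback for older headers. */
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

/* Hypothetical helper names below; only the prctl constants are kernel API. */
enum spec_state { SPEC_UNSUPPORTED, SPEC_NOT_AFFECTED, SPEC_MITIGATED,
                  SPEC_CAN_OPT_IN, SPEC_UNMITIGATED };

/* Interpret a PR_GET_SPECULATION_CTRL result (negative means the call failed). */
enum spec_state classify_spec_state(long st)
{
    if (st < 0)  return SPEC_UNSUPPORTED;
    if (st == 0) return SPEC_NOT_AFFECTED;
    /* "Disable" refers to the speculation feature, so it means protection is on. */
    if (st & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) return SPEC_MITIGATED;
    return (st & PR_SPEC_PRCTL) ? SPEC_CAN_OPT_IN : SPEC_UNMITIGATED;
}

long get_indirect_branch_state(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_INDIRECT_BRANCH,
                 0UL, 0UL, 0UL);
}

/* Returns 1 if this call turned protection on, 0 if none was needed, -1 if it could not. */
int opt_in_indirect_branch_protection(void)
{
    enum spec_state s = classify_spec_state(get_indirect_branch_state());
    if (s == SPEC_NOT_AFFECTED || s == SPEC_MITIGATED) return 0;
    if (s != SPEC_CAN_OPT_IN) return -1;   /* kernel offers no per-task control */
    return prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_INDIRECT_BRANCH,
                 (unsigned long)PR_SPEC_DISABLE, 0UL, 0UL) == 0 ? 1 : -1;
}

int main(void)
{
    static const char *names[] = { "unsupported", "not affected", "mitigated",
                                   "can opt in", "unmitigated, no per-task control" };
    printf("before: %s\n", names[classify_spec_state(get_indirect_branch_state())]);
    printf("opt-in result: %d\n", opt_in_indirect_branch_protection());
    printf("after:  %s\n", names[classify_spec_state(get_indirect_branch_state())]);
    return 0;
}
```

The system-wide view of the same setting is reported in /sys/devices/system/cpu/vulnerabilities/spectre_v2.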



[Oracle SPARC Hardware Family]

SPARC Solaris Fast & Secure

As mentioned earlier in Network Management, Oracle SPARC T4, T5, M5, M6, M7, S7, and M8 had been patched at the Firmware Level, making their systems secure for the hosted Solaris Operating System... while all older Sun 64 bit SPARC Processors were immune.


As existing Intel hardware continues to get slower with every patch, SPARC processors, which were faster to begin with, continue to show performance gains, by merely existing as a more secure alternative.

Conclusions

While the rest of the world is still struggling with Linux on Intel processors, SPARC based Data Centers continue to run. Running in security & safety under SPARC is quite normal.



Wednesday, May 23, 2018

Spectre - SPARC Solaris: The Safe Choice


Abstract:

As the industry continues to struggle with Meltdown, a second vulnerability family has appeared, referred to as Spectre. As of this article's publication, there are 4 variants of Spectre, the latter two variants referred to as Spectre-NG. All SPARC systems are safe, if the most recent systems are on the most current firmware & OS releases. As of this publishing, the latest application/OS & firmware patches fix the first two. The latter 2 do not affect SPARC, while the rest of the Intel and other CPU communities are struggling with their cloud and local server infrastructures.
 
[Spectre logo, courtesy solaris.wtf]

Spectre 

Spectre comes in 4 variants: the first 2 and the next 2, all identified as of the publishing of this article.


Spectre v1

Upgrade Firefox to 57.0.4 or greater for protection (i.e. bundled in recent Solaris 11.3 updates).

Unpatched super-scalar CPUs (i.e. SPARC T4, T5, M6, M7, S7, M8, M10, M12) could possibly be exploited via CVE-2017-5753.

Spectre v2

A quick summary on Stack Exchange on how Spectre works:
the attacker tricks the speculative execution to predictively execute instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result (if -> true), that results in asking for an out-of-bound memory access that the victim process would not normally have requested, resulting in incorrect speculative execution. Then by the side-channel, retrieves the value of this memory. In this way, memory belonging to the victim process is leaked to the malicious process.
Unpatched super-scalar CPUs (i.e. SPARC T4, T5, M6, M7, S7, M8, M10, M12) may be exploited via CVE-2017-5715.

Spectre v3a

All 64 bit SPARC is immune to CVE-2018-3640.

Spectre v4

All 64 bit SPARC is immune to CVE-2018-3639.


[SPARC Logo, courtesy SPARC International]

SPARC

Modern 64 bit SPARC variants come in 2 classes: Scalar and Super-Scalar.
[Sun Microsystems Logo, courtesy Sun Microsystems]

Sun UltraSPARC

Older Sun UltraSPARC 64 bit Servers do not have the CPU feature which could possibly be exploited and were not vulnerable... they did not issue speculative instructions. Oracle had purchased Sun, so their support channel can provide a definitive explanation. Performance was mostly driven on these servers leveraging SMP chassis, Multi-Core sockets, and large memory footprints.
[Oracle Logo, courtesy Oracle Corporation]

Oracle SPARC

Newer Oracle SPARC Solaris servers are possibly vulnerable if you are running a modern CPU which initiates speculative instructions (i.e. T4 or newer), while older 64 bit CPUs are not vulnerable. It has been reported on Solaris WTF that "Spectre (CVE-2017-5753 and CVE-2017-5715)" has been fixed in firmware (i.e. T4: 8.9.10 or greater; T5, M5, M6: 9.6.22a or greater; M7, S7, M8: 9.8.5c or greater).

The short story: a firmware patch for CPUs newer than T4 is required, and the impact on performance is very minor, according to the previous blog. Stock Firefox as shipped with Solaris 10 is vulnerable to Spectre v1. Solaris 11 fixed the Firefox vulnerability in early 2018, so users should migrate to Solaris 11.

[Fujitsu Logo, courtesy Fujitsu corporation]

Fujitsu SPARC


Sun and Oracle are not the only 2 vendors who have produced 64 bit SPARC platforms. Newer Fujitsu SPARC Servers are also super-scalar, possibly vulnerable to Spectre v2 (CVE-2017-5753), and have been fixed in firmware (i.e. M10: XCP2351; M12: XCP3051).

Conclusions:

If you are using an older Sun UltraSPARC server, you are OK. If you are running a newer Oracle SPARC (i.e. T4 or newer) server, you should update Firefox on Solaris 10 or get on the latest Solaris 11 release to be protected from Spectre v1. For the same class of hardware, apply firmware patches available today to protect from Spectre v2. SPARC is immune to Spectre v3 & v4. Get with your Oracle support for the first 2 variants (doc id 2349278.1) and second 2 variants.