1 (edited by auanta 2022-08-27 07:03:32)

Topic: Spectre mitigations

I was wondering if Hyperbola would be seeking to have mitigations for the vulnerabilities listed here:

grep $ /sys/devices/system/cpu/vulnerabilities/*
spec_store_bypass:Vulnerable
spectre_v2:Vulnerable: eIBRS with unprivileged eBPF

Currently there remain a few open vulnerabilities as far as my kernel tells me.

Also, I think we require packages to install "microcode"; I am not sure of their licenses but they aren't in our

Mitigations should be loaded early in the boot process per the Arch wiki, before the initramfs.
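An added example, not from the post: a POSIX shell script that reads the same sysfs files as the grep above and classifies each entry as not affected, mitigated or still vulnerable. It is run here against a constructed sample tree mirroring the quoted output; the directory argument and the function names are my own.

```shell
#!/bin/sh
# Summarise /sys/devices/system/cpu/vulnerabilities/*. The kernel writes
# "Not affected", "Mitigation: ..." or "Vulnerable..." into each file.
# The directory is a parameter so the script can also be run offline
# against a constructed sample tree (see make_sample_tree below).

# Print one line per entry: NAME<TAB>STATE<TAB>full kernel text.
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        text=$(cat "$f")
        case "$text" in
            "Not affected"*) state=OK ;;
            "Mitigation:"*)  state=MITIGATED ;;
            "Vulnerable"*)   state=VULNERABLE ;;
            *)               state=UNKNOWN ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$state" "$text"
    done
}

# Number of entries the kernel still reports as Vulnerable.
count_vulnerable() {
    report_vulns "$1" | awk -F'\t' '$2 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# Constructed sample tree (hypothetical values modelled on the post's output).
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Vulnerable: eIBRS with unprivileged eBPF\n' > "$d/spectre_v2"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Not affected\n' > "$d/meltdown"
    echo "$d"
}

sample=$(make_sample_tree)
report_vulns "$sample"
echo "vulnerable entries: $(count_vulnerable "$sample")"
```

Run it with no argument (or pass /sys/devices/system/cpu/vulnerabilities) on a real machine to check what the booted kernel reports after changing its defaults.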

2

Re: Spectre mitigations

Well, Hyperbola won't install any kind of microcode. That is especially the point about rejecting firmware-blobs. To make that part clear: We will never include binary blobs into the Hyperbola-system that are not open before compilation.

For GNU/Linux-libre there are therefore only those mitigations available that we have done. HyperbolaBSD will get even more attention possible!

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

3

Re: Spectre mitigations

@auanta besides, many of those blobs could have unknown risks.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

4 (edited by auanta 2022-08-27 15:58:53)

Re: Spectre mitigations

throgh wrote:

Well, Hyperbola won't install any kind of microcode. That is especially the point about rejecting firmware-blobs. To make that part clear: We will never include binary blobs into the Hyperbola-system that are not open before compilation.

For GNU/Linux-libre there are therefore only those mitigations available that we have done. HyperbolaBSD will get even more attention possible!

I'm not asking for binary blobs to be included in the kernel, not at all. I don't have the knowledge about what intel microcode even is. Are we sure that those are blobs? Or are they just patches?

Forgive me, for I have been working a lot and am tired, but I wanted to get this out.

From the responses so far I think we need to re-look at what mitigations are available. The mainline Linux kernel has made mitigations, but some options apparently have to be turned on in the compile process. So, it would just be a matter of setting the defaults for the Linux-libre kernel at compile time to cover these vulnerabilities. The issue I see on my computer is that some but not all have been 'patched' or configured with the safe defaults.

With that being the case, the safe defaults are in line with Hyperbola policy.

Unless I totally misunderstood, though. But I do gather that microcode is only one of the mitigations; the other is changes to the kernel itself. It must be stressed that Spectre affects even ARM and MIPS CPUs, and I am left with the impression that this affects all kernels.

Information can be found here and some astute kernel person can make the appropriate decisions:

https://docs.kernel.org/admin-guide/hw-vuln/
https://docs.kernel.org/admin-guide/hw- … ectre.html
https://wiki.archlinux.org/title/Microcode
https://wiki.archlinux.org/title/Security#CPU

Excited for HyperbolaBSD-libre, btw.

5

Re: Spectre mitigations

I see, @auanta, now you are the paranoid type.

First, just make some tea and relax; the nations are in need of hard workers like you.
I will describe the things as I can below.

First, in the Hyperbola GNU/Linux stage: unless you are a big boss who holds a lot of money or power, or is engaged with mafia, yakuza, or deep web activities, you may rest assured that a malicious hacker probably has no interest in exploiting your computer. Your chances of accidentally meeting malicious code and robots are pretty slim as well, and that malicious code must first breach into your system too.

Second stage, when hyperbsd is finished: if you are still paranoid with the first stage, you don't have to worry anymore, as hyperbsd is based on the super secure OpenBSD; no advanced tweaks are needed, as this distribution is secure from the ground up.

You might find many articles on the net; this is an example:
https://why-openbsd.rocks/fact/meltdown-spectre/

6

Re: Spectre mitigations

GNU/Linux-libre is for us surely a point to stay for the moment: Nevertheless we are working on HyperBK and therefore porting the kernel building with a free and libre toolchain also. HyperbolaBSD itself is therefore the major goal and our GNU/Linux-libre is more the point of transition. When we can include more mitigations, we will do that also for GNU/Linux-libre.

7 (edited by auanta 2022-08-27 19:19:42)

Re: Spectre mitigations

dikasp2, you made me laugh out loud! But yes, OpenBSD mitigations sound fabulous!

throgh, looking forward to this exciting new evolution!

Didn't know OpenBSD, or any BSD, was my kind of thing, even, but I do now.