#FreeBSD update on #Meltdown mitigation. Including a WIP mitigation implementation.

lists.freebsd.org/pipermail/fr

The patch applied fine in #HardenedBSD 12-CURRENT. I'm compiling world + kernel with the patch to test it out on my laptop.

Over on the TenFourFox blog, someone tested on PowerPC G5 and G4: Mostly works. G3 and older seem relatively safe.

tenfourfox.blogspot.de/2018/01

First minor fallout from patches we noticed on our notebooks: Pulse Secure VPN client needs an update, at least when Host Checker is being used during the login process. (In our case, Host Checker is doing several policy checks - like verifying the machine certificate - before permitting a network connection).

kb.pulsesecure.net/articles/Pu

My favourite Linux kernel config pet peeve: Options where the help text tells me to prefer a certain answer, but the default is different.

mastodon.infra.de/media/JHG2Z0

Sunday fun: Fighting all the moths. Again.
Some of my partner's woollen carpets got infested with them. I don't remember this happening repeatedly while she still had cats, but I'm not sure if that was to their credit, or it was because we had to clean the carpets much more often than now...

mastodon.infra.de/media/IxxeIO

Jan Wildeboer (Red Hat) has collected a timeline on the findings around and in a Google+ post, currently starting somewhere in Fall 2016 with the ARMageddon USENIX paper.

plus.google.com/+jwildeboer/po

Can't find the post linking to Ken Shirriff's article about the Alto disk encryption (righto.com/2018/01/xerox-alto-), but anyway... It has a screenshot of the Alto "Neptune" file manager, which looks like so many two-pane file managers we've seen over the decades since then. It also immediately reminded me of STZip on the Atari.

mastodon.infra.de/media/jh7ZaY
mastodon.infra.de/media/Hm0sJR

Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it arstechnica.com/?p=1239865 #infosec

In contrast to that, Lenovo already has BIOS-Updates for some client systems, available via System Update. That's on a Yoga 260, didn't check for other hardware yet.



mastodon.infra.de/media/wWrF68

Ah, this patch explains the mythical IBRS acronym used in the RedHat advisory, and the microcode update: mail-archive.com/linux-kernel@

"[..] detection and usage of x86 indirect branch speculation feature. It enables the indirect branch restricted speculation (IBRS) on kernel entry and disables it on exit. It enumerates the indirect branch prediction barrier (IBPB).
The x86 IBRS feature requires corresponding microcode support. It mitigates the variant 2 vulnerability"

Stolen from Reddit r/Sysadmin

"A CPU predicts you will walk into a bar, you do not. Your wallet has been stolen."

Using the PowerShell cmdlet from support.microsoft.com/en-us/he on my laptop... No "hardware support for branch target injection mitigation".

Somehow I don't think that Acer will release a BIOS update for 2011 hardware.

mastodon.infra.de/media/bjBuj0

RedHat: CVE-2017-5715 can be used to cross the guest-host boundary on Red Hat Enterprise Virtualization (and thus KVM).

access.redhat.com/solutions/33

Also RedHat: Performance impact on various workloads - up to 12% in SQL databases and I/O intensive applications. No information about impact on hypervisors.

access.redhat.com/articles/330

Hrm. Did I not read the VMware text carefully this morning, or did the content change in between?
Right now, working for a service provider that depends heavily on VMware (we're in the VSPP licensing program), I'm seriously pissed at the "The remediation as documented in VMSA-2018-0002, has been present in VMware Cloud on AWS since early December 2017" remark.

Yeah, thanks for shipping protection only to your biggest customer, .

On the plus side, I don't notice much of a framerate drop in World of Warships after installing today's Microsoft patch on my machine.

now our computers finally get to feel as vulnerable as we do

According to SuSE, Power is not a safe haven either: suse.com/support/kb/doc/?id=70

"For IBM Power and zSeries the required firmware updates are supplied over regular channels by IBM."

INFRa Mastodon

This Mastodon instance is not open for public registration. Site administrator is Alexander Bochmann.

Contact email: ab+mastodon@infra.de