Monday, January 29, 2018

Are the BSDs dying? Some security researchers think so

Too few eyeballs on code is a security issue as vulnerabilities go unreported and unpatched. Can FreeBSD, OpenBSD, and NetBSD survive?


https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.html

Sunday, June 25, 2017

Fwd: [svlug] Intel Skylake/Kaby Lake processors: broken hyper-threading


Just re-sending this from the Debian User's list.... FYI
 - originally from: "Henrique de Moraes Holschuh <hmh@debian.org>"
 - are we all good here?
 - NB: there is a nice perl script to check vuln too on that list
      (I'll post that one here too)


This warning advisory is relevant for users of systems with the Intel
processors code-named "Skylake" and "Kaby Lake".  These are: the 6th and
7th generation Intel Core processors (desktop, embedded, mobile and
HEDT), their related server processors (such as Xeon v5 and Xeon v6), as
well as select Intel Pentium processor models.

TL;DR: unfixed Skylake and Kaby Lake processors could, in some
situations, dangerously misbehave when hyper-threading is enabled.
Disable hyper-threading immediately in BIOS/UEFI to work around the
problem.  Read this advisory for instructions about an Intel-provided
fix.


SO, WHAT IS THIS ALL ABOUT?
---------------------------

This advisory is about a processor/microcode defect recently identified
on Intel Skylake and Intel Kaby Lake processors with hyper-threading
enabled.  This defect can, when triggered, cause unpredictable system
behavior: it could cause spurious errors, such as application and system
misbehavior, data corruption, and data loss.

It was brought to the attention of the Debian project that this defect
is known to directly affect some Debian stable users (refer to the end
of this advisory for details), thus this advisory.

Please note that the defect can potentially affect any operating system
(it is not restricted to Debian, and it is not restricted to Linux-based
systems).  It can be either avoided (by disabling hyper-threading), or
fixed (by updating the processor microcode).

Due to the difficult detection of potentially affected software, and the
unpredictable nature of the defect, all users of the affected Intel
processors are strongly urged to take action as recommended by this
advisory.


DO I HAVE AN INTEL SKYLAKE OR KABY LAKE PROCESSOR WITH HYPER-THREADING?
-----------------------------------------------------------------------

The earliest of these Intel processor models were launched in September
2015.  If your processor is older than that, it will not be an Skylake
or Kaby Lake processor and you can just ignore this advisory.

If you don't know the model name of your processor(s), the command below
will tell you their model names.  Run it in a command line shell (e.g.
xterm):

    grep name /proc/cpuinfo | sort -u

Once you know your processor model name, you can check the two lists
below:

  * List of Intel processors code-named "Skylake":
    http://ark.intel.com/products/codename/37572/Skylake

  * List of Intel processors code-named "Kaby Lake":
    http://ark.intel.com/products/codename/82879/Kaby-Lake

Some of the processors in these two lists are not affected because they
lack hyper-threading support.  Run the command below in a command line
shell (e.g. xterm), and it will output a message if hyper-threading is
supported/enabled:

  grep -q '^flags.*[[:space:]]ht[[:space:]]' /proc/cpuinfo && \
        echo "Hyper-threading is supported"

Alternatively, use the processor lists above to go to that processor's
information page, and the information on hyper-threading will be there.

If your processor does not support hyper-threading, you can ignore this
advisory.


WHAT SHOULD I DO IF I DO HAVE SUCH PROCESSORS?
----------------------------------------------

Kaby Lake:

Users of systems with Intel Kaby Lake processors should immediately
*disable* hyper-threading in the BIOS/UEFI configuration.  Please
consult your computer/motherboard's manual for instructions, or maybe
contact your system vendor's support line.

The Kaby Lake microcode updates that fix this issue are currently only
available to system vendors, so you will need a BIOS/UEFI update to get
it.  Contact your system vendor: if you are lucky, such a BIOS/UEFI
update might already be available, or undergoing beta testing.

You want your system vendor to provide a BIOS/UEFI update that fixes
"Intel processor errata KBL095, KBW095 or the similar one for my Kaby
Lake processor".

We strongly recommend that you should not re-enable hyper-threading
until you install a BIOS/UEFI update with this fix.


Skylake:

Users of systems with Intel Skylake processors may have two choices:

1. If your processor model (listed in /proc/cpuinfo) is 78 or 94, and
  the stepping is 3, install the non-free "intel-microcode" package
   with base version 3.20170511.1, and reboot the system.  THIS IS
   THE RECOMMENDED SOLUTION FOR THESE SYSTEMS, AS IT FIXES OTHER
   PROCESSOR ISSUES AS WELL.

   Run this command in a command line shell (e.g. xterm) to know the
   model numbers and steppings of your processor.  All processors must
   be either model 78 or 94, and stepping 3, for the intel-microcode fix
   to work:

         grep -E 'model|stepping' /proc/cpuinfo | sort -u

   If you get any lines with a model number that is neither 78 or 94, or
   the stepping is not 3, you will have to disable hyper-threading as
   described on choice 2, below.

   Refer to the section "INSTALLING THE MICROCODE UPDATES FROM NON-FREE"
   for instructions on how to install the intel-microcode package.

2. For other processor models, disable hyper-threading in BIOS/UEFI
   configuration.  Please consult your computer/motherboard's manual for
   instructions on how to do this.  Contact your system vendor for a
   BIOS/UEFI update that fixes "Intel erratum SKW144, SKL150, SKX150,
   SKZ7, or the similar one for my Skylake processor".

NOTE: If you did not have the intel-microcode package installed on your
Skylake system before, it is best if you check for (and install) any
BIOS/UEFI updates *first*.  Read the wiki page mentioned below.


INSTALLING THE MICROCODE UPDATES FROM NON-FREE:
-----------------------------------------------

Instructions are available at:

    https://wiki.debian.org/Microcode

Updated intel-microcode packages are already available in non-free for:
unstable, testing, Debian 9 "stretch" (stable), and Debian 8 *backports*
(jessie-backports).

THE MICROCODE PACKAGES FROM THE RECENT STABLE RELEASE (June 17th, 2017)
ALREADY HAVE THE SKYLAKE FIX, BUT YOU MAY HAVE TO INSTALL THEM.

Updated intel-microcode packages in non-free for Debian 8 "jessie"
(oldstable) are waiting for approval and will likely be released in the
next non-free oldstable point release.  They are the same as the
packages in non-free jessie-backports, with a change to the version
number.

The wiki page above has instructions on how to enable "contrib" and
"non-free", so as to be possible to install the intel-microcode package.

Users of "jessie" (oldstable) might want to enable jessie-backports to
get *this* intel-microcode update faster.  This is also explained in the
wiki page above.

MORE DETAILS ABOUT THE PROCESSOR DEFECT:
----------------------------------------

On 2017-05-29, Mark Shinwell, a core OCaml toolchain developer,
contacted the Debian developer responsible for the intel-microcode
package with key information about a Intel processor issue that could be
easily triggered by the OCaml compiler.

The issue was being investigated by the OCaml community since
2017-01-06, with reports of malfunctions going at least as far back as
Q2 2016.  It was narrowed down to Skylake with hyper-threading, which is
a strong indicative of a processor defect.  Intel was contacted about
it, but did not provide further feedback as far as we know.

Fast-forward a few months, and Mark Shinwell noticed the mention of a
possible fix for a microcode defect with unknown hit-ratio in the
intel-microcode package changelog.  He matched it to the issues the
OCaml community were observing, verified that the microcode fix indeed
solved the OCaml issue, and contacted the Debian maintainer about it.

Apparently, Intel had indeed found the issue, *documented it* (see
below) and *fixed it*.  There was no direct feedback to the OCaml
people, so they only found about it later.

The defect is described by the SKZ7/SKW144/SKL150/SKX150/KBL095/KBW095
Intel processor errata.  As described in official public Intel
documentation (processor specification updates):

  Errata:   SKZ7/SKW144/SKL150/SKX150/SKZ7/KBL095/KBW095
            Short Loops Which Use AH/BH/CH/DH Registers May Cause
            Unpredictable System Behavior.

  Problem:  Under complex micro-architectural conditions, short loops
            of less than 64 instructions that use AH, BH, CH or DH
            registers as well as their corresponding wider register
            (e.g. RAX, EAX or AX for AH) may cause unpredictable
            system behavior. This can only happen when both logical
            processors on the same physical processor are active.

  Implication: Due to this erratum, the system may experience
            unpredictable system behavior.

We do not have enough information at this time to know how much software
out there will trigger this specific defect.

One important point is that the code pattern that triggered the issue in
OCaml was present on gcc-generated code.  There were extra constraints
being placed on gcc by OCaml, which would explain why gcc apparently
rarely generates this pattern.

The reported effects of the processor defect were: compiler and
application crashes, incorrect program behavior, including incorrect
program output.


What we know about the microcode updates issued by Intel related to
these specific errata:

Fixes for processors with signatures[1] 0x406E3 and 0x506E3 are
available in the Intel public Linux microcode release 20170511.  This
will fix only Skylake processors with model 78 stepping 3, and model 94
stepping 3.  The fixed microcode for these two processor models reports
revision 0xb9/0xba, or higher.

Apparently, these errata were fixed by microcode updates issued in early
April/2017.  Based on this date range, microcode revision 0x5d/0x5e (and
higher) for Kaby Lake processors with signatures 0x806e9 and 0x906e9
*might* fix the issue.  We do not have confirmation about which
microcode revision fixes Kaby Lake at this time.

Related processor signatures and microcode revisions:
Skylake   : 0x406e3, 0x506e3 (fixed in revision 0xb9/0xba and later,
                              public fix in linux microcode 20170511)
Skylake   : 0x50654          (no information, erratum listed)
Kaby Lake : 0x806e9, 0x906e9 (defect still exists in revision 0x48,
                              fix available as a BIOS/UEFI update)


References:
https://caml.inria.fr/mantis/view.php?id=7452
http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/unstable_changelog
https://www.intel.com/content/www/us/en/processors/core/desktop-6th-gen-core-family-spec-update.html
https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html
https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html
https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v5-spec-update.html
https://www.intel.com/content/www/us/en/products/processors/core/6th-gen-x-series-spec-update.html

[1] iucode_tool -S will output your processor signature.  This tool is
    available in the *contrib* repository, package "iucode-tool".

--
  Henrique Holschuh

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng





Date: Mon, 26 Jun 2017 03:08:51 +1000
>From dng-bounces@lists.dyne.org Sun Jun 25 10: 1:39 2017
From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
To: Devuan DNG <dng@lists.dyne.org>
Subject: Re: [DNG] [WARNING] Intel Skylake/Kaby Lake processors: broken
        hyper-threading

Just re-sending this from the Debian User's list.... FYI
 - originally from: "Henrique de Moraes Holschuh <hmh@debian.org>"
 - this email with the perl script....
      (I'll post that one here too)


On Sun, 25 Jun 2017, Henrique de Moraes Holschuh wrote:
> This warning advisory is relevant for users of systems with the Intel
> processors code-named "Skylake" and "Kaby Lake".  These are: the 6th and
> 7th generation Intel Core processors (desktop, embedded, mobile and
> HEDT), their related server processors (such as Xeon v5 and Xeon v6), as
> well as select Intel Pentium processor models.

Attached, you will find a perl script that can help detect if your
system is affected or not.  Many thanks to Uwe Kleine-K\303\266nig for
suggesting, and writing this script.

--
  Henrique Holschuh


detect-skl150.pl:

#!/usr/bin/perl
# Copyright 2017 Uwe Kleine-K?nig
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2 as published by the
# Free Software Foundation.

open(my $cpuinfo, "</proc/cpuinfo") or die "failed to open cpuinfo\n";

my $cpunum, $vendor, $family, $model, $stepping, $microcoderev, $hyperthreading;

while (<$cpuinfo>) {
        if (/^$/) {
                print "cpu $cpunum: ";
                if ($vendor eq "GenuineIntel" and $family == 6) {
                        if ($model == 78 or $model == 94) {
                                if ($stepping eq "3") {
                                        print "Your CPU is affected, ";
                                        if (hex($microcoderev) >= 0xb9) {
                                                print "but your microcode is new enough\n";
                                        } elsif ($hyperthreading ne "on") {
                                                print "but hyper threading is off, which works around the
+problem\n";
                                        } else {
                                                print "you should install the latest intel-microcode\n";
                                        }
                                } else {
                                        print "You may need a BIOS/UEFI update (unknown Skylake-Y/H/U/S stepping)\n";
                                }
                        } elsif ($model == 85 or $model == 142 or $model == 158) {
                                print "You may need a BIOS/UEFI update (Kaby Lake, or Skylake-X processor)\n";
                        } else {
                                print "You're likely not affected\n";
                        }
                } else {
                        print "You're not affected\n";
                }

                $cpunum = undef;
                $vendor = undef;
                $family = undef;
                $stepping = undef;
                $microcoderev = undef;
                $hyperthreading = undef;

                next;
        }

        $cpunum = $1 if /^processor\s*:\s(.*)/;
        $vendor = $1 if /^vendor_id\s*:\s(.*)/;
        $family = $1 if /^cpu family\s*:\s(.*)/;
        $model = $1 if /^model\s*:\s(.*)/;
        $stepping = $1 if /^stepping\s*:\s(.*)/;
        $microcoderev = $1 if /^microcode\s*:\s(.*)/;

        if (/^flags\s*:/) {
                if (/^flags\s*:.*\bht\b/) {
                        $hyperthreading = "on";
                } else {
                        $hyperthreading = "off";
                }
        }
}



_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng



_______________________________________________
svlug mailing list
svlug@lists.svlug.org
http://lists.svlug.org/lists/listinfo/svlug

Monday, June 05, 2017

Fwd: vim | Word of the Day




 
 
Dictionary.com Word of the Day
 
 
June 05, 2017
 
vim Audio
noun [vim]
1. lively or energetic spirit; enthusiasm; vitality.


QUOTES
Certainly no better selection of a leader could have been made, for Neil was full of the vim of youth, and had a newly acquired fund of scientific knowledge just waiting to be applied.
-- Caroline Abbot Stanley, The Keeper of the Vineyard, 1913
ORIGIN
Vim began as an American colloquialism but became standard on both sides of the Atlantic within a generation. It is the accusative singular of the irregular Latin noun vīs (stem vīr-) "power, force." Latin vīs is related to the Latin noun vir "man (i.e., a male person), husband." The same Proto-Indo-European root wir-, wīr- in Latin vir appears in English wergild and werewolf. Vim entered English in the mid-19th century.

 


Tuesday, February 14, 2017

Automotive Grade Linux (AGL)

https://www.automotivelinux.org/

A Linux Foundation project dedicated to creating open source software solutions for automotive applications.