High prio kernel security update for "L1TF" + some other security and bugfixes: https://www.phoronix.com/scan.php?page=news_item&px=L1-Terminal-Fault SRPMS: kernel-tmb-4.14.64-1.mga6.src.rpm i586: kernel-tmb-desktop-4.14.64-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-4.14.64-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-latest-4.14.64-1.mga6.i586.rpm kernel-tmb-desktop-latest-4.14.64-1.mga6.i586.rpm kernel-tmb-source-4.14.64-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.64-1.mga6.noarch.rpm x86_64: kernel-tmb-desktop-4.14.64-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-4.14.64-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-latest-4.14.64-1.mga6.x86_64.rpm kernel-tmb-desktop-latest-4.14.64-1.mga6.x86_64.rpm kernel-tmb-source-4.14.64-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.64-1.mga6.noarch.rpm
This also wants the microcode update released before or at the same time as this update
Depends on: (none) => 23457Priority: Normal => High
Advisory, added to svn: type: security subject: Updated kernel-tmb packages fix security vulnerabilities CVE: - CVE-2018-3615 - CVE-2018-3620 - CVE-2018-3646 src: 6: core: - kernel-tmb-4.14.64-1.mga6 description: | This kernel-tmb update is based on the upstream 4.14.64 and adds fixes and mitigations for the now publically known security issue affecting Intel processors called L1 Terminal Fault (L1TF): Systems with microprocessors utilizing speculative execution and Intel Software Guard Extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis (CVE-2018-3615). Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis (CVE-2018-3620). Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis (CVE-2018-3646). The impact of the L1TF security issues: * Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications. * A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs. * Malicious software running outside of SMM may be able to infer values of data in SMM memory. * Malicious software running outside of an Intel® SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave. NOTE! You also need to install the the 0.20180807-1.mga6.nonfree microcode update (mga#23457) or a bios update from your hardware vendor containing the updated microcodes to get all current set of fixes and mitigations for L1TF. Other changes in this update: * WireGuard has been updated to 0.0.20180809 * added hwmon support for Threadripper2 For other upstream fixes in this update, see the referenced changelogs. references: - https://bugs.mageia.org/show_bug.cgi?id=23459 - https://bugs.mageia.org/show_bug.cgi?id=23457 - https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.63 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.64
Keywords: (none) => advisory
An of course one beoken thing with l1tf fixes was found upstream, so a 4.14.65 was released... :/ So I'm re-spinning all kernels to pick it up...
Whiteboard: (none) => feedback
4.14.65 is mirroring out... (and the only change compared to 4.14.64 is the l1tf fix) so rpms to test: SRPMS: kernel-tmb-4.14.65-1.mga6.src.rpm i586: kernel-tmb-desktop-4.14.65-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-4.14.65-1.mga6-1-1.mga6.i586.rpm kernel-tmb-desktop-devel-latest-4.14.65-1.mga6.i586.rpm kernel-tmb-desktop-latest-4.14.65-1.mga6.i586.rpm kernel-tmb-source-4.14.65-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.65-1.mga6.noarch.rpm x86_64: kernel-tmb-desktop-4.14.65-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-4.14.65-1.mga6-1-1.mga6.x86_64.rpm kernel-tmb-desktop-devel-latest-4.14.65-1.mga6.x86_64.rpm kernel-tmb-desktop-latest-4.14.65-1.mga6.x86_64.rpm kernel-tmb-source-4.14.65-1.mga6-1-1.mga6.noarch.rpm kernel-tmb-source-latest-4.14.65-1.mga6.noarch.rpm
Summary: Update request: kernel-tmb-4.14.64-1.mga6 => Update request: kernel-tmb-4.14.65-1.mga6Whiteboard: feedback => (none)
Starting from 4.14.64-desktop-1.mga6, installed tmb kernel and rebooted to the Mate DE but it took about 12 minutes from boot to successful login, which normally takes about 20 seconds on this machine. In addition Mate displays, for the first time ever, all the mounted partitions, even EFI. The odd thing is this kernel sits very comfortably on my new Skylake system with no obvious changes in behaviour. Machine specification: System: Host: difda Kernel: 4.14.65-tmb-desktop-1.mga6 x86_64 CPU: Quad core Intel Core i7-4790 (-HT-MCP-) speed/max: 3967/4000 MHz Machine: Device: desktop Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0 Graphics: Card: NVIDIA GM204 [GeForce GTX 970] The glmark2 score has shot up but the long boot time makes this system very unfriendly. Left unattended it locked the screen. Unlocked it but after deliberating for three minutes it went back to the lock screen. Tried again but gave up in the end. Switched back to the previous desktop kernel and rebooted to the desktop in less than 20 seconds. Trying linus next.
CC: (none) => tarazed25
Yeah, I intentionally kept the "random security fix" enabled in this kernel which affects some hw regarding the slow boot... if you "type random garbage" during boot it will speed up the boot as it generates enough random entropy faster...
OK. Shall try that. I had gone through the whole exercise again and ended up at the same place.
That worked very well. It speeded things up so much that I was typing garbage into the password field. Now login is virtually immediate. Thanks Thomas.
Enough tests... Validating and flushing out due to the severity
Whiteboard: (none) => mga6-64-ok, mga6-32-okKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0346.html
Status: NEW => RESOLVEDResolution: (none) => FIXED