operating-systems.html: add a warning for Linux/CPU vulns #1231

Merged
Mikaela merged 14 commits from cpu-vulns into master 2019-08-31 17:05:37 +00:00
Mikaela commented 2019-08-28 08:51:28 +00:00 (Migrated from github.com)
Ref: #904 where cpu.fail was mentioned

* https://deploy-preview-1231--privacytools-io.netlify.com/operating-systems/#os
dawidpotocki (Migrated from github.com) reviewed 2019-08-28 08:51:28 +00:00
netlify[bot] commented 2019-08-28 08:52:10 +00:00 (Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit 4697bf6d6c

https://deploy-preview-1231--privacytools-io.netlify.com

Mikaela (Migrated from github.com) reviewed 2019-08-28 08:53:37 +00:00
Mikaela (Migrated from github.com) commented 2019-08-28 08:53:37 +00:00

~~I would request changes here and as there are so many commands, make a different section and explain the commands more in depth there, but this is just a quick draft PR to see if there is interest or do we trust the OS to handle that?~~

I only know that mainline kernel doesn't disable SMT / hyper threading by default while downstream:

* Debian/Ubuntu: (tested on 11 & 18.04) keep it on
* Tails disables it: https://tails.boum.org/contribute/design/#index62h3
* Fedora: ???
Mikaela (Migrated from github.com) reviewed 2019-08-28 10:22:29 +00:00
Mikaela (Migrated from github.com) commented 2019-08-28 10:22:29 +00:00

* Google/ChromeOS also disables it: https://www.chromium.org/chromium-os/mds-on-chromeos

~~I am next going to work on this unless I hear it's out of scope.~~
dawidpotocki (Migrated from github.com) reviewed 2019-08-28 10:56:10 +00:00
dawidpotocki (Migrated from github.com) commented 2019-08-28 10:54:09 +00:00

`update-grub` is an Ubuntu (or Debian) thing, it does not exist on all distributions. It is pretty much an alias for `grub-mkconfig -o /boot/grub/grub.cfg`.
dawidpotocki (Migrated from github.com) reviewed 2019-08-28 10:57:59 +00:00
dawidpotocki (Migrated from github.com) commented 2019-08-28 10:57:59 +00:00
OpenBSD also disables it. https://marc.info/?l=openbsd-tech&m=153504937925732&w=2
Mikaela (Migrated from github.com) reviewed 2019-08-28 10:59:41 +00:00
Mikaela (Migrated from github.com) commented 2019-08-28 10:59:41 +00:00

@dawidpotocki How about this wording?
dawidpotocki (Migrated from github.com) reviewed 2019-08-28 11:03:25 +00:00
dawidpotocki (Migrated from github.com) commented 2019-08-28 11:03:25 +00:00

I would remove `update-grub`, it does exactly the same thing, the same way. Also `<li>` is not closed properly.
Mikaela (Migrated from github.com) reviewed 2019-08-28 11:12:25 +00:00
Mikaela (Migrated from github.com) commented 2019-08-28 11:12:25 +00:00

Ok, done
Mikaela (Migrated from github.com) reviewed 2019-08-28 11:13:49 +00:00
Mikaela (Migrated from github.com) commented 2019-08-28 11:13:49 +00:00

Is it enough to list these links here for thinking whether we want to merge this, or should they be included in the PR somehow?
Mikaela (Migrated from github.com) reviewed 2019-08-28 11:18:54 +00:00
Mikaela (Migrated from github.com) commented 2019-08-28 11:18:53 +00:00

I wonder if this or at least "disable hyperthreading" should be a link, but I can only find

* https://www.pcmag.com/article/314585/how-to-disable-hyperthreading

and should it say instead *See also the next topic if it cannot be disabled in your UEFI/BIOS*? But disabling it at kernel level may be more difficult to revert accidentally and it only takes effect when the CPU is vulnerable and SMT isn't already disabled in UEFI BIOS.
nitrohorse (Migrated from github.com) reviewed 2019-08-29 02:49:35 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-29 02:49:34 +00:00

To increase readability a bit, what about:

> This also affects Windows 10, but it doesn't clearly expose this information nor mitigation instructions.
nitrohorse (Migrated from github.com) reviewed 2019-08-29 02:51:09 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-29 02:51:08 +00:00

Suggestion: lowercase "Simultaneous"
Mikaela (Migrated from github.com) reviewed 2019-08-29 15:24:14 +00:00
Mikaela (Migrated from github.com) commented 2019-08-29 15:24:14 +00:00

The documentation is a pain to find, the closest I find now is this:

* https://support.microsoft.com/en-us/help/4073757/protect-windows-devices-from-speculative-execution-side-channel-attack

and it's not what I was reading before (even if I don't get a head or a tail out of it), previously I saw instructions to add something to registry and it didn't disable SMT.
nitrohorse (Migrated from github.com) reviewed 2019-08-30 06:59:39 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-30 06:59:39 +00:00

Okay, how about we remove this warning (moving it down into the section) and also generalize the vulnerability section to:

`<h4 id="cpuvulns">Remember to check CPU vulnerability mitigations</h4>`
nitrohorse (Migrated from github.com) reviewed 2019-08-30 07:01:16 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-30 07:01:15 +00:00

I think this warning is good here and we could hyperlink it too?

> `<p><em><a href="https://support.microsoft.com/en-us/help/4073757/protect-windows-devices-from-speculative-execution-side-channel-attack">This also affects Windows 10</a>, but it doesn't expose this information or mitigation instructions as easily.</em></p>`
nitrohorse (Migrated from github.com) requested changes 2019-08-30 07:16:57 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-30 07:15:21 +00:00

Here's an idea, to simplify things a bit:

```html
<p>
    In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the <code>tail</code> command. To mitigate this, disable <a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">hyper-threading</a> from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports <code>/etc/default/grub.d/</code>:
</p>
```

We then could move "https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html" down to the links section.
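The GRUB drop-in step the thread keeps coming back to (a file under `/etc/default/grub.d/` that appends `mds=full,nosmt` to the kernel command line) hinges on shell quoting: the `$GRUB_CMDLINE_LINUX_DEFAULT` reference has to survive the interactive shell and be expanded only when `grub-mkconfig` sources the file. The script below is an added example, not code from the PR or from privacytools.io: it writes the drop-in into a directory passed as a parameter (so it can be run against a constructed copy of `/etc/default` rather than the real one), re-creates the order in which Debian/Ubuntu's `grub-mkconfig` sources `/etc/default/grub` and then `/etc/default/grub.d/*.cfg`, and prints what the double-quoted `echo` form from the thread actually produces. The function names and the sample `/etc/default/grub` are this example's own; the `.cfg` suffix is the one Debian/Ubuntu's `grub-mkconfig` globs for.

```shell
#!/bin/sh
# Added example (not from the PR): create a GRUB drop-in that appends
# mds=full,nosmt to the kernel command line, and show the value grub-mkconfig
# would end up with. ETCDEFAULT is a parameter so the functions can be run
# against a constructed copy of /etc/default; names like write_mds_dropin are
# this example's own.

# write_mds_dropin ETCDEFAULT
# Writes ETCDEFAULT/grub.d/mds.cfg. The single quotes matter: the interactive
# shell passes the line through literally, so $GRUB_CMDLINE_LINUX_DEFAULT is
# expanded later, when grub-mkconfig sources the file, not now.
write_mds_dropin() {
    mkdir -p "$1/grub.d"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt"' \
        > "$1/grub.d/mds.cfg"
}

# broken_dropin_line
# What the double-quoted form from the thread actually emits: the calling
# shell expands the (unset) variable and strips the quotes before echo runs,
# so the written line no longer assigns anything when it is sourced later.
broken_dropin_line() {
    (
        unset GRUB_CMDLINE_LINUX_DEFAULT
        echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt"
    )
}

# resolved_cmdline ETCDEFAULT
# Mimics the order Debian/Ubuntu's grub-mkconfig uses: source ETCDEFAULT/grub,
# then every ETCDEFAULT/grub.d/*.cfg, and print the resulting value.
resolved_cmdline() {
    (
        [ -f "$1/grub" ] && . "$1/grub"
        for x in "$1"/grub.d/*.cfg; do
            [ -e "$x" ] && . "$x"
        done
        printf '%s\n' "$GRUB_CMDLINE_LINUX_DEFAULT"
    )
}

# make_sample_etcdefault
# Prints a temp directory holding a minimal, constructed /etc/default/grub.
make_sample_etcdefault() {
    d=$(mktemp -d)
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$d/grub"
    echo "$d"
}

# Walk-through on the constructed sample (touches only a temp directory).
demo() {
    d=$(make_sample_etcdefault)
    echo "before: $(resolved_cmdline "$d")"
    write_mds_dropin "$d"
    echo "after:  $(resolved_cmdline "$d")"
    echo "broken: $(broken_dropin_line)"
    rm -rf "$d"
}
demo
```

On a real system the directory argument would be `/etc/default` and `write_mds_dropin` would need root (the PR's `sudo tee` form), after which `sudo grub-mkconfig -o /boot/grub/grub.cfg` and a reboot apply it; `resolved_cmdline` is only a local preview of the value `grub-mkconfig` will see.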
Mikaela (Migrated from github.com) reviewed 2019-08-30 09:53:33 +00:00
Mikaela (Migrated from github.com) commented 2019-08-30 09:52:05 +00:00

So remove line 42 and update line 45?
Mikaela (Migrated from github.com) commented 2019-08-30 09:52:26 +00:00

Will test
Mikaela (Migrated from github.com) commented 2019-08-30 09:53:28 +00:00

I thought Simultaneous was a name, but apparently not. I will try
Mikaela (Migrated from github.com) reviewed 2019-08-30 10:39:14 +00:00
Mikaela (Migrated from github.com) left a comment

I marked multiple older reviews as resolved after addressing the feedback, but here are new ones to ponder about
Mikaela (Migrated from github.com) commented 2019-08-30 10:35:05 +00:00
```suggestion
<p>When running a enough recent kernel, you can check the CPU vulnerabilities it detects by <code>tail -n +1 /sys/devices/system/cpu/vulnerabilities/*</code>. By using <code>tail -n +1</code> instead of <code>cat</code>, the file names are also visible.</p>
```

Should there be a comma here?
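The `tail -n +1 /sys/devices/system/cpu/vulnerabilities/*` check discussed above prints the raw status files and leaves the reader to spot the "Vulnerable" or "SMT vulnerable" entries. The script below is an added example, not code from the PR or from privacytools.io: it reads the same directory, classifies each file as ok, mitigated or needing attention, and returns a non-zero status when anything still needs attention, so it can be dropped into a post-reboot check. The directory is a parameter so the script can be exercised against a constructed stand-in; the status strings in that stand-in follow the kernel's reporting format but the data is made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR: summarise the per-vulnerability status
# files the kernel exposes under /sys/devices/system/cpu/vulnerabilities and
# flag entries that still report "Vulnerable" or "SMT vulnerable". Function
# names (vuln_summary, make_sample_dir) are this example's own.

# vuln_summary [DIR]
# Prints one "name  verdict  raw status" line per file in DIR (default: the
# live sysfs directory). Returns 1 if any entry still needs attention, else 0.
vuln_summary() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*|*"SMT vulnerable"*) verdict="NEEDS ATTENTION"; rc=1 ;;
            "Not affected")                  verdict="ok" ;;
            *)                               verdict="mitigated" ;;
        esac
        printf '%-20s %-16s %s\n' "$name" "$verdict" "$status"
    done
    return "$rc"
}

# make_sample_dir
# Constructed stand-in for the sysfs directory (status strings follow the
# kernel's format, but the data is made up for this example): MDS is mitigated
# yet SMT is still on, which is exactly the case the thread is about.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n'                                   > "$d/l1tf"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    printf 'Mitigation: PTI\n'                               > "$d/meltdown"
    printf 'Vulnerable\n'                                    > "$d/tsx_async_abort"
    echo "$d"
}

# Run with the single argument "live" to check the running kernel (exit status
# 1 means something still needs attention); with no argument, walk through the
# constructed sample instead.
if [ "${1:-}" = "live" ]; then
    vuln_summary
else
    sample=$(make_sample_dir)
    vuln_summary "$sample" || echo "=> at least one entry needs attention"
    rm -rf "$sample"
fi
```

After applying the `mds=full,nosmt` mitigation and rebooting, running this with `live` should show the `mds` line as mitigated rather than "NEEDS ATTENTION"; on a kernel too old to populate the directory the loop simply prints nothing.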
Mikaela (Migrated from github.com) commented 2019-08-30 10:36:37 +00:00

I wonder what is the official spelling of UEFI/BIOS?

I think UEFI has deprecated/replaced BIOS entirely, but everyone calls it as BIOS due to legacy reasons and I think my grub says "Enter setup" and the thing calls itself as UEFI BIOS on my laptop.
Mikaela (Migrated from github.com) commented 2019-08-30 10:37:30 +00:00
```suggestion
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
```

or kernel/boot or is it fine?
Mikaela (Migrated from github.com) commented 2019-08-30 10:38:22 +00:00

this must be a typo or losing a train of thought and without noticing it continuing with another train of thought
@ -44,0 +55,4 @@
<li><code>sudo mkdir /etc/default/grub.d/</code> to create a directory for additional grub configuration</li>
<li><code>echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf</code> to create a new grub config file source with the echoed content</li>
<li><code>sudo grub-mkconfig -o /boot/grub/grub.cfg</code> to generate a new grub config file including this new kernel boot flag</li>
<li><code>sudo reboot</code> to reboot</li>
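Review bot: the `echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf` step on the second line of this hunk does not write the line it intends to: the reader's interactive shell expands `$GRUB_CMDLINE_LINUX_DEFAULT` (normally unset there) and strips the double quotes before `echo` runs, so the file ends up containing `GRUB_CMDLINE_LINUX_DEFAULT= mds=full,nosmt`, which discards any options set in `/etc/default/grub` and is not a valid assignment when grub-mkconfig sources it. Wrapping the whole assignment in single quotes, `echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt"' | sudo tee /etc/default/grub.d/mds.conf`, passes it through literally so the expansion happens at grub-mkconfig time. It is also worth confirming which file suffix the distribution's grub-mkconfig actually sources from `/etc/default/grub.d/` before settling on `.conf`, and telling the reader to re-run the `/sys/devices/system/cpu/vulnerabilities` check after the reboot to verify that `mds` no longer reports "SMT vulnerable".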
Mikaela (Migrated from github.com) commented 2019-08-30 10:37:50 +00:00

I think it's more universal than `systemctl reboot`
Mikaela (Migrated from github.com) reviewed 2019-08-30 10:40:34 +00:00
Mikaela (Migrated from github.com) commented 2019-08-30 10:40:34 +00:00

I am not entirely sure if a comma belongs here
Mikaela (Migrated from github.com) reviewed 2019-08-30 10:43:55 +00:00
Mikaela (Migrated from github.com) commented 2019-08-30 10:43:55 +00:00

(Please mark this as resolved if you accept https://github.com/privacytoolsIO/privacytools.io/pull/1231/commits/ed7edb5c2741d285b6f76298921fb634ee20319a)
nitrohorse (Migrated from github.com) reviewed 2019-08-31 01:28:20 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-31 01:28:20 +00:00

I think technically no, but reads more naturally 😄
nitrohorse (Migrated from github.com) reviewed 2019-08-31 01:29:14 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-31 01:29:13 +00:00

I've seen it with a forward slash but I don't think it's "official" spelling.
nitrohorse (Migrated from github.com) reviewed 2019-08-31 01:30:15 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-31 01:30:15 +00:00

kernel boot flag sounds fine to me 😄
nitrohorse (Migrated from github.com) reviewed 2019-08-31 01:31:17 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-31 01:31:16 +00:00

How about adding quotes:

> ...now says "SMT disabled."
nitrohorse (Migrated from github.com) reviewed 2019-08-31 01:33:17 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-31 01:33:17 +00:00

Yeah I think that works 👍
Mikaela (Migrated from github.com) reviewed 2019-08-31 08:11:18 +00:00
Mikaela (Migrated from github.com) commented 2019-08-31 08:11:18 +00:00
https://en.wikipedia.org/wiki/UEFI isn't too helpful
nitrohorse (Migrated from github.com) reviewed 2019-08-31 15:49:20 +00:00
@ -44,0 +65,4 @@
<li><a href="https://cpu.fail/">CPU.fail</a></li>
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html">MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide</a></li>
<li><a href="https://mdsattacks.com/">RIDL and Fallout: MDS attacks on mdsattacks.com</a></li>
<li><a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">Simultaneous multithreading on Wikipedia</a></li>
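Review bot: the link text on the second line of this hunk, "MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide", mixes a title-cased "The" into a sentence and reads awkwardly next to the other entries; "MDS - Microarchitectural Data Sampling in the Linux kernel user's and administrator's guide" would match the "... on mdsattacks.com" / "... on Wikipedia" pattern used by the neighbouring items. The thread also notes the kernel admin-guide page is linked earlier on the page, so keeping it in only one place would avoid the duplicate.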
nitrohorse (Migrated from github.com) commented 2019-08-31 15:49:05 +00:00

Looks like we link this already, should we remove it here?
Mikaela (Migrated from github.com) reviewed 2019-08-31 16:24:01 +00:00
@ -44,0 +65,4 @@
<li><a href="https://cpu.fail/">CPU.fail</a></li>
<li><a href="https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html">MDS - Microarchitectural Data Sampling on The Linux kernel user's and administrator's guide</a></li>
<li><a href="https://mdsattacks.com/">RIDL and Fallout: MDS attacks on mdsattacks.com</a></li>
<li><a href="https://en.wikipedia.org/wiki/Simultaneous_multithreading">Simultaneous multithreading on Wikipedia</a></li>
Mikaela (Migrated from github.com) commented 2019-08-31 16:24:01 +00:00

I changed the earlier link https://github.com/privacytoolsIO/privacytools.io/pull/1231/commits/4697bf6d6c04cb128c5d28adfc90f4c88f373113.
blacklight447 (Migrated from github.com) approved these changes 2019-08-31 16:25:07 +00:00
nitrohorse (Migrated from github.com) approved these changes 2019-08-31 16:59:38 +00:00
nitrohorse (Migrated from github.com) left a comment

LGTM
Reference: privacyguides/privacytools.io#1231