unofficial mirror of guix-devel@gnu.org 
* What do Meltdown and Spectre mean for libreboot x200 user?
@ 2018-01-06 13:20 Alex Vong
  2018-01-06 17:23 ` Mark H Weaver
  0 siblings, 1 reply; 8+ messages in thread
From: Alex Vong @ 2018-01-06 13:20 UTC (permalink / raw)
  To: development, guix-devel

Hello,

I hope this is on topic. Recently, 2 critical vulnerabilities (see
https://meltdownattack.com/) affecting virtually all Intel CPUs were
discovered. I am running libreboot x200 (see
https://www.fsf.org/ryf). What should I do right now to patch my laptop?

Cheers,
Alex


* Re: What do Meltdown and Spectre mean for libreboot x200 user?
  2018-01-06 13:20 Alex Vong
@ 2018-01-06 17:23 ` Mark H Weaver
  0 siblings, 0 replies; 8+ messages in thread
From: Mark H Weaver @ 2018-01-06 17:23 UTC (permalink / raw)
  To: Alex Vong; +Cc: development, guix-devel

Hi Alex,

Alex Vong <alexvong1995@gmail.com> writes:
> I hope this is on topic. Recently, 2 critical vulnerabilities (see
> https://meltdownattack.com/) affecting virtually all Intel CPUs were
> discovered. I am running libreboot x200 (see
> https://www.fsf.org/ryf). What should I do right now to patch my laptop?

I haven't yet had time to properly study this, but so far I'd strongly
recommend updating to linux-libre-4.14.12, which contains an important
mitigation called kernel page-table isolation (KPTI).
linux-libre-4.9.75 also contains backported mitigations, but I'm not
sure if they're as comprehensive.

Alan Cox also says that JavaScript can be used to remotely exploit these
vulnerabilities, so you should use the NoScript web browser extension if
you're not already doing so.  Enable JavaScript only when you must.  He
wrote:

  What you do need to care about _big_ _time_ is javascript because the
  exploit can be remotely used by javascript on web pages to steal stuff
  from your system memory. Mozilla and Chrome both have pending
  updates. and some recommendations about protection. Also consider
  things like Adblockers and extensions like noscript that can stop a
  lot of junk running in the first place. Do that ASAP.

  https://plus.google.com/+AlanCoxLinux/posts/Z6inLSq4iqH

We (GNU Guix developers) should also start investigating how to deploy
the "Retpoline" mitigation technique, which apparently involves patching
our linker and recompiling our entire system with it, but it will take
some time to do that.

  https://support.google.com/faqs/answer/7625886

      Mark


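A way to confirm that a booted kernel really has the KPTI mitigation recommended in the message above switched on. This is an added example, not part of the original message or of Guix; the function name is hypothetical, the sample inputs are constructed, and the sysfs file, the "pti"/"kaiser" CPU flags and the bug names are those reported by Linux kernels that carry the mitigation.

```shell
#!/bin/sh
# kpti_status SYSFS_FILE CPUINFO_FILE DMESG_FILE
# Prints one word: mitigated, vulnerable, not-affected or unknown.
kpti_status() {
    sysfs=$1 cpuinfo=$2 dmesg=$3
    # 1. Kernels that provide the sysfs report state the result directly.
    if [ -r "$sysfs" ]; then
        case $(cat "$sysfs") in
            Mitigation:*)   echo mitigated;    return 0 ;;
            "Not affected") echo not-affected; return 0 ;;
            Vulnerable*)    echo vulnerable;   return 0 ;;
        esac
    fi
    # 2. Patched kernels without that file: the "pti" CPU flag ("kaiser" in
    #    some stable backports) appears in /proc/cpuinfo when KPTI is on.
    if [ -r "$cpuinfo" ] && grep -Eq \
        '^flags[[:space:]]*:.*[[:space:]](pti|kaiser)([[:space:]]|$)' "$cpuinfo"
    then
        echo mitigated; return 0
    fi
    # 3. Boot log line printed when page-table isolation is enabled.
    if [ -r "$dmesg" ] && grep -q 'page tables isolation: enabled' "$dmesg"; then
        echo mitigated; return 0
    fi
    # 4. The kernel lists the CPU bug but shows no sign of the mitigation.
    if [ -r "$cpuinfo" ] && grep -Eq \
        '^bugs[[:space:]]*:.*(cpu_meltdown|cpu_insecure)' "$cpuinfo"
    then
        echo vulnerable; return 0
    fi
    echo unknown   # kernel predates the mitigation, or nothing was readable
}

# Constructed sample inputs (not captured from a real machine).
demo=$(mktemp -d)
printf 'flags\t\t: fpu vme de pse tsc msr pae pti\n' > "$demo/cpuinfo_pti"
printf 'flags\t\t: fpu vme de pse\nbugs\t\t: cpu_meltdown\n' > "$demo/cpuinfo_bug"
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$demo/dmesg_pti"

kpti_status "$demo/absent" "$demo/cpuinfo_pti" "$demo/absent"
kpti_status "$demo/absent" "$demo/cpuinfo_bug" "$demo/dmesg_pti"
kpti_status "$demo/absent" "$demo/cpuinfo_bug" "$demo/absent"
rm -rf "$demo"

# On a live system (reading dmesg may need root; save it to a file first):
# kpti_status /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo dmesg.txt
```
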
* Re: What do Meltdown and Spectre mean for libreboot x200 user?
@ 2018-01-10  8:56 Leah Rowe
  2018-01-14 15:17 ` Alex Vong
  0 siblings, 1 reply; 8+ messages in thread
From: Leah Rowe @ 2018-01-10  8:56 UTC (permalink / raw)
  To: guix-devel


Hi Alex,

The libreboot mailing list is down, so you can't CC it at the moment.
I was notified about this thread.

There's not much we can do from the Libreboot side, but there are
mitigations on the kernel side... Since it's exploitable from JavaScript,
you could also e.g. not run JavaScript. specing on #libreboot IRC had
the idea to run Firefox without the JIT enabled - we both tried to
compile the latest ESR however, with --disable-ion, and it segfaulted.
I tried to build ff 45esr instead, but that build failed.

-- 
Leah Rowe

Libreboot developer and project founder.

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.

Support computer user freedom
https://fsf.org/ - https://gnu.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: https://minifree.org/



* Re: What do Meltdown and Spectre mean for libreboot x200 user?
  2018-01-10  8:56 What do Meltdown and Spectre mean for libreboot x200 user? Leah Rowe
@ 2018-01-14 15:17 ` Alex Vong
  2018-01-15 11:32   ` Leah Rowe
  0 siblings, 1 reply; 8+ messages in thread
From: Alex Vong @ 2018-01-14 15:17 UTC (permalink / raw)
  To: Leah Rowe; +Cc: guix-devel

Leah Rowe <info@gluglug.org.uk> writes:

> Hi Alex,
>
> The libreboot mailing list is down, so you can't CC it at the moment.
> I was notified about this thread.
>
> There's not much we can do from the Libreboot side, but there are
> mitigations on the kernel side... Since it's exploitable from JavaScript,
> you could also e.g. not run JavaScript. specing on #libreboot IRC had
> the idea to run Firefox without the JIT enabled - we both tried to
> compile the latest ESR however, with --disable-ion, and it segfaulted.
> I tried to build ff 45esr instead, but that build failed.

Thank you. I have updated my kernel. For the browser part, I currently
run Tor Browser with security level set to high (so that JavaScript is
disabled by default). Maybe you can tell people on #libreboot about this
solution if you like.


* Re: What do Meltdown and Spectre mean for libreboot x200 user?
  2018-01-14 15:17 ` Alex Vong
@ 2018-01-15 11:32   ` Leah Rowe
  2018-01-15 13:25     ` Andy Wingo
  0 siblings, 1 reply; 8+ messages in thread
From: Leah Rowe @ 2018-01-15 11:32 UTC (permalink / raw)
  To: Alex Vong; +Cc: guix-devel


Hi Alex,

On 14/01/18 15:17, Alex Vong wrote:
> Thank you. I have updated my kernel. For the browser part, I
> currently run Tor Browser with security level set to high (so that
> JavaScript is disabled by default). Maybe you can tell people on
> #libreboot about this solution if you like.

This is technically unrelated to Libreboot, even if it is an important
issue. swiftgeek and I decided not to document anything about it on
the site.

In my opinion, GNU+Linux distributions should be the ones advising
people, since all of the defense/mitigation is done there at that
level. The implications at firmware level are non-existent (for
instance, these attacks can't, to my knowledge, be used to actually
run/modify malicious code, just read memory, so it's not as if some
evil site could install malicious boot firmware in your system).

-- 
Leah Rowe



* Re: What do Meltdown and Spectre mean for libreboot x200 user?
  2018-01-15 11:32   ` Leah Rowe
@ 2018-01-15 13:25     ` Andy Wingo
  2018-01-19 14:26       ` Leah Rowe
  0 siblings, 1 reply; 8+ messages in thread
From: Andy Wingo @ 2018-01-15 13:25 UTC (permalink / raw)
  To: Leah Rowe; +Cc: guix-devel

Greets,

On Mon 15 Jan 2018 12:32, Leah Rowe <info@gluglug.org.uk> writes:

> The implications [of Meltdown/Spectre] at firmware level are
> non-existent (for instance, these attacks can't, to my knowledge, be
> used to actually run/modify malicious code, just read memory, so it's
> not as if some evil site could install malicious boot firmware in your
> system).

I agree that it's unlikely that a site could install boot firmware, but
AFAIU it's not out of the realm of possibility.  The vector I see would
be using Meltdown/Spectre to read authentication/capability tokens which
could be used to gain access, either via some other RCE vuln or possibly
via remote access.  Maybe evil code could find an SSH private key in a
mapped page, for example, which the evil server could use to SSH
directly to your machine.  But I admit that it's a bit farfetched :)

Andy


* Re: What do Meltdown and Spectre mean for libreboot x200 user?
  2018-01-15 13:25     ` Andy Wingo
@ 2018-01-19 14:26       ` Leah Rowe
  2018-01-19 14:29         ` Leah Rowe
  0 siblings, 1 reply; 8+ messages in thread
From: Leah Rowe @ 2018-01-19 14:26 UTC (permalink / raw)
  To: Andy Wingo; +Cc: guix-devel


Hi Andy,

On 15/01/18 13:25, Andy Wingo wrote:
> Greets,
> 
> On Mon 15 Jan 2018 12:32, Leah Rowe <info@gluglug.org.uk> writes:
> 
>> The implications [of Meltdown/Spectre] at firmware level are 
>> non-existent (for instance, these attacks can't, to my knowledge,
>> be used to actually run/modify malicious code, just read memory,
>> so it's not as if some evil site could install malicious boot
>> firmware in your system).
> 
> I agree that it's unlikely that a site could install boot firmware,
> but AFAIU it's not out of the realm of possibility.  The vector I
> see would be using Meltdown/Spectre to read
> authentication/capability tokens which could be used to gain
> access, either via some other RCE vuln or possibly via remote
> access.  Maybe evil code could find an SSH private key in a mapped
> page, for example, which the evil server could use to SSH directly
> to your machine.  But I admit that it's a bit farfetched :)

If the attack is used in order to gain access to GPG keys, it could be
used to impersonate you. If it is used in order to read private SSH
keys, then it could be used to log onto your servers for instance, and
install malicious firmware.

Of course, this can be mitigated by write-protecting. Libreboot
systems support this, for the most part, though write protection of
boot flash is not enabled by default, for ease-of-use reasons.

It is not far-fetched at all. I highly recommend that you take care as
to what code runs on your system, especially with things like web
browsers. If you give someone SSH into a system (e.g. shared server)
but they don't need code execution (e.g. the SSH daemon is there for
them to have SCP access), make sure noexec is set on their directory's
mountpoint. Things like that.

Also make sure that your distro supports reproducible builds, and make
sure that your package manager is configured to retrieve packages
through the Tor network.

The attack can be performed from user space, so make sure that you
have nothing in userspace that could possibly pull off the attack.

-- 
Leah Rowe



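A check for the noexec advice in the message above: given a directory, find the mount that actually holds it and report whether noexec is set. This is an added example, not part of the original message; the function name is hypothetical and the sample mount table, including its device names and paths, is constructed.

```shell
#!/bin/sh
# has_noexec DIR [MOUNTS_FILE]
# Prints "noexec" or "exec" for the filesystem that holds DIR, judged from
# a /proc/mounts-format file, or "unknown" if no mount covers DIR.
# Limitation: mount points containing spaces (\040 in /proc/mounts) are
# not decoded.
has_noexec() {
    dir=${1%/}
    awk -v dir="${dir:-/}" '
        {
            mp = $2
            # mp covers dir if it is the root, dir itself, or a parent
            # directory of dir ("/home/scp" must not match "/home/scp2").
            covers = (mp == "/" || dir == mp || index(dir, mp "/") == 1)
            # Longest mount point wins; on a tie the later line wins,
            # because a later mount on the same point hides the earlier one.
            if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END {
            if (best == "") { print "unknown"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "noexec") { print "noexec"; exit }
            print "exec"
        }' "${2:-/proc/mounts}"
}

# Constructed sample in /proc/mounts format; devices and paths are made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /home/scponly ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF

has_noexec /home/scponly/incoming "$sample"
has_noexec /home/scponly2 "$sample"
has_noexec /home/alice "$sample"
rm -f "$sample"
```

Note that noexec only prevents direct execution of files stored on that mount; an account with a shell can still feed such files to an interpreter.
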
* Re: What do Meltdown and Spectre mean for libreboot x200 user?
  2018-01-19 14:26       ` Leah Rowe
@ 2018-01-19 14:29         ` Leah Rowe
  0 siblings, 0 replies; 8+ messages in thread
From: Leah Rowe @ 2018-01-19 14:29 UTC (permalink / raw)
  To: Andy Wingo; +Cc: guix-devel

On 19/01/18 14:26, Leah Rowe wrote:
> Hi Andy,
> 
> On 15/01/18 13:25, Andy Wingo wrote:
>> Greets,
> 
>> On Mon 15 Jan 2018 12:32, Leah Rowe <info@gluglug.org.uk>
>> writes:
> 
>>> The implications [of Meltdown/Spectre] at firmware level are 
>>> non-existent (for instance, these attacks can't, to my
>>> knowledge, be used to actually run/modify malicious code, just
>>> read memory, so it's not as if some evil site could install
>>> malicious boot firmware in your system).
> 
>> I agree that it's unlikely that a site could install boot
>> firmware, but AFAIU it's not out of the realm of possibility.
>> The vector I see would be using Meltdown/Spectre to read 
>> authentication/capability tokens which could be used to gain 
>> access, either via some other RCE vuln or possibly via remote 
>> access.  Maybe evil code could find an SSH private key in a
>> mapped page, for example, which the evil server could use to SSH
>> directly to your machine.  But I admit that it's a bit farfetched
>> :)
> 
> If the attack is used in order to gain access to GPG keys, it could
> be used to impersonate you. If it is used in order to read private
> SSH keys, then it could be used to log onto your servers for
> instance, and install malicious firmware.
> 
> Of course, this can be mitigated by write-protecting. Libreboot 
> systems support this, for the most part, though write protection
> of boot flash is not enabled by default, for ease-of-use reasons.
> 
> It is not far-fetched at all. I highly recommend that you take care
> as to what code runs on your system, especially with things like
> web browsers. If you give someone SSH into a system (e.g. shared
> server) but they don't need code execution (e.g. the SSH daemon is
> there for them to have SCP access), make sure noexec is set on
> their directory's mountpoint. Things like that.

Do you use Google?
Do you use Twitter?
What about your bank?
Government website?

Anything that serves you JavaScript is a potential threat. Even if an
organisation is benevolent, who is to say that they don't get
compromised at one point and start being used as a vessel for attack
at some point?

-- 
Leah Rowe

