Date: Sun, 3 Jun 2018 15:37:35 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: procmem <procmem@...eup.net>
Cc: kernel-hardening@...ts.openwall.com
Subject: Re: Nethammer and kernel network drivers

On Sun, Jun 03, 2018 at 01:23:28PM +0000, procmem wrote:
> 
> 
> Greg KH:
> > On Sat, Jun 02, 2018 at 05:41:09PM +0000, procmem wrote:
> >> Hello. Daniel provided more details on the problematic areas of the
> >> kernel and I quote what he said verbatim:
> >>
> >>
> >>> We have only found very outdated network drivers using clflush (old
> >>> windows ndis code). On ARM there are many drivers using uncached memory.
> >>> However, we have so far failed to produce enough memory traffic on ARM
> >>> to trigger a bit flip with Nethammer on any ARM device.
> >>> It should be possible though if you can make the ARM device handle
> >>> >=300MBit/s.
> >>> And that's the most plausible scenario.
> >>>
> >>> Anyway, searching for clflush or use of uncached memory is a good idea
> >>> to locate the critical spots.
> >>>
> >>> Intel CAT is (we believe) not used anywhere yet. And we must be careful
> >>> when it gets to the point where we introduce usage of CAT for QoS
> >>> mechanisms.
> >>>
> >>> However, my intuition tells me that most systems are not even vulnerable
> >>> to Rowhammer in the first place. Although the only prevalence studies we
> >>> have suggest otherwise (they find 60-80% are affected).
> >
> > So Linux is not vulnerable to this at all?  That's good to know, thanks
> > for following up with this.
> >
> > greg k-h
> >
> 
> I interpreted this to mean that there is a major problem with ARM
> drivers but the only backstop is the current gen of hardware being
> underpowered.

Really?  There are ARM servers now that can do really fast networking,
yet those drivers do not seem to have this problem from what I can see.
Am I missing something here?

> Also it would be best to put a kernel comment about sec implications
> of Intel CAT for those who want to enable/use it IMHO.

Patches are always gladly accepted :)

thanks,

greg k-h
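
The quoted suggestion to search for clflush or use of uncached memory can be turned into a small audit script. This is an added example, not part of the original message or of the kernel tree; the identifier lists, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list driver source lines that flush
# cache lines explicitly or map memory uncached.
# The identifier lists are an assumption about what to review, not exhaustive.
FLUSH_RE='clflush(opt)?|clflush_cache_range'
UNCACHED_RE='ioremap_nocache|pgprot_noncached|set_memory_uc'

# scan_tree DIR -> "kind<TAB>file:line:text" for each hit in *.c / *.h,
# skipping lines that are only comments to reduce false positives.
scan_tree() {
    for kind in flush uncached; do
        case $kind in
            flush)    re=$FLUSH_RE ;;
            uncached) re=$UNCACHED_RE ;;
        esac
        grep -rnwE --include='*.[ch]' "$re" "$1" 2>/dev/null |
            awk -v k="$kind" '{
                text = $0
                sub(/^[^:]*:[0-9]+:/, "", text)          # drop "file:line:"
                if (text ~ /^[ \t]*(\/\/|\/\*|\*)/) next  # comment-only line
                print k "\t" $0
            }'
    done
}

# count_hits DIR KIND -> number of hits of that kind
count_hits() {
    scan_tree "$1" | awk -F'\t' -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# demo_tree -> path of a temporary tree holding constructed sample files
demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/drivers/net" || return 1
    printf '%s\n' 'static void sync_ring(void *p)' '{' '    clflush(p);' '}' \
        > "$d/drivers/net/old_ndis.c"
    printf '%s\n' '// pgprot_noncached appears here only in a comment' \
        'vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);' \
        'regs = ioremap_nocache(base, len);' > "$d/drivers/net/arm_eth.c"
    printf '%s\n' 'int clflushing_unrelated_name;' > "$d/drivers/net/clean.c"
    echo "$d"
}

# Usage: sh scan.sh /path/to/linux/drivers/net
if [ $# -gt 0 ]; then scan_tree "$1"; fi
```

Each hit is only a place to start reviewing; whether a given flush or uncached mapping is reachable from network traffic still has to be checked by reading the driver.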
