Forgive me. I called out really for the earlier version of safari because I am having issues with mine. However, I am not on a MBP, I am on an imac, for the computer I am speaking of. As I recall I did an update in end of December and another came in January. Almost as soon as I added the last on I start having issues. I don't think it is a coincidence. However, things are just wonky right now.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
2006/2007 Mac Pro (1,1/2,1) and OS X El Capitan
- Thread starter Mr. Zarniwoop
- Start date
-
- Tags
- mac pro 2006 mac pro 2007
- Sort by reaction score
I can confirm that Security Update 2018-001 breaks El Capitan on Mac Pro 1,1 and 2,1 and that the Rollback of just the kernel file (from 2017-004) is necessary to boot after the 2018-001 update.
I have no proof (just a hunch) that Apple has implemented use of SSE4.1 (which 1,1 and 2,1 CPUs do not possess) in this new kernel to compensate for performance issues caused by handling Spectrum and Meltdown..
For Info:
MD5 (kernel2017-004) = fb43a43f673703863a1321df134d7c11
MD5 (kernel2018-001) = fa693b647577f38d73887a4212dc062e
of /System/Library/Kernels/kernel
I have no proof (just a hunch) that Apple has implemented use of SSE4.1 (which 1,1 and 2,1 CPUs do not possess) in this new kernel to compensate for performance issues caused by handling Spectrum and Meltdown..
For Info:
MD5 (kernel2017-004) = fb43a43f673703863a1321df134d7c11
MD5 (kernel2018-001) = fa693b647577f38d73887a4212dc062e
of /System/Library/Kernels/kernel
So Safari stops at version 11.0.3 for what concerns the Mac Pro... as well as iTunes and other apps
Having followed the unfolding of this security disaster I believe it is more likely, that the kernel is using the "Process Context Identifiers (PCID)" that was introduce with Sandybridge (or even Nehalem), but could only be utilised efficiently starting with Haswell due to missing INVPCID instruction. This functions helps overcome the performance hits that go along with the introduction of "Page Table Isolation (KPTI)" that address the "Meltdown" issue.
It could well be that SSE4 is also used to move & copy memory tables more efficiently).
Since Intel listed only Processors based on Nehalem and later architectures to be affected, the XEONs 51xx and 53xx used in the MacPro 1,1 and 2,1 should be save - although the first Out-of-Order Execution (OoOE) techniques can be traced back to Pentium Pro.
Overall, I expect more updates to come along and hence it is wise to disable automatic backups for those running El Capitan on unsupported hardware. Here´s why (for details refer to Google's Project Zero):
The core issue are the Out-of-Order execution technologies introduced to boost performance by utilising "wait" times imposed by latency and slower memory access speeds to do speculative execution of next-in-line code. Meltdown and Spectre (currently 2 flavours) are one 3 specifically described attack vectors amongst a potential myriad of other option for exploitation.
Spectre 1 requires changes in the compiler and careful review and elimination of susceptible code sections to avoid gaining access to prohibited memory sections by conditioning the branch predictors and allow the speculative execution of malicious code that affects caches and can then be used by a side-channel-attack.
Spectre 2 works in a similar way, but instead the conditioning of the brach predictors is used to speculatively execute existing code snippets of the program to be attacked, again affecting caches and allow data extraction through a side channel attack that identifies the content through the fact that memory access varies depending on the content of the cache.
Spectre 2 is believed to be fixed by the utilisation of 3 new processor instructions IBRS, STIBP and IBPB that require a microcode update and hence a new firmware. Those are reported to have a heavy burden on performance before Skylake.
As Intel pulled back their latest microcode updates due to spontaneous reboot issues and the fact that they would initially only "fix" the processors introduced in the last 5 years, this will drag out quite a bit.
Therefore Linux is also using a kernel patch called "Retpoline", which still requires changes to the compiler to update kernel as well as creating hardened applications.
Although this was quite detailed, I hope this gives you a better idea, why we see the massive number of files included in the security update 2018-001 and what may have to be expected going forward.
As most of these changes happen inside the kernel or respective applications, we may be able to pick and choose those elements that work on our old hardware to take advantage of other fixes as I expect the dependencies and APIs to not change.
There is quite a good article in the computer magazine c't 3/2018 page 58ff - unfortunately in German only, but I believe there is sufficient English articles which can be found by searching the key words in bold letters above.
Last edited:
I'm trying an installation on Vmware ... if the 2018.001 update works, it means that it does not require any SSE 4.1 statement
Last edited:
Hhm, then I may have to check my setup. I just cloned my main system drive and installed the security update 2018-001 onto the clone. I had no problem manipulation that cloned drive when booted back into my main drive.
What I had to do though was to enforce the rebuild of the pre-linked kernel caches by executing "touch /System/Library/Extensions" else I still had the reboot loop when trying to boot from the clone.
I have meanwhile briefly tested the following apps (opening and slightly modifying existing documents/projects) and therefore don´t envision any surprises using the kernel from the previous version:
- Open Office 5.4.4.2
- Final Cut Pro X Trial 10.3.4
- Logic X 10.3.3
- Virtual Box 5.2.6 running OS X 10.6.8
- SheepShaver 2.4 running System 7.5.5
- iMovie 10.1.6
- Photos 1.5
- Pages 5.6.2
- Numbers 3.6.2
- iTunes 12.6.3 (still like to access my iOS Apps, hence not updated yet)
- EyeTV 3.6.9
Done update to 2018.001 on vmware ... do not restart ... end of the road
Done update to 2018.001 on vmware ... do not restart ... end of the road
Do you tried rebuilding the kernel caches like Inspector42 did ?
"What I had to do though was to enforce the rebuild of the pre-linked kernel caches by executing "touch /System/Library/Extensions" else I still had the reboot loop when trying to boot from the clone."
Done update to 2018.001 on vmware ... do not restart ... end of the road
Have you replaced the kernel file with the previous one?
Keep in mind that there are plenty of Apple Products that use C2D which are fully Supported in El Capitan and even High Sierra, so it wouldn't make sense that they would change the kernel to require Nehalem or higher.. All these products DO use later C2D or (C2D based Xeon) which will have the SSE4.1 instruction set.
As I mentioned in an earlier post, after following your instructions to the letter, I still had the boot /loop issue.
Then after reading the tip from @Inspector42 (force the rebuild of the pre-linked kernel caches by executing "touch /System/Library/Extensions") I finally now have a working system with 2018-001 Security update installed.
My thanks to you both for the help.
Well, first of all credit for using the previous kernel goes to @rthpjm.
As far as the security content is concerned, the listed kernel fixes in Apple‘s documentation all refer to Meltdown, which according to Intel does not apply to XEON 51xx and 53xx.
But without source code or further detailed documentation by Apple we will not know for sure.
The version info within the kernel increased only from xnu-3248.72.11 to xnu-3248.73.5 and Darwin version remains at 15.6.0.
I can also confirm that even after the 2018-001 security upgrade (and the rollback of the kernel itself), iTunes as well as Safari seem to work just fine.
I'm guessing that given the speculative execution bug (Spectre) goes all the way back to the PentiumPro, that means the kernel rollback breaks a large part of the fixes for Spectre
I'm guessing that given the speculative execution bug (Spectre) goes all the way back to the PentiumPro, that means the kernel rollback breaks a large part of the fixes for Spectre
So far, Intel claims that C2D based processors are not effected and hence there will likely not be any microcode update for those. That also means, that Meltdown and Spectre are not a threat and don’t need to be fixed.
However the security fix also included a few other fixes applicable to El Capitan.
[doublepost=1517165951][/doublepost]
I‘d also prefer to have a consistent set of system files. But since it now works, reverting back is too much of an effort.
Reading through the security issues addressed in this security update I do not see, why SSE4 instructions would help their resolution - unless Apple chose to backport parts of the kernel from (High)Sierra, which uses them for other reasons. I believe the boot loop has a different cause but may still be no easy fix.
Done update to 2018.001 on vmware ... do not restart ... end of the road
Well, it works for me... VMware Fusion 8.5.8, but it turns out I am faking the board ID, as explained here. No "Illegal Instruction" crash at startup.
Code:
board-id.reflectHost = "FALSE"
board-id = "Mac-F42C88C8"
hw.model.reflectHost = "FALSE"
hw.model = "MacPro3,1"Great, that opens an opportunity to find out, what really causes the boot loop.
Would you mind trying board-id and model for a MacPro2,1 ?
board-id = "Mac-F4208DA9"
hw.model = "MacPro2,1"
I had to remove the borked El Capitan drive. Then finally I could reboot in Recover mode. I had to re-install Lion on a separate hard drive. Download El Capitan again, Pikify it (using the latest app). Then reinsert the borked El Capitan drive, and re-install El Capitan on it.
I did not have a bootable El Capitan image. I'll make sure I do now. However the total process of doing this took less than 1.5 hours (so not so bad) and everything was intact after that...
