
Topic: Spectre and Meltdown

witek (Newbie, Posts: 13)
Spectre and Meltdown
« on: January 07, 2018, 12:01:16 pm »
Hello

Probably you have heard about the topic. The recent voice from a kernel specialist says:
http://kroah.com/log/blog/2018/01/06/meltdown-status/
Quote
Again, update your kernels, don’t delay, and don’t stop. The updates to resolve these problems will be continuing to come for a long period of time. Also, there are still lots of other bugs and security issues being resolved in the stable and LTS kernel releases that are totally independent of these types of issues, so keeping up to date is always a good idea.

I have been using the Sparky kernel and no updates have been issued so far. I've experimented with Ubuntu kernels:
http://kernel.ubuntu.com/~kernel-ppa/mainline/ and it works. I've downloaded the most recent linux-headers and linux-image, installed them via dpkg, and this post is written from the system on the 4.14.12 kernel. If you cannot wait for the official Sparky kernel, this might be a solution.


paxmark1 (Sr. Member, Posts: 408)
Re: Spectre and Meltdown
« Reply #1 on: January 07, 2018, 09:00:11 pm »
Also https://forum.siduction.org/index.php?topic=7010.0 - I see nothing from towo yet, their kernel maintainer.

Planet Debian: not much in the last 2 days.
Somewhat dated but very competent dev: https://blog.sesse.net/blog/tech/2018-01-04-23-46_loose_threads_about_spectre_mitigation.html via Planet Debian.
Mailing lists will have more, I am not searching.

The intel-microcode 3.20171215.1 has migrated to testing.
https://packages.debian.org/sid/intel-microcode

My own preference would be to never utilize an Ubuntu kernel, not to denigrate Ubuntu, many of their developers contribute to Debian and Ubuntu, but if you are trusting Debian or Debian-based kernels, stay the course.

Quote from the kroah.com/log/blog entry:
Quote
Right now, there are a lot of very overworked, grumpy, sleepless, and just generally pissed off kernel developers working as hard as they can to resolve these issues that they themselves did not cause at all. Please be considerate of their situation right now. They need all the love and support and free supply of their favorite beverage that we can provide them to ensure that we all end up with fixed systems as soon as possible.
Don't make a FrankenDebian

pavroo (Global Moderator, Hero Member, Posts: 1892, SparkyLinux)
Re: Spectre and Meltdown
« Reply #2 on: January 07, 2018, 10:50:28 pm »
Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y
Nothing is easy as it looks.
Danielle Steel

witek (Newbie, Posts: 13)
Re: Spectre and Meltdown
« Reply #3 on: January 08, 2018, 07:11:37 am »
Quote
Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y

How to get this kernel? My system can only see '4.12.1-sparky' as the most recent kernel?

pavroo (Global Moderator, Hero Member, Posts: 1892, SparkyLinux)
Re: Spectre and Meltdown
« Reply #4 on: January 08, 2018, 05:52:26 pm »
Make sure you have Sparky's unstable repo enabled:
Code:
/etc/apt/sources.list.d/sparky-unstable.list
Then:
Code:
sudo apt update
and install it.
Nothing is easy as it looks.
Danielle Steel

witek (Newbie, Posts: 13)
Re: Spectre and Meltdown
« Reply #5 on: January 18, 2018, 07:45:05 pm »
I upgraded to 4.14.13, then I downloaded the script from https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/ and it shows:
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  YES
*     The SPEC_CTRL CPUID feature bit is set:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
I'm confused. Is my system still vulnerable?
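
The checker output above is built from heuristics (counting LFENCE opcodes, grepping dmesg and cpuinfo) because, at the time of the thread, the kernel had no official way to report its own mitigation status. Newer kernels do: the `/sys/devices/system/cpu/vulnerabilities/` directory (added upstream in 4.15 and, as far as I recall, backported to later 4.14 stable releases, so it is absent on the 4.14.12/4.14.13 kernels discussed here) contains one file per issue, e.g. `meltdown`, `spectre_v1`, `spectre_v2`, whose contents read "Not affected", "Vulnerable" or "Mitigation: ...". The script below is an added example, written for this page; it is not the thread's code, not part of the cyberciti/spectre-meltdown-checker script, and not a Sparky tool. It reads that sysfs directory, checks the `CONFIG_PAGE_TABLE_ISOLATION=y` option pavroo mentions in the kernel config file, and looks for the `pti` flag in `/proc/cpuinfo` (assumed to be exported by kernels carrying the KPTI backport). All paths are parameters, so it can be exercised offline against constructed sample files; the `--live` flag runs it against the real system.

```shell
#!/bin/sh
# Added example (not from the thread or from spectre-meltdown-checker):
# a mitigation-status check that reads the kernel's own reporting
# interfaces. Paths are parameters so the functions can be run against
# constructed sample data; "--live" reads the real system.
#
# Assumptions: /sys/devices/system/cpu/vulnerabilities exists on kernels
# >= 4.15 (and later 4.14 stable releases); on 4.14.12/4.14.13 it is
# missing and report_vuln says so rather than guessing.

# Report one vulnerability file under DIR. Prints "<name>: <status>".
# Returns 0 when the kernel reports a mitigation or "Not affected",
# 1 when it reports "Vulnerable...", 2 when the file does not exist.
report_vuln() {
    dir=$1
    name=$2
    f="$dir/$name"
    if [ ! -r "$f" ]; then
        printf '%s: no sysfs entry (kernel too old for this interface)\n' "$name"
        return 2
    fi
    status=$(cat "$f")
    printf '%s: %s\n' "$name" "$status"
    case $status in
        Vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check the build-time PTI option in a kernel config file such as
# /boot/config-$(uname -r). Returns 0 if set to y, 1 otherwise.
pti_built_in() {
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$1"
}

# Check whether PTI is active on the running CPU: the first "flags"
# line of a cpuinfo file must contain the word "pti".
pti_active() {
    grep '^flags' "$1" | head -n1 | grep -qw pti
}

# Overall verdict over the three original CVEs. Returns 0 only when
# meltdown, spectre_v1 and spectre_v2 are all reported as mitigated
# (a missing file also counts as not mitigated). Usage: check_all DIR
check_all() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        report_vuln "$1" "$v" || rc=1
    done
    return $rc
}

# Stand-alone run against the live system: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_all /sys/devices/system/cpu/vulnerabilities
    pti_built_in "/boot/config-$(uname -r)" && echo "CONFIG_PAGE_TABLE_ISOLATION=y in kernel config"
    pti_active /proc/cpuinfo && echo "pti flag present in /proc/cpuinfo"
fi
```

Reading the sysfs files is the check to prefer once a kernel provides them: they reflect what the running kernel actually enabled (including microcode-dependent choices made at boot), whereas the LFENCE count and the retpoline compiler checks in the script posted above are heuristics that can report "VULNERABLE" on a kernel that is partly mitigated, which is the source of the confusion in the post.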

pavroo (Global Moderator, Hero Member, Posts: 1892, SparkyLinux)
Re: Spectre and Meltdown
« Reply #6 on: January 19, 2018, 12:59:09 am »
The script is also available in Sid repos.

Meltdown is patched already, but Spectre...
Quote
There are no Spectre patches available yet. That's because, as Kroah-Hartman explained, "Spectre issues were the last to be addressed by the kernel developers. All of us were working on the Meltdown issue, and we had no real information on exactly what the Spectre problem was at all, and what patches were floating around were in even worse shape than what have been publicly posted."
http://www.zdnet.com/article/the-linux-vs-meltdown-and-spectre-battle-continues/
Nothing is easy as it looks.
Danielle Steel