SparkyLinux Forums

Installation & Upgrade => System upgrading => Topic started by: witek on January 07, 2018, 12:01:16 PM

Title: Spectre and Meltdown
Post by: witek on January 07, 2018, 12:01:16 PM
Hello

Probably you have heard about the topic. The recent voice from a kernel specialist says:
http://kroah.com/log/blog/2018/01/06/meltdown-status/
Quote: Again, update your kernels, don't delay, and don't stop. The updates to resolve these problems will be continuing to come for a long period of time. Also, there are still lots of other bugs and security issues being resolved in the stable and LTS kernel releases that are totally independent of these types of issues, so keeping up to date is always a good idea.

I have been using the Sparky kernel and no updates have been issued so far. I've experimented with Ubuntu kernels:
http://kernel.ubuntu.com/~kernel-ppa/mainline/ and it works. I've downloaded the most recent linux-headers and linux-image, installed them via dpkg, and this post goes from the system on the 4.14.12 kernel. If you cannot wait for the official Sparky kernel, this might be a solution.

Title: Re: Spectre and Meltdown
Post by: paxmark1 on January 07, 2018, 09:00:11 PM
Also: https://forum.siduction.org/index.php?topic=7010.0 I see nothing from towo yet, their kernel maintainer.

Planet Debian: not much in the last 2 days.
Somewhat dated but very competent dev: https://blog.sesse.net/blog/tech/2018-01-04-23-46_loose_threads_about_spectre_mitigation.html via Planet Debian.
Mailing lists will have more, I am not searching.

The intel-microcode 3.20171215.1 has migrated to testing.
https://packages.debian.org/sid/intel-microcode

My own preference would be to never utilize an Ubuntu kernel. Not to denigrate Ubuntu, many of their developers contribute to Debian and Ubuntu, but if you are trusting Debian or Debian-based kernels, stay the course.

Quote from the kroah.com/log/blog entry:
Quote: Right now, there are a lot of very overworked, grumpy, sleepless, and just generally pissed off kernel developers working as hard as they can to resolve these issues that they themselves did not cause at all. Please be considerate of their situation right now. They need all the love and support and free supply of their favorite beverage that we can provide them to ensure that we all end up with fixed systems as soon as possible.
Title: Re: Spectre and Meltdown
Post by: pavroo on January 07, 2018, 10:50:28 PM
Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y
Title: Re: Spectre and Meltdown
Post by: witek on January 08, 2018, 07:11:37 AM
Quote from: pavroo on January 07, 2018, 10:50:28 PM
Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y

How do I get this kernel? My system can only see '4.12.1-sparky' as the most recent kernel.
Title: Re: Spectre and Meltdown
Post by: pavroo on January 08, 2018, 05:52:26 PM
Make sure you have sparky's unstable repo enabled:
/etc/apt/sources.list.d/sparky-unstable.list
Then:
sudo apt update
and install it.
Title: Re: Spectre and Meltdown
Post by: witek on January 18, 2018, 07:45:05 PM
I upgraded to 4.14.13, then I downloaded the script from https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/ and it shows:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  YES
*     The SPEC_CTRL CPUID feature bit is set:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

I'm confused. Is my system still vulnerable?
Title: Re: Spectre and Meltdown
Post by: pavroo on January 19, 2018, 12:59:09 AM
The script is also available in Sid repos.

Meltdown is patched already, but Spectre...
Quote: There are no Spectre patches available yet. That's because, as Kroah-Hartman explained, "Spectre issues were the last to be addressed by the kernel developers. All of us were working on the Meltdown issue, and we had no real information on exactly what the Spectre problem was at all, and what patches were floating around were in even worse shape than what have been publicly posted."
http://www.zdnet.com/article/the-linux-vs-meltdown-and-spectre-battle-continues/
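The checker output above and pavroo's CONFIG_PAGE_TABLE_ISOLATION=y note both come down to a handful of interfaces the kernel itself exposes. The script below is an added example for this thread, not code from SparkyLinux or from the spectre-meltdown-checker script: it reads the build config (/boot/config-<version>, so it can also be pointed at a freshly installed kernel's config before rebooting into it), the "pti" flag the x86 kernel adds to /proc/cpuinfo when KPTI is active, and, on kernels that export it, /sys/devices/system/cpu/vulnerabilities/. Every function takes a path, so the sample files in the comments are constructed inputs, not captured from the poster's machine; the live report at the bottom tolerates interfaces that do not exist on older kernels.

```shell
#!/bin/sh
# Added example (not from the SparkyLinux thread or the checker script).
# Reads the kernel's own Meltdown/PTI indicators; each function takes a path
# so it can be run against constructed sample files as well as the live system.

# 0 if the given kernel build config enables Kernel Page Table Isolation.
# Example input line: CONFIG_PAGE_TABLE_ISOLATION=y
config_has_pti() {
    grep -qx 'CONFIG_PAGE_TABLE_ISOLATION=y' "$1"
}

# 0 if the given /proc/cpuinfo text lists "pti" among the CPU flags.
# The x86 kernel sets this synthetic flag only when PTI was built in AND is
# active on this boot (absent under nopti, or on CPUs it deems not affected),
# so it is a runtime check, unlike the build config above.
cpuinfo_has_pti() {
    grep '^flags' "$1" | head -n 1 | tr ' ' '\n' | grep -qx 'pti'
}

# Print "<name>: <status>" for every entry of a vulnerabilities directory
# (/sys/devices/system/cpu/vulnerabilities on kernels that have it).
# Returns 1 and prints nothing if the directory is missing.
list_vulns() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# 0 if the kernel reports the named issue as mitigated or not applicable.
# The kernel's strings are "Not affected", "Mitigation: ..." or "Vulnerable...".
vuln_mitigated() {
    f="$1/$2"
    [ -r "$f" ] || return 1
    case "$(cat "$f")" in
        "Not affected"|"Mitigation:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live report for the running kernel; every interface may be absent.
report() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        if config_has_pti "$cfg"; then
            echo "build config: CONFIG_PAGE_TABLE_ISOLATION=y"
        else
            echo "build config: PTI not built in"
        fi
    else
        echo "build config: $cfg not readable"
    fi
    if [ -r /proc/cpuinfo ] && cpuinfo_has_pti /proc/cpuinfo; then
        echo "runtime: pti flag present (KPTI active)"
    else
        echo "runtime: pti flag absent (KPTI inactive, not x86, or kernel too old)"
    fi
    list_vulns /sys/devices/system/cpu/vulnerabilities \
        || echo "sysfs: no vulnerabilities directory (kernel too old)"
}

report
```

Run it as a normal user; all three sources are world-readable. A build config with PTI enabled plus a missing "pti" flag means the kernel was built with the mitigation but it is not active on this boot (for example nopti on the command line), which is the case the build-config check alone would miss. The sysfs directory also reports the Spectre variants, so on a kernel that has it you get the same VULNERABLE/NOT VULNERABLE answer as the checker script without the LFENCE-counting heuristic.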
Title: Re: Spectre and Meltdown
Post by: Timmi on February 03, 2019, 05:12:53 AM
Sorry to interrupt, but I have a question relating to Spectre (on amd64):
since these exploits are related to 64-bit processors,
will these exploits still work if running the 32-bit+PAE Sparky?