
Spectre and Meltdown

Started by witek, January 07, 2018, 12:01:16 PM


witek

Hello

Probably you have heard about the topic. The recent voice from a kernel specialist says:
http://kroah.com/log/blog/2018/01/06/meltdown-status/
Quote: Again, update your kernels, don't delay, and don't stop. The updates to resolve these problems will be continuing to come for a long period of time. Also, there are still lots of other bugs and security issues being resolved in the stable and LTS kernel releases that are totally independent of these types of issues, so keeping up to date is always a good idea.

I have been using the Sparky kernel and no updates have been issued so far. I've experimented with Ubuntu kernels:
http://kernel.ubuntu.com/~kernel-ppa/mainline/ and it works. I've downloaded the most recent linux-headers and linux-image, installed them via dpkg, and this post goes from the system on the 4.14.12 kernel. If you cannot wait for the official Sparky kernel, this might be a solution.


paxmark1

Also https://forum.siduction.org/index.php?topic=7010.0 - I see nothing from towo yet, their kernel maintainer.

Planet Debian: not much in the last 2 days.
Somewhat dated but a very competent dev: https://blog.sesse.net/blog/tech/2018-01-04-23-46_loose_threads_about_spectre_mitigation.html via Planet Debian.
Mailing lists will have more, I am not searching.

The intel-microcode 3.20171215.1 has migrated to testing.
https://packages.debian.org/sid/intel-microcode

My own preference would be to never utilize an Ubuntu kernel; not to denigrate Ubuntu, many of their developers contribute to Debian and Ubuntu, but if you are trusting Debian or Debian-based kernels, stay the course.

Quote from the kroah.com/log/blog entry:
Quote: Right now, there are a lot of very overworked, grumpy, sleepless, and just generally pissed off kernel developers working as hard as they can to resolve these issues that they themselves did not cause at all. Please be considerate of their situation right now. They need all the love and support and free supply of their favorite beverage that we can provide them to ensure that we all end up with fixed systems as soon as possible.
Search forum for "More info easier via inxi"    If requested -  no inxi, no help for you by  me.

pavroo

Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y
Nothing is easy as it looks. Danielle Steel
Join #sparkylinux.org at [url="//irc.libera.chat"]irc.libera.chat[/url]

witek

Quote from: pavroo on January 07, 2018, 10:50:28 PM
Talking about the Meltdown security issue - Sparky's Linux kernel 4.14.12 has the option set to yes as default:
CONFIG_PAGE_TABLE_ISOLATION=y

How to get this kernel? My system can only see '4.12.1-sparky' as the most recent kernel?

pavroo

Make sure you have sparky's unstable repo enabled:
/etc/apt/sources.list.d/sparky-unstable.list
Then:
sudo apt update
and install it.

witek

I upgraded to 4.14.13 then I downloaded the script from https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/ and it shows:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  YES
*     The SPEC_CTRL CPUID feature bit is set:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

I'm confused. Is my system still vulnerable?
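The checker output above mixes a heuristic (counting LFENCE opcodes) with the kernel's actual state. A more reliable cross-check is to read what the kernel itself reports: the `CONFIG_PAGE_TABLE_ISOLATION` line pavroo mentions in the kernel config, and the per-issue files the kernel exposes under `/sys/devices/system/cpu/vulnerabilities/` (added in 4.15 and backported to later stable kernels; it is not on 4.14.12). The script below is an added example, not the cyberciti script or anything from the thread; it takes the config file and the sysfs directory as parameters so it can be run against constructed files as well as the live paths.

```shell
#!/bin/sh
# Added example (not from the forum thread or the linked checker script).
# Reads the kernel's own reporting rather than relying on opcode-count heuristics.

# Print "y", "n" or "unset" for CONFIG_PAGE_TABLE_ISOLATION in a kernel config file
# (on a Debian-style system that is /boot/config-$(uname -r)).
pti_config_state() {
    config="$1"
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$config"; then
        echo y
    elif grep -q 'CONFIG_PAGE_TABLE_ISOLATION is not set' "$config"; then
        echo n
    else
        echo unset          # option unknown to this kernel (e.g. 4.12.1, too old)
    fi
}

# Classify one sysfs vulnerability file by the prefix the kernel writes into it.
# Prints MITIGATED, VULNERABLE, NOT_AFFECTED or UNKNOWN (file missing or unrecognised).
vuln_state() {
    file="$1"
    [ -r "$file" ] || { echo UNKNOWN; return 0; }
    case "$(cat "$file")" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Walk the three January-2018 issues (Meltdown, Spectre v1, Spectre v2).
# Returns 1 if any of them is still reported as VULNERABLE, 0 otherwise.
report_vulns() {
    dir="$1"; rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        state=$(vuln_state "$dir/$name")
        printf '%-10s %s\n' "$name" "$state"
        [ "$state" = VULNERABLE ] && rc=1
    done
    return $rc
}

# Usage against the live system (standard paths):
#   pti_config_state "/boot/config-$(uname -r)"
#   report_vulns /sys/devices/system/cpu/vulnerabilities
```

On a kernel with the sysfs interface, a VULNERABLE entry for spectre_v2 alongside MITIGATED for meltdown matches the checker's picture above: PTI covers Meltdown, while Spectre v2 needs retpoline or IBRS support that the 4.14.13 build lacks.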

pavroo

The script is also available in Sid repos.

Meltdown is patched already, but Spectre...
Quote: There are no Spectre patches available yet. That's because, as Kroah-Hartman explained, "Spectre issues were the last to be addressed by the kernel developers. All of us were working on the Meltdown issue, and we had no real information on exactly what the Spectre problem was at all, and what patches were floating around were in even worse shape than what have been publicly posted."
http://www.zdnet.com/article/the-linux-vs-meltdown-and-spectre-battle-continues/

Timmi

Sorry to interrupt, but I have a question relating to Spectre (on amd64):
since these exploits are related to 64-bit processors,
will these exploits still work if running the 32-bit+PAE Sparky?
