Author Topic: Post Meltdown, Spectre and other Intel issues  (Read 10389 times)

Online VinDSL

Re: Post Meltdown, Spectre and other Intel issues
« Reply #75 on: January 30, 2018, 02:25:46 pm »
Seems the default kernel is the best for now :)

You've crystallized my thoughts exactly  :)

Offline DAMIEN1307

Re: Post Meltdown, Spectre and other Intel issues
« Reply #76 on: January 31, 2018, 12:45:40 am »
hi pin....sorry pin...i meant vin when i was mentioning that kernel 4.15...tough getting old...lol...DAMIEN
ORDO AB CHAO

Offline pin

Re: Post Meltdown, Spectre and other Intel issues
« Reply #77 on: January 31, 2018, 09:43:04 am »
On Peppermint 7
Code:
pedro@peppermint7 ~ $ uname -a
Linux peppermint7 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  YES  (71 jump-then-lfence instructions found, which is >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
« Last Edit: January 31, 2018, 09:44:39 am by pin »

Offline pin

Re: Post Meltdown, Spectre and other Intel issues
« Reply #78 on: February 01, 2018, 10:54:20 am »
Apparently, one will hardly notice the impact on performance due to Meltdown and Spectre patches  :D
http://news.softpedia.com/news/linux-systems-running-newer-kernels-not-affected-by-meltdown-and-spectre-patches-519639.shtml

Offline PCNetSpec

Re: Post Meltdown, Spectre and other Intel issues
« Reply #79 on: February 01, 2018, 12:29:01 pm »
Ubuntu have today (01-Feb-2018) added a new version of the 4.15 kernel (4.15.0-041500) to the mainline kernel PPA:
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/

Like the default 4.13.0-32 kernel it's mitigated against Meltdown and ONE of the two Spectre variants.

But weirdly, according to the spectre-meltdown-checker.sh script 4.15 is vulnerable to Spectre variant 1, whereas the default 4.13 is vulnerable to variant 2

Default kernel 4.13.0-32
Code:
mark@Dell-E6530 ~ $ uname -a
Linux Dell-E6530 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
mark@Dell-E6530 ~ $ sudo /home/$USER//Desktop/spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  YES  (68 jump-then-lfence instructions found, which is >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

NEW 4.15.0-041500 kernel
Code:
mark@Dell-E6530 ~ $ uname -a
Linux Dell-E6530 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 11:55:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
mark@Dell-E6530 ~ $ sudo /home/$USER//Desktop/spectre-meltdown-checker.sh
[sudo] password for mark:
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 11:55:45 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 6 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

So make of that what you will, toss a coin, and take your pick ???
« Last Edit: February 01, 2018, 12:32:14 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
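
The 4.15 run above carries "Mitigated according to the /sys interface" lines that the 4.13 run lacks, so only the newer kernel states its own verdict and the older one is judged by heuristics. The following script is an added example, not part of the thread or of spectre-meltdown-checker.sh, that reads those verdicts directly; the sysfs directory is the kernel's from 4.15 on, while the function names and the sample files in `demo` are constructed for illustration.

```shell
# Added example (not from the thread): the kernel's own verdicts, read from sysfs.
SYSFS_DIR=/sys/devices/system/cpu/vulnerabilities   # present from Linux 4.15

# vuln_status DIR NAME -> MITIGATED | VULNERABLE | NOT_AFFECTED | UNKNOWN
vuln_status() {
    line=""
    # No entry means an older kernel: only heuristics are possible there.
    [ -r "$1/$2" ] || { echo UNKNOWN; return 0; }
    IFS= read -r line < "$1/$2" || true
    case "$line" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# report [DIR] -> one line per variant; returns 1 unless all three are covered
report() {
    dir="${1:-$SYSFS_DIR}"
    uncovered=0
    for name in spectre_v1 spectre_v2 meltdown; do
        status=$(vuln_status "$dir" "$name")
        detail=""
        [ -r "$dir/$name" ] && IFS= read -r detail < "$dir/$name" || true
        printf '%-11s %-13s %s\n' "$name" "$status" "$detail"
        case "$status" in
            MITIGATED|NOT_AFFECTED) ;;
            *) uncovered=1 ;;
        esac
    done
    return "$uncovered"
}

# Constructed sample shaped like the 4.15.0-041500 result quoted above.
demo() {
    d=$(mktemp -d)
    echo 'Vulnerable' > "$d/spectre_v1"
    echo 'Mitigation: Full generic retpoline' > "$d/spectre_v2"
    echo 'Mitigation: PTI' > "$d/meltdown"
    demo_rc=0
    report "$d" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# Live system by default, or a directory given as the first argument.
report "$@" || echo "not every variant is reported as mitigated"
```

Run without arguments it reads the live system; calling `demo` replays the constructed 4.15 sample and returns non-zero because Variant 1 is still reported as vulnerable there.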

Offline pin

Re: Post Meltdown, Spectre and other Intel issues
« Reply #80 on: February 01, 2018, 12:34:41 pm »
Yeap! That's it  ???
My Peppermint 7 system is vulnerable to v2 and not v1, but my Void system is vulnerable to v1 and not v2 (see above).
Hum! Why can't one get both?
« Last Edit: February 01, 2018, 09:18:57 pm by pin »

Offline PCNetSpec

Re: Post Meltdown, Spectre and other Intel issues
« Reply #81 on: February 01, 2018, 12:46:54 pm »
Good question.

Maybe the next 4.13 default kernel will be compiled with a retpoline aware compiler .. and/or 4.15 will get the jump-then-lfence patches.

My money's on the default 4.13 kernel being first .. but who knows ???
(unless 4.15 hits hwe-edge first)
« Last Edit: February 01, 2018, 01:09:28 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline pin

Re: Post Meltdown, Spectre and other Intel issues
« Reply #82 on: February 07, 2018, 10:50:40 am »
 :-\ On January 31 the 4.4.0 was bumped to 4.4.0-114, http://news.softpedia.com/news/linux-kernels-4-14-16-4-9-79-4-4-114-and-3-18-93-are-now-available-to-download-519640.shtml
One week later I'm still running the latest from the repos, i.e. 4.4.0-112??

Is it possible to know when it will hit the repos?
On Void, I can trace a package build in real-time here, https://build.voidlinux.eu/waterfall

Is there something similar for Ubuntu?

Online VinDSL

Re: Post Meltdown, Spectre and other Intel issues
« Reply #83 on: February 07, 2018, 11:35:48 pm »
Looks like they got out ...  8)





Offline pin

Re: Post Meltdown, Spectre and other Intel issues
« Reply #84 on: February 08, 2018, 12:10:21 am »
Cheers Vin  :-*! Will update tonight.

Offline Slim.Fatz

Re: Post Meltdown, Spectre and other Intel issues
« Reply #85 on: February 08, 2018, 12:54:02 am »
Hi everyone,

FYI -- I just installed kernel 4.14.18 from this site and then rebooted. The script spectre-meltdown-checker.sh (version 34+) produced the following output:


Note: finally Spectre Variant 1, Spectre Variant 2 and Meltdown (aka Variant 3) all came out as

STATUS: NOT VULNERABLE

Hooray !! First time I have seen all three with this result !!  8)

My machine:


 8)

Regards,

-- Slim
« Last Edit: February 08, 2018, 02:57:29 am by Slim.Fatz »
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Offline Slim.Fatz

Re: Post Meltdown, Spectre and other Intel issues
« Reply #86 on: February 08, 2018, 02:56:35 am »
Hi again,

Now a little update to the previous post: On the same machine I also have Peppermint 7 installed. It is sort of my experimental Peppermint  ;D

So, from the same site linked to in the previous post, I fetched kernel-4.15.2 and installed it, ran the sm-checker script and got basically the same result:


So I'm a happy dude at the moment !!  8)

Regards,

-- Slim
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Offline pin

Re: Post Meltdown, Spectre and other Intel issues
« Reply #87 on: February 08, 2018, 03:03:16 am »
Great stuff slim [emoji41]

But, my PM7 is my stable machine. My experimental machine is my Void Linux system [emoji6]

I'm currently recovering one more laptop, just need a new SSD... So, who knows? I was actually thinking about taking NetBSD for a spin [emoji38]

EDIT: If I install in legacy mode I'll be able to dual boot it with Peppermint. So, yeah... who knows?
« Last Edit: February 08, 2018, 03:08:54 am by pin »

Offline Slim.Fatz

Re: Post Meltdown, Spectre and other Intel issues
« Reply #88 on: February 08, 2018, 04:42:54 am »
Hi pin,

I too have been tempted to try one of the BSD distros (again). I tried them maybe ten years ago but was not impressed and never looked back. But a lot can happen in ten years, so maybe I will check one out again someday.

Have fun!  :)

Regards,

-- Slim
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Online VinDSL

Re: Post Meltdown, Spectre and other Intel issues
« Reply #89 on: February 08, 2018, 11:55:54 am »
Heh! I don't own a 'stable' machine. I love dangling over the edge of a precipice  :D

It's probably of my own doing - all the haxoring and unconventional hardware setup - but Linux 4.14.x occasionally hardlocks this machine when the power manager blanks my screens. I haven't run across this with any other ver, and it hasn't happened once on Linux 4.15.x

So, I'll be skipping over 4.14 ...