Peppermint OS

General => General Discussion => Topic started by: pin on January 17, 2018, 12:41:04 am

Title: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 17, 2018, 12:41:04 am
Let's see how far this goes or if it loses momentum!?
https://www.reddit.com/r/linuxmasterrace/comments/7i6kl7/amd_listened_to_us_and_added_a_psp_disable_option/?st=jawq1tt4&sh=eacf3aa8
and even more interesting, WD collaborating with open-source cpu RISC-V
https://www.wdc.com/about-wd/newsroom/press-room/2017-11-28-western-digital-to-accelerate-the-future-of-next-generation-computing-architectures-for-big-data-and-fast-data-environments.html
 :D
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 19, 2018, 01:16:32 pm
Just to leave some recent info on this issue here
http://kroah.com/log/blog/2018/01/19/meltdown-status-2/

Unfortunately, I have my Peppermint system back at my workplace... but I have both my systems updated and, therefore, no reason to expect differences.
So, here is the output of the command in the link above on my Void system
Code:
[pin@awesomevoidmusl ~]$ uname -r
4.14.14_1
[pin@awesomevoidmusl ~]$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

...just in case you would feel like checking your own system.

Good evening everyone
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: murraymint on January 19, 2018, 01:38:01 pm
Code:
grep: /sys/devices/system/cpu/vulnerabilities/*: No such file or directory
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 19, 2018, 02:04:14 pm
Hi murraymint
It should be
Code:
grep . /sys/devices/system/cpu/vulnerabilities/*
and not
Code:
grep: /sys/devices/system/cpu/vulnerabilities/*: No such file or directory
i.e. grep<space>.<space>/sys/... and not grep:<space>/sys/...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: murraymint on January 19, 2018, 02:20:43 pm
Hi, I posted the output to your command, pasted exactly as you had it. It doesn't work on Peppermint 7 ( or 8 ).
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 20, 2018, 04:25:37 am
 :o You're right?? Sorry!!
I've picked up my Peppermint 7 laptop at work today and there is no vulnerabilities folder in
Code:
/sys/devices/system/cpu/
This folder is at the end of the path above on my Void system. Inside are three files: meltdown, spectre_v1 and spectre_v2

Where are these in Peppermint?

EDIT: Just checked my daughter's Bodhi system and these are not there either  :o
So, the question is actually, where did Ubuntu place these files?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 20, 2018, 04:43:35 am
Nowhere .. that directory is only created if the kernel is patched to create it.
https://mail-archive.com/linux-kernel@vger.kernel.org/msg1579615.html
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 20, 2018, 05:53:12 am
@PCNetSpec
Any idea why Ubuntu chose not to apply it?
Oh well, the most important is the PTI patch anyway...

Sent from my SM-G900F via Tapatalk

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 20, 2018, 06:16:46 am
None whatsoever, but if it were my decision I'd probably not have applied it either. There are testing tools to see if things like the retpoline kernel patches are in place though they probably only fully apply to vanilla kernels (and may unmodified give spurious info on the Ubuntu or other kernels) .. meltdown is already patched .. browsers have been patched to mitigate remote exploits (which wouldn't get mentioned in that directory) and any info in the directory created by that patch would only apply to the kernel, which:-

a) isn't enough info to draw any security conclusions from .. Spectre goes MUCH further than kernel only mitigations.
and
b) would just spark a lot of confusion from those that don't understand the depth and breadth of the issue.

A LOT more than just the kernel is going to require patching, a lot of which is still unknown; this will be an ongoing issue for some time yet with a lot of fixed packages being released .. that directory doesn't (in fact can't) give accurate or inclusive information so is IMHO fairly pointless.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 20, 2018, 08:24:58 am
I agree, the kernel is only one of the several points of attack, and I know I have applied the patches to it  8)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: TrentCoh on January 21, 2018, 09:05:11 am
Is this only hitting the Intel processors? I thought AMD ones have the same issue, and even the Apple ones too.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 21, 2018, 09:25:48 am
It's in another thread but, here you go.
The only immune CPUs are the Raspberry Pis. Some of the AMDs, namely the Zens, are most probably only affected by Spectre and not Meltdown.

Sent from my SM-G900F via Tapatalk

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 21, 2018, 09:39:53 am
[...] and even the Apple ones too.

True!

Apple says Meltdown and Spectre flaws affect ALL Mac and iOS devices: https://goo.gl/gwFqyp
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 23, 2018, 10:47:32 am
...and here we go again
http://news.softpedia.com/news/canonical-pulls-intel-s-microcode-update-from-ubuntu-repos-due-to-hardware-issue-519494.shtml
duh! Install the microcode,... remove the microcode...
http://www.securityweek.com/intel-halts-spectre-meltdown-cpu-patches-over-unstable-code?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29

Great job Intel  ;)

Today,
http://news.softpedia.com/news/canonical-releases-spectre-patches-for-ubuntu-linux-meltdown-fix-for-powerpc-519507.shtml
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 23, 2018, 11:12:38 am
They REALLY should be clearer on what is patched and what isn't (and by what updates) .. I mean I had no issues with the microcode update, so would I be better off keeping it ?

And what's with the "and now the kernel is patched at 4.13.0-31" .. I thought it already was at 4.13.0-26 :-\

I realise this is a complex issue and not everything is known or fully understood yet, but surely they know what has been done up to this point. And surely they could spell out the implications of using either microcode so people can decide for themselves which suits them better >:(
(I mean what friggin bugs in the new microcode, and if I'm unaffected would I be better off keeping it ? .. I mean how friggin hard could that be to explain allowing ME to decide rather than this 'we know what's best for you, one size fits all', nannying)

This whole damn thing is being dealt with in a very un-linux semi-hidden way leaving people to have to dig for scraps of info from far and wide :(
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 23, 2018, 12:54:23 pm
PCNetSpec said "This whole damn thing is being dealt with in a very un-linux semi-hidden way leaving people to have to dig for scraps of info from far and wide"...i didn't know we were using the game plan from the microsoft playbook?...lol...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 23, 2018, 12:57:06 pm
Yeah! I totally agree with you. That's why I post those links in the first place.
I understand that this is a rather special situation, and not everything is clear. But like you, I've also updated three systems and have no issues after the update. Should I revert to a non-secure system then?!? Intel is due to release a new microcode next week. Should I trust it? Or maybe it has to be removed one week later. Really? One of the BSD guys flagged these issues ten years ago! So, it's not like all of it is a complete surprise for Intel.

Well, guess we all have to wait and see where this ends up, but the way it's being dealt with from Intel's side is not, by any means, trustworthy.

Said enough! Maybe recommendations will change already tomorrow  :-X

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 23, 2018, 01:35:03 pm
hi PCNetSpec, hi pin....whoooo...feeling warm, like the old days when using microsoft being a trained poodle jumping through flaming hoops of fire at the carnival sideshow...lol...OK all joking aside and who knows what tomorrow brings (thanks INTEL thanks CANONICAL for being as clear as mud),...at least for now i'm hoping things are where they should be but one possible request for future consideration...when i was still using LM Mint, i noticed that in the driver update manager, it would always tell you what microcode you had installed...i notice that our driver manager in peppermint does not tell us which one, just that we are using the alternate driver etc. etc. etc......is there any way that in the future that feature of marking just which microcode is installed/in use could actually be listed?...just a thought, and now that for the moment i can't even remember which one i have in here, is there a terminal command to ask just that question of it?...thanks...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 23, 2018, 01:38:53 pm
.. is there a terminal command to ask just that question of it?.

Code:
dpkg -l | grep microcode
will tell you which version (if any) you have installed.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 23, 2018, 01:48:42 pm
Damn it, you are fast [emoji6]...
...and I had "my fingers on the trigger" [emoji847]

Sent from my SM-G900F via Tapatalk

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 23, 2018, 02:11:04 pm
thanks guys...and yes PC is fast...must have taken typing in school like i did...lol...it's showing that i do indeed have the "latest and greatest" intel has to offer...DAMIEN

damien1307@DAMIEN1307 ~ $ dpkg -l | grep microcode
ii  intel-microcode                             3.20180108.1                                                amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                                 1.5.1-1ubuntu0.1                                            amd64        Intel processor microcode tool
damien1307@DAMIEN1307 ~ $
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 23, 2018, 02:31:03 pm
That's the version Intel now say is broken.

[EDIT]

It would REALLY help if Intel stopped releasing broken stuff (which Ubuntu have to undo/fix) ::)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 23, 2018, 02:37:04 pm
Damn it, you are fast [emoji6]...

They don't call me speedy for noth.... erm, at all really. ???
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 23, 2018, 02:50:12 pm
hey there....well if it is broken, i'm just going to wait till another comes through the pipeline...i'm not having any of the problems that people have been reporting...when i run...  (grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched")  ...in the terminal...i get this...

damien1307@DAMIEN1307 ~ $ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched"
CONFIG_PAGE_TABLE_ISOLATION=y
patched

which shows me i'm "patched"...at least for today...lol...DAMIEN
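The two kernel-side checks used in this thread, pin's grep over /sys/devices/system/cpu/vulnerabilities and the CONFIG_PAGE_TABLE_ISOLATION grep above, combined into one POSIX sh script. This is an added example, not code from the thread or from any of the posters; the function names, the one-word classes and the exit-code convention are this example's own, and the fallback reports "unknown" (rather than "unpatched") when the kernel config file is missing, which the one-liner above cannot distinguish.

```shell
#!/bin/sh
# Added example: summarise the kernel's own view of the Meltdown/Spectre
# mitigations.  Check 1 reads /sys/devices/system/cpu/vulnerabilities/*,
# which only exists on kernels carrying that patch (as noted earlier in the
# thread).  Check 2 falls back to CONFIG_PAGE_TABLE_ISOLATION in the running
# kernel's /boot/config-* file.  Function names and return codes are this
# example's own conventions.

# classify_status STATUS_TEXT
# Maps the text of one sysfs vulnerabilities file onto a one-word class.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_sysfs DIR
# Prints "<name> <class> <raw text>" for each file in DIR.  Exit status:
# 0 if nothing is marked Vulnerable, 1 if at least one file is,
# 2 if DIR does not exist (kernel predates the sysfs interface).
report_sysfs() {
    dir=$1
    [ -d "$dir" ] || return 2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f" 2>/dev/null || true)
        class=$(classify_status "$raw")
        [ "$class" = vulnerable ] && rc=1
        printf '%-12s %-13s %s\n' "${f##*/}" "$class" "$raw"
    done
    return $rc
}

# pti_from_config CONFIG_FILE
# Same test as the thread's grep one-liner, anchored to the start of the line.
# Prints patched / unpatched / unknown with exit status 0 / 1 / 2.
pti_from_config() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 2
    fi
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$cfg"; then
        echo patched
        return 0
    fi
    echo unpatched
    return 1
}

# main: prefer the sysfs interface, fall back to the kernel config for PTI.
main() {
    sysdir=/sys/devices/system/cpu/vulnerabilities
    status=0
    report_sysfs "$sysdir" || status=$?
    case $status in
        0) echo "kernel reports no Vulnerable entries in $sysdir" ;;
        1) echo "kernel reports at least one Vulnerable entry in $sysdir" ;;
        2) echo "$sysdir is missing: this kernel predates the sysfs interface"
           echo "PTI (from kernel config): $(pti_from_config "/boot/config-$(uname -r)")" ;;
    esac
}

main
```

Note that a "Mitigation:" line only says what the kernel itself is doing; as discussed in the thread, it says nothing about microcode, browsers or other user-space packages.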
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: scifidude79 on January 23, 2018, 04:07:52 pm
It would REALLY help if Intel stopped releasing broken stuff (which Ubuntu have to undo/fix) ::)

???

You know you're asking a lot, right?  ::)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 23, 2018, 05:00:13 pm
I guess they're a bit distracted ATM, what with their world falling apart and all.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 23, 2018, 09:26:32 pm
Good to go, at least for a few days  ;D
Code:
pedro@peppermint7 ~ $ dpkg -l | grep microcode
ii  intel-microcode                             3.20180108.0+really20170707ubuntu16.04.1     amd64        Processor microcode firmware for Intel CPUs
ii  iucode-tool                                 1.5.1-1ubuntu0.1                             amd64        Intel processor microcode tool
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 24, 2018, 09:47:04 am
hi folks...maybe, just maybe the time has finally arrived for an open source alternative for processors...as a community, diehard linux users usually always want to have exclusively open source everything on our systems just to stay away from proprietary crap and garbage shrouded in secrecy with so many gotchas built into them,  yet we have not really made much noise about open source CPUs/APUs on our computers...maybe now is the time...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 24, 2018, 10:08:59 am
Seen how expensive a semi-conductor fabrication plant is ?
https://en.wikipedia.org/wiki/Semiconductor_fabrication_plant

You raise the cash, and I'm in :)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 24, 2018, 10:19:15 am
hi PCNetSpec...i only said it would be a good idea...haven't quite worked out the logistics of it yet but still thinking...lol...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 24, 2018, 11:01:27 am
Did you guys see my first post in this thread? WD (hard drive manufacturer) collaborating with RISC-V (open source cpu), so who knows?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 24, 2018, 12:19:20 pm
Something tells me WD aren't planning on utilising the RISC-V ISA to get into the 'PC' CPU fabrication business .. but sure, never say never :)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 24, 2018, 12:29:57 pm
You might be right! It's always about second intentions, isn't it?
At least we can hope for a pleasant side effect [emoji6]
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 26, 2018, 03:53:52 am
So, it actually only lasted exactly two days...
Time for a new kernel..., again http://news.softpedia.com/news/canonical-releases-new-linux-kernel-update-for-ubuntu-17-10-and-16-04-hwe-users-519561.shtml
 ;)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 26, 2018, 06:56:18 am
Yep, expect a  LOT of updates around this .. and you'd be well advised to stay on top of them.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 26, 2018, 07:06:33 am
No problem with that. They are easily updated, both on Peppermint and on Void. My annoyance is with my daughter's Bodhi system [emoji26]... Bodhi doesn't update kernels in between releases, so every two days or so I'm refreshing the packages and installing new kernels on her laptop through Synaptic. Not difficult, just boring!

EDIT: Maybe this could actually be automated using a script to fetch the latest kernel from the Ubuntu repos instead?! Probably, worth looking into it...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 26, 2018, 07:38:06 am
I'd 'assume' that'd be doable, but I don't know enough about Bodhi to know for sure (or, I'm afraid, to be much help).
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 26, 2018, 08:07:56 am
That was not my intention [emoji6]! I don't expect to get help with another distro.
If I were to decide, she would be running Peppermint...
Anyway, just got her to the new kernel AGAIN!

Sent from my SM-G900F via Tapatalk

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 26, 2018, 08:18:04 am
:)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 29, 2018, 08:50:17 am
Linux 4.15 Released With Improved Meltdown, Spectre Patches

eWeek article: https://goo.gl/1QChtH

LKML announcement:  https://goo.gl/gj6Zi1
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 29, 2018, 09:13:04 am
Works ...

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: zebedeeboss on January 29, 2018, 10:31:32 am
Did you just install it as is or did you unload nvidia first, install it and then reload nvidia ?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 29, 2018, 10:41:07 am
Did you just install it as is or did you unload nvidia first, install it and then reload nvidia ?

I installed it, as is - didn't bother compiling it, et cetera. Recognized nVidia 390.12 just fine.  ;)

Here's a link to the binaries:  https://goo.gl/wubzDQ
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 29, 2018, 10:52:49 am
 ??? Fixed on the 4.14.15 also
Code:
[pin@awesomevoidmusl ~]$ uname -a
Linux awesomevoidmusl 4.14.15_3 #1 SMP PREEMPT Sun Jan 28 22:13:16 UTC 2018 x86_64 GNU/Linux
[pin@awesomevoidmusl ~]$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline
??? Sorry, on Void again

Should get that 4.15 on my PM7 soon....
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: zebedeeboss on January 29, 2018, 10:54:09 am
Well that worked... on Elementary OS - I wasn't going to test it on my Pep - I'll wait for official releases here   :D
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 29, 2018, 10:59:14 am
Yeah, Zeb....
One stable system and one to play around  8)
Although, I must say I'm surprised with Void, after all I read about rolling releases...
Code:
Install Date: Thu 12 Oct 2017 09:21 AM
Not a single break!!
Well, ICE broke two weeks ago but, that's not an official package...I think dependencies got updates...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: zebedeeboss on January 29, 2018, 11:07:04 am

Erm... I might have more than one play thing   ::)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 29, 2018, 11:34:35 am
 :D
EDIT: To be honest, I have plans to test NetBSD..., If only I could figure out how to boot it in EFI mode using grub...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 29, 2018, 12:46:01 pm
hi guys...a few questions...

1 - is using newest kernel ( 4.15 series ) advisable or wait for update manager etc?
2 - does this affect IBRS support in any way?
3 - does this affect use and application of up to date microcodes already installed and/or future ones to come on this kernel?
4 - will this kernel automatically update through update manager?

i ask only because, though it's nice to play around with all the toys here, there is something to be said about stability and usability over the long haul...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 29, 2018, 12:55:57 pm
Hi DAMIEN1307,
That’s why it's good to have two (or more [emoji6]) systems...
I don't want to break my PM7 laptop [emoji38]!  As I said Void never broke on me...but, IF it does, I still have a working system [emoji6]
The 4.15 will come, question is when?
1) If you can fix/troubleshoot a broken system, give it a try. Otherwise, just wait.
3) Microcode comes from Intel or AMD
4) Eventually, yes. Just saw a few 4.14 on Synaptic... but, it will take some time.

EDIT: I've never tried to install a kernel that is not in the repos yet [emoji55]
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 29, 2018, 01:15:36 pm
hi guys...a few questions...

1 - is using newest kernel ( 4.15 series ) advisable or wait for update manager etc?
2 - does this affect IBRS support in any way?
3 - does this affect use and application of up to date microcodes already installed and/or future ones to come on this kernel?
4 - will this kernel automatically update through update manager?

i ask only because, though it's nice to play around with all the toys here, there is something to be said about stability and usability over the long haul...DAMIEN

1) That's your decision .. If you're asking what the Team Peppermint 'official' line would be, it'd be to "stick to the default kernel unless you have a NEED not to, it's the only kernel that will receive automatic security updates".

2) I have no idea what you mean by IBRS ?

3) Theoretically NO .. microcode is simply applied by the kernel, it's not part of it.

4) NO .. the update manager will not automatically update the 4.15 kernel series, it has no mechanism for doing so .. new versions of linux-image-generic-hwe-16.04 will currently only update the 4.13 kernel series.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 29, 2018, 01:25:57 pm
@PCNetSpec
No.4 You are of course right, but one can still change it using Synaptic, although it will involve updating it manually afterwards.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 29, 2018, 02:08:22 pm
hi PC, hi pin...
2 - IBRS = x86 indirect branch speculation feature.  It enables the indirect branch restricted speculation (IBRS) on kernel entry and disables it on exit, IBRS feature requires corresponding microcode support.

3 - ok so then microcode = volatile application to kernel vs passive application to kernel

4 - i figured that update manager would not update this kernel at least at this time.

Spectre 2 requires OS kernel AND CPU microcode to be patched, they have to be made to work together in order to patch Spectre 2 with the IBRS and IBPB features. hence my #2 question does the 4.15 kernel "does this affect IBRS support in any way?"...for good or for bad...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 29, 2018, 03:50:08 pm
Microcode is processor firmware so independent of the kernel .. though the kernel loads it at boot
https://wiki.debian.org/Microcode

Basically the kernel applies the firmware to the processor at boot instead of the BIOS applying it .. and if it were applied by the BIOS it would be OS/kernel independent wouldn't it ;)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 29, 2018, 03:56:31 pm
@PCNetSpec
No.4 You are of course right, but one can still change it using Synaptic, although it will involve updating it manually afterwards.

Except there's no 4.15 kernel in the default repos ;)

It **may** be added to the default repos at some point if say hwe-16.04-edge ever gets it, but if that happens you'll be able to get automatic updates by switching to the hwe-16.04-edge track .. but unless/until that happens, no you can't use Synaptic as 4.15 just isn't there, and not every kernel in the mainline PPA gets security updates (only the ones that are used in an *buntu release or hwe .. and 4.15 currently isn't, and may never be).

If you want security updates, you MUST use a default kernel or patch the kernel manually.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 29, 2018, 04:21:01 pm
thanx PC...we are on the same page then...kernel applying microcode = "Volatile application"...if it was bios applied microcode, that is what they would call, "passive application"

and also on the same page as to 4.15 updating = probably not going to happen at all on 8 or 8.5 respin...this would be my reasoning to always err on the safe side of caution with security, stability, and usability in mind...wait for the update manager to supply things like this down the pipeline

i would think then that until the kerfuffle dies down from intel etc that the CPU coupled with usage of 4.15 kernel is probably not enabled/disabled as designed when in use but probably not enabled at all until all patches possible could be applied which would mean its not as readily exploitable but not fixed either...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 29, 2018, 04:42:15 pm
thanx PC...we are on the same page then...kernel applying microcode = "Volatile application"...if it was bios applied microcode, that is what they would call, "passive application"

I get what you (and 'they') are saying, but really both are volatile .. unless the firmware can be stored on the CPU itself, then it needs to be applied (loaded into memory) every time the PC is started .. be that by the BIOS, or by the OS.

Does it really matter if it's stored on the BIOS EEPROM or disk ? .. the storage of the firmware isn't volatile, but in both cases the application of it is.

I guess my point is, they're both the same .. just applied at boot differently.

The Linux method is more flexible and doesn't require a BIOS update .. but at the end of the day it's still the same firmware being applied each boot.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 10:57:32 am
Spectre & Meltdown vulnerability checker now in Debian's repos
http://news.softpedia.com/news/the-spectre-meltdown-vulnerability-checker-for-linux-is-now-in-debian-s-repos-519618.shtml
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 11:43:55 am
Spectre & Meltdown vulnerability checker now in Debian's repos

Heh!  Oops ...



Well, like it says ... "A false sense of security is worse than no security at all"  :)

EDIT

File-raped from here: https://goo.gl/r5nJca
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 30, 2018, 12:19:23 pm
hi guys...here's what i got when trying to install that checker...zippo, nada, goose egg, etc...lol...DAMIEN

damien@damien ~ $ sudo apt-get install spectre-meltdown-checker
[sudo] password for damien:
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Unable to locate package spectre-meltdown-checker
damien@damien ~ $

my guess is because it's a "debian" repository thing that it is not in the ubuntu repository at all so will not help peppermint users, that is unless i missed something to try to acquire this checker?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 12:32:20 pm
The link is in VinDSL's post, but here you go...
https://packages.debian.org/stretch-backports/all/spectre-meltdown-checker/download
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 12:36:41 pm
Then, install it manually using GDebi ...  ;)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 12:40:19 pm
Thx VinDSL, forgot about that detail  ;)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 30, 2018, 12:49:44 pm
Better method would be to download the later 0.33 script from the github page (the .deb from the Debian repo contains the older 0.32 script) and run it:
Code:
cd ~/Desktop
wget https://github.com/speed47/spectre-meltdown-checker/raw/master/spectre-meltdown-checker.sh
chmod +x ~/Desktop/spectre-meltdown-checker.sh
sudo /home/$USER/Desktop/spectre-meltdown-checker.sh
so on my system with the default 4.13.0-32 kernel:-
Code:
mark@Dell-E6530 ~ $ sudo /home/$USER/Desktop/spectre-meltdown-checker.sh
[sudo] password for mark:
Spectre and Meltdown mitigation detection tool v0.33+

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE opcodes in kernel:  YES  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
> STATUS:  NOT VULNERABLE  (Kernel source has PROBABLY been patched to mitigate the vulnerability (LFENCE opcodes heuristic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
so apparently with the default kernel I'm only vulnerable to one of the three vulnerabilities (Spectre variant 2) .. where your 4.15 kernel appears to be vulnerable to BOTH Spectre variants.



spectre-meltdown-checker on github:
https://github.com/speed47/spectre-meltdown-checker
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 01:03:44 pm
I knew I had linked that github page sometime ago, https://forum.peppermintos.com/index.php/topic,6415.msg65084.html#msg65084
But maybe it's easier with a .deb file for most of the users.
 :)

Anyway, on Void I get a slightly different response. Vulnerable to V1, but not V2 :o... or maybe I should run this as root...
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
* Checking count of LFENCE opcodes in kernel:  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

EDIT: Same output as root  :o
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 30, 2018, 01:11:24 pm
Dunno why .. it's a command line tool either way.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 30, 2018, 01:33:24 pm
as per the 4.15 series pin is using...

PCNetSpec wrote "so apparently with the default kernel I'm only vulnerable to one of the three vulnerabilities (Spectre variant 2) .. where your 4.15 kernel appears to be vulnerable to BOTH Spectre variants."

this is what i was trying to refer to...(probably quite badly i might add) when i wrote

" would think then that until the kerfuffle dies down from intel etc that the CPU coupled with usage of 4.15 kernel is probably not enabled/disabled as designed when in use but probably not enabled at all until all patches possible could be applied which would mean it's not as readily exploitable but not fixed either..." DAMIEN

that was my 2 cents worth...pockets empty now...lol...DAMIEN



Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 01:35:55 pm
I'm not on the 4.15 series in any of my machines!
PM7 is on 4.4 series and Void is on the 4.14....
VinDSL is on 4.15!
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 01:36:54 pm
Think I'll install a Liquorix kernel, for shiggles, and see how it scores  ;D
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 01:37:34 pm
Say that again... a what?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 01:44:16 pm
Say that again... a what?

https://goo.gl/WXjo1U

Used to run it all the time, but not recently ...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 30, 2018, 01:50:28 pm
Cheers! Thx for the link!
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 02:10:53 pm
Same ...

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 02:17:43 pm
It goes without saying, but at this point, I suppose a word of warning doesn't hurt  8)


(http://vindsl.com/images/Windowshot_2018-01-30_15:14:25.png)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on January 30, 2018, 02:20:29 pm
Yep I got the same .. the liquorix kernel is vulnerable to BOTH Spectre variants
Code: [Select]
mark@Dell-E6530 ~ $ uname -a
Linux Dell-E6530 4.14.0-15.2-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-22ubuntu1~xenial (2018-01-30) x86_64 x86_64 x86_64 GNU/Linux
mark@Dell-E6530 ~ $ sudo /home/$USER/Desktop/spectre-meltdown-checker.sh
[sudo] password for mark:
Spectre and Meltdown mitigation detection tool v0.33+

Checking for vulnerabilities on current system
Kernel is Linux 4.14.0-15.2-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-22ubuntu1~xenial (2018-01-30) x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Checking count of LFENCE opcodes in kernel:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

Seems the default kernel is the best for now :)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on January 30, 2018, 02:25:46 pm
Seems the default kernel is the best for now :)

You've crystallized my thoughts exactly  :)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: DAMIEN1307 on January 31, 2018, 12:45:40 am
hi pin....sorry pin...i meant vin when i was mentioning that kernel 4.15...tough getting old...lol...DAMIEN
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on January 31, 2018, 09:43:04 am
On Peppermint 7
Code: [Select]
pedro@peppermint7 ~ $ uname -a
Linux peppermint7 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Code: [Select]
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  YES  (71 jump-then-lfence instructions found, which is >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 01, 2018, 10:54:20 am
Apparently, one will hardly notice the impact on performance due to Meltdown and Spectre patches  :D
http://news.softpedia.com/news/linux-systems-running-newer-kernels-not-affected-by-meltdown-and-spectre-patches-519639.shtml
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 01, 2018, 12:29:01 pm
Ubuntu have today (01-Feb-2018) added a new version of the 4.15 kernel (4.15.0-041500) to the mainline kernel PPA:
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/

Like the default 4.13.0-32 kernel it's mitigated against Meltdown and ONE of the two Spectre variants.

But weirdly, according to the spectre-meltdown-checker.sh script 4.15 is vulnerable to Spectre variant 1, whereas the default 4.13 is vulnerable to variant 2

Default kernel 4.13.0-32
Code: [Select]
mark@Dell-E6530 ~ $ uname -a
Linux Dell-E6530 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
mark@Dell-E6530 ~ $ sudo /home/$USER//Desktop/spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  YES  (68 jump-then-lfence instructions found, which is >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Kernel source has PROBABLY been patched to mitigate the vulnerability (jump-then-lfence instructions heuristic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
NEW 4.15.0-041500 kernel
Code: [Select]
mark@Dell-E6530 ~ $ uname -a
Linux Dell-E6530 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 11:55:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
mark@Dell-E6530 ~ $ sudo /home/$USER//Desktop/spectre-meltdown-checker.sh
[sudo] password for mark:
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 11:55:45 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 6 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
So make of that what you will, toss a coin, and take your pick ???
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 01, 2018, 12:34:41 pm
Yeap! That's it  ???
My Peppermint 7 system is vulnerable to v2 and not v1, but my Void system is vulnerable to v1 and not v2 (see above).
Hum! Why can't one get both?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 01, 2018, 12:46:54 pm
Good question.

Maybe the next 4.13 default kernel will be compiled with a retpoline aware compiler .. and/or 4.15 will get the jump-then-lfence patches.

My money's on the default 4.13 kernel being first .. but who knows ???
(unless 4.15 hits hwe-edge first)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 07, 2018, 10:50:40 am
 :-\ On January 31 the 4.4.0 was bumped to 4.4.0-114, http://news.softpedia.com/news/linux-kernels-4-14-16-4-9-79-4-4-114-and-3-18-93-are-now-available-to-download-519640.shtml
One week later I'm still running the latest from the repos, i.e. 4.4.0-112??

Is it possible to know when it will hit the repos?
On Void, I can trace a package build in real-time here, https://build.voidlinux.eu/waterfall

Is there something similar for Ubuntu?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 07, 2018, 11:35:48 pm
Looks like they got out ...  8)




Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 08, 2018, 12:10:21 am
Cheers Vin  :-*! Will update tonight.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: Slim.Fatz on February 08, 2018, 12:54:02 am
Hi everyone,

FYI -- I just installed kernel 4.14.18 from this site (http://kernel.ubuntu.com/~kernel-ppa/mainline/) and then rebooted. The script spectre-meltdown-checker.sh (version 34+) produced the following output:


Note: finally Spectre Variant 1, Spectre Variant 2 and Meltdown (aka Variant 3) all came out as

STATUS: NOT VULNERABLE

Hooray !! First time I have seen all three with this result !!  8)

My machine:


 8)

Regards,

-- Slim
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: Slim.Fatz on February 08, 2018, 02:56:35 am
Hi again,

Now a little update to the previous post: On the same machine I also have Peppermint 7 installed. It is sort of my experimental Peppermint  ;D

So, from the same site linked to in the previous post, I fetched kernel-4.15.2 and installed it, ran the sm-checker script and got basically the same result:


So I'm a happy dude at the moment !!  8)

Regards,

-- Slim
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 08, 2018, 03:03:16 am
Great stuff slim [emoji41]

But, my PM7 is my stable machine. My experimental machine is my Void Linux system [emoji6]

I'm currently recovering one more laptop, just need a new SSD... So, who knows? I was actually thinking about taking NetBSD for a spin [emoji38]

EDIT: If I install in legacy mode I'll be able to dual boot it with Peppermint. So, yeah... who knows?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: Slim.Fatz on February 08, 2018, 04:42:54 am
Hi pin,

I too have been tempted to try one of the BSD distros (again). I tried them maybe ten years ago but was not impressed and never looked back. But a lot can happen in ten years, so maybe I will check one out again someday.

Have fun!  :)

Regards,

-- Slim
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 08, 2018, 11:55:54 am
Heh! I don't own a 'stable' machine. I love dangling over the edge of a precipice  :D

It's probably of my own doing - all the haxoring and unconventional hardware setup - but Linux 4.14.x occasionally hardlocks this machine when the power manager blanks my screens. I haven't run across this with any other ver, and it hasn't happened once on Linux 4.15.x

So, I'll be skipping over 4.14 ...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 08, 2018, 12:04:51 pm
 :-\ :-\ Never had any issues with the 4.14 series... :-\ :-\
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 08, 2018, 01:46:31 pm
I draw the line at 'hard resets' (REISUB doesn't work).

Don't want to push my luck, you know  :)



Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 08, 2018, 11:53:30 pm
 8) I've now joined the club... kernel 4.14.18 on Void
Code: [Select]
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
8)

Still waiting for the 4.4.0-114  :-\
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 09, 2018, 12:57:40 pm
Kernel 4.4.0-113.136 is currently in the "proposed" repos along with a ton of other stuff which probably made it possible such as a newer gcc+ etc.
(I think the main problem was they needed to add a patched GCC compiler before they could add a kernel compiled with it)

The good news is..

a) It means it'll likely land soon.

b) It's patched against all three vulnerability variants.

Here's the output from the spectre-meltdown-checker.sh script on a PM8 Respin-2 virtual machine that I'd removed the HWE from whilst responding to another topic, so was running the 4.4.0-112 kernel before I enabled the "proposed" repo, updated and rebooted:
Code: [Select]
mark@pm8r2-64bit ~ $ uname -a
Linux pm8r2-64bit 4.4.0-113-generic #136-Ubuntu SMP Wed Feb 7 18:00:10 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
mark@pm8r2-64bit ~/Desktop $ sudo ./spectre-meltdown-checker.sh
[sudo] password for mark:
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.4.0-113-generic #136-Ubuntu SMP Wed Feb 7 18:00:10 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x19)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 9 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
mark@pm8r2-64bit ~/Desktop $

So it's a comin :)

NOTE - This was on a VM (hardware virtualisation enabled), but I can't see why that would make a difference .. it did identify the CPU as vulnerable, but the kernel not :)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 09, 2018, 01:26:09 pm
And the other good news....

For default Peppermint 8 running the HWE-16.04, the "proposed" repo along with the same ton of other stuff such as the same gcc+ mentioned above also contains kernel 4.13.0-33.36 which according to the spectre-meltdown-checker.sh script is also fully patched against all 3 variants:-
Code: [Select]
mark@Dell-E6530 ~/Desktop $ uname -a
Linux Dell-E6530 4.13.0-33-generic #36~16.04.1-Ubuntu SMP Wed Feb 7 23:32:33 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
mark@Dell-E6530 ~/Desktop $ sudo ./spectre-meltdown-checker.sh
[sudo] password for mark:
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-33-generic #36~16.04.1-Ubuntu SMP Wed Feb 7 23:32:33 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x1c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 5 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
mark@Dell-E6530 ~/Desktop $
So all mitigations are coming to all Peppermint PCs near you soon :)

NOTE - This was on metal, so kinda shows that the VM made no difference in my last post.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: Slim.Fatz on February 09, 2018, 01:29:25 pm
Great !!  ;) 8)

Regards,

-- Slim
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 09, 2018, 01:43:30 pm
Seems they've also now enabled the
Code: [Select]
grep . /sys/devices/system/cpu/vulnerabilities/*
output.

Output for the 4.4.0-113.136 kernel:
Code: [Select]
mark@pm8r2-64bit ~ $ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
Output for the 4.13.0-33.39 kernel:
Code: [Select]
mark@Dell-E6530 ~ $ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
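Reading those same /sys files programmatically, as an added example (not code from this thread or from the spectre-meltdown-checker script): it parses the `grep .` lines into a per-variant status and lists anything still reported Vulnerable, including the "Vulnerable: Minimal generic ASM retpoline" case from the early 4.14 output, which names a partial measure and is still vulnerable. The sample lines are constructed from the outputs posted above; a missing directory (the "No such file or directory" case on older kernels) is reported as unknown, not as safe.

```python
import os
from dataclasses import dataclass

# Directory the kernel exposes (4.14.14 and distro backports): one file per variant.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed samples in the format `grep . /sys/devices/system/cpu/vulnerabilities/*`
# prints: "<path>:<file contents>", one line per variant. The first mirrors the
# early 4.14 output posted in this thread, the second the patched 4.4.0-113 output.
SAMPLE_EARLY_414 = """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
"""

SAMPLE_PATCHED_44 = """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
"""


@dataclass(frozen=True)
class VulnStatus:
    name: str    # sysfs file name: meltdown, spectre_v1, spectre_v2, ...
    state: str   # "mitigated", "vulnerable", "not_affected" or "unknown"
    detail: str  # text after the keyword, e.g. "Full generic retpoline"


def parse_status_value(name: str, value: str) -> VulnStatus:
    """Classify one file's contents. The kernel prefixes every value with
    'Mitigation:', 'Vulnerable' or 'Not affected'; the rest is descriptive.
    'Vulnerable: <text>' is still vulnerable: the text only says what partial
    measure is present (e.g. the minimal ASM retpoline)."""
    value = value.strip()
    lower = value.lower()
    if lower.startswith("not affected"):
        return VulnStatus(name, "not_affected", "")
    if lower.startswith("mitigation:"):
        return VulnStatus(name, "mitigated", value.split(":", 1)[1].strip())
    if lower.startswith("vulnerable"):
        return VulnStatus(name, "vulnerable", value[len("vulnerable"):].strip(": ").strip())
    return VulnStatus(name, "unknown", value)


def parse_grep_output(text: str) -> dict:
    """Parse `grep . <dir>/*` lines. Only the first colon separates the path
    from the contents; later colons belong to the value ('Mitigation: PTI')."""
    statuses = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        path, value = line.split(":", 1)
        name = os.path.basename(path)
        statuses[name] = parse_status_value(name, value)
    return statuses


def read_live(sysfs_dir: str = SYSFS_DIR) -> dict:
    """Read the real files. An absent directory (a kernel without the sysfs
    interface) returns an empty dict: the kernel is not reporting, which is
    not the same as being safe."""
    statuses = {}
    if not os.path.isdir(sysfs_dir):
        return statuses
    for name in sorted(os.listdir(sysfs_dir)):
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                statuses[name] = parse_status_value(name, fh.read())
        except OSError as exc:
            statuses[name] = VulnStatus(name, "unknown", f"read error: {exc}")
    return statuses


def still_open(statuses: dict) -> list:
    """Names of variants that are neither mitigated nor 'not affected'.
    Unknown entries are included so they are never silently counted as fixed."""
    return sorted(n for n, s in statuses.items() if s.state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_live()
    if not live:
        print("kernel does not expose", SYSFS_DIR, "- status unknown")
    for st in live.values():
        print(f"{st.name:12} {st.state:12} {st.detail}")
    print("still open:", still_open(live) or "none")
```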
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 09, 2018, 01:45:09 pm
 8) Nice!
I'll be waiting for it  :D
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 23, 2018, 06:38:22 am
Hi everyone on PM7 or/and on the kernel 4.4 series, here is some good news
Code: [Select]
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  NO
* Kernel has the Red Hat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
;)
Just update to get the 4.4.0-116 kernel...
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 23, 2018, 12:20:52 pm
Yep, Peppermint 8 also got 4.13.0-36 at the same time .. with the same results :)
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 23, 2018, 02:48:47 pm
Linux 4.15.5 mainline build is hanging in there, too ...  8)



Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 23, 2018, 03:13:33 pm
Maybe time to mark this as 'Solved' [emoji38]
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 23, 2018, 03:22:07 pm
Nope, this can never be truly called "solved" until it's done in hardware, "mitigated" is the best it could be called as the original issue is still present, they've just made the originally discovered mechanism for possible exploit no longer work (nobody is claiming "impossible" to exploit or "fixed", the rabbit hole is just too deep .. someone could still come up with a brand new as yet unthought of mechanism to exploit the still present hardware design flaw).

Then again, I guess you can ALWAYS say "things are only fixed until the next exploit is discovered" :)

I'm just finding it difficult to let off the CPU designers by labelling it "solved" when it's a software solution (to a hardware fault) with a performance impact on their CPUs that you just know they'll now blame on software.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 23, 2018, 03:48:32 pm
I was just joking about it!
...and at the same time wondering when the next issue would show up?!
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: PCNetSpec on February 23, 2018, 04:49:05 pm
I thought you might have been joking, but couldn't resist the opportunity for one last moan at the CPU OEMs >:D
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 25, 2018, 06:41:41 am
This can never be truly called "solved" until it's done in hardware [...]

Perfect example.

While I was doing weekly maintenance on my 32bit Peppermint/Ubu test box, I started thinking ... I've never installed the mitigation tool.

When I was done doing all of the incremental updates, I ran the tool -  mind you, this is with the most recent mainline kernel build - which tests out just fine on my 64bit machines.

Vuln 3 still hasn't been patched:


(http://vindsl.com/images/VinDSL-Screenshot_2018-02-25_07:30:24.png)
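The checker output posted earlier in the thread and the 32-bit result above both boil down to what the kernel itself reports under /sys/devices/system/cpu/vulnerabilities. The following POSIX sh snippet is an added example, not the spectre-meltdown-checker tool nor anything posted by the thread's participants: it reads that directory and classifies each entry as mitigated, not affected or vulnerable. The directory path is a parameter so the same function can be run against a constructed copy; the sample values written by make_sample_vulns are made up to mirror the 32-bit case (Meltdown still "Vulnerable", the Spectre variants mitigated) and additionally include the spec_store_bypass entry that later kernels expose for the variant 4 discussed further down the thread.

```shell
# Added example (not the posters' own tool and not spectre-meltdown-checker):
# read the kernel's sysfs vulnerability interface and summarise each entry.

# Print one "<name> <state>" line per file under $1
# (default: the live sysfs directory).
# States: mitigated / not_affected / vulnerable / unknown
summarize_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        # Kernels before the interface was added (4.15 / backports) have no such directory.
        echo "no $dir (kernel has no sysfs vulnerability interface)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) state=not_affected ;;
            "Mitigation:"*)  state=mitigated ;;
            "Vulnerable"*)   state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s %s\n' "$name" "$state"
    done
}

# Print the number of entries under $1 that still report "Vulnerable".
count_vulnerable() {
    summarize_vulns "$1" | awk '$2 == "vulnerable" { n++ } END { print n+0 }'
}

# Build a constructed sample directory (values are made up for the demo):
# Spectre v1/v2 mitigated, Meltdown unpatched as on the 32-bit box above,
# plus the spec_store_bypass (variant 4) entry newer kernels add.
make_sample_vulns() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n'       > "$d/spectre_v2"
    printf 'Vulnerable\n'                               > "$d/meltdown"
    printf 'Vulnerable\n'                               > "$d/spec_store_bypass"
    echo "$d"
}

# Stand-alone usage: summarise the live system when it has the interface,
# otherwise fall back to the constructed sample so the script still runs.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    summarize_vulns
else
    summarize_vulns "$(make_sample_vulns)"
fi
```

On a live system the second line of each entry's text (e.g. "Mitigation: PTI" or "Vulnerable: Minimal generic ASM retpoline") is what the checker script condenses into its STATUS lines; the classification here keys only on the leading word, so a "Vulnerable: ..." entry that names a partial mitigation is still counted as vulnerable, which matches how the kernel intends it to be read.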
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 25, 2018, 06:49:05 am
LoL! I was looking at Conky (above).

259MB RAM being used, sitting idle at the desktop, with CLI open.

Gotta love Peppermint OS ...  :D
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on February 25, 2018, 06:52:04 am
Hi VinDSL,
I remember reading that 32 bit systems would be patched later. Looking around after your post, I found that 32 bit is still not fully patched, see http://forums.debian.net/viewtopic.php?f=3&t=135775&sid=333beb75703ac577388e4955a1946bf3&start=60#p663711

EDIT: Gentoo keeps an up-to-date list here https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre#Resolution
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: VinDSL on February 25, 2018, 07:06:45 am
Aha! No biggy ...

I only boot this machine every week or two, and do incremental updates to keep everything up-to-date.

Thx for the heads-up, pin ;)

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: esjay on February 25, 2018, 10:41:05 am
In my point of view this issue is solved. 4.13.0-36 is fine, not to forget that a firewall, a router and being careful should be more than enough. By the way, anyone using Ukuu? I am not sure if this enhances security?
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: pin on May 21, 2018, 09:18:21 pm
...and here we go again! Spectre variant 4...
https://techcrunch.com/2018/05/21/intel-discloses-a-new-spectre-exploit-variant-but-leaves-mitigation-off-by-default/

https://www.theverge.com/2018/5/21/17377994/google-microsoft-cpu-vulnerability-speculative-store-bypass-variant-4

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Sent from my SM-G900F via Tapatalk

Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: The PoorGuy on May 24, 2018, 02:00:18 pm
.
Title: Re: Post Meltdown, Spectre and other Intel issues
Post by: dro3m on June 13, 2018, 02:35:54 pm
Intel has some sketchy ideas and plans, here are a few: