Peppermint OS Community Forum

General => GNU/Linux Discussion => Topic started by: VinDSL on January 05, 2018, 11:52:22 pm

Title: #SpectreAndMeltdown
Post by: VinDSL on January 05, 2018, 11:52:22 pm
2018 Jan 04: Canonical publicly communicates the planned update schedule (https://goo.gl/MaQ7xw)

Quote
At its heart, this vulnerability is a CPU hardware architecture design issue.  But there are billions of affected hardware devices, and replacing CPUs is simply unreasonable.  As a result, operating system kernels — Windows, MacOS, Linux, and many others — are being patched to mitigate the critical security vulnerability.

Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible. 

Updates will be available for:
  • Ubuntu 17.10 (Artful) — Linux 4.13 HWE
  • Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
  • Ubuntu 14.04 LTS (Trusty) — Linux 3.13
  • Ubuntu 12.04 ESM** (Precise) — Linux 3.2
Note that an Ubuntu Advantage license is required for the 12.04 ESM kernel update, as Ubuntu 12.04 LTS is past its end-of-life

Ubuntu 18.04 LTS (Bionic) will release in April of 2018, and will ship a 4.15 kernel, which includes the KPTI patchset as integrated upstream.
Title: Re: #SpectreAndMeltdown
Post by: DAMIEN1307 on January 06, 2018, 12:19:44 am
i have taken note that the 4.10 series kernels that many of us are using is not mentioned in this forthcoming kernel security update...DAMIEN
Title: Re: #SpectreAndMeltdown
Post by: VinDSL on January 06, 2018, 12:22:00 am
NOTE: I've been running the Linux 4.13 HWE Kernel in Peppermint 7 for a while now, with zero problems.

That's the route I'll continue to go ...  ;)


╭─vindsl@Boogaloo-5 ~ 
╰─➤  inxi -v1
System:    Host: Boogaloo-5 Kernel: 4.13.0-22-generic x86_64 (64 bit)
           Desktop: N/A Distro: Peppermint Seven
CPU:       Quad core Intel Core i5-3470 (-MCP-) speed/max: 3192/3600 MHz
Graphics:  Card: NVIDIA GK208 [GeForce GT 710B]
           Display Server: X.Org 1.19.5 drivers: nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1920x1080@60.00hz, 1920x1080@60.00hz, 2560x1080@60.00hz
           GLX Renderer: GeForce GT 710/PCIe/SSE2
           GLX Version: 4.6.0 NVIDIA 387.34
Drives:    HDD Total Size: 1250.3GB (11.4% used)
Info:      Processes: 204 Uptime: 7:10 Memory: 2250.8/15999.2MB
           Client: Shell (zsh) inxi: 2.2.35
Title: Re: #SpectreAndMeltdown
Post by: pin on January 06, 2018, 12:23:27 am
I'm on 4.14.12 kernel with KPTI patch on my Void box since a few hours ago.
Can't say I could notice any performance difference. But, I've not compiled anything from source.
Will be updating my Peppermint 7 system as soon as I have time!

Sent from my SM-G900F via Tapatalk

Title: Re: #SpectreAndMeltdown
Post by: PCNetSpec on January 06, 2018, 03:33:29 pm
Quote
i have taken note that the 4.10 series kernels that many of us are using is not mentioned in this forthcoming kernel security update...DAMIEN

Don't panic, the 4.4 HWE (where our 4.10 kernel comes from) will get the patches too.

Quote
Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible.  Updates will be available for:

    Ubuntu 17.10 (Artful) — Linux 4.13 HWE
    Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
    Ubuntu 14.04 LTS (Trusty) — Linux 3.13
    Ubuntu 12.04 ESM** (Precise) — Linux 3.2
Title: Re: #SpectreAndMeltdown
Post by: VinDSL on January 07, 2018, 10:05:50 am
Quote
NOTE: I've been running the Linux 4.13 HWE Kernel in Peppermint 7 for a while now, with zero problems.

That's the route I'll continue to go ...  ;)

Pin's comment (above) got me thinking about Linux 4.14.x

Greg Kroah-Hartman's musings (over here (https://goo.gl/LwQiNH)) convinced me.

Quote
<SNIP>

Right now, Linus’s kernel tree contains all of the fixes we currently know about to handle the Meltdown vulnerability for the x86 architecture. Go enable the CONFIG_PAGE_TABLE_ISOLATION kernel build option, and rebuild and reboot and all should be fine.

However, Linus’s tree is currently at 4.15-rc6 + some outstanding patches. 4.15-rc7 should be out tomorrow, with those outstanding patches to resolve some issues, but most people do not run a -rc kernel in a “normal” environment.

Because of this, the x86 kernel developers have done a wonderful job in their development of the page table isolation code, so much so that the backport to the latest stable kernel, 4.14, has been almost trivial for me to do. This means that the latest 4.14 release (4.14.12 at this moment in time), is what you should be running. 4.14.13 will be out in a few more days, with some additional fixes in it that are needed for some systems that have boot-time problems with 4.14.12 (it’s an obvious problem, if it does not boot, just add the patches now queued up.)

<SNIP>

If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. The lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains. You need to worry about that more than anything else at this moment, and get your systems up to date first.

Also, go yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act.

<SNIP>

Conclusion

Again, update your kernels, don’t delay, and don’t stop.
The updates to resolve these problems will be continuing to come for a long period of time. Also, there are still lots of other bugs and security issues being resolved in the stable and LTS kernel releases that are totally independent of these types of issues, so keeping up to date is always a good idea.


I updated all my machines to the Linux 4.14.12 Kernel yesterday, and it's all good, so that's the route I'll be taking ...   8)

Thx pin !
Title: Re: #SpectreAndMeltdown
Post by: Slim.Fatz on January 07, 2018, 10:22:35 am
Hi everyone,

I too have the Linux 4.14.12 kernel on my Peppermint 6 and Seven machines and can also say that it is running just perfectly for me. I guess I'll go on and put it on my Peppermint 8-Respins too.

Regards,

-- Slim  8)
Title: Re: #SpectreAndMeltdown
Post by: cfx795 on January 08, 2018, 03:46:42 am
I'm not sure what kernel I'm using. I'm running Peppermint 7. I will say that I have had my update manager preferences set so that it only gives me levels 1 and 2 updates, and I unchecked the box that said "always show security updates" because (as I remember) I was getting level 4 and 5 "security updates" which made no sense to me. Please let me know if there's something else I should be aware of, here, and doing differently. I don't recall seeing any updates popping up there in the last, say, 48hrs... thanks!
Title: Re: #SpectreAndMeltdown
Post by: pin on January 08, 2018, 04:40:09 am
To know the kernel you are running, type
Code:
uname -a
or
Code:
uname -r
Peppermint 7 should be on 4.4.0-X, unless you've manually installed another kernel. I know my Peppermint 7 is on 4.4.0-104.
I would allow all updates, at least during the coming months! Or just run
Code:
sudo apt-get update
and
Code:
sudo apt-get dist-upgrade
every two days or so.
Ubuntu is releasing the patches today, I think!? tomorrow.
By the way, don't worry about the slowdown. As mentioned above, I've been using the patched kernel on my Void system for a few days now, and haven't noticed any issues. Actually, the kernels in Void have been rolled out almost on a daily basis for the last 3 days, so far no issues. Currently on 4.14.12-3.
But, I haven't compiled anything from source yet, so it might be that I'm misjudging the slowdown?!
Title: Re: #SpectreAndMeltdown
Post by: cfx795 on January 08, 2018, 08:22:29 am
Ok, thanks much. I think for now I'll just do the manual install in the terminal window that you suggested. I might start a new topic regarding the update manager, because I never really understood it.
Title: Re: #SpectreAndMeltdown
Post by: PCNetSpec on January 08, 2018, 08:58:07 am
Personally I'd advise you stick with the default kernel and just await the patched kernel updates.

I'd also advise you re-enable level 3, 4, and 5 updates .. there is going to be WAY more to this than a single kernel update.
(we chose the Ubuntu update policy rather than Mint's precisely for scenarios like this)

Even more importantly, re-enable "always show security updates" as disabling it will stop ALL security updates.
Title: Re: #SpectreAndMeltdown
Post by: scifidude79 on January 08, 2018, 09:50:56 am
Quote
I'm not sure what kernel I'm using. I'm running Peppermint 7. I will say that I have had my update manager preferences set so that it only gives me levels 1 and 2 updates, and I unchecked the box that said "always show security updates" because (as I remember) I was getting level 4 and 5 "security updates" which made no sense to me. Please let me know if there's something else I should be aware of, here, and doing differently. I don't recall seeing any updates popping up there in the last, say, 48hrs... thanks!

The level 4 and 5 thing is some weird thing that Mint does.  We only use their update manager, not their settings.  Those updates are NOT dangerous and every security update should always be installed.  Period.  Security updates are called that because they are updates to the security of your system.  Without those updates, your system's security could be compromised.
Title: Re: #SpectreAndMeltdown
Post by: PCNetSpec on January 08, 2018, 10:14:11 am
Even Mint don't disable updates from the security repo .. erm do they ?, surely not that would be absurd.
Title: Re: #SpectreAndMeltdown
Post by: scifidude79 on January 08, 2018, 11:26:50 am
Quote
Even Mint don't disable updates from the security repo .. erm do they ?, surely not that would be absurd.

I don't think so, that wouldn't be a good move, though it's been too long since I ran Mint to be sure.
Title: Re: #SpectreAndMeltdown
Post by: cfx795 on January 08, 2018, 04:14:14 pm
Quote
Personally I'd advise you stick with the default kernel and just await the patched kernel updates.

I'd also advise you re-enable level 3, 4, and 5 updates .. there is going to be WAY more to this than a single kernel update.
(we chose the Ubuntu update policy rather than Mint's precisely for scenarios like this)

Even more importantly, re-enable "always show security updates" as disabling it will stop ALL security updates.

Ok. I guess that answers my questions, really. I sort of had the sneaking suspicion that this was what I should be doing, allowing all updates, but I wanted to hear it straight from folks more knowledgeable than myself, before I started enabling things with exotic labels like "unsafe" and "dangerous." I enabled 3, 4, and 5 and re-enabled all security updates. My system is up to date.
Title: Re: #SpectreAndMeltdown
Post by: pin on January 08, 2018, 05:27:59 pm
Here is a tool to check system vulnerability https://github.com/speed47/spectre-meltdown-checker
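
A minimal check of the Meltdown mitigation discussed in this thread (KPTI, the CONFIG_PAGE_TABLE_ISOLATION build option quoted earlier), as an added example: it is not part of the original posts and is not code from spectre-meltdown-checker. The function names are made up here, and it assumes the kernel exposes either the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown or a `pti`/`kaiser` flag in /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not from the thread): is Meltdown page table isolation (KPTI)
# built into this kernel, and is it active? File paths are arguments so the
# functions can also be run against saved copies from another machine.

# kpti_built CONFIG_FILE -> prints yes | no | unknown
kpti_built() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1"; then echo yes; else echo no; fi
}

# kpti_state SYSFS_FILE CPUINFO_FILE
#   -> prints enabled | vulnerable | not-affected | not-enabled | unknown
kpti_state() {
    sysfs=$1
    cpuinfo=$2
    # Kernels that carry the sysfs reporting interface state the result directly.
    if [ -r "$sysfs" ]; then
        case "$(cat "$sysfs")" in
            "Mitigation: PTI"*) echo enabled; return 0 ;;
            "Not affected"*)    echo not-affected; return 0 ;;
            "Vulnerable"*)      echo vulnerable; return 0 ;;
        esac
    fi
    # Assumption: without that file, an active KPTI shows up as a "pti" flag
    # ("kaiser" on some older backports) in the flags line of /proc/cpuinfo.
    [ -r "$cpuinfo" ] || { echo unknown; return 0; }
    if grep '^flags' "$cpuinfo" | head -n 1 | grep -Eqw 'pti|kaiser'; then
        echo enabled
    else
        # Unpatched kernel, KPTI switched off, or a CPU that does not need it.
        echo not-enabled
    fi
}

# Report for the running system.
rel=$(uname -r)
echo "kernel:     $rel"
echo "KPTI built: $(kpti_built "/boot/config-$rel")"
echo "KPTI state: $(kpti_state /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo)"
```

A "not-enabled" result on a kernel older than the patched releases named in this thread simply means the update has not been installed or booted yet.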
Title: Re: #SpectreAndMeltdown
Post by: pin on January 09, 2018, 02:53:09 pm
Hum! Has anyone got the Ubuntu KPTI patched kernel today?? It was supposed to be released today!...
Title: Re: #SpectreAndMeltdown
Post by: DAMIEN1307 on January 09, 2018, 06:04:53 pm
hi pin...i haven't seen it yet from Peppermint's update manager but did see it on my linux mint update manager on my other computer with the AMD chip...curiously though that even though mint said it was updating 4.4 series and 4.13 series kernels, i only saw the 4.4 series download in the specs...also take note of message from Ubuntu..."The Rolling HWE kernel for Ubuntu 16.04 will go to 4.13 early, instead of also fixing 4.10 HWE kernel."...so the 4.10 series kernel that most peppermint users have been using, it looks like we will have to at a minimum either regress to the 4.4 LTS series, or upgrade to at least the 4.13 HWE series kernels in order to have the kernel security update applied...will keep you all informed if i find out more...sorry i couldn't tell ya more than that...DAMIEN
Title: Re: #SpectreAndMeltdown
Post by: pin on January 09, 2018, 11:03:59 pm

Thx!
Title: Re: #SpectreAndMeltdown
Post by: murraymint on January 10, 2018, 08:27:31 am
This came through yesterday for Peppermint 7:

Code:
4.4.0-108-generic #131-Ubuntu SMP Sun Jan 7 14:34:49 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


EDIT:

and just now:
Code:
4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Title: Re: #SpectreAndMeltdown
Post by: pin on January 10, 2018, 09:16:20 am
Thanks!
Will be loading those as soon as I get home... ;)