Welcome!
Important information
-- Spectre and Meltdown vulnerabilities
-- Change in MX sources

News
-- MX Linux on social media: here
-- Mepis support still here

Current releases
-- MX-17.1 Final release info here
-- antiX-17 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

Trying antiX-17.2 kernel on MX-17.1_x64

For issues with MX that has been modified from the initial install. Example: adding packages that then cause issues.
Post Reply
Message
Author
User avatar
Richard
Posts: 2150
Joined: Fri Dec 12, 2008 10:31 am

Trying antiX-17.2 kernel on MX-17.1_x64

#1 Post by Richard » Sat Oct 06, 2018 6:27 pm

Although the 4.9-Deb-LTS kernel gave good results
there was still the L1TF, L1 Terminal Fault, unmitigated,
on both it and the 4.15 kernels, which although it supposedly
requires physical access to exploit.

Even so, curiosity led me to install the new kernel from antiX-17.2,
4.18.7-antix.1-amd64-smp, onto MX-17.1_x64 on the T430,

Everyday temps are about the same. Remains to do
an MX-Snapshot to ascertain snapping temps. So far
no other anomalys noticed. Have the Debian 4.9 LTS
and an up-to-date MX stock 4.15 kernels as backups.

The spectre-meltdown-checker gave a better reading
on the antiX kernel than on all the other kernels tested:

Code: Select all

root@mx171:/home/richard# spectre-meltdown-checker 
Spectre and Meltdown mitigation detection tool v0.39

Checking for vulnerabilities on current system
Kernel is Linux 4.18.7-antix.1-amd64-smp #2 SMP PREEMPT Sun Sep 9 14:03:41 BST 2018 x86_64
CPU is Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 0x3a family 0x6 stepping 0x9 ucode 0x20 cpuid 0x306a9)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 
  * Vulnerable to Variant 3a:  YES 
  * Vulnerable to Variant 4:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for kernel and firmware code)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports PCID, performance impact of PTI will be reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
Last edited by Richard on Tue Oct 09, 2018 10:45 pm, edited 1 time in total.
MX171: Lenovo T430: Intel Ivy Bridge i5-3320M, 8GB RAM, 4.18.0-2-amd64, 119GB SSD
MX171: EeePC 1005HA: Dual Core Atom N270, 1GB RAM, 4.9.0-8-686, 150GB HDD
Thunar/Doublecmd, LibO613, Dropbox, Firefox, CherryTree, Vbox. LinuxCounter #208633

User avatar
KoO
Forum Regular
Forum Regular
Posts: 306
Joined: Fri Feb 10, 2017 1:21 am

Re: Using antiX-17.2 kernel on MX-17.1_x64

#2 Post by KoO » Sun Oct 07, 2018 4:20 am

Been running that kernel on my T430 for a while now under Antix 17.1 and now 17.2 temps have been good and running smoothly.Also the same on my Desktop machine. Antix only
AntiX 17.2 (4.18.7) i3 ,Windows8.1 , Intel Xeon E3-1241 v3 , 16gb HyperX , Samsung EVO 860 500 GB , Samsung EVO 860 500 GB , GTX 970
Lenovo T430 AntiX17.2 (4.18.7) i3 ,MX17 ,Windows8.1 , i5 +4000 , 8gb , Samsung EVO 860 500 GB , 1TB HGST

User avatar
KernSpy
Forum Regular
Forum Regular
Posts: 625
Joined: Wed Nov 05, 2014 10:09 pm

Re: Using antiX-17.2 kernel on MX-17.1_x64

#3 Post by KernSpy » Sun Oct 07, 2018 8:16 am

Should I have used that instead of .. 4.9.126-antix.1-amd64-smp #1 SMP PREEMPT?

Spectre and Meltdown mitigation detection tool v0.39

Checking for vulnerabilities on current system
Kernel is Linux 4.9.126-antix.1-amd64-smp #1 SMP PREEMPT Mon Sep 10 15:16:15 BST 2018 x86_64
CPU is Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: YES (Intel SSBD)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU microcode is known to cause stability problems: NO (model 0x46 family 0x6 stepping 0x1 ucode 0x1a cpuid 0x40661)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for kernel and firmware code)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer


================================================
Spectre and Meltdown mitigation detection tool v0.39

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-1-amd64 #1 SMP Debian 4.15.4-1~mx17+1 (2018-02-23) x86_64
CPU is Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: YES (Intel SSBD)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU microcode is known to cause stability problems: NO (model 0x46 family 0x6 stepping 0x1 ucode 0x1a cpuid 0x40661)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB)
* Mitigation 1
* Kernel is compiled with IBRS support: NO
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Kernel supports speculation store bypass: NO
> STATUS: VULNERABLE (your kernel needs to be updated)

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
MX-17.1_x64 | System76 Galago UltraPro / Clevo W740SU | Intel Core i7-4770HQ | Intel Iris Pro Graphics 5200 | 16 GB DDR3 | Intel 530 series mSATA SSD - 240-GB | WD7500BPKX - 750-GB | Intel HD Audio. Note: [System76] and the Galago's neutered UEFI

User avatar
Richard
Posts: 2150
Joined: Fri Dec 12, 2008 10:31 am

Re: Using antiX-17.2 kernel on MX-17.1_x64

#4 Post by Richard » Tue Oct 09, 2018 8:32 am

Due to the 4.18.7-antix.1-amd64-smp seeming to be a bit quirky resuming from Suspend,
I changed to the 4.9.126-antix.1-amd64-smp at present which gives a completely mitigated result
from the Spectre-Meltdown-checker. Will try it for a while. Might be a better fit on this older CPU.

Code: Select all

CPU:       Topology: Dual Core model: Intel Core i5-3320M bits: 64 type: MT MCP arch: Ivy Bridge family: 6 
           model-id: 3A (58) stepping: 9 microcode: 20 L2 cache: 3072 KiB 
MX171: Lenovo T430: Intel Ivy Bridge i5-3320M, 8GB RAM, 4.18.0-2-amd64, 119GB SSD
MX171: EeePC 1005HA: Dual Core Atom N270, 1GB RAM, 4.9.0-8-686, 150GB HDD
Thunar/Doublecmd, LibO613, Dropbox, Firefox, CherryTree, Vbox. LinuxCounter #208633

Post Reply

Return to “MX Modified”