
Re: Which kernel should I use ?

Posted: Thu Sep 27, 2018 5:50 pm
by oops
baldyeti wrote:
Thu Sep 27, 2018 5:11 pm

So I have to rely on my distribution maintainers to provide me with the best possible current protection, don't I?
Running the "inxi" invocation suggested above, I am getting

Code:

# MX17.1 stock 4.15.0-1-amd64 kernel:
	CPU:       Topology: Dual Core model: Intel Core i3-2120 bits: 64 type: MT MCP family: 6 
	model-id: 2A (42) stepping: 7 microcode: 2E L2 cache: 3072 KiB 
	Speed: 2515 MHz min/max: 1600/3300 MHz Core speeds (MHz): 1: 2515 2: 1930 	3: 1981 4: 2721 
	Vulnerabilities: Type: meltdown mitigation: PTI 
	Type: spectre_v1 mitigation: __user pointer sanitization 
	Type: spectre_v2 mitigation: Full generic retpoline, IBPB 
Yes, but do you also have, for the 4.15, these packages installed (at least the related one for your cpu)?

Code:

dpkg -l '*microcode*' | grep -E --color "microcode"
ii  amd64-microcode 3.20160316.3         i386         Processor microcode firmware for AMD CPUs
ii  intel-microcode 3.20180807a.1~deb9u1 i386         Processor microcode firmware for Intel CPUs
un  microcode.ctl   <aucune>             <aucune>     (aucune description n'est disponible)

# example version number, with and without the microcode firmware (here it's with):
grep microcode /proc/cpuinfo
microcode	: 0x218
... If so, it is probably not the latest one

Re: Which kernel should I use ?

Posted: Thu Sep 27, 2018 6:05 pm
by baldyeti
I've got the exact same intel microcode package installed, yet i am getting: microcode : 0x2e

Re: Which kernel should I use ?

Posted: Thu Sep 27, 2018 6:11 pm
by oops
baldyeti wrote:
Thu Sep 27, 2018 6:05 pm
I've got the exact same intel microcode package installed, yet i am getting: microcode : 0x2e
... If so, it is probably not the latest one

Re: Which kernel should I use ?

Posted: Thu Sep 27, 2018 7:30 pm
by Stevo
oops wrote:
Thu Sep 27, 2018 6:11 pm
baldyeti wrote:
Thu Sep 27, 2018 6:05 pm
I've got the exact same intel microcode package installed, yet i am getting: microcode : 0x2e
... If so, it is probably not the latest one
Debian pushed the upstream version into Stretch as a security update, so 3.20180807a is going to be the latest:

https://packages.debian.org/search?keyw ... ection=all

I think just about all the latest threats you've seen for the kernels require that the hacker actually have physical access to your machine. If you're worried about Spectre and other similar exploits, you should be running the latest kernels we provide, or the Debian 4.9 kernel which gets updated. Unfortunately, backporting that newer kernel code to security patches for the 4.15 kernel is beyond our capabilities.

Re: Which kernel should I use ?

Posted: Thu Sep 27, 2018 7:42 pm
by oops
Stevo wrote:
Thu Sep 27, 2018 7:30 pm
Debian pushed the upstream version into Stretch as a security update, so 3.20180807a is going to be the latest:
https://packages.debian.org/search?keyw ... ection=all
Thank you for the info Stevo,
I am not worried about that, it is mostly on principle/quality.

Re: Which kernel should I use ?

Posted: Fri Sep 28, 2018 2:34 am
by azrielle
In light of recent revelation that NSA's security algorithm was incorporated into 4.17, 18, & 19, but will be removed in 20, I'd wait until a stable version of 4.20 came out!

Re: Which kernel should I use ?

Posted: Fri Sep 28, 2018 2:45 am
by baldyeti
It is unclear to me how µcode reporting works: i get 2E, Richard gets 20 and oops gets 218, all presumably with the same, latest, package in place. Perhaps this just reflects the fact we have different CPU models?

In my case, "dmesg | grep microcode" shows "microcode updated early to revision 0x2e, date = 2018-04-10"

and "/usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*" says
selected microcodes: 019/001: sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288

Re: Which kernel should I use ?

Posted: Fri Sep 28, 2018 3:27 am
by stsoh
azrielle wrote:
Fri Sep 28, 2018 2:34 am
In light of recent revelation that NSA's security algorithm was incorporated into 4.17, 18, & 19, but will be removed in 20, I'd wait until a stable version of 4.20 came out!
if u worry about nsa crypto_speck, u can blacklist it.
open root thunar > goto /etc/modprobe.d/ > create a file named crypto-speck-blacklist.conf > edit input

Code:

# blacklist takes the module name (speck), not the Kconfig symbol CONFIG_CRYPTO_SPECK
blacklist speck
save > close > exit, done.

Re: Which kernel should I use ?

Posted: Fri Sep 28, 2018 3:53 am
by stsoh
getting old.......kept forgetting......have to update.
open root terminal and input

Code:

# update-initramfs -u
# reboot

Re: Which kernel should I use ?

Posted: Fri Sep 28, 2018 5:16 am
by oops
baldyeti wrote:
Fri Sep 28, 2018 2:45 am
It is unclear to me how µcode reporting works: i get 2E, Richard gets 20 and oops gets 218, all presumably with the same, latest, package in place. Perhaps this just reflects the fact we have different CPU models?

In my case, "dmesg | grep microcode" shows "microcode updated early to revision 0x2e, date = 2018-04-10"

and "/usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*" says
selected microcodes: 019/001: sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288
Yes, version number is by CPU model.
Old examples:
https://downloadcenter.intel.com/downlo ... a-File?v=t
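
Added example, not part of any post in this thread: a shell sketch of why the revision numbers differ per CPU. It derives the CPUID signature from the family/model/stepping fields of /proc/cpuinfo and compares the running revision with the entry for that signature in an iucode_tool listing. The function names and the sample files are assumptions; the sample values are the ones baldyeti posted, and the pf_mask (platform ID) match is left out.

```shell
#!/bin/sh
# CPUID signature of the first CPU in /proc/cpuinfo-style text on stdin.
cpu_signature() {
    awk -F: '
        $1 ~ /^cpu family/   { fam = $2 + 0 }
        $1 ~ /^model[ \t]*$/ { mod = $2 + 0 }
        $1 ~ /^stepping/     { step = $2 + 0; exit }
        END {
            base = (fam >= 15) ? 15 : fam       # base family field is 4 bits
            ext  = (fam >= 15) ? fam - 15 : 0   # remainder goes to extended family
            sig  = ext * 1048576 + int(mod / 16) * 65536
            sig  = sig + base * 256 + (mod % 16) * 16 + step
            printf "0x%08x\n", sig
        }'
}

# Running revision as the kernel reports it, e.g. 0x2e.
running_revision() {
    sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Highest revision for signature $1 in an iucode_tool listing on stdin.
# Simplification: pf_mask (platform ID) is not checked.
packaged_revision() {
    best=""
    for rev in $(sed -n "s/.*sig $1,.*rev \(0x[0-9a-fA-F]*\),.*/\1/p"); do
        if [ -z "$best" ] || [ $(($rev)) -gt $(($best)) ]; then best=$rev; fi
    done
    printf '%s\n' "$best"
}

# Verdict for a cpuinfo file ($1) and a saved iucode_tool listing ($2).
microcode_status() {
    sig=$(cpu_signature < "$1")
    run=$(running_revision < "$1")
    pkg=$(packaged_revision "$sig" < "$2")
    if [ -z "$pkg" ]; then echo "no-package-entry $sig"
    elif [ $(($run)) -ge $(($pkg)) ]; then echo "current $sig $run"
    else echo "outdated $sig running=$run packaged=$pkg"
    fi
}

# Constructed sample input built from the values posted in the thread.
write_samples() {
    printf 'cpu family\t: 6\nmodel\t\t: 42\nstepping\t: 7\nmicrocode\t: 0x2e\n' > "$1/cpuinfo"
    printf '%s\n' '019/001: sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288' > "$1/listing"
}

tmp=$(mktemp -d); write_samples "$tmp"
microcode_status "$tmp/cpuinfo" "$tmp/listing"; rm -rf "$tmp"
```

On a live system, pass /proc/cpuinfo and the saved output of the iucode_tool command quoted above; a revision newer than the packaged one (for example, loaded by the BIOS) also counts as current.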