Welcome!
Important information
-- Spectre and Meltdown vulnerabilities
-- Change in MX sources

News
-- MX Linux on social media: here
-- Mepis support still here

Current releases
-- MX-17.1 Final release info here
-- antiX-17 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

MX 17 Repository: The Spectre-Meltdown-Checker Thread

Post Reply
Message
Author
User avatar
Stevo
Forum Veteran
Forum Veteran
Posts: 17034
Joined: Fri Dec 15, 2006 8:07 pm

MX 17 Repository: The Spectre-Meltdown-Checker Thread

#1 Post by Stevo » Thu Mar 01, 2018 2:28 pm

Debian has packaged this script for checking your vunerabilities, so we now have it in the main repo.

Simple install and run instructions:

Code: Select all

sudo apt-get install spectre-meltdown-checker
sudo spectre-meltdown-checker

User avatar
Gerson
Forum Regular
Forum Regular
Posts: 363
Joined: Sun Nov 12, 2017 10:58 am

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#2 Post by Gerson » Thu Mar 01, 2018 2:45 pm

I already did it and this is the answer of the terminal.
I do not understand anything. :bawling:

Code: Select all

$ sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.15.3-antix.1-amd64-smp #2 SMP PREEMPT Tue Feb 13 16:49:07 EET 2018 x86_64
CPU is Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 78 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  NO 
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
No todos ignoramos las mismas cosas. :confused:

User avatar
Stevo
Forum Veteran
Forum Veteran
Posts: 17034
Joined: Fri Dec 15, 2006 8:07 pm

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#3 Post by Stevo » Thu Mar 01, 2018 2:57 pm

It means you should update to a newer antiX 4.15.5, MX 4.15.4, or Liquorix 4.15 kernel if you need Spectre v_2 hardening. The first hardware part means we are all still waiting for Intel to release firmware to fix the problems without screwing up the stability of our machines.

User avatar
Gerson
Forum Regular
Forum Regular
Posts: 363
Joined: Sun Nov 12, 2017 10:58 am

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#4 Post by Gerson » Thu Mar 01, 2018 11:40 pm

¿With which do you recommend starting the machine?
$ sudo dpkg --get-selections | grep linux-image
[sudo] password for gerson:
linux-image-4.14.0-3-amd64 install
linux-image-4.15.0-5.1-liquorix-amd64 install
linux-image-4.15.3-antix.1-amd64-smp install
No todos ignoramos las mismas cosas. :confused:

User avatar
Stevo
Forum Veteran
Forum Veteran
Posts: 17034
Joined: Fri Dec 15, 2006 8:07 pm

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#5 Post by Stevo » Mon Nov 19, 2018 11:39 pm

We've rolled the latest 0.40 from stretch-backports in the main MX 17 and 15/16 repos to make it more convenient to install. We also updated the package description to accurately reflect its current capabilities.

User avatar
stsoh
Forum Regular
Forum Regular
Posts: 449
Joined: Sun Aug 20, 2017 10:11 am

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#6 Post by stsoh » Tue Nov 20, 2018 2:28 am

6 ok out of 8 vulnerabilities.

Code: Select all

Spectre and Meltdown mitigation detection tool v0.40
Checking for vulnerabilities on current system
Kernel is Linux 4.19.2 #1 SMP PREEMPT Wed Nov 14 13:59:19 +08 2018 x86_64
CPU is Pentium(R) Dual-Core  CPU      E5400  @ 2.70GHz.......
SUMMARY:
CVE-2017-5753:OK
CVE-2017-5715:OK
CVE-2017-5754:OK
CVE-2018-3640:KO
CVE-2018-3639:KO 
CVE-2018-3615:OK
CVE-2018-3620:OK
CVE-2018-3646:OK
MX-17.1_x64 Horizon, G41M-P33 Combo (MS-7592), Pentium E5400 (2706 MHz), 8Gb RAM (984 MT/s),
Intel 4 Series Integrated Graphics, Realtek PCIe Fast RTL8101/2/6E, PCI Gigabit RTL8169 Ethernets.
Accepted Linux when i found MX-Linux in 2016.

Kulmbacher
Forum Novice
Forum  Novice
Posts: 83
Joined: Fri Apr 27, 2018 2:47 pm

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#7 Post by Kulmbacher » Tue Nov 20, 2018 4:55 am

nice, 8 OK

Code: Select all

Spectre and Meltdown mitigation detection tool v0.40
Checking for vulnerabilities on current system
Kernel is Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
CPU is Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz
SUMMARY: 
CVE-2017-5753:OK
CVE-2017-5715:OK 
CVE-2017-5754:OK 
CVE-2018-3640:OK 
CVE-2018-3639:OK 
CVE-2018-3615:OK 
CVE-2018-3620:OK 
CVE-2018-3646:OK

User avatar
Gerson
Forum Regular
Forum Regular
Posts: 363
Joined: Sun Nov 12, 2017 10:58 am

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#8 Post by Gerson » Tue Nov 20, 2018 6:46 am

Today I ran the command:
$ sudo spectre-meltdown-checker
And this is the result but I do not understand anything:

Code: Select all

sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.18.0-18.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.18-22~mx17+1 (2018-11-13) x86_64
CPU is Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU supports Software Guard Extensions (SGX):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 0x4e family 0x6 stepping 0x3 ucode 0xc6 cpuid 0x406e3)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xc6 dated 2018/04/17 according to builtin MCExtractor DB v84 - 2018/09/27)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has mask_nospec64 (arm64):  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW, STIBP)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for kernel and firmware code)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  UNKNOWN  (kernel image missing)
> STATUS:  NOT VULNERABLE  (IBRS + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion)
* Kernel supports PTE inversion: strings: '': No hay tal fichero
 NO 
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: conditional cache flushes, SMT vulnerable
* This system is a host running an hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running an hypervisor)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
Last edited by Gerson on Tue Nov 20, 2018 5:23 pm, edited 1 time in total.
No todos ignoramos las mismas cosas. :confused:

User avatar
stsoh
Forum Regular
Forum Regular
Posts: 449
Joined: Sun Aug 20, 2017 10:11 am

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#9 Post by stsoh » Tue Nov 20, 2018 7:13 am

Gerson wrote:
Tue Nov 20, 2018 6:46 am
Today I ran the command:
$ sudo spectre-meltdown-checker
And this is the result but I do not understand anything:
........
make it simple, use code.
delete text in-btween hardware check to summary (bottom last few line) and last couple text lines.
look at the example above then u can see vulnerabilities clearly.
MX-17.1_x64 Horizon, G41M-P33 Combo (MS-7592), Pentium E5400 (2706 MHz), 8Gb RAM (984 MT/s),
Intel 4 Series Integrated Graphics, Realtek PCIe Fast RTL8101/2/6E, PCI Gigabit RTL8169 Ethernets.
Accepted Linux when i found MX-Linux in 2016.

User avatar
Stevo
Forum Veteran
Forum Veteran
Posts: 17034
Joined: Fri Dec 15, 2006 8:07 pm

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

#10 Post by Stevo » Tue Nov 20, 2018 2:45 pm

stsoh wrote:
Tue Nov 20, 2018 7:13 am
Gerson wrote:
Tue Nov 20, 2018 6:46 am
Today I ran the command:
$ sudo spectre-meltdown-checker
And this is the result but I do not understand anything:
........
make it simple, use code.
delete text in-btween hardware check to summary (bottom last few line) and last couple text lines.
look at the example above then u can see vulnerabilities clearly.
Yes, just look at the lines that begin with "STATUS". You don't have any vunerabilites that it currently checks.

Post Reply

Return to “Package Requests/Status - MX 17”