meltdown and spectre

CaputAlista
Forum Novice
Posts: 52
Joined: Wed Mar 26, 2014 2:32 pm

meltdown and spectre

#1 Post by CaputAlista » Sun Jan 14, 2018 12:49 pm

I have updated my system, then I downloaded a script for detecting Meltdown and Spectre (https://github.com/speed47/spectre-melt ... r/releases) and the report is:
<<... Checking for vulnerabilities against running kernel Linux 4.13.0-1-amd64 #1 SMP Debian 4.13.13-1mx17 (2017-11-18) x86_64
CPU is Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer ...>>
also: Found linuxfs file linuxfs in directory /antiX
Found:
1 total live kernel (4.13.0-1-amd64)
1 default live kernel (4.13.0-1-amd64)
0 old live kernels

1 total installed kernel (4.13.0-1-amd64)
0 new installed kernels

No new kernels were found


What can I do?

Jerry3904
Forum Veteran
Posts: 22227
Joined: Wed Jul 19, 2006 6:13 am

Re: meltdown and spectre

#2 Post by Jerry3904 » Sun Jan 14, 2018 1:01 pm

Production: 4.15.0-1-amd64, MX-17.1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, Kingston SSD 120 GB and WesternDigital 1TB
Testing: AAO 722: 4.15.0-1-386. MX-17.1, AMD C-60 APU, 4 GB

timkb4cq
Forum Veteran
Posts: 4304
Joined: Wed Jul 12, 2006 4:05 pm

Re: meltdown and spectre

#3 Post by timkb4cq » Sun Jan 14, 2018 1:08 pm

As previously announced on the antiX forums:
https://www.antixforum.com/spectre-and- ... -upgrades/
The available kernels for antiX-17 with meltdown/spectre patches are 4.14.12 and 4.9.75
The available kernels for antiX-16 with meltdown/spectre patches are the 4.9.75.antix.2 kernel now in jessie repo, the 4.4.109 kernel built from Ubuntu source, or the patched Debian kernel (3.16.0-5)

Keep in mind that there are not yet kernel patches available anywhere for all spectre variants and it may be some time before there are.
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

Jerry3904
Forum Veteran
Posts: 22227
Joined: Wed Jul 19, 2006 6:13 am

Re: meltdown and spectre

#4 Post by Jerry3904 » Sun Jan 14, 2018 1:37 pm

Oops, didn't see that it was in the antiX forum.
Production: 4.15.0-1-amd64, MX-17.1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, Kingston SSD 120 GB and WesternDigital 1TB
Testing: AAO 722: 4.15.0-1-386. MX-17.1, AMD C-60 APU, 4 GB

towwire
Forum Regular
Posts: 296
Joined: Fri Oct 15, 2010 12:15 pm

Re: meltdown and spectre

#5 Post by towwire » Sun Jan 14, 2018 5:07 pm

timkb4cq wrote:
Keep in mind that there are not yet kernel patches available anywhere for all spectre variants and it may be some time before there are.
Tim, I have the same as you when using Spectre and Meltdown mitigation detection tool v0.27, but you may find that 2 out of 3 are VULNERABLE when using Spectre and Meltdown mitigation detection tool v0.30.

I have the same results with each version of the tool after updating to kernel Linux 4.9.0-0.bpo.5-amd64 from kernel Linux 4.7.0-0.bpo.1-amd64. As shown here:

Code:

$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer


$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.30

Checking for vulnerabilities against running kernel Linux 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
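
Added example (not part of the original posts and not code from spectre-meltdown-checker): a small Python parser for the report format shown in post #5. It pairs each CVE header with its "> STATUS:" line and reports which verdicts differ between two runs and whether the tool version or the kernel changed. The sample input is constructed, abridged from the two runs above; the function names are this example's own.

```python
import re

VERSION_RE = re.compile(r"mitigation detection tool v(\S+)")
KERNEL_RE = re.compile(r"running kernel Linux (\S+)")
CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+\[([^\]]+)\]")
STATUS_RE = re.compile(r"^>\s*STATUS:\s+([A-Z][A-Z ]*[A-Z])\s*(?:\((.*)\))?\s*$")

def parse_report(text):
    """Parse one checker run into tool version, kernel and per-CVE verdicts."""
    report = {"tool": None, "kernel": None, "cves": {}}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := VERSION_RE.search(line)):
            report["tool"] = m.group(1)
        elif (m := KERNEL_RE.search(line)):
            report["kernel"] = m.group(1)
        elif (m := CVE_RE.match(line)):
            current = m.group(1)  # following STATUS line belongs to this CVE
            report["cves"][current] = {"name": m.group(2), "status": None, "reason": None}
        elif current and (m := STATUS_RE.match(line)):
            report["cves"][current].update(status=m.group(1), reason=m.group(2))
    return report

def diff_reports(old_text, new_text):
    """Report verdict changes and whether the tool or the kernel differs."""
    old, new = parse_report(old_text), parse_report(new_text)
    changes = [(cve, old["cves"][cve]["status"], new["cves"][cve]["status"])
               for cve in sorted(old["cves"].keys() & new["cves"].keys())
               if old["cves"][cve]["status"] != new["cves"][cve]["status"]]
    return {"tool_changed": old["tool"] != new["tool"],
            "kernel_changed": old["kernel"] != new["kernel"],
            "changes": changes}

# Constructed sample input: header and verdict lines abridged from post #5.
TEMPLATE = """\
Spectre and Meltdown mitigation detection tool v{tool}
Checking for vulnerabilities against running kernel Linux 4.9.0-0.bpo.5-amd64 #1 SMP
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
*   Kernel compiled with retpoline option:  NO
> STATUS:  {v2}
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
"""
V027 = TEMPLATE.format(tool="0.27", v2="NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)")
V030 = TEMPLATE.format(tool="0.30", v2="VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)")
```

When "kernel_changed" is false and "tool_changed" is true, a differing verdict comes from the checker's detection logic rather than from any change to the system.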

Stevo
Forum Veteran
Posts: 15965
Joined: Fri Dec 15, 2006 8:07 pm

Re: meltdown and spectre

#6 Post by Stevo » Sun Jan 14, 2018 5:40 pm

Jerry3904 wrote: Oops, didn't see that it was in the antiX forum.
Yet the OP's results are from the MX kernel, not one of antiX's. There's some wires crossed somewhere...

I think the recent intel-microcode update would have changed one of the Spectre results, too. Maybe that hasn't been applied yet?

towwire
Forum Regular
Posts: 296
Joined: Fri Oct 15, 2010 12:15 pm

Re: meltdown and spectre

#7 Post by towwire » Sun Jan 14, 2018 7:03 pm

Stevo wrote:
Jerry3904 wrote: Oops, didn't see that it was in the antiX forum.
Yet the OP's results are from the MX kernel, not one of antiX's. There's some wires crossed somewhere...

I think the recent intel-microcode update would have changed one of the Spectre results, too. Maybe that hasn't been applied yet?
Oops, sorry I put it in the wrong thread as I was going back and forth between two. Was just trying to show that there are different results between versions of the script.

Here is my APT History, note the two intel-microcode updates.

Code:

2018-01-14  09:42:07  remove   linux-image-amd64                         amd64  4.9+80+deb9u2~bpo8+2                 <none>
2018-01-14  09:42:07  remove   linux-headers-amd64                       amd64  4.9+80+deb9u2~bpo8+2                 <none>
2018-01-14  09:38:21  upgrade  linux-image-amd64                         amd64  4.9+80+deb9u2~bpo8+2                 4.9+80+deb9u2~bpo8+2
2018-01-14  09:38:20  upgrade  linux-headers-amd64                       amd64  4.9+80+deb9u2~bpo8+2                 4.9+80+deb9u2~bpo8+2
2018-01-14  09:36:56  install  linux-image-amd64                         amd64  <none>                               4.9+80+deb9u2~bpo8+2
2018-01-14  09:36:51  install  linux-image-4.9.0-0.bpo.5-amd64           amd64  <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:36:50  install  linux-headers-amd64                       amd64  <none>                               4.9+80+deb9u2~bpo8+2
2018-01-14  09:36:48  install  linux-kbuild-4.9                          amd64  <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:36:48  install  linux-headers-4.9.0-0.bpo.5-amd64         amd64  <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:36:42  install  linux-headers-4.9.0-0.bpo.5-common        all    <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:32:47  upgrade  mx-packageinstaller-pkglist               all    18.01mx16                            18.02mx16
2018-01-14  09:32:46  upgrade  smtube                                    amd64  17.5.0-0mx150+1                      18.1.0+4.1
2018-01-14  09:32:45  upgrade  cli-shell-utils                           all    0.3.4                                0.3.5
2018-01-14  09:32:45  install  libqt5script5                             amd64  <none>                               5.3.2+dfsg-2
2018-01-13  09:30:21  upgrade  python-libxml2                            amd64  2.9.1+dfsg1-5+deb8u5                 2.9.1+dfsg1-5+deb8u6
2018-01-13  09:30:21  upgrade  intel-microcode                           amd64  3.20171215.1~mx15+1                  3.20180108.1~mx15+1
2018-01-13  09:30:20  upgrade  libxml2                                   amd64  2.9.1+dfsg1-5+deb8u5                 2.9.1+dfsg1-5+deb8u6
2018-01-13  09:30:19  upgrade  libxml2                                   i386   2.9.1+dfsg1-5+deb8u5                 2.9.1+dfsg1-5+deb8u6
2018-01-12  08:03:11  upgrade  xfce4-whiskermenu-plugin                  amd64  1:1.7.3-1mx15+1                      1:1.7.5-0.1~mx15+1
2018-01-12  08:03:10  upgrade  live-usb-maker-gui                        all    0.2.2                                0.2.3
2018-01-11  08:00:30  upgrade  intel-microcode                           amd64  3.20170707.1mx15+1                   3.20171215.1~mx15+1

Stevo
Forum Veteran
Posts: 15965
Joined: Fri Dec 15, 2006 8:07 pm

Re: meltdown and spectre

#8 Post by Stevo » Sun Jan 14, 2018 8:37 pm

This is one guy posting on the Alpine Linux developer boards, but it's distressing for older kernels if it's true:

https://lists.alpinelinux.org/alpine-devel/6022.html

Jerry3904
Forum Veteran
Posts: 22227
Joined: Wed Jul 19, 2006 6:13 am

Re: meltdown and spectre

#9 Post by Jerry3904 » Mon Jan 15, 2018 6:53 am

Nice summary in today's DistroWatch:

https://distrowatch.com/weekly.php?issue=20180115#qa
Production: 4.15.0-1-amd64, MX-17.1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, Kingston SSD 120 GB and WesternDigital 1TB
Testing: AAO 722: 4.15.0-1-386. MX-17.1, AMD C-60 APU, 4 GB
