meltdown and spectre

CaputAlista
Posts: 88
Joined: Wed Mar 26, 2014 2:32 pm

meltdown and spectre

#1 Post by CaputAlista »

I have updated my system, then I downloaded a script for detecting Meltdown and Spectre (https://github.com/speed47/spectre-melt ... r/releases) and the report is: <<...
Checking for vulnerabilities against running kernel Linux 4.13.0-1-amd64 #1 SMP Debian 4.13.13-1mx17 (2017-11-18) x86_64
CPU is Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer ...>>
also: Found linuxfs file linuxfs in directory /antiX
Found:
1 total live kernel (4.13.0-1-amd64)
1 default live kernel (4.13.0-1-amd64)
0 old live kernels

1 total installed kernel (4.13.0-1-amd64)
0 new installed kernels

No new kernels were found


What can I do?

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: meltdown and spectre

#2 Post by Jerry3904 »

Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

timkb4cq
Developer
Posts: 3186
Joined: Wed Jul 12, 2006 4:05 pm

Re: meltdown and spectre

#3 Post by timkb4cq »

As previously announced on the antiX forums:
https://www.antixforum.com/spectre-and- ... -upgrades/
The available kernels for antiX-17 with meltdown/spectre patches are 4.14.12 and 4.9.75
The available kernels for antiX-16 with meltdown/spectre patches are the 4.9.75.antix.2 kernel now in jessie repo, the 4.4.109 kernel built from Ubuntu source, or the patched Debian kernel (3.16.0-5)

Keep in mind that there are not yet kernel patches available anywhere for all spectre variants and it may be some time before there are.
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: meltdown and spectre

#4 Post by Jerry3904 »

Oops, didn't see that it was in the antiX forum.

towwire
Posts: 645
Joined: Fri Oct 15, 2010 12:15 pm

Re: meltdown and spectre

#5 Post by towwire »

timkb4cq wrote:
Keep in mind that there are not yet kernel patches available anywhere for all spectre variants and it may be some time before there are.
Tim, I have the same as you when using Spectre and Meltdown mitigation detection tool v0.27, but you may find that 2 out of 3 are VULNERABLE when using Spectre and Meltdown mitigation detection tool v0.30.

I have the same results with each version of the tool after updating to kernel Linux 4.9.0-0.bpo.5-amd64 from kernel Linux 4.7.0-0.bpo.1-amd64. As shown here:

$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer


$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.30

Checking for vulnerabilities against running kernel Linux 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
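
The two runs in the post above differ in one verdict. As an added example (not part of the original post and not the checker project's code), this sketch reduces saved checker output to one verdict per CVE and lists what changed between runs; the function names and the abridged sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-CVE verdicts from spectre-meltdown-checker text output.
# checker_status: checker output on stdin -> one "CVE-ID<TAB>STATUS" line per CVE.
checker_status() {
    awk '
        /^CVE-[0-9]+-[0-9]+/ { cve = $1 }
        /^> STATUS:/ && cve != "" {
            s = $0
            sub(/^> STATUS:[ \t]*/, "", s)   # drop the prefix
            sub(/[ \t]*\(.*$/, "", s)        # drop the trailing (reason)
            print cve "\t" s
            cve = ""
        }'
}

# checker_diff OLD NEW: print CVEs whose verdict differs between two saved runs.
checker_diff() {
    { checker_status < "$1" | awk '{ print "old\t" $0 }'
      checker_status < "$2" | awk '{ print "new\t" $0 }'; } |
    awk -F'\t' '
        $1 == "old" { before[$2] = $3; order[++n] = $2 }
        $1 == "new" { after[$2] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]; a = (c in after) ? after[c] : "MISSING"
                if (before[c] != a) printf "%s: %s -> %s\n", c, before[c], a
            }
        }'
}

# sample_run VERSION: constructed, abridged copy of a run quoted in the post.
sample_run() {
    if [ "$1" = "0.27" ]; then v2="NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)"
    else v2="VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)"; fi
    cat <<EOF
Spectre and Meltdown mitigation detection tool v$1

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> STATUS:  $v2

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
EOF
}
# Demo: compare the two constructed runs, then clean up.
tmp=$(mktemp -d); sample_run 0.27 > "$tmp/old"; sample_run 0.30 > "$tmp/new"
checker_diff "$tmp/old" "$tmp/new"; rm -rf "$tmp"
```

On the sample runs it reports only CVE-2017-5715, the verdict that changed between v0.27 and v0.30 on the same kernel.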

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: meltdown and spectre

#6 Post by Stevo »

Jerry3904 wrote:Oops, didn't see that it was in the antiX forum.
Yet the OP's results are from the MX kernel, not one of antiX's. There's some wires crossed somewhere...

I think the recent intel-microcode update would have changed one of the Spectre results, too. Maybe that hasn't been applied yet?

towwire
Posts: 645
Joined: Fri Oct 15, 2010 12:15 pm

Re: meltdown and spectre

#7 Post by towwire »

Stevo wrote:
Jerry3904 wrote:Oops, didn't see that it was in the antiX forum.
Yet the OP's results are from the MX kernel, not one of antiX's. There's some wires crossed somewhere...

I think the recent intel-microcode update would have changed one of the Spectre results, too. Maybe that hasn't been applied yet?
Oops, sorry I put it in the wrong thread as I was going back and forth between two. Was just trying to show that there are different results between versions of the script.

Here is my APT History, note the two intel-microcode updates.

2018-01-14  09:42:07  remove   linux-image-amd64                         amd64  4.9+80+deb9u2~bpo8+2                 <none>
2018-01-14  09:42:07  remove   linux-headers-amd64                       amd64  4.9+80+deb9u2~bpo8+2                 <none>
2018-01-14  09:38:21  upgrade  linux-image-amd64                         amd64  4.9+80+deb9u2~bpo8+2                 4.9+80+deb9u2~bpo8+2
2018-01-14  09:38:20  upgrade  linux-headers-amd64                       amd64  4.9+80+deb9u2~bpo8+2                 4.9+80+deb9u2~bpo8+2
2018-01-14  09:36:56  install  linux-image-amd64                         amd64  <none>                               4.9+80+deb9u2~bpo8+2
2018-01-14  09:36:51  install  linux-image-4.9.0-0.bpo.5-amd64           amd64  <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:36:50  install  linux-headers-amd64                       amd64  <none>                               4.9+80+deb9u2~bpo8+2
2018-01-14  09:36:48  install  linux-kbuild-4.9                          amd64  <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:36:48  install  linux-headers-4.9.0-0.bpo.5-amd64         amd64  <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:36:42  install  linux-headers-4.9.0-0.bpo.5-common        all    <none>                               4.9.65-3+deb9u2~bpo8+1
2018-01-14  09:32:47  upgrade  mx-packageinstaller-pkglist               all    18.01mx16                            18.02mx16
2018-01-14  09:32:46  upgrade  smtube                                    amd64  17.5.0-0mx150+1                      18.1.0+4.1
2018-01-14  09:32:45  upgrade  cli-shell-utils                           all    0.3.4                                0.3.5
2018-01-14  09:32:45  install  libqt5script5                             amd64  <none>                               5.3.2+dfsg-2
2018-01-13  09:30:21  upgrade  python-libxml2                            amd64  2.9.1+dfsg1-5+deb8u5                 2.9.1+dfsg1-5+deb8u6
2018-01-13  09:30:21  upgrade  intel-microcode                           amd64  3.20171215.1~mx15+1                  3.20180108.1~mx15+1
2018-01-13  09:30:20  upgrade  libxml2                                   amd64  2.9.1+dfsg1-5+deb8u5                 2.9.1+dfsg1-5+deb8u6
2018-01-13  09:30:19  upgrade  libxml2                                   i386   2.9.1+dfsg1-5+deb8u5                 2.9.1+dfsg1-5+deb8u6
2018-01-12  08:03:11  upgrade  xfce4-whiskermenu-plugin                  amd64  1:1.7.3-1mx15+1                      1:1.7.5-0.1~mx15+1
2018-01-12  08:03:10  upgrade  live-usb-maker-gui                        all    0.2.2                                0.2.3
2018-01-11  08:00:30  upgrade  intel-microcode                           amd64  3.20170707.1mx15+1                   3.20171215.1~mx15+1

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: meltdown and spectre

#8 Post by Stevo »

This is one guy posting on the Alpine Linux developer boards, but it's distressing for older kernels if it's true:

https://lists.alpinelinux.org/alpine-devel/6022.html

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: meltdown and spectre

#9 Post by Jerry3904 »

Nice summary in today's DistroWatch:

https://distrowatch.com/weekly.php?issue=20180115#qa
