Script to check for Meltdown and/or Spectre vulnerability

caprea
Forum Novice
Posts: 88
Joined: Sat Aug 23, 2014 7:01 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#21 Postby caprea » Sat Jan 13, 2018 9:39 am

Code:

Thanks asqwerth then it is no use in installing MX-4.14 kernel then i think i need to uninstall it

It seems there is a patched 32bit antix-kernel
https://www.antixforum.com/spectre-and-meltdown-security-kernel-upgrades/

I just installed the Debian 3.16 64bit kernel on mx-16 from the mx-package installer.
It still shows it is vulnerable for three vulnerabilities.
Then I tried the 4.9.0-0.bpo.5-amd64, this worked.
The 3.16 most certainly not.

timkb4cq
Forum Veteran
Posts: 4147
Joined: Wed Jul 12, 2006 4:05 pm

#22 Postby timkb4cq » Sat Jan 13, 2018 10:40 am

calinb wrote:
> Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
> https://tenfourfox.blogspot.com/2018/01 ... r-why.html

Nope, missed that one. I just searched for info about 7447a speculative instructions & wound up here:
https://www.nxp.com/docs/en/application-note/AN2797.pdf
Nothing directly about Spectre, just the basics about how the processor works. As I said, if I understand the architecture correctly I don't see much of a footprint for a remote attacker to retrieve any targeted data. Maybe a few bytes that a library function exposes, but I doubt they could load the cache with anything useful given the chipset's limitations on speculative execution.
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

kmathern
Forum Veteran
Posts: 9243
Age: 59
Joined: Wed Jul 12, 2006 2:26 pm

#23 Postby kmathern » Sat Jan 13, 2018 10:57 am

caprea wrote:
> Code:
>
> Thanks asqwerth then it is no use in installing MX-4.14 kernel then i think i need to uninstall it
>
> It seems there is a patched 32bit antix-kernel
> https://www.antixforum.com/spectre-and-meltdown-security-kernel-upgrades/
>
> I just installed the Debian 3.16 64bit kernel on mx-16 from the mx-package installer.
> It still shows it is vulnerable for three vulnerabilities.
> Then I tried the 4.9.0-0.bpo.5-amd64, this worked.
> The 3.16 most certainly not.

I'm seeing the same here.

For the default Debian Jessie 3.16 kernel, the 3.16.0-5 update has the kpti patches according to this: https://tracker.debian.org/news/900500 (near the bottom of that page).

And apt-cache policy shows that the 3.16.0-5 update is in the repos

Code:

$ apt-cache policy linux-image-3.16.0-5-amd64
linux-image-3.16.0-5-amd64:
  Installed: (none)
  Candidate: 3.16.51-3+deb8u1
  Version table:
     3.16.51-3+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages


But when I run MXPI I see that it's trying to install the 3.16.0-4 version packages

Code:

Script started, file is /var/log/mxpi.log
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfile-homedir-perl libfile-which-perl
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-common linux-kbuild-3.16
Suggested packages:
  linux-doc-3.16 debian-kernel-handbook
Recommended packages:
  irqbalance
The following NEW packages will be installed:
  linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-amd64 linux-headers-3.16.0-4-common
  linux-image-3.16.0-4-amd64 linux-kbuild-3.16
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 39.6 MB of archives.
After this operation, 190 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Paul..
Forum Guide
Posts: 2277
Joined: Sun Mar 18, 2007 6:34 pm

#24 Postby Paul.. » Sat Jan 13, 2018 1:49 pm

Glad you brought this up, Kent. Will change the script for EDIT: 4.9.0-4-amd64 to 4.9.0-5-amd64 shortly.

-pc

Daily: MSI 890FXA-GD70 | AMD Phenom II X6 1055T | GeForce GTX 750 Ti | 8G
Test: Thinkpad T431s | Intel i5-3437U | Intel 3rd gen Graphics | 4G
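
Added example (not part of the original posts, and not MXPI's own code): a shell check for the mismatch reported in posts #23 and #24, reading an installer log and flagging any linux-image package whose ABI number is below the patched one. The patched ABI numbers (3.16.0-5, 4.9.0-5) are the ones named in this thread, and the function names are made up for the example.

```sh
#!/bin/sh
# Added example, not MXPI code. Function names are hypothetical.

# Lines copied from the MXPI log quoted in post #23.
SAMPLE_LOG='The following NEW packages will be installed:
  linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-amd64 linux-headers-3.16.0-4-common
  linux-image-3.16.0-4-amd64 linux-kbuild-3.16'

# patched_abi SERIES: lowest ABI number this thread reports as carrying the
# fix (3.16.0-5 per post #23, 4.9.0-5 per post #24); empty if not discussed.
patched_abi() {
    case "$1" in
        3.16.0|4.9.0) echo 5 ;;
        *) echo "" ;;
    esac
}

# check_pkg NAME: prints patched, unpatched or unknown for one package name.
# Handles plain (3.16.0-4-amd64) and backport (4.9.0-0.bpo.5-amd64) naming.
check_pkg() {
    parsed=$(printf '%s\n' "$1" | sed -nE \
        's/^linux-image-([0-9]+\.[0-9]+\.[0-9]+)-(0\.bpo\.)?([0-9]+)-.+$/\1 \3/p')
    if [ -z "$parsed" ]; then echo unknown; return 0; fi
    series=${parsed% *}
    abi=${parsed#* }
    min=$(patched_abi "$series")
    if [ -z "$min" ]; then echo unknown
    elif [ "$abi" -ge "$min" ]; then echo patched
    else echo unpatched
    fi
}

# scan_log: reads an apt/MXPI log on stdin, prints a verdict per kernel image
# package, and returns 1 if any of them predates the patched ABI.
scan_log() {
    rc=0
    for pkg in $(grep -oE 'linux-image-[0-9][^[:space:]]*' | sort -u); do
        verdict=$(check_pkg "$pkg")
        echo "$pkg: $verdict"
        if [ "$verdict" = unpatched ]; then rc=1; fi
    done
    return $rc
}

printf '%s\n' "$SAMPLE_LOG" | scan_log || echo "log selects an unpatched kernel image"
```

The ABI number only identifies the package name; the installed version string (3.16.51-3+deb8u1 in the apt-cache output above) is what the security tracker refers to.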

calinb
Forum Regular
Posts: 122
Joined: Tue Jun 27, 2017 1:57 am

#25 Postby calinb » Sat Jan 13, 2018 4:13 pm

timkb4cq wrote:
> calinb wrote:
> > Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
> > https://tenfourfox.blogspot.com/2018/01 ... r-why.html
>
> Nope, missed that one. I just searched for info about 7447a speculative instructions & wound up here:
> https://www.nxp.com/docs/en/application-note/AN2797.pdf.

<snip>

Haha--and that's a good AP Note, timkb4cq. I'll archive it. Thanks!

I tend to agree with you about low risk with the 7447a and I'm actually less comfortable with any "early days" Meltdown or Spectre patches. Validation of these complex things takes far longer than the time these bugs have even been publicly known!

I'm not a CPU architect either but I worked at Intel for over 20 years and attended Chief P6 Architect Bob Colwell's internal P6 architecture classes. Back then I worked in P6 validation (for a couple plus years, and my experience in that job is the reason I say that my confidence in Meltdown and Spectre patches is low right now).

Stevo
Forum Veteran
Posts: 15063
Age: 59
Joined: Fri Dec 15, 2006 8:07 pm

#26 Postby Stevo » Sat Jan 13, 2018 5:15 pm

> It seems there is a patched 32bit antix-kernel
> https://www.antixforum.com/spectre-and- ... -upgrades/


I'm fairly certain that any current 32-bit kernel does not support the Meltdown kpti mitigation. I think the antiX announcement should be changed to make this clear. But I hope that someone can prove me wrong!

Stevo
Forum Veteran
Posts: 15063
Age: 59
Joined: Fri Dec 15, 2006 8:07 pm

#27 Postby Stevo » Sat Jan 13, 2018 8:19 pm

A user on the Debian forums emailed and got a reply from one of the developers of the KPTI patch in the kernel:

> Hi,
> I'm writing to you because I noticed your involvement with the KPTI/KAISER
> patches. Across several varieties of linux distributions, users have
> noticed that kpti is impossible to enable because it depends on x86_64.
> Many of us are concerned that we are running 32-bit systems that are
> still vulnerable to meltdown; we are also concerned because it's a
> handful of users who have brought this to light, and major news and
> information from our distros are keeping silent on the topic. We are all
> wondering if you could shed some light: in particular, is x86 vulnerable?

Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.

Sorry that I can't tell you better news.

Thanks,

Thomas


So that's the situation now.

azrielle
Forum Regular
Posts: 183
Age: 65
Joined: Mon Feb 15, 2016 6:34 am

#28 Postby azrielle » Sat Jan 13, 2018 10:27 pm

Stevo wrote:
> A user on the Debian forums emailed and got a reply from one of the developers of the KPTI patch in the kernel:
>
> the vast majority of systems, especially the most endangered cloud stuff, runs 64bit.

From a practical perspective, 32bit is a lot less likely to be attacked for that very reason. Plus, 32bit MX uses about 70MB less RAM!
Acer V5-171 i5/3317u 12GB 11.6" MX17/Korora26/SolydX9/Win7SP1 500GB SSD
Lenovo X131e i3/3227u 8GB 11.6" MX17/ParrotOS_3.11/Win7SP1 240GB SSD
Acer AO D257 Atom/n570 2GB 10" MX16.1/AntiX16.2/Win7SP1 128GB SSD

Stevo
Forum Veteran
Posts: 15063
Age: 59
Joined: Fri Dec 15, 2006 8:07 pm

#29 Postby Stevo » Sat Jan 13, 2018 11:03 pm

Plus 32-bit users really don't need whatever slowdown kpti inflicts on their system, too.

calinb
Forum Regular
Posts: 122
Joined: Tue Jun 27, 2017 1:57 am

#30 Postby calinb » Sat Jan 13, 2018 11:09 pm

asqwerth wrote:
> calinb wrote:
> > Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
>
> Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.


Update:
According to /proc/cpuinfo and Intel's Impacted Intel Systems list (and contrary to what the script here reported) my Atom N455 MX-16 system is not impacted. The impacted Intel Atom CPUs are:

    Intel Atom® processor C series
    Intel Atom® processor E series
    Intel Atom® processor A series
    Intel Atom® processor x3 series
    Intel Atom® processor Z series

Scroll to the bottom here for the complete list:
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html#4

So between my Atom N455 :turtle: and PPC G4 :snail: I think old and slow CPUs rock! Good thing my Big Board II and old Kaypro machines quit working decades ago or I'd probably be running CPM too. :spinning:
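
Added example (not part of the original posts, and not the checker script this thread discusses): when a userland checker and a vendor list disagree, as in the post above, a further data point is what the running kernel itself reports. It assumes a kernel that provides the /sys/devices/system/cpu/vulnerabilities directory and returns 2 where that directory is absent; the function names are made up for the example.

```sh
#!/bin/sh
# Added example, not the checker script discussed in this thread.
# Function names are hypothetical.

# is_x86_32 MACHINE: succeeds for 32-bit x86 names as printed by `uname -m`.
is_x86_32() {
    case "$1" in i[3-6]86) return 0 ;; *) return 1 ;; esac
}

# report_status [ROOT]: prints the running kernel's own verdict for each issue.
# ROOT is prepended to the sysfs path so a constructed tree can be tested.
# Returns 0 if nothing is reported vulnerable, 1 if something is,
# 2 if this kernel has no vulnerabilities directory to read.
report_status() {
    dir="${1:-}/sys/devices/system/cpu/vulnerabilities"
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel does not self-report"
        return 2
    fi
    result=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            state=$(cat "$dir/$issue")
        else
            state="not reported"
        fi
        echo "$issue: $state"
        case "$state" in
            "Not affected"|Mitigation:*) ;;
            *) result=1 ;;       # "Vulnerable...", missing file, or unknown text
        esac
    done
    return $result
}

report_status "" || echo "exit status $? (1 = vulnerable, 2 = no report)"
if is_x86_32 "$(uname -m)"; then
    echo "32-bit x86: per the reply in post #27, KPTI was x86_64-only at that time"
fi
```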

