Welcome!
Important information
-- Spectre and Meltdown vulnerabilities
-- Change in MX sources

News
-- MX Linux on social media: here
-- Mepis support still here

Current releases
-- MX-17.1 Final release info here
-- antiX-17 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

Script to check for Meltdown and/or Spectre vulnerability

Message
Author
User avatar
timkb4cq
Forum Veteran
Forum Veteran
Posts: 4347
Joined: Wed Jul 12, 2006 4:05 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#11 Post by timkb4cq » Fri Jan 12, 2018 6:36 pm

Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.

n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

User avatar
Stevo
Forum Veteran
Forum Veteran
Posts: 16160
Joined: Fri Dec 15, 2006 8:07 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#12 Post by Stevo » Fri Jan 12, 2018 6:42 pm

We have the fixed 4.14 kernel already available, or easy ways to install the fixed standard Debian release or backports kernels, but we aren't forcing the upgrades right now. Our last few 4.14 Liquorix kernels also support KPTI for 64-bit.

I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.

User avatar
asqwerth
Forum Veteran
Forum Veteran
Posts: 3254
Joined: Sun May 27, 2007 5:37 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#13 Post by asqwerth » Fri Jan 12, 2018 10:30 pm

calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400

User avatar
calinb
Forum Regular
Forum Regular
Posts: 131
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#14 Post by calinb » Sat Jan 13, 2018 1:30 am

asqwerth wrote:
calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.
That's what puzzled me about the script's output. It said my Atom was vulnerable to Spectra (Variant 1 and 2) and also Meltdown (Variant 3) with both current MX-16 PAE and Liquorix kernels.

User avatar
calinb
Forum Regular
Forum Regular
Posts: 131
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#15 Post by calinb » Sat Jan 13, 2018 1:43 am

timkb4cq wrote:Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.

n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
https://tenfourfox.blogspot.com/2018/01 ... r-why.html

The comments on the page are somewhat encouraging too. If I had a little more time on my hands, I'd try to compile some of the PPC test code myself. I am actually thinking about trying to do all my online shopping, banking, and financial stuff on my old Mac Mini running Ubuntu Mate 16.04 LTS. By the time the LTS runs out, I anticipate that new CPU architectures will be available or maybe Gentoo will keep my Mac Mini running on the cheap! PPC is just about dead now in GNU/Linux land, though BSD distros will probably keep it going longer.

User avatar
calinb
Forum Regular
Forum Regular
Posts: 131
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#16 Post by calinb » Sat Jan 13, 2018 1:48 am

Stevo wrote:<snip>
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.
Thanks again, Stevo. That is really a bummer, because sometimes I really appreciate the small size of my Atom netbook and the script is saying it's vulnerable to all three variants, but maybe the script is wrong about the Meltdown variant and my netbook's old Atom CPU.

User avatar
stsoh
Forum Regular
Forum Regular
Posts: 390
Joined: Sun Aug 20, 2017 10:11 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#17 Post by stsoh » Sat Jan 13, 2018 6:27 am

Stevo wrote:Just backported the latest intel-microcode from Sid, the script is now a little better:

Code: Select all

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
For my i5-6200U CPU.

The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.
does not resolve for old cpu, it is vulnerable as b4 after updated intel-microcode.

Code: Select all

2018-01-13  12:32:08  upgrade  intel-microcode                           amd64  3.20171215.1~mx17+1             3.20180108.1~mx17+1

Code: Select all

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.14.0-13.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-16 (2018-01-11) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 34 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
MX-17.1_x64 Horizon, G41M-P33 Combo(MS-7592), Pentium E5400 (min/max: 1203/2700 MHz), 8Gb RAM (800 MT/s),
Intel 4 Series Integrated Graphics, Realtek PCIe Fast RTL8101/2/6E, PCI Gigabit RTL8169 Ethernets.

User avatar
vamsi
Forum Regular
Forum Regular
Posts: 430
Joined: Thu Apr 13, 2017 2:50 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#18 Post by vamsi » Sat Jan 13, 2018 7:55 am

Installed MX 4.14 kernel from package installer and before installing i got output that my system is vulnerable and after installing also it showed same output VULNERABLE by the way i am using 32 bit

By the way what is the meaning of this in the dolphin's post
Updated kernels are also available for our 32 bit versions, but be advised that there have not been any upstream 32 bit patches for meltdown made available as yet.
I installed MX 4.14 Kernel

Code: Select all

$ uname -r
4.14.0-3-686-pae
Then my system is still vulnerable ??

User avatar
asqwerth
Forum Veteran
Forum Veteran
Posts: 3254
Joined: Sun May 27, 2007 5:37 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#19 Post by asqwerth » Sat Jan 13, 2018 8:07 am

Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400

User avatar
vamsi
Forum Regular
Forum Regular
Posts: 430
Joined: Thu Apr 13, 2017 2:50 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#20 Post by vamsi » Sat Jan 13, 2018 8:47 am

asqwerth wrote:Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.
Thanks asqwerth then it is no use in installing MX-4.14 kernel then i think i need to uninstall it

Post Reply

Return to “General”