Script to check for Meltdown and/or Spectre vulnerability

ChrisUK
Qualified MX Guide

#1 Post by ChrisUK »

Maybe of use to some of you:

https://github.com/speed47/spectre-meltdown-checker

(Browse the code before running it)
Chris

MX 18 MX 19 - Manjaro

BrianLinuxing

Re: Script to check for Meltdown and/or Spectre vulnerability

#2 Post by BrianLinuxing »

Yeah Chris, it's a curate's egg that script.

I've been running it since its first few released versions.

Not much good on ARM, or on my (patched) iMac running 4.14, but hopefully it will be fixed over time.

stsoh

Re: Script to check for Meltdown and/or Spectre vulnerability

#3 Post by stsoh »

Ran the script with the latest Liquorix kernel; this is what I got on my old PC, an E5400.
MX-17.1_x64 Horizon, G41M-P33 Combo (MS-7592), Pentium E5400 (2706 MHz), 8Gb RAM (984 MT/s),
Intel 4 Series Integrated Graphics, Realtek PCIe Fast RTL8101/2/6E, PCI Gigabit RTL8169 Ethernets.
Accepted Linux when I found MX-Linux in 2016.

timkb4cq
Developer

Re: Script to check for Meltdown and/or Spectre vulnerability

#4 Post by timkb4cq »

AMD looks a bit better, but Spectre variant 1 looks like it will be a long-term problem.
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB

richb
Administrator

Re: Script to check for Meltdown and/or Spectre vulnerability

#5 Post by richb »

I get the same as Tim on my AMD with the 4.14.0-3 kernel installed from MXPI Popular packages>Kernel. From what I have read the Spectre Vulnerability is less likely. Whether it is or not, not much can be done at this point. Also keep browsers up to date. Latest FF is hardened and Google Chrome should be within the next few days.

richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB

ChrisUK
Qualified MX Guide

Re: Script to check for Meltdown and/or Spectre vulnerability (Updated)

#6 Post by ChrisUK »

Here's a test specifically for Spectre vulnerability in Browsers:

http://xlab.tencent.com/special/spectre ... check.html
Chris

MX 18 MX 19 - Manjaro

calinb

Re: Script to check for Meltdown and/or Spectre vulnerability

#7 Post by calinb »

Downloaded from github and my new Intel mobile quad core Pentium running MX-17 and old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely.

I wonder when the new kernels will float downstream to MX to at least reduce my vulnerabilities. I was hoping I could just use my Atom for javascript browsing. I just installed fresh Ubuntu Mate on my PPC G4 Mac-Mini. Maybe it's safe from S&M. Too bad PPC support is dropping like flies--especially given S&M these days.

Stevo
Developer

Re: Script to check for Meltdown and/or Spectre vulnerability

#8 Post by Stevo »

Just backported the latest intel-microcode from Sid, the script is now a little better:

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES

For my i5-6200U CPU.

The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.
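
The checker's verdict after a microcode or kernel update can be cross-checked against what the kernel itself reports. The script below is an added example, not part of the original post or of the spectre-meltdown-checker project; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the checker project: read the kernel's
# own mitigation report and the loaded microcode revision. Both functions take
# a path so they can run on saved copies; with no argument they read the live
# system (assumes a kernel that exposes the sysfs vulnerabilities directory).

# Print "name: status" per entry. Returns 2 if the directory is missing,
# 1 if any entry starts with "Vulnerable", 0 otherwise.
vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no kernel report at $dir" >&2; return 2; }
    worst=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "${f##*/}" "$status"
        case "$status" in Vulnerable*) worst=1 ;; esac
    done
    return "$worst"
}

# Print the microcode revision of the first CPU in a cpuinfo-format file.
# Compare the value before and after the reboot that loads a new package.
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Constructed sample data (not output from any machine in the thread).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/vulnerabilities"
    echo 'Mitigation: PTI' > "$d/vulnerabilities/meltdown"
    echo 'Vulnerable' > "$d/vulnerabilities/spectre_v1"
    echo 'Mitigation: Full generic retpoline' > "$d/vulnerabilities/spectre_v2"
    printf 'processor\t: 0\nmodel name\t: Sample CPU\nmicrocode\t: 0xc2\n' > "$d/cpuinfo"
    echo "$d"
}

sample=$(make_sample)
vuln_report "$sample/vulnerabilities" || echo "at least one entry is not mitigated"
echo "microcode revision: $(microcode_rev "$sample/cpuinfo")"
rm -rf "$sample"
```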

Stevo
Developer

Re: Script to check for Meltdown and/or Spectre vulnerability

#9 Post by Stevo »

calinb wrote: Downloaded from github and my new Intel mobile quad core Pentium running MX-17 and old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely.

I wonder when the new kernels will float downstream to MX to at least reduce my vulnerabilities. I was hoping I could just use my Atom for javascript browsing. I just installed fresh Ubuntu Mate on my PPC G4 Mac-Mini. Maybe it's safe from S&M. Too bad PPC support is dropping like flies--especially given S&M these days.

The changes in the kernels to mitigate Meltdown are currently only for 64-bit. It's hard to find any explanation online as to why this situation happened, though. O̶n̶e̶ ̶A̶r̶c̶h̶ ̶u̶s̶e̶r̶ ̶r̶e̶p̶o̶r̶t̶s̶ ̶t̶h̶a̶t̶ ̶h̶i̶s̶ ̶3̶2̶-̶b̶i̶t̶ ̶k̶e̶r̶n̶e̶l̶ ̶h̶a̶s̶ ̶K̶P̶T̶I̶ ̶m̶i̶t̶i̶g̶a̶t̶i̶o̶n̶ ̶w̶o̶r̶k̶i̶n̶g̶.̶.̶.̶w̶h̶i̶c̶h̶ ̶s̶e̶e̶m̶s̶ ̶o̶d̶d̶,̶ ̶s̶i̶n̶c̶e̶ ̶I̶ ̶t̶h̶o̶u̶g̶h̶t̶ ̶A̶r̶c̶h̶ ̶d̶r̶o̶p̶p̶e̶d̶ ̶3̶2̶-̶b̶i̶t̶ ̶s̶u̶p̶p̶o̶r̶t̶.̶ Edit: Sorry, it was a 64-bit kernel, my mistake.

calinb

Re: Script to check for Meltdown and/or Spectre vulnerability

#10 Post by calinb »

Stevo wrote: The changes in the kernels to mitigate Meltdown are currently only for 64-bit. It's hard to find any explanation online as to why this situation happened, though. O̶n̶e̶ ̶A̶r̶c̶h̶ ̶u̶s̶e̶r̶ ̶r̶e̶p̶o̶r̶t̶s̶ ̶t̶h̶a̶t̶ ̶h̶i̶s̶ ̶3̶2̶-̶b̶i̶t̶ ̶k̶e̶r̶n̶e̶l̶ ̶h̶a̶s̶ ̶K̶P̶T̶I̶ ̶m̶i̶t̶i̶g̶a̶t̶i̶o̶n̶ ̶w̶o̶r̶k̶i̶n̶g̶.̶.̶.̶w̶h̶i̶c̶h̶ ̶s̶e̶e̶m̶s̶ ̶o̶d̶d̶,̶ ̶s̶i̶n̶c̶e̶ ̶I̶ ̶t̶h̶o̶u̶g̶h̶t̶ ̶A̶r̶c̶h̶ ̶d̶r̶o̶p̶p̶e̶d̶ ̶3̶2̶-̶b̶i̶t̶ ̶s̶u̶p̶p̶o̶r̶t̶.̶ Edit: Sorry, it was a 64-bit kernel, my mistake.
Good info, Stevo. Thanks! Hopefully at least 64-bit will be along soon. I could build a kernel myself, but haven't done it in years. If I resort to rolling my own, hopefully it will not be difficult to make a more resistant 32-bit kernel too. From my past experiences, the Gentoo forum may be of some assistance. Gentoo still supports PPC!

Speaking of PPC, I did a little research and I could find no one who has demonstrated a vulnerability in my Mac Mini's 7447a PPC CPU. It may be a case of not enough attention though, which is both bad and good (less helpful research but also not a prime target for hackers). An attack has been demonstrated on a G5 CPU, however, but the same attack reportedly leaked nothing from a 7447a.
