Page 2 of 4

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Fri Jan 12, 2018 6:36 pm
by timkb4cq
Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.

n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Fri Jan 12, 2018 6:42 pm
by Stevo
We have the fixed 4.14 kernel already available, or easy ways to install the fixed standard Debian release or backports kernels, but we aren't forcing the upgrades right now. Our last few 4.14 Liquorix kernels also support KPTI for 64-bit.

I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Fri Jan 12, 2018 10:30 pm
by asqwerth
calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...


Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 1:30 am
by calinb
asqwerth wrote:
calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...


Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.

That's what puzzled me about the script's output. It said my Atom was vulnerable to Spectra (Variant 1 and 2) and also Meltdown (Variant 3) with both current MX-16 PAE and Liquorix kernels.

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 1:43 am
by calinb
timkb4cq wrote:Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.

n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...

Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
https://tenfourfox.blogspot.com/2018/01/more-about-spectre-and-powerpc-or-why.html

The comments on the page are somewhat encouraging too. If I had a little more time on my hands, I'd try to compile some of the PPC test code myself. I am actually thinking about trying to do all my online shopping, banking, and financial stuff on my old Mac Mini running Ubuntu Mate 16.04 LTS. By the time the LTS runs out, I anticipate that new CPU architectures will be available or maybe Gentoo will keep my Mac Mini running on the cheap! PPC is just about dead now in GNU/Linux land, though BSD distros will probably keep it going longer.

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 1:48 am
by calinb
Stevo wrote:<snip>
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.

Thanks again, Stevo. That is really a bummer, because sometimes I really appreciate the small size of my Atom netbook and the script is saying it's vulnerable to all three variants, but maybe the script is wrong about the Meltdown variant and my netbook's old Atom CPU.

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 6:27 am
by stsoh
Stevo wrote:Just backported the latest intel-microcode from Sid, the script is now a little better:

Code: Select all

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES


For my i5-6200U CPU.

The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.


does not resolve for old cpu, it is vulnerable as b4 after updated intel-microcode.

Code: Select all

2018-01-13  12:32:08  upgrade  intel-microcode                           amd64  3.20171215.1~mx17+1             3.20180108.1~mx17+1


Code: Select all

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.14.0-13.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-16 (2018-01-11) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 34 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 7:55 am
by vamsi
Installed MX 4.14 kernel from package installer and before installing i got output that my system is vulnerable and after installing also it showed same output VULNERABLE by the way i am using 32 bit

By the way what is the meaning of this in the dolphin's post
Updated kernels are also available for our 32 bit versions, but be advised that there have not been any upstream 32 bit patches for meltdown made available as yet.


I installed MX 4.14 Kernel

Code: Select all

$ uname -r
4.14.0-3-686-pae


Then my system is still vulnerable ??

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 8:07 am
by asqwerth
Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.

Re: Script to check for Meltdown and/or Spectre vulnerability

Posted: Sat Jan 13, 2018 8:47 am
by vamsi
asqwerth wrote:Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.


Thanks asqwerth then it is no use in installing MX-4.14 kernel then i think i need to uninstall it