Script to check for Meltdown and/or Spectre vulnerability
Re: Script to check for Meltdown and/or Spectre vulnerability
Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.
n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB
Re: Script to check for Meltdown and/or Spectre vulnerability
We have the fixed 4.14 kernel already available, or easy ways to install the fixed standard Debian release or backports kernels, but we aren't forcing the upgrades right now. Our last few 4.14 Liquorix kernels also support KPTI for 64-bit.
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.
Re: Script to check for Meltdown and/or Spectre vulnerability
Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400
Re: Script to check for Meltdown and/or Spectre vulnerability
That's what puzzled me about the script's output. It said my Atom was vulnerable to Spectra (Variant 1 and 2) and also Meltdown (Variant 3) with both current MX-16 PAE and Liquorix kernels.asqwerth wrote:Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Re: Script to check for Meltdown and/or Spectre vulnerability
Yes--I suspect that you may have already stumbled upon this page, timkb4cq:timkb4cq wrote:Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.
n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
https://tenfourfox.blogspot.com/2018/01 ... r-why.html
The comments on the page are somewhat encouraging too. If I had a little more time on my hands, I'd try to compile some of the PPC test code myself. I am actually thinking about trying to do all my online shopping, banking, and financial stuff on my old Mac Mini running Ubuntu Mate 16.04 LTS. By the time the LTS runs out, I anticipate that new CPU architectures will be available or maybe Gentoo will keep my Mac Mini running on the cheap! PPC is just about dead now in GNU/Linux land, though BSD distros will probably keep it going longer.
Re: Script to check for Meltdown and/or Spectre vulnerability
Thanks again, Stevo. That is really a bummer, because sometimes I really appreciate the small size of my Atom netbook and the script is saying it's vulnerable to all three variants, but maybe the script is wrong about the Meltdown variant and my netbook's old Atom CPU.Stevo wrote:<snip>
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.
Re: Script to check for Meltdown and/or Spectre vulnerability
does not resolve for old cpu, it is vulnerable as b4 after updated intel-microcode.Stevo wrote:Just backported the latest intel-microcode from Sid, the script is now a little better:
For my i5-6200U CPU.Code: Select all
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' * Mitigation 1 * Hardware (CPU microcode) support for mitigation: YES
The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.
Code: Select all
2018-01-13 12:32:08 upgrade intel-microcode amd64 3.20171215.1~mx17+1 3.20180108.1~mx17+1
Code: Select all
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.14.0-13.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-16 (2018-01-11) x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 34 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
MX-17.1_x64 Horizon, G41M-P33 Combo (MS-7592), Pentium E5400 (2706 MHz), 8Gb RAM (984 MT/s),
Intel 4 Series Integrated Graphics, Realtek PCIe Fast RTL8101/2/6E, PCI Gigabit RTL8169 Ethernets.
Accepted Linux when i found MX-Linux in 2016.
Intel 4 Series Integrated Graphics, Realtek PCIe Fast RTL8101/2/6E, PCI Gigabit RTL8169 Ethernets.
Accepted Linux when i found MX-Linux in 2016.
Re: Script to check for Meltdown and/or Spectre vulnerability
Installed MX 4.14 kernel from package installer and before installing i got output that my system is vulnerable and after installing also it showed same output VULNERABLE by the way i am using 32 bit
By the way what is the meaning of this in the dolphin's post
Then my system is still vulnerable ??
By the way what is the meaning of this in the dolphin's post
I installed MX 4.14 KernelUpdated kernels are also available for our 32 bit versions, but be advised that there have not been any upstream 32 bit patches for meltdown made available as yet.
Code: Select all
$ uname -r
4.14.0-3-686-pae
Re: Script to check for Meltdown and/or Spectre vulnerability
Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400
Re: Script to check for Meltdown and/or Spectre vulnerability
Thanks asqwerth then it is no use in installing MX-4.14 kernel then i think i need to uninstall itasqwerth wrote:Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.