Script to check for Meltdown and/or Spectre vulnerability

caprea
Posts: 146
Joined: Sat Aug 23, 2014 7:01 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#21 Post by caprea »

Thanks asqwerth. Then it is no use installing the MX-4.14 kernel; I think I need to uninstall it.
It seems there is a patched 32bit antix-kernel
https://www.antixforum.com/spectre-and- ... -upgrades/

I just installed the Debian 3.16 64bit kernel on mx-16 from the mx-package installer.
It still shows it is vulnerable for three vulnerabilities.
Then I tried the 4.9.0-0.bpo.5-amd64, this worked.
The 3.16 most certainly not.

timkb4cq
Developer
Posts: 3186
Joined: Wed Jul 12, 2006 4:05 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#22 Post by timkb4cq »

calinb wrote:
> Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
> https://tenfourfox.blogspot.com/2018/01 ... r-why.html

Nope, missed that one. I just searched for info about 7447a speculative instructions & wound up here:
https://www.nxp.com/docs/en/application-note/AN2797.pdf
Nothing directly about Spectre, just the basics about how the processor works. As I said, if I understand the architecture correctly I don't see much of a footprint for a remote attacker to retrieve any targeted data. Maybe a few bytes that a library function exposes, but I doubt they could load the cache with anything useful given the chipset's limitations on speculative execution.
HP Pavillion TP01, AMD Ryzen 3 5300G (quad core), Crucial 500GB SSD, Toshiba 6TB 7200rpm
Dell Inspiron 15, AMD Ryzen 7 2700u (quad core). Sabrent 500GB nvme, Seagate 1TB

kmathern
Developer
Posts: 2402
Joined: Wed Jul 12, 2006 2:26 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#23 Post by kmathern »

caprea wrote:
> Thanks asqwerth. Then it is no use installing the MX-4.14 kernel; I think I need to uninstall it.
> It seems there is a patched 32bit antix-kernel
> https://www.antixforum.com/spectre-and- ... -upgrades/
>
> I just installed the Debian 3.16 64bit kernel on mx-16 from the mx-package installer.
> It still shows it is vulnerable for three vulnerabilities.
> Then I tried the 4.9.0-0.bpo.5-amd64, this worked.
> The 3.16 most certainly not.

I'm seeing the same here.

For the default Debian Jessie 3.16 kernel, the 3.16.0-5 update has the kpti patches according to this: https://tracker.debian.org/news/900500 (near the bottom of that page).

And apt-cache policy shows that the 3.16.0-5 update is in the repos

Code:

$ apt-cache policy linux-image-3.16.0-5-amd64
linux-image-3.16.0-5-amd64:
  Installed: (none)
  Candidate: 3.16.51-3+deb8u1
  Version table:
     3.16.51-3+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages

But when I run MXPI I see that it's trying to install the 3.16.0-4 version packages:

Code:

Script started, file is /var/log/mxpi.log
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libfile-homedir-perl libfile-which-perl
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-common linux-kbuild-3.16
Suggested packages:
  linux-doc-3.16 debian-kernel-handbook
Recommended packages:
  irqbalance
The following NEW packages will be installed:
  linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-amd64 linux-headers-3.16.0-4-common
  linux-image-3.16.0-4-amd64 linux-kbuild-3.16
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 39.6 MB of archives.
After this operation, 190 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Paul..
Posts: 1777
Joined: Sun Mar 18, 2007 6:34 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#24 Post by Paul.. »

Glad you brought this up, Kent. Will change the script for EDIT: 4.9.0-4-amd64 to 4.9.0-5-amd64 shortly.

-pc

Asus Prime X570-Pro | AMD Ryzen 7 3700X
16 Gig DDR4 3600 | Radeon RX 5600 XT Graphics
Samsung 860 500GB SSDs (2)
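
The mismatch reported in posts #23 and #24, as an added example that is not part of the thread or of MXPI: a shell check that reads apt's output and flags any linux-image package whose ABI number is below the one the posts name as the fixed one. The function names, verdict labels and the embedded sample (cut from the transcript in #23) are assumptions of this example.

```shell
# Added example, not from the thread: read apt output on stdin and report
# whether each linux-image package it will install reaches the ABI the posts
# above name as the fixed one (3.16.0-5 in #23, 4.9.0-5 in #21 and #24).
min_abi() {
    case "$1" in 3.16.0|4.9.0) echo 5 ;; esac   # other series: unknown
}

# classify_pkg linux-image-<series>-<abi>-<arch>  ->  "<pkg> <verdict>"
classify_pkg() {
    rest=${1#linux-image-}
    series=${rest%%-*}
    abi=${rest#*-}; abi=${abi%%-*}
    abi=${abi#0.bpo.}                 # backports write ABI 5 as "0.bpo.5"
    want=$(min_abi "$series")
    verdict=unknown
    case "$abi" in ''|*[!0-9]*) want= ;; esac   # non-numeric ABI stays unknown
    if [ -n "$want" ]; then
        if [ "$abi" -ge "$want" ]; then verdict=kpti-abi; else verdict=pre-kpti-abi; fi
    fi
    echo "$1 $verdict"
}

# Pull the package names listed under apt's "NEW packages" heading.
check_apt_log() {
    awk '
        /^The following NEW packages will be installed:/ { in_new = 1; next }
        in_new && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { in_new = 0 }
    ' | while read -r pkg; do
        case "$pkg" in linux-image-*) classify_pkg "$pkg" ;; esac
    done
}

# Constructed sample: the relevant lines of the MXPI transcript in post #23.
sample_log() {
    cat <<'EOF'
The following NEW packages will be installed:
  linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-amd64 linux-headers-3.16.0-4-common
  linux-image-3.16.0-4-amd64 linux-kbuild-3.16
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
EOF
}

sample_log | check_apt_log
```

The ABI number in the package name is only a proxy; the verdict says which package apt picked, not whether the running kernel has page-table isolation enabled.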

calinb
Posts: 74
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#25 Post by calinb »

timkb4cq wrote:
> calinb wrote:
> > Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
> > https://tenfourfox.blogspot.com/2018/01 ... r-why.html
>
> Nope, missed that one. I just searched for info about 7447a speculative instructions & wound up here:
> https://www.nxp.com/docs/en/application-note/AN2797.pdf.
>
> <snip>

Haha--and that's a good AP Note, timkb4cq. I'll archive it. Thanks!

I tend to agree with you about low risk with the 7447a and I'm actually less comfortable with any "early days" Meltdown or Spectre patches. Validation of these complex things takes far longer than the time these bugs have even been publicly known!

I'm not a CPU architect either but I worked at Intel for over 20 years and attended Chief P6 Architect Bob Colwell's internal P6 architecture classes. Back then I worked in P6 validation (for a couple plus years, and my experience in that job is the reason I say that my confidence in Meltdown and Spectre patches is low right now).

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#26 Post by Stevo »

> It seems there is a patched 32bit antix-kernel
> https://www.antixforum.com/spectre-and- ... -upgrades/

I'm fairly certain that any current 32-bit kernel does not support the Meltdown kpti mitigation. I think the antiX announcement should be changed to make this clear. But I hope that someone can prove me wrong!

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#27 Post by Stevo »

A user on the Debian forums emailed and got a reply from one of the developers of the KPTI patch in the kernel:
> Hi,
> I'm writing to you because I noticed your involvement with the KPTI/KAISER
> patches. Across several varieties of linux distributions, users have
> noticed that kpti is impossible to enable because it depends on x86_64.
> Many of us are concerned that we are running 32-bit systems that are
> still vulnerable to meltdown; we are also concerned because it's a
> handful of users who have brought this to light, and major news and
> information from our distros are keeping silent on the topic. We are all
> wondering if you could shed some light: in particular, is x86 vulnerable?

Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.

Sorry that I can't tell you better news.

Thanks,

Thomas

So that's the situation now.

azrielle
Posts: 162
Joined: Mon Feb 15, 2016 6:34 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#28 Post by azrielle »

Stevo wrote:
> A user on the Debian forums emailed and got a reply from one of the developers of the KPTI patch in the kernel:
> the
> vast majority of systems, especially the most endangered cloud stuff, runs
> 64bit.

From a practical perspective, 32bit is a lot less likely to be attacked for that very reason. Plus, 32bit MX uses about 70MB less RAM!
Lenovo T430 i5/3320m 8GB MX17.1/Win7SP1 180GB SSD/128GB mSATA
Lenovo X230 i7/3520m 12GB MX17.1/Win7SP1 500GB SSD 480GB mSATA
Lenovo X131e i3/3227u 8GB MX21Xfce/Win7SP1 500GB SSD
Lenovo 11e Celeron n3150 4GB MX19/Fedora30Games 128GB SSD

Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#29 Post by Stevo »

Plus 32-bit users really don't need whatever slowdown kpti inflicts on their system, too.

calinb
Posts: 74
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#30 Post by calinb »

asqwerth wrote:
> calinb wrote:
> > Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
>
> Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.

Update:
According to /proc/cpuinfo and Intel's Impacted Intel Systems list (and contrary to what the script here reported) my Atom N455 MX-16 system is not impacted. The impacted Intel Atom CPUs are:
  • Intel Atom® processor C series
  • Intel Atom® processor E series
  • Intel Atom® processor A series
  • Intel Atom® processor x3 series
  • Intel Atom® processor Z series
Scroll to the bottom here for the complete list:
https://www.intel.com/content/www/us/en ... cts.html#4

So between my Atom N455 :turtle: and PPC G4 :snail: I think old and slow CPUs rock! Good thing my Big Board II and old Kaypro machines quit working decades ago or I'd probably be running CPM too. :spinning: