Script to check for Meltdown and/or Spectre vulnerability

timkb4cq
Forum Veteran
Posts: 3938
Joined: Wed Jul 12, 2006 4:05 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#11 Postby timkb4cq » Fri Jan 12, 2018 6:36 pm

Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.

n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
MSI 970A-G43 MB, AMD FX-6300 (six core), 16GB RAM, GeForce 730, Samsung 850 EVO 250GB SSD, Seagate Barracuda XT 3TB

Stevo
Forum Veteran
Posts: 14103
Age: 59
Joined: Fri Dec 15, 2006 8:07 pm

Re: Script to check for Meltdown and/or Spectre vulnerability

#12 Postby Stevo » Fri Jan 12, 2018 6:42 pm

We have the fixed 4.14 kernel already available, or easy ways to install the fixed standard Debian release or backports kernels, but we aren't forcing the upgrades right now. Our last few 4.14 Liquorix kernels also support KPTI for 64-bit.

I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.

asqwerth
Forum Guide
Posts: 2320
Joined: Sun May 27, 2007 5:37 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#13 Postby asqwerth » Fri Jan 12, 2018 10:30 pm

calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...


Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400

calinb
Forum Novice
Posts: 64
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#14 Postby calinb » Sat Jan 13, 2018 1:30 am

asqwerth wrote:
calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...


Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.

That's what puzzled me about the script's output. It said my Atom was vulnerable to Spectre (Variant 1 and 2) and also Meltdown (Variant 3) with both current MX-16 PAE and Liquorix kernels.

calinb
Forum Novice
Posts: 64
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#15 Postby calinb » Sat Jan 13, 2018 1:43 am

timkb4cq wrote:Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.

n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...

Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
https://tenfourfox.blogspot.com/2018/01/more-about-spectre-and-powerpc-or-why.html

The comments on the page are somewhat encouraging too. If I had a little more time on my hands, I'd try to compile some of the PPC test code myself. I am actually thinking about trying to do all my online shopping, banking, and financial stuff on my old Mac Mini running Ubuntu Mate 16.04 LTS. By the time the LTS runs out, I anticipate that new CPU architectures will be available or maybe Gentoo will keep my Mac Mini running on the cheap! PPC is just about dead now in GNU/Linux land, though BSD distros will probably keep it going longer.

calinb
Forum Novice
Posts: 64
Joined: Tue Jun 27, 2017 1:57 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#16 Postby calinb » Sat Jan 13, 2018 1:48 am

Stevo wrote:<snip>
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.

Thanks again, Stevo. That is really a bummer, because sometimes I really appreciate the small size of my Atom netbook and the script is saying it's vulnerable to all three variants, but maybe the script is wrong about the Meltdown variant and my netbook's old Atom CPU.

stsoh
Forum Regular
Posts: 138
Joined: Sun Aug 20, 2017 10:11 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#17 Postby stsoh » Sat Jan 13, 2018 6:27 am

Stevo wrote:Just backported the latest intel-microcode from Sid, the script is now a little better:

Code:

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES


For my i5-6200U CPU.

The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.


It does not resolve this for an old CPU; it is as vulnerable as before after the updated intel-microcode.

Code:

2018-01-13  12:32:08  upgrade  intel-microcode                           amd64  3.20171215.1~mx17+1             3.20180108.1~mx17+1


Code:

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.14.0-13.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-16 (2018-01-11) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 34 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Intel Dual core E5400, cache 2MB, 3145MHz, 8GB RAM
Mesa DRI Intel G41, RTL8169 PCI Gigabit, Intel NM10/ICH7HD Audio
being wise, does not means u r not dumb.
being dumb, does not means u r not wise.
easy to blame other than to admit own fault.
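
Added example, not part of the original thread or of the checker project: a shell filter that reduces a report in the v0.27 format pasted above to one line per CVE, so "vulnerable to which?" can be answered at a glance. The function names are hypothetical and the embedded sample is abridged from the report in the post.

```shell
#!/bin/sh
# Added example (not from the thread or the checker project).
# summarize_checker / vulnerable_cves / sample_output are hypothetical names.

summarize_checker() {
    # stdin: checker report. Strip ANSI colour codes in case they are present.
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" | awk '
        /^CVE-[0-9]+-[0-9]+ / {            # section header line
            cve = $1
            name = substr($0, index($0, "[") + 1)
            name = substr(name, 1, index(name, "]") - 1)
            next
        }
        /^> STATUS:/ && cve != "" {        # verdict for the current section
            status = $0
            sub(/^> STATUS:[ \t]*/, "", status)
            sub(/[ \t]*\(.*$/, "", status)  # drop the "(reason)" tail
            printf "%s\t%s\t%s\n", cve, name, status
            cve = ""
        }'
}

vulnerable_cves() {
    # Compare the status field exactly: grepping for VULNERABLE would also
    # count "NOT VULNERABLE" sections.
    summarize_checker | awk -F '\t' '$3 == "VULNERABLE" { print $1 }'
}

sample_output() {
    # Abridged from the report pasted in the post above.
    cat <<'EOF'
Spectre and Meltdown mitigation detection tool v0.27

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 34 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
EOF
}

sample_output | summarize_checker
```

Piping a saved report through `vulnerable_cves` lists only the CVE ids whose verdict is exactly VULNERABLE, which makes before/after comparisons across a kernel or microcode update straightforward.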

vamsi
Forum Regular
Posts: 292
Joined: Thu Apr 13, 2017 2:50 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#18 Postby vamsi » Sat Jan 13, 2018 7:55 am

I installed the MX 4.14 kernel from the package installer. Before installing, I got output that my system is vulnerable, and after installing it also showed the same output, VULNERABLE. By the way, I am using 32-bit.

By the way, what is the meaning of this in dolphin's post?
Updated kernels are also available for our 32 bit versions, but be advised that there have not been any upstream 32 bit patches for meltdown made available as yet.


I installed MX 4.14 Kernel

Code:

$ uname -r
4.14.0-3-686-pae


Then my system is still vulnerable??

asqwerth
Forum Guide
Posts: 2320
Joined: Sun May 27, 2007 5:37 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#19 Postby asqwerth » Sat Jan 13, 2018 8:07 am

Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.
Desktop: Intel i5-4460, 16GB RAM, Intel integrated graphics
Clevo N130WU-based Ultrabook: Intel i7-8550U (Kaby Lake R), 16GB RAM, Intel integrated graphics (UEFI)
ASUS X42D laptop: AMD Phenom II, 6GB RAM, Mobility Radeon HD 5400

vamsi
Forum Regular
Posts: 292
Joined: Thu Apr 13, 2017 2:50 am

Re: Script to check for Meltdown and/or Spectre vulnerability

#20 Postby vamsi » Sat Jan 13, 2018 8:47 am

asqwerth wrote:Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.


Thanks, asqwerth. Then there is no use in installing the MX-4.14 kernel, so I think I need to uninstall it.

