
[Solved] Meltdown and Spectre Vulnerabilities


It is confusing, because it says cpu_insecure, but you are not vulnerable because it's using KPTI.

cpu_insecure == Safe
Because that’s logical /s

(David) #22

LOL. Thank you for the clarification… At least I can be sure the WP article is not spreading BS about which Linux versions are vulnerable and which ones have the KPTI patches already in place.


@silvernode You can also check /proc/config.gz to see with which options your currently running kernel was built or /boot/config-* to see the options for all installed kernels.

And if you want to check before installing you can use something like

xbps-query -R --cat /boot/config-4.14.12_3 linux4.14
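As an added example (not code from this thread, from Void, or from the checker script discussed below), here is the config check described in the post above as a small POSIX sh script. It reads either the gzip'd /proc/config.gz or a plain /boot/config-* file and tests for CONFIG_PAGE_TABLE_ISOLATION, reads the cpuinfo "bugs" field that caused the cpu_insecure confusion earlier in the thread, and combines the two into one verdict. File paths are parameters so it can be pointed at saved copies of another machine's files; the sample cpuinfo lines mentioned in the comments are constructed, not taken from any poster's machine.

```shell
#!/bin/sh
# Added example for this thread; not code from Void or from spectre-meltdown-checker.
# Answers two questions from files alone:
#   1. Was this kernel built with page table isolation?  (config file)
#   2. Does the kernel consider this CPU affected?       (/proc/cpuinfo "bugs")

# kernel_config_has OPTION [CONFIG_FILE]
# Succeeds only for "OPTION=y" or "OPTION=m"; "# OPTION is not set" and
# commented lines fail. Returns 2 when the file is unreadable, e.g. a kernel
# built without IKCONFIG_PROC has no /proc/config.gz at all.
kernel_config_has() {
    opt=$1
    cfg=${2:-/proc/config.gz}
    [ -r "$cfg" ] || return 2
    case $cfg in
        *.gz) gzip -dc "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -q "^${opt}=[ym]\$"
}

# cpu_bugs [CPUINFO_FILE]
# Prints the "bugs" field of the first CPU. The 4.14.11/4.14.12 kernels in this
# thread list an affected CPU as cpu_insecure; later kernels renamed it
# cpu_meltdown and added spectre_v1/spectre_v2. An empty field on an old kernel
# means "the kernel does not know", not "safe".
cpu_bugs() {
    cpuinfo=${1:-/proc/cpuinfo}
    [ -r "$cpuinfo" ] || return 2
    awk -F':' '{ k=$1; gsub(/[ \t]/, "", k) }
               k == "bugs" { v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$cpuinfo"
}

# meltdown_status [CONFIG_FILE] [CPUINFO_FILE]
# Prints one of:
#   mitigated    CPU is flagged and the kernel was built with PTI
#   VULNERABLE   CPU is flagged and the kernel lacks PTI (or config unreadable)
#   not-flagged  kernel does not list this CPU as affected (or is too old to know)
# Caveat: CONFIG_PAGE_TABLE_ISOLATION=y is a build-time fact. PTI can still be
# turned off at boot with "nopti" or "pti=off"; newer kernels report the runtime
# state in /sys/devices/system/cpu/vulnerabilities/meltdown.
meltdown_status() {
    cfg=${1:-/proc/config.gz}
    cpuinfo=${2:-/proc/cpuinfo}
    case " $(cpu_bugs "$cpuinfo") " in
        *" cpu_insecure "*|*" cpu_meltdown "*)
            if kernel_config_has CONFIG_PAGE_TABLE_ISOLATION "$cfg"; then
                echo mitigated
            else
                echo VULNERABLE
            fi ;;
        *)  echo not-flagged ;;
    esac
}

# Stand-alone use: report on the running kernel.
# meltdown_status
```

Run with no arguments on the live system, or pass a config file and a saved cpuinfo to check another machine. The point the thread circles around is visible in the last function: cpu_insecure in the bugs field is what tells the kernel to turn PTI on, so "cpu_insecure plus CONFIG_PAGE_TABLE_ISOLATION=y" is the mitigated state, not the vulnerable one.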



Right. It would be nice to have these in place though, no?


Void has already got them now:


They haven’t rolled out yet, at least not to me (on either musl or glibc).


Now they have!


Yep, got them now!


Well, do we really need to replace our CPU for the Spectre vuln? Looks like Raspberry Pi is safe on both attacks.

(Silvernode) #30

That’s a really useful command. I expect xbps to have a lot of power because of the things I have seen it do, but this is just beyond what I expected. Thanks

(jacky) #31

How to check Linux for Spectre and Meltdown vulnerability

$ git clone https://github.com/speed47/spectre-meltdown-checker.git

Cloning into ‘spectre-meltdown-checker’…
remote: Counting objects: 158, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 158 (delta 20), reused 22 (delta 10), pack-reused 125
Receiving objects: 100% (158/158), 52.25 KiB | 252.00 KiB/s, done.
Resolving deltas: 100% (90/90), done.

[jacky@machina spectre-meltdown-checker]$ sudo sh spectre-meltdown-checker.sh

Spectre and Meltdown mitigation detection tool v0.16

Checking vulnerabilities against Linux 4.14.11_1 #1 SMP PREEMPT Wed Jan 3 16:59:01 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’

  • Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 31 opcodes found, should be >= 70)


CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’

  • Mitigation 1
  • Hardware (CPU microcode) support for mitigation: NO
  • Kernel support for IBRS: NO
  • IBRS enabled for Kernel space: NO
  • IBRS enabled for User space: NO
  • Mitigation 2
  • Kernel compiled with retpoline option: NO
  • Kernel compiled with a retpoline-aware compiler: NO

STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’

  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: YES

STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

2 tests out of 3 didn't pass!!!

(jacky) #32

the official github page


Who audits the auditors?

(Ben Hsu) #34

speed47's checker script is just a shell script of about 500 lines of code. It looks well written and covers most of the error paths (unlike the Intel ME vulnerability checker by Intel; there's a separate thread on that).

I reviewed the code very briefly - it looks okay. I will give it a +1.

(jacky) #35

Thanks for the reply…


So, any way to get away with Spectre? Or just burn my CPU?

(jacky) #37


Use NoScript: https://noscript.net/getit

or, if you don't want to spend a lot of time tweaking, use uBlock Origin easy mode: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-easy-mode

Disabling JavaScript altogether with NoScript is the most secure but will break a lot of sites. uBlock Origin easy mode strikes a good balance for me.

(jacky) #39

Intel Releases Processor Microcode Patch for Linux OSes

To update the microcode.dat to the system, you will need to first ensure the existence of /dev/cpu/microcode and then write microcode.dat to the file with the dd if=microcode.dat of=/dev/cpu/microcode bs=1M command in a terminal emulator. Once the writing process is complete, you will have to reboot your computer for any changes to take effect

The updated microcode archive also contains an intel-ucode folder, which is the second method of installing the microcode, supported by most modern GNU/Linux distributions. To update this way, ensure the existence of /sys/devices/system/cpu/microcode/reload, copy the entire intel-ucode directory to /lib/firmware, overwriting the files in /lib/firmware/intel-ucode/, write 1 to the reload interface to reload the microcode files (e.g. echo 1 > /sys/devices/system/cpu/microcode/reload), and reboot.


xbps-install intel-ucode
The date on this is 20180108_1.
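An added example, not part of this thread and not the Void intel-ucode package's scripts or Intel's instructions: whichever of the two installation routes quoted above is used, the step worth doing afterwards is verifying that the CPU is now running a different microcode revision, because files under /lib/firmware prove nothing by themselves, and the checker's "Hardware (CPU microcode) support for mitigation: NO" line only changes once the new revision is actually loaded. The POSIX sh script below derives the intel-ucode blob name Intel uses for this CPU, checks the blob is present, and reads the running revision from cpuinfo for a before/after comparison. File and directory paths are parameters so it can run against saved copies; the cpuinfo contents referred to in the comments are constructed samples.

```shell
#!/bin/sh
# Added example for this thread; not code from Void's intel-ucode package or from Intel.
# Verifies a microcode update instead of assuming it worked.

# cpuinfo_field CPUINFO_FILE KEY -> value of KEY for the first CPU listed
# Exact key match, so "model" does not pick up the "model name" line.
cpuinfo_field() {
    awk -F':' -v key="$2" '
        { k=$1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v=$2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# intel_ucode_filename [CPUINFO_FILE]
# Intel ships one blob per family-model-stepping, named FF-MM-SS in hex,
# e.g. family 6, model 60, stepping 3 -> 06-3c-03. Fails on non-Intel CPUs.
intel_ucode_filename() {
    cpuinfo=${1:-/proc/cpuinfo}
    [ -r "$cpuinfo" ] || return 2
    [ "$(cpuinfo_field "$cpuinfo" vendor_id)" = "GenuineIntel" ] || return 1
    fam=$(cpuinfo_field "$cpuinfo" "cpu family")
    model=$(cpuinfo_field "$cpuinfo" model)
    step=$(cpuinfo_field "$cpuinfo" stepping)
    [ -n "$fam" ] && [ -n "$model" ] && [ -n "$step" ] || return 1
    printf '%02x-%02x-%02x\n' "$fam" "$model" "$step"
}

# microcode_revision [CPUINFO_FILE] -> revision the first CPU is running, e.g. 0x22
# Record this before installing and again after the reboot; if it did not
# change, the new blob was not loaded (or Intel shipped none for this CPU).
microcode_revision() {
    cpuinfo=${1:-/proc/cpuinfo}
    [ -r "$cpuinfo" ] || return 2
    cpuinfo_field "$cpuinfo" microcode
}

# ucode_blob_present [CPUINFO_FILE] [FIRMWARE_DIR]
# Succeeds if the blob this CPU would load exists under FIRMWARE_DIR.
ucode_blob_present() {
    cpuinfo=${1:-/proc/cpuinfo}
    fwdir=${2:-/lib/firmware/intel-ucode}
    name=$(intel_ucode_filename "$cpuinfo") || return 1
    [ -f "$fwdir/$name" ]
}

# all_cpus_same_revision [CPUINFO_FILE]
# After a late reload through the sysfs "reload" file every core should report
# the same revision; a mix means the update only partly applied.
all_cpus_same_revision() {
    cpuinfo=${1:-/proc/cpuinfo}
    [ -r "$cpuinfo" ] || return 2
    n=$(awk -F':' '{ k=$1; gsub(/[ \t]/, "", k) }
                   k == "microcode" { v=$2; gsub(/[ \t]/, "", v); print v }' "$cpuinfo" \
        | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Stand-alone use on the live system:
# echo "blob: $(intel_ucode_filename)  present: $(ucode_blob_present && echo yes || echo no)"
# echo "running revision: $(microcode_revision)"
# all_cpus_same_revision && echo "all cores agree" || echo "revision mismatch between cores"
```

Two notes on the quoted procedure. Writing the blob to /dev/cpu/microcode with dd is the legacy interface; the intel-ucode directory route is what distribution packages such as Void's intel-ucode use, and distributions normally load it early from the initramfs rather than through the sysfs reload file, so a reboot is the expected way for the new revision to appear. And if the revision stays the same after a reboot even though the blob is present, check Intel's release notes for whether the 20180108 release contained an update for this FF-MM-SS at all; not every model received one in that drop.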