
[Solved] Meltdown and Spectre Vulnerabilities


#21

It is confusing, because if it says cpu_insecure you are not vulnerable, because it's using KPTI.

cpu_insecure == Safe
Because that’s logical /s


(David) #22

LOL. Thank you for the clarification… At least I can be sure the WP article is not spreading BS about which Linux versions are vulnerable and which ones have the KPTI patches already in place.


#23

@silvernode You can also check /proc/config.gz to see with which options your currently running kernel was built or /boot/config-* to see the options for all installed kernels.

And if you want to check before installing you can use something like

xbps-query -R --cat /boot/config-4.14.12_3 linux4.14

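A small check in the spirit of posts #21 and #23, added here as an example (it is not a script from this thread or from Void): it reads CONFIG_PAGE_TABLE_ISOLATION and CONFIG_RETPOLINE out of any kernel config file, plain or gzipped (so /proc/config.gz, a /boot/config-* file, or the output of the xbps-query command above saved to a file), and looks for cpu_insecure and pti in a /proc/cpuinfo-style file. The function and variable names and the sample inputs at the bottom are my own constructions.

```shell
# Added example, not from the thread: read the kernel options and cpuinfo
# words posts #21 and #23 talk about from any file you point it at.

# kconfig_value FILE OPTION -> prints y, m or n (n also when OPTION is absent
# or "is not set"). Gzipped input such as /proc/config.gz is read transparently.
kconfig_value() {
    file="$1"; opt="$2"
    case "$file" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    val=$($reader "$file" 2>/dev/null | sed -n "s/^${opt}=//p" | head -n 1)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;
    esac
}

# kconfig_report FILE -> one "OPTION=value" line per option of interest:
# CONFIG_PAGE_TABLE_ISOLATION is KPTI (Meltdown), CONFIG_RETPOLINE is the
# compiler-based Spectre variant 2 mitigation.
kconfig_report() {
    for opt in CONFIG_PAGE_TABLE_ISOLATION CONFIG_RETPOLINE; do
        printf '%s=%s\n' "$opt" "$(kconfig_value "$1" "$opt")"
    done
}

# cpuinfo_has_word FILE LINE WORD -> succeeds when WORD is in the first LINE
# ("flags" or "bugs") of a /proc/cpuinfo-style file. On the 4.14.11 kernels in
# this thread the bugs line carries cpu_insecure and flags carries pti once KPTI is on.
cpuinfo_has_word() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 \
        | tr ' ' '\n' | grep -qx -- "$3"
}

# Running kernel's config: /proc/config.gz if exposed, else /boot/config-$(uname -r).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then printf '/proc/config.gz\n'
    else printf '/boot/config-%s\n' "$(uname -r)"; fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CONFIG=$(mktemp); SAMPLE_CPUINFO=$(mktemp)
printf '%s\n' 'CONFIG_X86_64=y' 'CONFIG_PAGE_TABLE_ISOLATION=y' \
    '# CONFIG_RETPOLINE is not set' > "$SAMPLE_CONFIG"
printf '%s\n' 'flags : fpu sse2 pti' 'bugs : cpu_insecure' > "$SAMPLE_CPUINFO"

kconfig_report "$SAMPLE_CONFIG"   # CONFIG_PAGE_TABLE_ISOLATION=y, CONFIG_RETPOLINE=n
cfg=$(running_kernel_config)
if [ -r "$cfg" ]; then kconfig_report "$cfg"; fi
```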


#24

Right. It would be nice to have these in place though, no?


#25

Void has already got them now:


#26

They haven’t rolled out yet, at least not to me (on either musl or glibc).


#27

Now they have!


#28

Yep, got them now!


#29

Well, do we really need to replace our CPU for the Spectre vuln? Looks like the Raspberry Pi is safe on both attacks.


(Silvernode) #30

That’s a really useful command. I expect xbps to have a lot of power because of the things I have seen it do, but this is just beyond what I expected. Thanks


(jacky) #31

How to check Linux for Spectre and Meltdown vulnerability

$ git clone https://github.com/speed47/spectre-meltdown-checker.git

Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 158, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 158 (delta 20), reused 22 (delta 10), pack-reused 125
Receiving objects: 100% (158/158), 52.25 KiB | 252.00 KiB/s, done.
Resolving deltas: 100% (90/90), done.

[jacky@machina spectre-meltdown-checker]$ sudo sh spectre-meltdown-checker.sh
Password:

Spectre and Meltdown mitigation detection tool v0.16

Checking vulnerabilities against Linux 4.14.11_1 #1 SMP PREEMPT Wed Jan 3 16:59:01 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'

  • Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 31 opcodes found, should be >= 70)

STATUS: VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

  • Mitigation 1
      • Hardware (CPU microcode) support for mitigation: NO
      • Kernel support for IBRS: NO
      • IBRS enabled for Kernel space: NO
      • IBRS enabled for User space: NO
  • Mitigation 2
      • Kernel compiled with retpoline option: NO
      • Kernel compiled with a retpoline-aware compiler: NO

STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'

  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: YES

STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

2 tests out of 3 didn't pass!!!


(jacky) #32

The official GitHub page


#33

Who audits the auditors?


(Ben Hsu) #34

speed47's checker script is just a shell script of about 500 lines of code. It looks well written and covers most of the error paths (unlike the Intel ME vulnerability checker by Intel; there's a separate thread on that).

I reviewed the code very briefly - it looks okay. I will give it a +1.


(jacky) #35

thanks for the reply…


#36

So, any way to get away with Spectre? Or just burn my CPU?


(jacky) #37

#38

Use NoScript: https://noscript.net/getit

or if you don't wanna spend a lot of time tweaking, use uBlock Origin easy mode: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-easy-mode

Disabling JavaScript altogether with NoScript is the most secure but will break a lot of sites. uBlock Origin easy mode strikes a good balance for me.


(jacky) #39

Intel Releases Processor Microcode Patch for Linux OSes

To update the microcode.dat to the system, you will need to first ensure the existence of /dev/cpu/microcode and then write microcode.dat to the file with the dd if=microcode.dat of=/dev/cpu/microcode bs=1M command in a terminal emulator. Once the writing process is complete, you will have to reboot your computer for any changes to take effect.

The updated microcode archive also contains an intel-ucode folder, which is the second method of installing the microcode, supported by most modern GNU/Linux distributions. To update this way, ensure the existence of /sys/devices/system/cpu/microcode/reload, copy the entire intel-ucode directory to /lib/firmware, overwrite the files in /lib/firmware/intel-ucode/, write the reload interface to 1 to reload the microcode files (e.g. echo 1 > /sys/devices/system/cpu/microcode/reload), and reboot.


#40

or
xbps-install intel-ucode
The date on this is 20180108_1.