Debian and Intel CPUs vulnerabilities.

Naron
Posts: 28
Joined: 2011-08-29 11:48
Has thanked: 2 times
Been thanked: 1 time

Debian and Intel CPUs vulnerabilities.

#1 Post by Naron »

How concerned should I be regarding the recently discovered CPU flaws? My system uses an Intel Core i5-2400 and unfortunately it seems that there are no firmware updates from my vendor to mitigate these damned flaws. But, from what I understand, Linux can mitigate at least some of these flaws even without firmware updates, by integrating corrections in the kernel itself. It this true? I would have some peace of mind if it is. I have checked what Debian says about my CPU vulnerabilities:

Code:

grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW

I'm not sure how to interpret this, it seems that one vulnerability is not patched so what to do? Should I switch to AMD?

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Debian and Intel CPUs vulnerabilities.

#2 Post by bw123 »

Naron wrote:How concerned should I be regarding the recently discovered CPU flaws?
...
I think that depends on how sensitive the data on the system is.

Found a link about the 3a and 4 variants in a web search:
https://duckduckgo.com/html/?q=pec_stor ... Vulnerable
https://www.us-cert.gov/ncas/alerts/TA18-141A

There are also one or two pretty long threads on the forum here.
Naron wrote:...it seems that one vulnerability is not patched so what to do? Should I switch to AMD?
Not all Intel CPUs are affected...

Code:

$ ls /sys/devices/system/cpu/vulnerabilities/
meltdown  spec_store_bypass  spectre_v1  spectre_v2
$ cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Not affected
Not affected
Not affected
$ uname -a
Linux debian 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u2 (2018-08-13) x86_64 GNU/Linux
$ grep -m1 -A5 vendor /proc/cpuinfo
vendor_id       : GenuineIntel
cpu family      : 6
model           : 28
model name      : Intel(R) Atom(TM) CPU N450   @ 1.66GHz
stepping        : 10
microcode       : 0x107

Last edited by bw123 on 2018-08-17 11:59, edited 1 time in total.
resigned by AI ChatGPT

Fernando Negro
Posts: 124
Joined: 2013-11-24 01:29
Location: Portugal
Has thanked: 2 times

Re: Debian and Intel CPUs vulnerabilities.

#3 Post by Fernando Negro »

The only way that you can have some (relative) "peace of mind" (actually, you can never truly have it, in a computer that is connected to, and installs software from, the Internet) is to use older-generation motherboards and microchips.

1) This is what is known about newer Intel motherboards: https://libreboot.org/faq.html#intel (Search the Internet for information about how some of the new motherboards with "UEFI" BIOSes have "built-in Internet access", that operates independently of the operating system.)

2) This is a possibility raised by the fact that the newer Intel microchips have, for years, come with "remote 3G access" capabilities: https://trisquel.info/en/forum/secret-3 ... -pc-access (Search the Internet for information about Intel's new "Anti-Theft" technology.)

I just *love* the stability, much more bug-free nature, and modular installation options of Debian. Apart from the unfortunate adoption of "systemd" (viewtopic.php?f=20&t=129881&start=165#p671030) this distribution is *great*.

bedtime
Posts: 146
Joined: 2012-12-16 19:34
Has thanked: 1 time
Been thanked: 6 times

Re: Debian and Intel CPUs vulnerabilities.

#4 Post by bedtime »

[plug]
Looks like this won't be fixed for a while. I believe System76 is trying to fix the issue and has shown some progress, but they said this a while ago, and I've yet to see a solution. If you want to escape those vulnerabilities and speed/memory is not a big concern for you, you might want to consider using Raspberry Pi:

https://en.wikipedia.org/wiki/Raspberry_Pi
https://www.raspberrypi.org/products/ra ... 3-model-b/

It seems that for less than a couple hundred dollars that you could have a pretty decent and unique system. Rasp'Pi is made extremely well and is likely to last a long time—British made, with high-quality components and excellent soldering. It uses all opensource technology, and the community seems abundant and helpful.

Oh, and the main OS is...

Debian based! :D
[/plug]

4D696B65
Site admin
Posts: 2696
Joined: 2009-06-28 06:09
Been thanked: 85 times

Re: Debian and Intel CPUs vulnerabilities.

#5 Post by 4D696B65 »

bedtime wrote:It uses all opensource technology
The broadcom chip is not open and there are non-free blobs in raspbian.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Debian and Intel CPUs vulnerabilities.

#6 Post by stevepusser »

Linux can load firmware updates into the CPU at boot time. Debian has those in the non-free section as "intel-microcode" and "amd64-microcode".

https://packages.debian.org/search?keyw ... ection=all

MX Linux packager and developer

Fernando Negro
Posts: 124
Joined: 2013-11-24 01:29
Location: Portugal
Has thanked: 2 times

Re: Debian and Intel CPUs vulnerabilities.

#7 Post by Fernando Negro »

4D696B65 wrote:
bedtime wrote:It uses all opensource technology
The broadcom chip is not open and there are non-free blobs in raspbian.
Right.
"Boards based on the Broadcom VideoCore 4 family, such as the Raspberry Pi, require nonfree software to startup".
--- https://www.fsf.org/resources/hw/single-board-computers
I know little about single-board alternatives. But, there are at least two models that I believe that operate with only Free Software - the "OLinuXino" (https://www.olimex.com/Products/OLinuXi ... e-hardware) and the "Parallella" (https://www.parallella.org/) Open Source Hardware boards (where only the CPU, I believe, is not "open hardware") - the first of which can even be shipped together with Debian "bootable micro SD cards".

The problem, though, is that when it comes to graphical performance (2D acceleration, even) they leave much to be desired - and, are not yet anywhere near on par with desktop computers (that can use good/big dedicated graphics cards) - with the video demonstrations on YouTube showing noticeably big lags, even when just moving windows.

From what I see, single-board computers are only good for some automated tasks that require a computer, for the time being - and, are not yet decent for regular desktop use.

I just *love* the stability, much more bug-free nature, and modular installation options of Debian. Apart from the unfortunate adoption of "systemd" (viewtopic.php?f=20&t=129881&start=165#p671030) this distribution is *great*.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Debian and Intel CPUs vulnerabilities.

#8 Post by Head_on_a_Stick »

Naron wrote:Should I switch to AMD?
AMD is slightly better but still needs the mitigations for Spectre and is also probably vulnerable to the entire class of SMT-related bugs recently exposed by OpenBSD[1] not to mention their built-in management engine ("Platform Security Processor") that renders the machine open to remote hacking[2].

ARM64 is good (lots of boards need blobs though and the architecture is proprietary), POWER9 looks better and RISC-V is the best but still quite expensive.

[1] https://marc.info/?l=openbsd-cvs&m=152943660103446&w=2
[2] https://hackaday.com/tag/intel-management-engine/

deadbang

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Debian and Intel CPUs vulnerabilities.

#9 Post by stevepusser »

Debian just updated the kernels to deal with the new "L1TF" exploit, though I'm not really sure how dangerous it is for desktop users. https://security-tracker.debian.org/tra ... -2018-3620 It looks like we are still waiting for updated firmware from Intel.

Steve (currently backporting the 4.17.15 kernel)

MX Linux packager and developer

sunrat
Administrator
Posts: 6412
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 116 times
Been thanked: 462 times

Re: Debian and Intel CPUs vulnerabilities.

#10 Post by sunrat »

There was a security update for intel-microcode a couple of days ago.
https://www.debian.org/security/2018/dsa-4273
This update ships updated CPU microcode for some types of Intel CPUs and provides SSBD support (needed to address "Spectre v4") and fixes for "Spectre v3a".

“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Debian and Intel CPUs vulnerabilities.

#11 Post by Head_on_a_Stick »

sunrat wrote:There was a security update for intel-microcode a couple of days ago
That seems to fix all the Spectre stuff:

Code:

empty@hegel:~ $ grep -R . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
empty@hegel:~ $
So just Foreshadow and the management engine left then... :mrgreen:

deadbang
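As an added example (not code from the thread or from Debian), a small POSIX shell script that classifies each file under /sys/devices/system/cpu/vulnerabilities/ the way the outputs in post #1 and post #11 are read by hand, fails if anything is still reported Vulnerable, and pulls the loaded microcode revision out of /proc/cpuinfo-style text as bw123's grep in post #2 shows. The sample sysfs tree it builds is constructed to mirror post #1's output; the function names are assumptions of this example.

```shell
#!/bin/sh
# Summarise the kernel's speculative-execution status files.
# Constructed example, not from the forum thread. Assumes the sysfs
# layout shown in the thread: one file per issue, each holding one of
# "Not affected", "Mitigation: ..." or "Vulnerable...".

# Print "<name> <state>" for every file in $1 (default: the real sysfs
# directory); state is not_affected, mitigated, vulnerable or unknown.
classify_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected")  state=not_affected ;;
            Mitigation:*)    state=mitigated ;;
            Vulnerable*)     state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s %s\n' "$name" "$state"
    done
}

# Return 0 if nothing is reported as Vulnerable, 1 otherwise; usable
# from a cron job or monitoring check after a kernel/microcode update.
check_vulns() {
    ! classify_vulns "$1" | grep -q ' vulnerable$'
}

# Extract the loaded microcode revision from /proc/cpuinfo-style text
# on stdin (first "microcode" line), to confirm intel-microcode took
# effect after a reboot.
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }'
}

# Build a constructed sysfs tree mirroring post #1's output, so the
# functions can be exercised on a machine without these files.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB, IBRS_FW\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}
```

Run `classify_vulns` with no argument on a live Debian box to read the real sysfs directory; `check_vulns` then gives a clean yes/no for scripting.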

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Debian and Intel CPUs vulnerabilities.

#12 Post by stevepusser »

For anyone running newer hardware on a Stretch base that needs a newer kernel than 4.9, I have the 4.17.15 kernel backported in a repo until it gets into stretch-backports: https://build.opensuse.org/package/show ... x-libc-dev

Why did I name it linux-libc-dev? Because to generate the instructions to add the repo, the OBS needs the name of the package to be one that's generated on all architectures, and linux-libc-dev is one of the few that's not arch-dependent. Linux-source-4.17 would also work...you don't need to install those packages, so just follow the instructions to add the repo and the key, then run

Code:

apt policy *4.17.0-3*

to see the linux-headers and linux-image packages available for your architecture. Those can then be installed with standard apt commands.

MX Linux packager and developer
