Official Debian standpoint on Meltdown/Spectre


Re: Official Debian standpoint on Meltdown/Spectre

Postby Lysander » 2018-02-25 00:35

Saw this come through earlier today. Very pleased.

Code:
lysander@psychopig-xxxiii:~$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
lysander@psychopig-xxxiii:~$ cat /proc/cpuinfo | grep -m1 "model name"
model name   : Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz
lysander@psychopig-xxxiii:~$ uname -a
Linux psychopig-xxxiii 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
lysander@psychopig-xxxiii:~$



I'm covered by default on my other machine since it runs a Diamondville Atom.

bw123 wrote: I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.


Why do you feel let down? A lot of the Atoms [maybe all, I haven't looked] are invulnerable.
Lysander
 
Posts: 543
Joined: 2017-02-23 10:07
Location: London
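The grep in the post above dumps the raw sysfs strings; what an administrator usually wants is a yes/no answer with a usable exit status, and a distinction between "the kernel says every entry is mitigated or not affected" and "the kernel has no such interface at all" (the directory only exists on 4.15+ and on kernels that backported it, such as the Debian 4.9.82-1+deb9u2 shown above). The script below is an added example, not something posted in the thread. It classifies each file under /sys/devices/system/cpu/vulnerabilities, returns 1 if any entry starts with "Vulnerable" (or is unrecognised), and 2 if the directory is missing. The fixture directories it builds are constructed for the demo: the "patched" one reproduces the three values quoted in the post, the "unpatched" one is invented to exercise the Vulnerable and "Not affected" branches. Note that a "Mitigation:" line is the kernel's own claim, not an independent check of microcode or compiler support.

```shell
#!/bin/sh
# Added example (not from the thread): classify the entries under
# /sys/devices/system/cpu/vulnerabilities and return a meaningful status.
# Runs offline against constructed fixture directories; the live directory is
# only consulted if it exists on the host.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# check_vulns [DIR]: print one line per vulnerability file.
# Exit status: 0 = nothing reported vulnerable, 1 = at least one "Vulnerable"
# (or unrecognised) entry, 2 = directory absent (kernel exposes no status,
# which is not the same as "safe").
check_vulns() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "$dir: missing; this kernel does not expose vulnerability status" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected")  verdict=OK ;;
            *Vulnerable*)    verdict=VULNERABLE; rc=1 ;;   # "Vulnerable", "Vulnerable: ..."
            *Mitigation:*)   verdict=MITIGATED ;;          # kernel claims a mitigation is active
            *)               verdict=UNKNOWN;    rc=1 ;;   # be conservative about new strings
        esac
        printf '%-12s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return "$rc"
}

# make_fixture patched|unpatched: constructed stand-in for the sysfs directory
# (hypothetical data for the demo, written to a temporary directory).
make_fixture() {
    d=$(mktemp -d)
    case "$1" in
        patched)   # values quoted in the post above
            printf 'Mitigation: PTI\n'                          > "$d/meltdown"
            printf 'Mitigation: __user pointer sanitization\n'  > "$d/spectre_v1"
            printf 'Mitigation: Full generic retpoline\n'       > "$d/spectre_v2"
            ;;
        unpatched) # invented: one unaffected entry, two vulnerable ones
            printf 'Not affected\n'                             > "$d/meltdown"
            printf 'Vulnerable\n'                               > "$d/spectre_v1"
            printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
            ;;
        *) echo "make_fixture: unknown fixture $1" >&2; rm -rf "$d"; return 1 ;;
    esac
    echo "$d"
}

# count_vulnerable [DIR]: number of entries classified VULNERABLE.
count_vulnerable() {
    check_vulns "$1" | grep -c ' VULNERABLE '
}

main() {
    for kind in patched unpatched; do
        fx=$(make_fixture "$kind")
        echo "== constructed fixture: $kind =="
        check_vulns "$fx"; echo "exit status: $?"
        rm -rf "$fx"
    done
    if [ -d "$VULN_DIR" ]; then
        echo "== live: $VULN_DIR =="
        check_vulns; echo "exit status: $?"
    fi
}

main
```

Because the loop is generic over whatever files the kernel exposes, the same script keeps working on later kernels that add further entries to the directory; anything it cannot classify is reported as UNKNOWN and counted as a failure rather than silently passed.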

Re: Official Debian standpoint on Meltdown/Spectre

Postby anticapitalista » 2018-02-25 10:05

Here's mine.

Code:
grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

uname -a
Linux antix1 4.15.5-antix.2-amd64-smp #1 SMP PREEMPT Fri Feb 23 01:05:42 EET 2018 x86_64 GNU/Linux

cat /proc/cpuinfo | grep -m1 "model name"
model name   : Intel(R) Core(TM) i5 CPU       M 520  @ 2.40GHz
antiX "Heather Heyer" - lean and mean.
http://antix.mepis.org
anticapitalista
 
Posts: 328
Joined: 2007-12-14 23:16

Re: Official Debian standpoint on Meltdown/Spectre

Postby None1975 » 2018-02-26 14:08

stevepusser wrote: What kernel is that?

Hello. It is the standard Debian 9.3 kernel:
Code:
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
OS: Debian 9.4 / WM: Xmonad
Debian Wiki | DontBreakDebian, My config files in github
Linux User #607425
None1975
 
Posts: 481
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-26 20:52

Thanks, they must have backported the user pointer sanitization to 4.9. The 4.14.17 that briefly appeared upstream doesn't have it.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: GIMP 2.10.2, Pale Moon 27.9.3, wine-staging 3.10, QuiteRSS 0.18.11, Linux kernel 4.17, Krita 4.0.4
stevepusser
 
Posts: 9654
Joined: 2009-10-06 05:53

Re: Official Debian standpoint on Meltdown/Spectre

Postby Rildebai » 2018-02-28 16:22

Run these to check if you are prone to meltdown & spectre.

Code:
sudo apt install spectre-meltdown-checker


Code:
sudo spectre-meltdown-checker
Write programs that do one thing and do it well. ~ Doug Mcllroy on the UNIX Philosophy
Rildebai
 
Posts: 83
Joined: 2016-04-30 09:27
Location: Ireland

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-28 18:29

Stretch users will have to get spectre-meltdown-checker from stretch-backports.
stevepusser
 
Posts: 9654
Joined: 2009-10-06 05:53

Re: Official Debian standpoint on Meltdown/Spectre

Postby Rildebai » 2018-02-28 18:46

stevepusser wrote: Stretch users will have to get spectre-meltdown-checker from stretch-backports.

Yes.
Rildebai
 
Posts: 83
Joined: 2016-04-30 09:27
Location: Ireland

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-28 22:39

Code:
Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-5.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.15-1~mx17+1 (2018-02-25) x86_64
CPU is Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 78 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)


Intel has just released some newer firmware for most of their affected processors, so maybe these aren't utter crap like the previous release that they had to pull back.
stevepusser
 
Posts: 9654
Joined: 2009-10-06 05:53
