Official Debian standpoint on Meltdown/Spectre

Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Official Debian standpoint on Meltdown/Spectre

#16 Post by Lysander »

Thorny wrote: I'm pedantic, but you probably already realise that. :-)
I think each case of pedantry has contextual validity. When it comes to Linux-learning, specificity is definitely a good thing.
Thorny wrote: I'm fairly sure you mean you invoke apt update and then apt upgrade if called for.
Just so lurkers and the inexperienced are clear.
That is indeed what I mean, thanks for the clarification.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Official Debian standpoint on Meltdown/Spectre

#17 Post by n_hologram »

Lysander wrote: My netbook [Slackware] runs an Atom N270 so is theoretically, and reportedly, immune. By reportedly, I mean that the output of spectre-meltdown-checker states such.
Are you running a 32- or 64-bit kernel?
bester69 wrote: There is nothing to install in Linux, from time to time i go to google searching for something fresh to install in Linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Official Debian standpoint on Meltdown/Spectre

#18 Post by acewiza »

I believe the most important Debian-specific remediations will involve what kernels are showing up where and when.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.

Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Official Debian standpoint on Meltdown/Spectre

#19 Post by Lysander »

n_hologram wrote: Are you running a 32- or 64-bit kernel?
The N270 is 32-bit only, so I am running a 32-bit SMP kernel.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Official Debian standpoint on Meltdown/Spectre

#20 Post by n_hologram »

I forgot that several atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.
bester69 wrote: There is nothing to install in Linux, from time to time i go to google searching for something fresh to install in Linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Official Debian standpoint on Meltdown/Spectre

#21 Post by Lysander »

n_hologram wrote: I forgot that several atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.
I am pretty sure it doesn't, I just update it anyway. But yes, I remember reading that Diamondville processors were among those unaffected.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Official Debian standpoint on Meltdown/Spectre

#22 Post by stevepusser »

I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation. It seems browsers are easily able to block any Spectre attacks by reducing their timer resolution to a millisecond or so, which is far below the precision that those attacks depend on.
MX Linux packager and developer

Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Official Debian standpoint on Meltdown/Spectre

#23 Post by Lysander »

NB: this post does not relate to Debian, apologies.
stevepusser wrote: I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation.
Ah, that would explain why I got this:

Code:

bash-4.3# gawk '{ print FILENAME ":\t" $0 }' /sys/devices/system/cpu/vulnerabilities/*

/sys/devices/system/cpu/vulnerabilities/meltdown:	Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:	Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:	Mitigation: Full generic retpoline
Thanks for clearing that up, Steve. Furthermore, the point that I was making re my CPU was that it is apparently immune to both vulnerabilities [N270]. But kernel-wise, yes, it seems we are not yet there with the mitigation for 32-bit [though complete mitigation has been achieved now in 64-bit {Slack} - sorry for taking this off-distro].

Resume normal service, I will bow out.

milomak
Posts: 2158
Joined: 2009-06-09 22:20
Been thanked: 1 time

Re: Official Debian standpoint on Meltdown/Spectre

#24 Post by milomak »

Sorry guys, what does this mean for me?

Code:

grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline - vulnerable module loaded
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Official Debian standpoint on Meltdown/Spectre

#25 Post by Head_on_a_Stick »

milomak wrote: what does this mean for me
Looks good to me but I don't know what this means:

Code:

vulnerable module loaded
My Arch box has the "full generic retpoline" message but without the module bit, and my Alpine Linux machine has "minimal generic ASM retpoline"; I think that is gcc-version-dependent.

Just remember to disable JavaScript whenever possible and you should be fine.
deadbang
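The status strings traded in this thread ("Not affected", "Mitigation: ...", "Vulnerable") are what the kernel writes to the files under /sys/devices/system/cpu/vulnerabilities/, and the "- vulnerable module loaded" suffix that milomak sees is appended by the x86 kernel to the spectre_v2 line when a loaded kernel module was built without retpoline support, so the retpoline mitigation does not cover that module's code. The following Python script is an added example, not code from any poster in this thread or from Debian: it reads either the live sysfs directory or `grep -r .` output of the kind posted above, classifies each bug, and lists the entries that still deserve attention (vulnerable, only partially mitigated, or unrecognised). The SAMPLE text is constructed for the example in the shape of milomak's output, and the function and class names are the example's own.

```python
"""Classify the per-bug status strings the Linux kernel exposes under
/sys/devices/system/cpu/vulnerabilities/ (as shown by
`grep -r . /sys/devices/system/cpu/vulnerabilities`)."""
import os
from dataclasses import dataclass

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


@dataclass
class BugStatus:
    bug: str     # file name, e.g. "spectre_v2"
    state: str   # "ok", "mitigated", "partial", "vulnerable" or "unknown"
    detail: str  # text after the status keyword, e.g. "Full generic retpoline"


def classify(bug, status):
    """Map one sysfs status string to a BugStatus."""
    s = status.strip()
    if s.startswith("Not affected"):
        return BugStatus(bug, "ok", "")
    if s.startswith("Mitigation:"):
        detail = s[len("Mitigation:"):].strip()
        # The x86 kernel appends this suffix to the spectre_v2 line when a
        # loaded module was built without retpoline support: the mitigation
        # is in place for the kernel proper but not for that module's code.
        if "vulnerable module loaded" in detail:
            return BugStatus(bug, "partial", detail)
        return BugStatus(bug, "mitigated", detail)
    if s.startswith("Vulnerable"):
        # "Vulnerable" may carry an explanation after a colon, e.g. microcode state.
        return BugStatus(bug, "vulnerable", s[len("Vulnerable"):].lstrip(": ").strip())
    return BugStatus(bug, "unknown", s)


def parse_grep_output(text):
    """Parse `grep -r .` (or gawk FILENAME:value) output: one 'path:status' per line."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        path, _, status = line.partition(":")
        results.append(classify(os.path.basename(path), status))
    return results


def read_sysfs(directory=SYSFS_DIR):
    """Read the live sysfs directory; returns [] where it does not exist."""
    results = []
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            results.append(classify(name, fh.read()))
    return results


def needs_attention(results):
    """Entries an administrator should look at: not fully mitigated or unrecognised."""
    return [r for r in results if r.state in ("vulnerable", "partial", "unknown")]


# Constructed sample in the shape of milomak's post above (not a real capture).
SAMPLE = """\
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline - vulnerable module loaded
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
"""

if __name__ == "__main__":
    # Prefer the running kernel's sysfs; fall back to the constructed sample.
    results = read_sysfs() or parse_grep_output(SAMPLE)
    for r in results:
        print(f"{r.bug:12} {r.state:10} {r.detail}")
    for r in needs_attention(results):
        print(f"check: {r.bug} ({r.state}) {r.detail}")
```

Run on the sample, the script reports spectre_v1 and meltdown as mitigated and spectre_v2 as only partially mitigated, which is the case worth following up: find the out-of-tree or older module that was built without retpoline support, since a rebuilt module makes the suffix go away. On a real machine the script reads the running kernel's files instead, and on kernels older than the ones that grew the vulnerabilities directory it simply falls back to the sample.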

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Official Debian standpoint on Meltdown/Spectre

#26 Post by n_hologram »

Lol I love that my thread is already completely ignored. Are we due for a Skyfall thread yet?

Here's a horrifying glimpse at the current 2018 CVE list: https://imgs.xkcd.com/comics/2018_cve_list.png
bester69 wrote: There is nothing to install in Linux, from time to time i go to google searching for something fresh to install in Linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Official Debian standpoint on Meltdown/Spectre

#27 Post by stevepusser »

Jessie and Stretch gcc compilers are now patched to support retpoline, and the Stretch 4.9 kernel is recompiled with its own retpoline support, in order to harden against some Spectre variants.
MX Linux packager and developer

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Official Debian standpoint on Meltdown/Spectre

#28 Post by bw123 »

I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.

Code:

$ uname -a
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
$ cat /proc/cpuinfo | grep -m1 "model name"
model name      : Intel(R) Atom(TM) CPU N450   @ 1.66GHz
resigned by AI ChatGPT

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: Official Debian standpoint on Meltdown/Spectre

#29 Post by None1975 »

Here's mine

Code:

 grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Official Debian standpoint on Meltdown/Spectre

#30 Post by stevepusser »

None1975 wrote: Here's mine

Code:

 grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz
What kernel is that? I just backported 4.14.17 from upstream to Stretch and get this:

Code:

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
I also have installed a backport of Buster's 4.15.4, but haven't booted to it yet...here goes.

Better, equal to the recent 4.14 Liquorix kernels:

Code:

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
Though both these new backports are giving me an alarming but harmless string of boot messages about "pstore: decompression failed" that zip by too fast to really see what's going on. Let's see if the Net knows how to suppress that.
MX Linux packager and developer

Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Official Debian standpoint on Meltdown/Spectre

#31 Post by Lysander »

Saw this come through earlier today. Very pleased.

Code:

lysander@psychopig-xxxiii:~$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
lysander@psychopig-xxxiii:~$ cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz
lysander@psychopig-xxxiii:~$ uname -a
Linux psychopig-xxxiii 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
lysander@psychopig-xxxiii:~$ 

I'm covered by default on my other machine since it runs a Diamondville Atom.
bw123 wrote: I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.
Why do you feel let down? A lot of the Atoms [maybe all, I haven't looked] are invulnerable.

anticapitalista
Posts: 428
Joined: 2007-12-14 23:16
Has thanked: 12 times
Been thanked: 13 times

Re: Official Debian standpoint on Meltdown/Spectre

#32 Post by anticapitalista »

Here's mine.

Code:

grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

uname -a
Linux antix1 4.15.5-antix.2-amd64-smp #1 SMP PREEMPT Fri Feb 23 01:05:42 EET 2018 x86_64 GNU/Linux

cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM) i5 CPU       M 520  @ 2.40GHz
antiX with runit - lean and mean.
https://antixlinux.com

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: Official Debian standpoint on Meltdown/Spectre

#33 Post by None1975 »

stevepusser wrote: What kernel is that?
Hello. It is the standard Debian 9.3 kernel

Code:

Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Official Debian standpoint on Meltdown/Spectre

#34 Post by stevepusser »

Thanks, they must have backported the user pointer sanitization to 4.9. The 4.14.17 that briefly appeared upstream doesn't have it.
MX Linux packager and developer

Rildebai
Posts: 87
Joined: 2016-04-30 09:27
Location: Ireland

Re: Official Debian standpoint on Meltdown/Spectre

#35 Post by Rildebai »

Run these to check if you are prone to Meltdown & Spectre.

Code:

sudo apt install spectre-meltdown-checker

Code:

sudo spectre-meltdown-checker
Write programs that do one thing and do it well. ~ Doug McIlroy on the UNIX Philosophy
