Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 10:49
by Lysander
Thorny wrote: I'm pedantic, but you probably already realise that. :-)
I think each case of pedantry has contextual validity. When it comes to Linux-learning, specificity is definitely a good thing.
Thorny wrote: I'm fairly sure you mean you invoke apt update and then apt upgrade if called for.
Just so lurkers and the inexperienced are clear.
That is indeed what I mean, thanks for the clarification.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 12:16
by n_hologram
Lysander wrote: My netbook [Slackware] runs an Atom N270 so is theoretically, and reportedly, immune. By reportedly, I mean that the output of spectre-meltdown-checker states such.
Are you running a 32- or 64-bit kernel?

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 14:57
by acewiza
I believe the most important Debian-specific remediations will involve what kernels are showing up where and when.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 15:42
by Lysander
n_hologram wrote: Are you running a 32- or 64-bit kernel?
The N270 is 32-bit only, so I am running a 32-bit SMP kernel.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 15:50
by n_hologram
I forgot that several Atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 15:56
by Lysander
n_hologram wrote: I forgot that several Atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.
I am pretty sure it doesn't, I just update it anyway. But yes, I remember reading that Diamondville processors were among those unaffected.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 21:39
by stevepusser
I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation. It seems browsers are easily able to block any Spectre attacks by reducing their timer resolution to a millisecond or so, which is far below the precision that those attacks depend on.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-08 22:10
by Lysander
NB: this post does not relate to Debian, apologies.
stevepusser wrote: I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation.
Ah, that would explain why I got this:

bash-4.3# gawk '{ print FILENAME ":\t" $0 }' /sys/devices/system/cpu/vulnerabilities/*

/sys/devices/system/cpu/vulnerabilities/meltdown:	Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:	Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:	Mitigation: Full generic retpoline
Thanks for clearing that up, Steve. Furthermore, the point that I was making re my CPU was that it is apparently immune to both vulnerabilities [N270]. But kernel-wise, yes, it seems we are not yet there with the mitigation for 32-bit [though complete mitigation has been achieved now in 64-bit {Slack} - sorry for taking this off-distro].

Resume normal service, I will bow out.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-18 16:35
by milomak
Sorry guys. What does this mean for me?

grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline - vulnerable module loaded
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-18 18:19
by Head_on_a_Stick
milomak wrote: What does this mean for me?
Looks good to me but I don't know what this means: "vulnerable module loaded"
My Arch box has the "full generic retpoline" message but without the module bit and my Alpine Linux machine has "minimal generic ASM retpoline", I think that is gcc-version-dependent.

Just remember to disable javascript whenever possible and you should be fine.
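An added example, not code from the thread or from Debian: a small POSIX sh check that reads the one-line status files under /sys/devices/system/cpu/vulnerabilities and classifies each one using the strings quoted in this thread, treating the "vulnerable module loaded" qualifier as only partial protection and a missing directory as a kernel too old to report. The class names and the sample directory (built to mirror milomak's output) are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): classify the kernel's per-vulnerability
# status files. The directory is a parameter so the same functions run against
# constructed sample files as well as a live /sys tree.

# classify_status STATUS -> not_affected | mitigated | partial | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected")                    echo not_affected ;;
        Mitigation:*"vulnerable module"*)  echo partial ;;    # retpoline kernel, module built without it
        Mitigation:*)                      echo mitigated ;;
        Vulnerable*)                       echo vulnerable ;;
        *)                                 echo unknown ;;
    esac
}

# report_dir [DIR] -> one "<name> <class> <raw status>" line per file.
# Exit 0 only when every entry is mitigated or not affected; 2 if DIR is absent.
report_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "$dir not present: kernel predates this interface" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$class" "$status"
        case "$class" in vulnerable|partial|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample mirroring milomak's output above (not a real sysfs tree).
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'Mitigation: PTI' > "$d/meltdown"
    printf '%s\n' 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    printf '%s\n' 'Mitigation: Full generic retpoline - vulnerable module loaded' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_dir)
    report_dir "$sample" || echo "at least one entry needs attention"
    rm -rf "$sample"
fi
```

Run with `--demo` to see the constructed sample classified, or call `report_dir` with no argument on a live machine; a non-zero exit means something is still flagged.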

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-20 17:44
by n_hologram
Lol I love that my thread is already completely ignored. Are we due for a Skyfall thread yet?

Here's a horrifying glimpse at the current 2018 CVE list: https://imgs.xkcd.com/comics/2018_cve_list.png

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-22 22:08
by stevepusser
Jessie and Stretch gcc compilers are now patched to support retpoline, and the Stretch 4.9 kernel is recompiled with its own retpoline support, in order to harden against some Spectre variants.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-24 04:15
by bw123
I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.

$ uname -a
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
$ cat /proc/cpuinfo | grep -m1 "model name"
model name      : Intel(R) Atom(TM) CPU N450   @ 1.66GHz

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-24 14:07
by None1975
Here's mine

 grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-24 23:03
by stevepusser
None1975 wrote: Here's mine
 grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz
What kernel is that? I just backported 4.14.17 from upstream to Stretch and get this:

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
I also have installed a backport of Buster's 4.15.4, but haven't booted to it yet...here goes.

Better, equal to the recent 4.14 Liquorix kernels:

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
Though both these new backports are giving me an alarming but harmless string of boot messages about "pstore: decompression failed" that zip by too fast to really see what's going on. Let's see if the Net knows how to suppress that.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-25 00:35
by Lysander
Saw this come through earlier today. Very pleased.

lysander@psychopig-xxxiii:~$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
lysander@psychopig-xxxiii:~$ cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM)2 Quad CPU    Q8400  @ 2.66GHz
lysander@psychopig-xxxiii:~$ uname -a
Linux psychopig-xxxiii 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
lysander@psychopig-xxxiii:~$ 

I'm covered by default on my other machine since it runs a Diamondville Atom.
bw123 wrote: I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.
Why do you feel let down? A lot of the Atoms [maybe all, I haven't looked] are invulnerable.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-25 10:05
by anticapitalista
Here's mine.

grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

uname -a
Linux antix1 4.15.5-antix.2-amd64-smp #1 SMP PREEMPT Fri Feb 23 01:05:42 EET 2018 x86_64 GNU/Linux

cat /proc/cpuinfo | grep -m1 "model name"
model name	: Intel(R) Core(TM) i5 CPU       M 520  @ 2.40GHz

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-26 14:08
by None1975
stevepusser wrote: What kernel is that?
Hello. It is the standard Debian 9.3 kernel

Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-26 20:52
by stevepusser
Thanks, they must have backported the user pointer sanitization to 4.9. The 4.14.17 that briefly appeared upstream doesn't have it.

Re: Official Debian standpoint on Meltdown/Spectre

Posted: 2018-02-28 16:22
by Rildebai
Run these to check if you are prone to meltdown & spectre.

sudo apt install spectre-meltdown-checker

sudo spectre-meltdown-checker