Meltdown and Spectre patches

Off-Topic discussions about science, technology, and non Debian specific topics.
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Meltdown and Spectre patches

#46 Post by Head_on_a_Stick »

The kernel for wheezy has been fixed (for Meltdown) but jessie is still wanting, which is a bit strange.

https://security-tracker.debian.org/tra ... -2017-5754
deadbang

rinatik
Posts: 7
Joined: 2018-01-06 16:43

Re: Meltdown and Spectre patches

#47 Post by rinatik »

n_hologram wrote:@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bits). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
Yes, I came to the same conclusion.
And I'm under the impression that some replies were deeply ignorant.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

#48 Post by debiman »

n_hologram wrote:@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bits). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
n_hologram, thanks for this info.

i'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch?

the vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some debian bugtracker.

Lysander
Posts: 643
Joined: 2017-02-23 10:07
Location: London
Been thanked: 1 time

Re: Meltdown and Spectre patches

#49 Post by Lysander »

bw123 wrote:
I read another blurb somewhere or other that some of the Atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...
I've been reading around and yes, Itanium and Atom CPUs manufactured before 2013 are exempt from Meltdown.

Source:
https://meltdownattack.com/
https://techtalk.gfi.com/is-your-proces ... -meltdown/
https://www.theguardian.com/technology/ ... -explainer

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#50 Post by n_hologram »

debiman wrote: n_hologram, thanks for this info.
i'm trying to find some statement about whether 32bit (i686 in my case) actually need the patch?
the vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some debian bugtracker.
No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it. I would be willing to compile a kernel myself if I knew what preventative features (if any) are necessary.
In similar news, I found this proof of concept, for anyone who wants to check their kernel against it: https://github.com/mniip/spectre-meltdown-poc
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#51 Post by bester69 »

So, as I understand it, there are three kinds of possible solutions:
- Browser isolation solutions
- Kernel isolation tablespace
- microcode firmware

I think any of them is in some way a valid solution; I will go for new microcode or for the new browsers. I don't want to use a slowed kernel and downgrade my whole system's performance.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

anticapitalista
Posts: 428
Joined: 2007-12-14 23:16
Has thanked: 12 times
Been thanked: 13 times

Re: Meltdown and Spectre patches

#52 Post by anticapitalista »

The 3 solutions are ALL required to be 'more secure'. It's not a question of which one do you want to use.
antiX with runit - lean and mean.
https://antixlinux.com

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Meltdown and Spectre patches

#53 Post by bw123 »

n_hologram wrote:If any of this information is in error or outdated, please let me know.

The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is at 4.9.65-3+deb9u1, with jessie-backport version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.

In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?

Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?

Meltdown:
-fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754

Spectre:
-fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753
The original topic was a good one, I think; maybe the thread got off-topic, but I don't see why it is posted in Off-Topic?

The question asked that still gets me is, "In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?"

My answer would be, continue being careful what code/apps you install on your computer. Be aware that using or posting private information on a network has risks. My opinion is that no network is truly secure, but that's just an opinion. Passwords, credit card numbers, account information, medical history, other types of proprietary information can be "hacked" on a network, it happens to some real big players in IT. The best security money can buy seems to get penetrated somehow.

I don't think anybody should be scared, but just be aware. And thanks for the info on the topic so far, I have learned a lot.
resigned by AI ChatGPT

PeterB
Posts: 122
Joined: 2010-10-03 16:53
Has thanked: 1 time
Been thanked: 2 times

Re: Meltdown and Spectre patches

#54 Post by PeterB »

Schneier has posted an article on his blog.
https://www.schneier.com/

He says
For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.
Linux is of course generally much safer than Windows.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#55 Post by n_hologram »

@bw123: I may have been unclear about what I said earlier: my comment was not directed at you, but rather at certain users (one in particular) who routinely intrude and derail -- oftentimes successfully -- genuine security threads with meaningless trolling, often disguised in the form of commentary about how any security is too much security (or something of the ilk). Like, it's not wrong, nor is it completely off topic; however, unsurprisingly, it typically encourages more discussion about judgments, rather than research (and the research used in response is, also unsurprisingly, usually available through the first few hits of a superficial Google search); by contrast, threads like this are meant to encourage relevant, fact-based findings. Again, though, all of this was meant for (an)other user(s).

Unrelated, I updated my original post with some details.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Meltdown and Spectre patches

#56 Post by stevepusser »

https://github.com/speed47/spectre-meltdown-checker

A script to check your vulnerabilities. There's a long way to go with Spectre.

Don't run random scripts without vetting them, though.
MX Linux packager and developer

yeti
Posts: 68
Joined: 2009-03-30 14:22

Re: Meltdown and Spectre patches

#57 Post by yeti »

stevepusser wrote:Don't run random scripts without vetting them, though.
I'm expecting a new wave of "We make your PC great again! Click here to download our cure!" ads now mentioning Spectre and Meltdown.

Hmmmm... they might already be there... I should disable my naïve adblocking... ;-)
"I have a natural instinct for science" — DJ Trump.
"Vrijdag voor VT100!" — Yeti.
"There is no PLANET-B!" — ???

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

#58 Post by debiman »

n_hologram wrote:No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it.
thanks again.
the chosen answer does not suggest that there is any difference between 32 and 64 bit architectures wrt meltdown.

anyhow, i did another update on my debian jessie 32bit system, and now have this:

Code:

uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)
compared to: https://security-tracker.debian.org/tra ... -2017-5754
it would seem that my 32bit machine now has a kernel patched against meltdown.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#59 Post by n_hologram »

Thanks for the info; good to know jessie/686 isn't left astray ^_^
Were you able to check it against the spectre-meltdown-checker that steve shared?
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#60 Post by bester69 »

For Opera browsers, some mitigations:
https://blogs.opera.com/security/2018/0 ... abilities/
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

Seventh
Posts: 44
Joined: 2017-04-01 10:13

Re: Meltdown and Spectre patches

#61 Post by Seventh »

Zenwalk Linux is claiming Firefox has "fixed" Spectre and Meltdown timing attacks for Linux with Firefox 58?

https://zenwalkgnulinux.blogspot.com.au/

steve_v
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: Meltdown and Spectre patches

#62 Post by steve_v »

Seventh wrote:Zenwalk linux is claiming firefox have "fixed" spectre and meltdown timing attacks for linux with firefox 58
Reduced the accuracy of timers available to javascript, like chrome has. A rather dirty workaround, not a fix.
You can't really "fix" CPU side-channel attacks in software, and there are plenty of other ways to generate a fast enough tick for cache timing analysis.
If one is concerned about a browser drive-by, disable javascript.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Meltdown and Spectre patches

#63 Post by bester69 »

I've been using this for a long time (Head_on_a_Stick gave a good contribution; thanks to him here): ad blocking with /etc/hosts (I guess it can help against ad JavaScript)
http://forums.debian.net/viewtopic.php?f=16&t=129202

It updates very often; all these people contribute (I just hope they don't go bad eventually :shock: )
http://someonewhocares.org/hosts/zero/
# Last updated: Wed, 03 Jan 2018 at 18:00:26 GMT
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Meltdown and Spectre patches

#64 Post by debiman »

n_hologram wrote:Thanks for the info; good to know jessie/686 isn't left astray ^_^
Were you able to check it against the spectre-meltdown-checker that steve shared?
i did now.

Code:

$ dmesg | grep isolation
$ grep TABLE_ISOLATION /boot/config-$(uname -r)
$ sudo ./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) i686

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

as i said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32-bit Intel processor?
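The kernel-side checks debiman ran above (the TABLE_ISOLATION config symbol and the dmesg "isolation" line) and the /proc/cpuinfo "cpu_insecure" flag n_hologram mentioned earlier, combined into one verdict. This is an added example, not code from the thread or from the spectre-meltdown-checker project; the sample files under the temporary directory are constructed, and on a live system the inputs would be /boot/config-$(uname -r), the output of dmesg, and /proc/cpuinfo.

```shell
#!/bin/sh
# Added example: Meltdown/PTI status from three local inputs, run against
# constructed sample files so it works offline and without root.

# pti_verdict CONFIG DMESG CPUINFO -> prints one of:
#   mitigated   PTI compiled in and the kernel log reports it enabled
#   built-only  PTI compiled in but not reported active (e.g. booted with pti=off)
#   unaffected  a "bugs" line exists in cpuinfo and does not list the Meltdown flag
#   vulnerable  anything else, including kernels too old to report a "bugs" line
#               at all (a missing line is treated as "affected", never as "safe")
pti_verdict() {
    config="$1"; dmesg_log="$2"; cpuinfo="$3"
    built=0; active=0; affected=1
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$config" && built=1
    # Boot message printed by the PTI code; debiman's "dmesg | grep isolation" looks for it.
    grep -q 'Kernel/User page tables isolation: enabled' "$dmesg_log" && active=1
    # 4.14.11 named the flag cpu_insecure; later kernels renamed it cpu_meltdown.
    if grep -q '^bugs[[:space:]]*:' "$cpuinfo" &&
       ! grep -Eq '^bugs[[:space:]]*:.*(cpu_insecure|cpu_meltdown)' "$cpuinfo"; then
        affected=0
    fi
    if [ "$affected" -eq 0 ]; then echo unaffected
    elif [ "$built" -eq 1 ] && [ "$active" -eq 1 ]; then echo mitigated
    elif [ "$built" -eq 1 ]; then echo built-only
    else echo vulnerable
    fi
}

# Constructed sample inputs (not captured from real machines), modelled on the
# thread's two cases: a jessie 686-pae kernel without PTI and an amd64 kernel with it.
tmp=$(mktemp -d)
printf 'CONFIG_X86_32=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\n' > "$tmp/config-686"
printf 'CONFIG_X86_64=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$tmp/config-amd64"
printf 'Linux version 3.16.0-5-686-pae (debian-kernel@lists.debian.org)\n' > "$tmp/dmesg-686"
printf 'Kernel/User page tables isolation: enabled\n' > "$tmp/dmesg-amd64"
printf 'flags\t\t: fpu vme pae\nbugs\t\t: cpu_insecure\n' > "$tmp/cpuinfo-intel"
printf 'flags\t\t: fpu vme pae\nbugs\t\t:\n' > "$tmp/cpuinfo-amd"

# Report the two thread cases side by side.
for case in "config-686 dmesg-686 cpuinfo-intel" "config-amd64 dmesg-amd64 cpuinfo-intel"; do
    set -- $case
    echo "$1 + $2 + $3: $(pti_verdict "$tmp/$1" "$tmp/$2" "$tmp/$3")"
done
```

The 686 case comes out "vulnerable" even though its version string is the patched one, which is the same gap the checker output above shows: a fixed package version does not by itself prove PTI is built and active for that architecture.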

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Meltdown and Spectre patches

#65 Post by n_hologram »

debiman wrote:as i said before, the kernel version surely is the patched one, but according to these outputs it does not apply to my 32bit intel processor?
This is exactly the crux of the 32-bit issue: no one knows. I'm going to email the patch developer later and ask what's going on.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...
