...footprints? You mean on your particular systems? What is your install and hardware? (hint: inxi -F)
new stable i386 kernel 4.9.65-3+deb9u2 has no KPTI footprints at all. Does anybody know why?
bump .. (
Meltdown and Spectre patches
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Meltdown and Spectre patches
MX Linux packager and developer
Re: Meltdown and Spectre patches
stevepusser wrote:...footprints? You mean on your particular systems? What is your install and hardware? (hint: inxi -F)
new stable i386 kernel 4.9.65-3+deb9u2 has no KPTI footprints at all. Does anybody know why?
bump .. (
I mean the i686 kernel has no KPTI patch at all. WHY?
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Meltdown and Spectre patches
rinatik wrote:I mean the i686 kernel has no KPTI patch at all.
stevepusser wrote:...footprints? You mean on your particular systems? What is your install and hardware? (hint: inxi -F)
new stable i386 kernel 4.9.65-3+deb9u2 has no KPTI footprints at all. Does anybody know why?
bump .. (
WHY?
Sounds like a JOB FOR GOOGLEMAN.
BTW, Pale Moon says their timer is "fuzzy" enough to be immune to those timer-based SPECTRE attacks.
MX Linux packager and developer
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Meltdown and Spectre patches
Backported the 4.14.12 upstream kernel, but it leaves out an important dependency in the headers: https://bugs.debian.org/cgi-bin/bugrepo ... bug=886474
That also affects broadcom-sta-dkms and ndiswrapper builds. Kernel was a pain to backport already and takes a looong time to build, what with extra realtime versions and 550 MB -dbg packages for each kernel variant. Will make some other metapackage pull in libelf-dev until the bug gets fixed.
MX Linux packager and developer
-
- Posts: 459
- Joined: 2013-06-16 00:10
Re: Meltdown and Spectre patches
@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bits). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo (not that it indicates much), but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
EDIT: From the link I shared above:
In standard kernels, the strings Kernel/User page tables isolation: enabled or Kernel/User page tables isolation: force enabled on command line in the dmesg output means that the kernel is performing kernel page table isolation. The latter message additionally means that the kernel thinks page-table isolation is not required for this CPU.
In some vendor-patched kernels (mainly RedHat and derivatives): a nonzero value in /sys/kernel/debug/x86/pti_enabled. The absence of this file does not mean anything, however: the standard kernel does not provide it.
It would appear, then, that dmesg is one's best bet for confirming the presence of KPTI. Nonetheless, I feel like I'm misinterpreting something.
EDIT 2: I'm investigating this page, but I'm on the move and won't be able to read it in-depth until later.
Last edited by n_hologram on 2018-01-08 19:37, edited 3 times in total.
the crunkbong project: scripts, operating system, the list goes on...bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
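A small POSIX sh checker that codifies the KPTI indicators listed in the post above (the two dmesg strings, the cpu_insecure flag in /proc/cpuinfo and the vendor debugfs file), as an added example that is not from the thread. The sample dmesg and cpuinfo lines are constructed, and the function names, the KPTI_LIVE switch and the verdict wording are this example's own; it also folds in the point made in the post that PAGE_TABLE_ISOLATION is only built for x86_64.

```shell
#!/bin/sh
# Added example (not from the thread): check the KPTI indicators the post
# lists. Each check takes its input as an argument so it can be exercised on
# the constructed samples below and then on the live system (KPTI_LIVE=1).

# dmesg text -> "forced" | "enabled" | "absent"
kpti_from_dmesg() {
    case "$1" in
        *"Kernel/User page tables isolation: force enabled on command line"*) echo forced ;;
        *"Kernel/User page tables isolation: enabled"*) echo enabled ;;
        *) echo absent ;;
    esac
}

# /proc/cpuinfo text -> "yes" if the kernel flagged the CPU as cpu_insecure
cpu_insecure_flag() {
    case "$1" in *cpu_insecure*) echo yes ;; *) echo no ;; esac
}

# vendor debugfs file -> "enabled" | "disabled" | "unknown" (absent on stock kernels)
pti_debugfs() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(cat "$1")" in 0) echo disabled ;; *) echo enabled ;; esac
}

# Combine the indicators into one verdict. The architecture matters because
# PAGE_TABLE_ISOLATION is only built on x86_64, so a 32-bit kernel prints nothing.
kpti_verdict() {   # $1=arch  $2=dmesg text  $3=cpuinfo text  $4=debugfs path
    d=$(kpti_from_dmesg "$2"); c=$(cpu_insecure_flag "$3"); p=$(pti_debugfs "$4")
    if [ "$d" != absent ] || [ "$p" = enabled ]; then
        echo "KPTI active ($d/$p)"
    elif [ "$1" != x86_64 ]; then
        echo "KPTI not reported; non-x86_64 kernel ($1), cpu_insecure=$c"
    else
        echo "KPTI not reported on x86_64, cpu_insecure=$c"
    fi
}

# Constructed samples, not real captures.
SAMPLE_DMESG_ON='[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_DMESG_OFF='[    0.000000] Linux version 4.9.0-4-686-pae'
SAMPLE_CPUINFO='bugs            : cpu_insecure'

# KPTI_LIVE=1 sh kpti-check.sh runs the verdict against the real system.
if [ "${KPTI_LIVE:-0}" = 1 ]; then
    kpti_verdict "$(uname -m)" "$(dmesg 2>/dev/null)" "$(cat /proc/cpuinfo)" \
        /sys/kernel/debug/x86/pti_enabled
fi
```

On a stock Debian kernel the debugfs check always returns unknown, so the dmesg line is the decisive one, exactly as the quoted text says.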
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Meltdown and Spectre patches
The kernel for wheezy has been fixed (for Meltdown) but jessie is still wanting, which is a bit strange.
https://security-tracker.debian.org/tra ... -2017-5754
deadbang
Re: Meltdown and Spectre patches
n_hologram wrote:@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bits). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
Yes, I came to the same conclusion.
And I'm under impression how deeply ignorant some replies were.
Re: Meltdown and Spectre patches
n_hologram wrote:@rinatik: If you look at the kernel source, PAGE_TABLE_ISOLATION requires x86_64 bit, and is auto-disabled if one is not building a 64-bit kernel (aka, if your kernel is 32-bits). Based on this, to be completely honest, I have no idea if this means that a 32-bit kernel (686) is mitigated against Meltdown or not. I shared in a previous post that i686 users can grep "cpu_insecure" from /proc/cpuinfo, but dmesg doesn't report anything, and obviously x86_64 is a dependency; I'm not even sure what criteria to Google at this point. Perhaps someone more knowledgeable can shed insight.
n_hologram, thanks for this info.
I'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch.
The vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some Debian bug tracker.
Re: Meltdown and Spectre patches
bw123 wrote:
I read another blurb somewhere or other that some of the atom processors might be exempt from one issue or the other. I have one of those on my netbook that I use online, so if anybody runs across any actual info that hasn't signed any non-disclosures or retained an attorney, or sells clicks as news, let me know...
I've been reading around and yes, Itanium and Atom CPUs manufactured before 2013 are exempt from Meltdown.
Source:
https://meltdownattack.com/
https://techtalk.gfi.com/is-your-proces ... -meltdown/
https://www.theguardian.com/technology/ ... -explainer
-
- Posts: 459
- Joined: 2013-06-16 00:10
Re: Meltdown and Spectre patches
debiman wrote: n_hologram, thanks for this info.
I'm trying to find some statement about whether 32-bit (i686 in my case) actually needs the patch.
The vanilla i686 kernel for jessie is NOT yet patched, but marked vulnerable on some Debian bug tracker.
No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it. I would be willing to compile a kernel myself if I knew what preventative features (if any) are necessary.
In similar news, I found this proof of concept, for anyone who wants to check their kernel against it: https://github.com/mniip/spectre-meltdown-poc
the crunkbong project: scripts, operating system, the list goes on...bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
Re: Meltdown and Spectre patches
So, as I understand it, there are three kinds of possible solutions:
- Browser isolation solutions
- Kernel isolation tablespace
- microcode firmware
I think any of them is in some way a valid solution. I will go for new microcode or for the new browsers. I don't want to use a slowed kernel and downgrade my whole system performance.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...
-
- Posts: 429
- Joined: 2007-12-14 23:16
- Has thanked: 12 times
- Been thanked: 13 times
Re: Meltdown and Spectre patches
The 3 solutions are ALL required to be 'more secure'. It's not a question of which one do you want to use.
antiX with runit - lean and mean.
https://antixlinux.com
Re: Meltdown and Spectre patches
n_hologram wrote:If any of this information is in error or outdated, please let me know.
The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is at 4.9.65-3+deb9u1, with jessie-backport version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.
In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?
Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?
Meltdown:
-fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754
Spectre:
-fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753
The original topic was a good one I think, maybe the thread got off-topic but I don't see why it is posted in off-topic?
The question asked that still gets me is, "In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?"
My answer would be, continue being careful what code/apps you install on your computer. Be aware that using or posting private information on a network has risks. My opinion is that no network is truly secure, but that's just an opinion. Passwords, credit card numbers, account information, medical history, other types of proprietary information can be "hacked" on a network, it happens to some real big players in IT. The best security money can buy seems to get penetrated somehow.
I don't think anybody should be scared, but just be aware. And thanks for the info on the topic so far, I have learned a lot.
resigned by AI ChatGPT
Re: Meltdown and Spectre patches
Schneier has posted an article on his blog.
https://www.schneier.com/
He says
For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.
Linux is of course generally much safer than Windows.
-
- Posts: 459
- Joined: 2013-06-16 00:10
Re: Meltdown and Spectre patches
@bw123: I may have been unclear about what I said earlier: my comment was not directed at you, but rather at certain users (one in particular) who routinely intrude and derail -- often times successfully -- genuine security threads with meaningless trolling, often disguised in the form of commentary about how any security is too much security (or something of the ilk). Like, it's not wrong, nor is it completely off topic; however, unsurprisingly, it typically encourages more discussion about judgments, rather than research (and the research used in response is, also unsurprisingly, usually available through the first few hits of a superficial Google search); by contrast, threads like this are meant to encourage relevant, fact-based findings. Again, though, all of this was meant for (an)other user(s).
Unrelated, I updated my original post with some details.
the crunkbong project: scripts, operating system, the list goes on...bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
- stevepusser
- Posts: 12930
- Joined: 2009-10-06 05:53
- Has thanked: 41 times
- Been thanked: 71 times
Re: Meltdown and Spectre patches
https://github.com/speed47/spectre-meltdown-checker
A script to check your vulnerabilities. There's a long way to go with Spectre.
Don't run random scripts without vetting them, though.
MX Linux packager and developer
Re: Meltdown and Spectre patches
stevepusser wrote:Don't run random scripts without vetting them, though.
I'm expecting a new wave of "We make your PC great again! Click here to download our cure!" ads now mentioning Spectre and Meltdown.
Hmmmm... they might already be there... I should disable my naïve adblocking...
"I have a natural instinct for science" — DJ Trump.
"Vrijdag voor VT100!" — Yeti.
"There is no PLANET-B!" — ???
Re: Meltdown and Spectre patches
n_hologram wrote:No problem. It is my understanding that 32-bit is exploitable, but it's still unclear if there is a sensible way to mitigate it.
thanks again.
the chosen answer does not suggest that there is any difference between 32 and 64 bit architectures wrt meltdown.
anyhow, i did another update on my debian jessie 32bit system, and now have this:
uname -rv
3.16.0-5-686-pae #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08)
it would seem that my 32bit machine now has a kernel patched against meltdown.
-
- Posts: 459
- Joined: 2013-06-16 00:10
Re: Meltdown and Spectre patches
Thanks for the info; good to know jessie/686 isn't left astray ^_^
Were you able to check it against the spectre-meltdown-checker that steve shared?
the crunkbong project: scripts, operating system, the list goes on...bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
Re: Meltdown and Spectre patches
For Opera browsers, some mitigations:
https://blogs.opera.com/security/2018/0 ... abilities/
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...