Official Debian standpoint on Meltdown/Spectre


Re: Official Debian standpoint on Meltdown/Spectre

Postby Lysander » 2018-02-08 10:49

Thorny wrote:I'm pedantic, but you probably already realise that. :-)


I think each case of pedantry has contextual validity. When it comes to Linux-learning, specificity is definitely a good thing.

Thorny wrote:I'm fairly sure you mean you invoke apt update and then apt upgrade if called for.
Just so lurkers and the inexperienced are clear.


That is indeed what I mean, thanks for the clarification.
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London

Re: Official Debian standpoint on Meltdown/Spectre

Postby n_hologram » 2018-02-08 12:16

Lysander wrote:My netbook [Slackware] runs an Atom N270 so is theoretically, and reportedly, immune. By reportedly, I mean that the output of spectre-meltdown-checker states such.

Are you running a 32 or 64-bit kernel?
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing

the crunkbong project: scripts, operating system, the list goes on...
n_hologram
 
Posts: 444
Joined: 2013-06-16 00:10

Re: Official Debian standpoint on Meltdown/Spectre

Postby acewiza » 2018-02-08 14:57

I believe the most important Debian-specific remediations will involve what kernels are showing up where and when.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.
acewiza
 
Posts: 358
Joined: 2013-05-28 12:38
Location: Out West

Re: Official Debian standpoint on Meltdown/Spectre

Postby Lysander » 2018-02-08 15:42

n_hologram wrote:Are you running a 32 or 64-bit kernel?


The N270 is 32bit only, so I am running a 32bit smp.
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London

Re: Official Debian standpoint on Meltdown/Spectre

Postby n_hologram » 2018-02-08 15:50

I forgot that several Atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.
n_hologram
 
Posts: 444
Joined: 2013-06-16 00:10

Re: Official Debian standpoint on Meltdown/Spectre

Postby Lysander » 2018-02-08 15:56

n_hologram wrote:I forgot that several Atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.


I am pretty sure it doesn't, I just update it anyway. But yes, I remember reading that Diamondville processors were among those unaffected.
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-08 21:39

I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation. It seems browsers are easily able to block any Spectre attacks by reducing their timer resolution to a millisecond or so, which is far below the precision that those attacks depend on.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Flightgear 2018.2.2, 4.19.5 kernel, wine-staging 4.0~rc1, Pale Moon 28.2.2, Mesa 18.2.6, Midori 7.0
stevepusser
 
Posts: 10273
Joined: 2009-10-06 05:53

Re: Official Debian standpoint on Meltdown/Spectre

Postby Lysander » 2018-02-08 22:10

NB: this post does not relate to Debian, apologies.

stevepusser wrote:I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation.


Ah, that would explain why I got this:

Code:
bash-4.3# gawk '{ print FILENAME ":\t" $0 }' /sys/devices/system/cpu/vulnerabilities/*

/sys/devices/system/cpu/vulnerabilities/meltdown:   Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:   Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:   Mitigation: Full generic retpoline


Thanks for clearing that up, Steve. Furthermore, the point that I was making re my CPU was that it is apparently immune to both vulnerabilities [N270]. But kernel-wise, yes, it seems we are not yet there with the mitigation for 32bit [though complete mitigation has been achieved now in 64bit {Slack} - sorry for taking this off-distro].

Resume normal service, I will bow out.
Lysander
 
Posts: 558
Joined: 2017-02-23 10:07
Location: London

Re: Official Debian standpoint on Meltdown/Spectre

Postby milomak » 2018-02-18 16:35

Sorry guys. What does this mean for me?

Code:
grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline - vulnerable module loaded
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
Desktop: iMac Late-2015 27" 5K Retina (17,1 - 3.3GHz) - MacOS and Windows 10 (Bootcamp)/ Debian Sid (External SSD)
Laptop: Lenovo ideapad Y700 [nVidia Optimus] (64-bit) - Debian Sid, Win10,
Kodi Box: AMD Athlon 5150 APU w/Radeon HD 8400 - Debian Sid
milomak
 
Posts: 1855
Joined: 2009-06-09 22:20

Re: Official Debian standpoint on Meltdown/Spectre

Postby Head_on_a_Stick » 2018-02-18 18:19

milomak wrote:What does this mean for me?

Looks good to me but I don't know what this means:
Code:
vulnerable module loaded

My Arch box has the "full generic retpoline" message but without the module bit and my Alpine Linux machine has "minimal generic ASM retpoline", I think that is gcc-version-dependent.

Just remember to disable JavaScript whenever possible and you should be fine.
dbruce wrote:Ubuntu forums try to be like a coffee shop in Seattle. Debian forums strive for the charm and ambience of a skinhead bar in Bacau. We intend to keep it that way.
Head_on_a_Stick
 
Posts: 8321
Joined: 2014-06-01 17:46
Location: /dev/chair
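
Added example (not part of any post in this thread, and not Debian's or the kernel's own tooling): a POSIX shell helper that classifies each file under /sys/devices/system/cpu/vulnerabilities the way the outputs above show them, and treats a missing directory as "no report" rather than "safe". The function names and the sample directory, built from the three lines milomak posted, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Map one status string, as the kernel prints it, to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*)                  echo not_affected ;;
        # The kernel appends this suffix when a loaded module was built
        # without retpoline, so spectre_v2 coverage is incomplete.
        Mitigation:*"vulnerable module"*) echo mitigated_with_caveat ;;
        Mitigation:*)                     echo mitigated ;;
        Vulnerable*)                      echo vulnerable ;;
        *)                                echo unknown ;;
    esac
}

# Print "name<TAB>class<TAB>raw status" per file.
# Returns 0 = nothing vulnerable, 1 = something vulnerable/unknown,
# 2 = directory missing (older kernel: no report, which is not "safe").
report_vulnerabilities() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo no_report
        return 2
    fi
    worst=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$class" "$status"
        case "$class" in
            vulnerable|unknown) worst=1 ;;
        esac
    done
    return "$worst"
}

# Constructed sample directory holding the three lines milomak posted.
write_sample_report() {
    printf '%s\n' 'Mitigation: Full generic retpoline - vulnerable module loaded' > "$1/spectre_v2"
    printf '%s\n' 'Mitigation: __user pointer sanitization' > "$1/spectre_v1"
    printf '%s\n' 'Mitigation: PTI' > "$1/meltdown"
}
```

Calling `report_vulnerabilities` with no argument reads the live /sys directory.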

Re: Official Debian standpoint on Meltdown/Spectre

Postby n_hologram » 2018-02-20 17:44

Lol I love that my thread is already completely ignored. Are we due for a Skyfall thread yet?

Here's a horrifying glimpse at the current 2018 CVE list: https://imgs.xkcd.com/comics/2018_cve_list.png
n_hologram
 
Posts: 444
Joined: 2013-06-16 00:10

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-22 22:08

Jessie and Stretch gcc compilers are now patched to support retpoline, and the Stretch 4.9 kernel is recompiled with its own retpoline support, in order to harden against some Spectre variants.
stevepusser
 
Posts: 10273
Joined: 2009-10-06 05:53

Re: Official Debian standpoint on Meltdown/Spectre

Postby bw123 » 2018-02-24 04:15

I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.

Code:
$ uname -a
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
$ cat /proc/cpuinfo | grep -m1 "model name"
model name      : Intel(R) Atom(TM) CPU N450   @ 1.66GHz
bw123
 
Posts: 3575
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Official Debian standpoint on Meltdown/Spectre

Postby None1975 » 2018-02-24 14:07

Here's mine
Code:
 grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name   : Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz
None1975
 
Posts: 701
Joined: 2015-11-29 18:23
Location: Lithuania, Vilnius

Re: Official Debian standpoint on Meltdown/Spectre

Postby stevepusser » 2018-02-24 23:03

None1975 wrote:Here's mine
Code:
 grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name   : Intel(R) Core(TM) i7 CPU         920  @ 2.67GHz


What kernel is that? I just backported 4.14.17 from upstream to Stretch and get this:

Code:
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline


I also have installed a backport of Buster's 4.15.4, but haven't booted to it yet...here goes.

Better, equal to the recent 4.14 Liquorix kernels:
Code:
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline


Though both these new backports are giving me an alarming but harmless string of boot messages about "pstore: decompression failed" that zip by too fast to really see what's going on. Let's see if the Net knows how to suppress that.
stevepusser
 
Posts: 10273
Joined: 2009-10-06 05:53
