n_hologram wrote: I forgot that several atom processors are invulnerable, so I'm assuming yours is one. If so, correct me if I'm wrong, but I'm not sure the kernel makes much of a difference.
I am pretty sure it doesn't, I just update it anyway. But yes, I remember reading that diamondville processors were among those unaffected.
Official Debian standpoint on Meltdown/Spectre
Re: Official Debian standpoint on Meltdown/Spectre
- stevepusser
Re: Official Debian standpoint on Meltdown/Spectre
I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation. It seems browsers are easily able to block any Spectre attacks by reducing their timer resolution to a millisecond or so, which is far below the precision that those attacks depend on.
MX Linux packager and developer
Re: Official Debian standpoint on Meltdown/Spectre
NB: this post does not relate to Debian, apologies.
Thanks for clearing that up, Steve. Furthermore, the point that I was making re my CPU was that it is apparently immune to both vulnerabilities [N270]. But kernel-wise, yes, it seems we are not yet there with the mitigation for 32bit [though complete mitigation has been achieved now in 64bit {Slack} - sorry for taking this off-distro].
Resume normal service, I will bow out.
stevepusser wrote: I thought that only the most recent kernels are going to show that vulnerabilities folder in /sys. Currently, no 32-bit kernels have any mitigation for Meltdown, AFAIK, as has been stated in several threads here and confirmed by a kernel developer. There is some work being done towards fixing that sad situation.
Ah, that would explain why I got this:
Code: Select all
bash-4.3# gawk '{ print FILENAME ":\t" $0 }' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown: Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1: Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2: Mitigation: Full generic retpoline
Resume normal service, I will bow out.
Re: Official Debian standpoint on Meltdown/Spectre
Sorry guys. What does this mean for me?
Code: Select all
grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline - vulnerable module loaded
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
Desktop: A320M-A PRO MAX, AMD Ryzen 5 3600, GALAX GeForce RTX™ 2060 Super EX (1-Click OC) - Sid, Win10, Arch Linux, Gentoo, Solus
Laptop: hp 250 G8 i3 11th Gen - Sid
Kodi: AMD Athlon 5150 APU w/Radeon HD 8400 - Sid
- Head_on_a_Stick
Re: Official Debian standpoint on Meltdown/Spectre
milomak wrote: what does this mean for me
Looks good to me but I don't know what this means:
Code: Select all
vulnerable module loaded
My Arch box has the "full generic retpoline" message but without the module bit and my Alpine Linux machine has "minimal generic ASM retpoline", I think that is gcc-version-dependent.
Just remember to disable javascript whenever possible and you should be fine.
deadbang
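A way to triage the sysfs output that milomak and Head_on_a_Stick discuss above, as an added example that is not part of any post in this thread. The kernel appends "- vulnerable module loaded" to spectre_v2 when a loaded module was not built with retpoline, so the script reports such a line separately from a clean mitigation; the function names and class labels are made up for illustration.

```shell
#!/bin/sh
# Added example: triage the entries under /sys/devices/system/cpu/vulnerabilities.

# classify_status STATUS
#   prints: not-affected | vulnerable | mitigated | mitigated-caveat | unknown
# "mitigated-caveat" means a mitigation is active but the kernel appended a
# warning to the line, e.g. "- vulnerable module loaded".
classify_status() {
    case "$1" in
        "Not affected"*)         echo not-affected ;;
        Vulnerable*)             echo vulnerable ;;
        Mitigation:*vulnerable*) echo mitigated-caveat ;;
        Mitigation:*)            echo mitigated ;;
        *)                       echo unknown ;;
    esac
}

# report_dir [DIR] -> one "name<TAB>class<TAB>raw status" line per sysfs entry
report_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# needs_attention [DIR] -> exit status 0 if any entry is neither cleanly
# mitigated nor unaffected, 1 otherwise
needs_attention() {
    report_dir "$1" | awk -F'\t' \
        '$2 != "mitigated" && $2 != "not-affected" { bad = 1 } END { exit !bad }'
}

# write_sample DIR -> recreate the three entries quoted in milomak's post
write_sample() {
    echo 'Mitigation: Full generic retpoline - vulnerable module loaded' > "$1/spectre_v2"
    echo 'Mitigation: __user pointer sanitization' > "$1/spectre_v1"
    echo 'Mitigation: PTI' > "$1/meltdown"
}

# Demo on the sample so the script runs on any machine; call report_dir with
# no argument to read the live sysfs directory instead.
demo=$(mktemp -d)
write_sample "$demo"
report_dir "$demo"
if needs_attention "$demo"; then echo "review: at least one entry needs a closer look"; fi
rm -rf "$demo"
```

For a "mitigated-caveat" result on spectre_v2, the kernel log names the module that was loaded without retpoline support.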
Re: Official Debian standpoint on Meltdown/Spectre
Lol I love that my thread is already completely ignored. Are we due for a Skyfall thread yet?
Here's a horrifying glimpse at the current 2018 CVE list: https://imgs.xkcd.com/comics/2018_cve_list.png
the crunkbong project: scripts, operating system, the list goes on...
bester69 wrote: There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
- stevepusser
Re: Official Debian standpoint on Meltdown/Spectre
Jessie and Stretch gcc compilers are now patched to support retpoline, and the Stretch 4.9 kernel is recompiled with its own retpoline support, in order to harden against some Spectre variants.
MX Linux packager and developer
Re: Official Debian standpoint on Meltdown/Spectre
I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.
Code: Select all
$ uname -a
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
$ cat /proc/cpuinfo | grep -m1 "model name"
model name : Intel(R) Atom(TM) CPU N450 @ 1.66GHz
resigned by AI ChatGPT
- None1975
Re: Official Debian standpoint on Meltdown/Spectre
Here's mine
Code: Select all
grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name : Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github
- stevepusser
Re: Official Debian standpoint on Meltdown/Spectre
None1975 wrote: Here's mine
Code: Select all
grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cat /proc/cpuinfo | grep -m1 "model name"
model name : Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz
What kernel is that? I just backported 4.14.17 from upstream to Stretch and get this:
Code: Select all
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
Better, equal to the recent 4.14 Liquorix kernels:
Code: Select all
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
MX Linux packager and developer
Re: Official Debian standpoint on Meltdown/Spectre
Saw this come through earlier today. Very pleased.
I'm covered by default on my other machine since it runs a diamondville Atom.
Code: Select all
lysander@psychopig-xxxiii:~$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
lysander@psychopig-xxxiii:~$ cat /proc/cpuinfo | grep -m1 "model name"
model name : Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz
lysander@psychopig-xxxiii:~$ uname -a
Linux psychopig-xxxiii 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
lysander@psychopig-xxxiii:~$
bw123 wrote: I know it's crazy, but I sort of feel let down by this whole thing. I know there has been a lot of work done though, and I appreciate that.
Why do you feel let down? A lot of the Atoms [maybe all, I haven't looked] are invulnerable.
Re: Official Debian standpoint on Meltdown/Spectre
Here's mine.
Code: Select all
grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
uname -a
Linux antix1 4.15.5-antix.2-amd64-smp #1 SMP PREEMPT Fri Feb 23 01:05:42 EET 2018 x86_64 GNU/Linux
cat /proc/cpuinfo | grep -m1 "model name"
model name : Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz
antiX with runit - lean and mean.
https://antixlinux.com
- None1975
Re: Official Debian standpoint on Meltdown/Spectre
stevepusser wrote: What kernel is that?
Hello. It is the standard Debian 9.3 kernel
Code: Select all
Linux debian 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github
- stevepusser
Re: Official Debian standpoint on Meltdown/Spectre
Thanks, they must have backported the user pointer sanitation to 4.9. The 4.14.17 that briefly appeared upstream doesn't have it.
MX Linux packager and developer
Re: Official Debian standpoint on Meltdown/Spectre
Run these to check if you are prone to meltdown & spectre.
Code: Select all
sudo apt install spectre-meltdown-checker
Code: Select all
sudo spectre-meltdown-checker
Write programs that do one thing and do it well. ~ Doug McIlroy on the UNIX Philosophy
- stevepusser
Re: Official Debian standpoint on Meltdown/Spectre
Stretch users will have to get spectre-meltdown-checker from stretch-backports.
MX Linux packager and developer
Re: Official Debian standpoint on Meltdown/Spectre
stevepusser wrote: Stretch users will have to get spectre-meltdown-checker from stretch-backports.
Yes.
Write programs that do one thing and do it well. ~ Doug McIlroy on the UNIX Philosophy
- stevepusser
Re: Official Debian standpoint on Meltdown/Spectre
Code: Select all
Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-5.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.15-1~mx17+1 (2018-02-25) x86_64
CPU is Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO (model 78 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Retpoline enabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
MX Linux packager and developer