Info about Meltdown and Spectre Bugs

[musca]

Hello,
like any other operating system siduction 18.1.0 is affected by the Meltdown and Spectre security issues caused by faulty processor design.
As a rolling release siduction integrates security fixes with its latest dist-upgrades:

MELTDOWN:
Processes can read the page table of other processes and so may gain secret information.
Since version 4.14.11-towo.2 the siduction kernel sets

CONFIG_PAGE_TABLE_ISOLATION=y

and towo' has integrated the upcoming 4.14.12-rc1 patch in the 4.14.11-towo.3-kernel.


SPECTRE:
The Speculative Execution Side-Channel Attack needs to be mitigated in the application layer, i.e. software developers need to include some mitigation measure in their products. Basically this means the whole world has to be recompiled with a patched compiler.


intel-microcode   3.20171215.1 contains some fixes for CVE-2017-5715 and Spectre variant 2.
Chromium 63.0.3239.84 provides experimental "Strict Site Isolation" (to be enabled on chrome://flags/#enable-site-per-process )
Firefox 57.0.4 contains a mitigation ( https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ )


(list to be continued ...)


greetings
musca

[devil]

What is recommended for Chrome also goes for Opera and Vivaldi, as they use the same Engine as Chrome.

[Mte90]

Tried right now what is suggested on https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/
what I got it:

Code: [Select]

pectre and Meltdown mitigation detection tool v0.19

Checking for vulnerabilities against live running kernel Linux 4.14.12-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.14-22 (2018-01-08) x86_64
Will use vmlinux image /boot/vmlinuz-4.14.12-towo.2-siduction-amd64
Will use kconfig /proc/config.gz
Will use System.map file /proc/kallsyms

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 34 opcodes found, should be >= 70)
> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

[musca]

Hello Mte90,

thanks for the suggestion.
These results are expected as only Meltdown has been fixed in the kernel yet.

According to Greg's Blog it will take weeks of the kernel comunity to develope the needed counter measures against spectre.

greetings
musca

[CCarpenter]

Tried right now what is suggested on https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/

Tested my System ...

Code: [Select]

Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.14.13-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.14-24 (2018-01-15) x86_64
CPU is AMD Ryzen 7 1800X Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
> STATUS:  NOT VULNERABLE  (Not affected)

A false sense of security is worse than no security at all, see --disclaimer


[whistler_mb]

Here is mine

Code: [Select]

Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.14.13-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.14-24 (2018-01-15) x86_64
CPU is Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

[threepio]

Thanks a lot for this very good info.
I don`t need it for SIDU, it is safe, but it is helpfully for others in Linux community. 

[devil]

The vulnerability against Spectre might be mitigated after the weekend if:

Kernel 4.15 is released (most likely)

and

GCC 7.3 is released in Debian (needed to build 4.15 in a useful way (where it makes use of Retpoline-Patches against Spectre-Types Variant 1 (Bounds Check Bypass) and Variant 2 (Branch Target Injection)).

[ayla]

http://www.tagesschau.de/wirtschaft/intel-update-101.html

[devil]

Flog heut mittag auch hier beim d-u. Dazu auch: https://linuxnews.de/2018/01/23/intel-zieht-microcode-gegen-spectre-zurueck/

[CCarpenter]

Hätten wir kein Intel ME (MeltdownEmbedded ) und kein AMD PSP würde es den ganzen BUG wahrscheinlich nicht in dem Ausmaß geben!

[towo]

Es bessert sich:

[CCarpenter]

Fehlt nur noch Variante 1 .... Vielen Dank towo für die schnellen Patches!

[devil]

Variante 1 kommt erst mit 4.16

[jaegermeister]

Actually, I just updated to 4.15, although hardware is permanently shown as vulnerable, also variant 1 looks fixed

Code: [Select]

Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.1-towo.2-siduction-amd64 #1 SMP PREEMPT siduction 4.15-4 (2018-02-06) x86_64
CPU is Intel(R) Xeon(R) CPU           X5650  @ 2.67GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 44 stepping 2 ucode 0x1d)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)