1. Yen (Admin, Staff Member)
    #541 Yen, Jan 14, 2018
    Last edited: Jan 14, 2018
  2. John Sutherland (MDL Addicted)
    #542 John Sutherland, Jan 14, 2018
    Last edited: Jan 14, 2018
  3. Jason27224 (MDL Novice)
    I checked again and it looks like some mitigations for variant 2 are present (?)
    Code:
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available: YES
    *     The SPEC_CTRL CPUID feature bit is set: YES
    *   Kernel support for IBRS: NO
    *   IBRS enabled for Kernel space: NO
    *   IBRS enabled for User space: NO
    BTW, I'm using an i3-4160 with Intel microcode version 3.20180108.0~ubuntu16.04.2 and I'm on Linux Mint 18.
     
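The "SPEC_CTRL CPUID feature bit" line in the checker output above maps to a single CPUID leaf. The C program below is an added example (not from the thread and not the detection tool's own code) that queries and decodes that leaf: it assumes an x86 build with GCC or Clang (for `<cpuid.h>`) and reports the leaf as unavailable elsewhere. Bit positions are those Intel documents for CPUID.(EAX=7,ECX=0):EDX; the SPEC_CTRL MSR itself (0x48) can only be read in ring 0 or via the msr driver as root, which is why the tool reports it separately.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Added example: decode the Spectre v2 control enumeration in
 * CPUID.(EAX=7,ECX=0):EDX (Intel CPUID leaf 07H):
 *   bit 26  IBRS and IBPB supported (IA32_SPEC_CTRL MSR 0x48, IA32_PRED_CMD MSR 0x49)
 *   bit 27  STIBP supported
 *   bit 29  IA32_ARCH_CAPABILITIES MSR (0x10A) present
 * A microcode update is what sets these bits on older parts: the i3-4160
 * post above shows YES for the CPUID bit, the i7-2600K on the reverted
 * 20170707 microcode further down shows NO.
 */
struct spec_caps {
    int ibrs_ibpb;   /* EDX[26] */
    int stibp;       /* EDX[27] */
    int arch_caps;   /* EDX[29] */
};

/* Pure decode, so it can be checked against constructed register values. */
struct spec_caps decode_leaf7_edx(uint32_t edx)
{
    struct spec_caps c;
    c.ibrs_ibpb = (edx >> 26) & 1;
    c.stibp     = (edx >> 27) & 1;
    c.arch_caps = (edx >> 29) & 1;
    return c;
}

/* Execute CPUID on this machine.  Returns 1 and fills *edx on x86 when
 * leaf 7 exists, 0 otherwise (non-x86 build, or a CPU too old for leaf 7). */
int query_leaf7_edx(uint32_t *edx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7)
        return 0;
    __cpuid_count(7, 0, a, b, c, d);
    *edx = d;
    return 1;
#else
    (void)edx;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    struct spec_caps c;

    if (!query_leaf7_edx(&edx)) {
        puts("CPUID leaf 7 not available on this machine");
        return 0;
    }
    c = decode_leaf7_edx(edx);
    printf("leaf7 EDX=0x%08x  IBRS/IBPB: %s  STIBP: %s  ARCH_CAPABILITIES: %s\n",
           edx, c.ibrs_ibpb ? "YES" : "NO", c.stibp ? "YES" : "NO",
           c.arch_caps ? "YES" : "NO");
    return 0;
}
```

A YES here only means the CPU advertises the controls; whether the running kernel uses them is the separate "Kernel support for IBRS" / "IBRS enabled" question the tool asks next, and on a VM the hypervisor must also pass the bits through.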
  4. oldsh_t (MDL Expert)
    #544 oldsh_t, Jan 14, 2018
    Last edited: Jan 14, 2018
    I'm on Linux 18.1. I was offered kernel 4.4.0-109 so I went ahead and installed it. When I check to see what I am running I see I have 4.4.0-53 installed????

    I had enabled all 5 levels for Mint updates but it was still the same as levels 1, 2, and 3. Either way, I was offered kernel 4.4.0-109.

    What am I missing here??

    UPDATE here: I just rebooted and now it shows kernel 4.4.0-109. Did not know a reboot was required. First time fooling with the kernel!!
     
  5. John Sutherland (MDL Addicted)
    It looks like the Intel microcode update worked, or at least partially worked, on your machine. I imagine it will have different effects depending on how new or how old your processor is. In the case of my Core 2 Duo, it had no effect.
     
  6. John Sutherland (MDL Addicted)
    Update: I've been visiting the Linux Mint forum, some of the Ubuntu support websites, and the Phoronix website. I've learned two things:

    1.) Another round of kernel updates will begin today (Monday 1/15), starting with a kernel update for Ubuntu 17.10. Kernel updates for Ubuntu 16.04 LTS and 14.04 LTS should also be available before the end of this week (1/20). This means kernel updates for Linux Mint 18 and 17 will follow shortly afterwards.

    2.) Intel will release a second round of microcode updates for Linux, tentatively scheduled to occur before the end of January.
     
  7. Yen (Admin, Staff Member)
    #547 Yen, Jan 16, 2018
    Last edited: Jan 16, 2018
  8. Yen (Admin, Staff Member)
    Yeah, lol
    A new 2018 release from Intel doesn't mean all CPUs listed there have got the new microcodes. I have fooled myself. :D

    After installation I got the latest for the i7-930, which is dated 21/06/2013... let's wait for the second round...
     
  9. John Sutherland (MDL Addicted)
    #549 John Sutherland, Jan 17, 2018
    Last edited: Jan 17, 2018
  10. Yen (Admin, Staff Member)
    If I get this right I can summarize...

    Meltdown has been patched with (K)PTI (page table isolation). Current kernel updates on that are related to improvements.

    For spectre there are two measures

    Come with MC updates:
    IBRS (Indirect Branch Restricted Speculation) and Indirect Branch Prediction Barriers (IBPB)

    Alternative:
    Retpoline that requires no MC updates.

    I suppose new kernels will have configs for any (pti/ibrs/ibpb) and retpoline.

    Google distorted their success (no performance loss) of retpoline by re-compiling their source code!!!
    Slow-down strongly depends on the structure of the code, in other words how often a retpoline will be addressed and hence predictions partially disabled there.

    Since the end user hardly has source code to recompile, the performance loss due to retpoline depends on the application manufacturer (programmer) and their will to re-compile them for retpoline optimization.

    On the other hand, microcode updates do more general work by disabling performance-gaining features such as indirect speculations. Retpoline differentiates... (partial disabling)...

    According to Intel, they will also release MC updates for older CPUs. It's cool that Linux can load them on demand if applied and available.

    It seems KPTI and retpoline will be the combination for those without MC updates...
     
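The "alternative" in the post above, retpoline, is a code construct rather than a microcode feature, which is why it needs a recompile. The C program below is an added example, not from the thread and not the kernel's or GCC's own implementation: it hand-writes the call / capture-loop / overwrite / ret shape of the thunk GCC emits for `-mindirect-branch=thunk` (`__x86_indirect_thunk_rax`) next to a plain indirect call, so the mechanism can be read and run. The asm path assumes x86-64 with GCC or Clang and SysV-ABI integer callees; on any other target it falls back to the plain call. `add_op` and `mul_op` are constructed sample targets.

```c
#include <stdio.h>

typedef long (*op_fn)(long, long);

/* Constructed sample call targets. */
static long add_op(long a, long b) { return a + b; }
static long mul_op(long a, long b) { return a * b; }

/* Plain indirect call: the CPU predicts the target from the indirect branch
 * predictor (BTB), which a Spectre v2 attacker trains from another context. */
static long plain_call(op_fn target, long a, long b)
{
    return target(a, b);
}

/* Retpoline ("return trampoline").  The indirect jump becomes a RET.  The
 * RET's predicted target comes from the return stack buffer, which holds
 * the address pushed by the preceding CALL, i.e. the capture loop, so any
 * mis-speculation spins in pause/lfence/jmp instead of reaching a gadget.
 * Architecturally the RET still goes to the real target, because the return
 * address on the stack is overwritten with it first. */
static long retpoline_call(op_fn target, long a, long b)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    unsigned long rax = (unsigned long)target; /* thunk expects target in %rax */
    long rdi = a, rsi = b;                     /* SysV integer argument registers */
    __asm__ volatile(
        "mov   %%rsp, %%r12\n\t"    /* save stack pointer */
        "sub   $128, %%rsp\n\t"     /* step over the red zone before pushing */
        "and   $-16, %%rsp\n\t"     /* ABI: 16-byte aligned at the CALL */
        "call  3f\n\t"              /* call the thunk; pushes 'jmp 4f' as return */
        "jmp   4f\n\t"
        "3:\n\t"                    /* __x86_indirect_thunk_rax equivalent */
        "call  2f\n\t"              /* pushes 1: -> RSB now predicts RET -> 1: */
        "1:\n\t"
        "pause\n\t"
        "lfence\n\t"
        "jmp   1b\n\t"              /* speculation trap */
        "2:\n\t"
        "mov   %%rax, (%%rsp)\n\t"  /* replace return address with real target */
        "ret\n\t"                   /* architectural transfer to target */
        "4:\n\t"
        "mov   %%r12, %%rsp\n\t"    /* restore stack pointer after target returns */
        : "+a"(rax), "+D"(rdi), "+S"(rsi)
        :
        : "rcx", "rdx", "r8", "r9", "r10", "r11", "r12", "memory", "cc",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15");
    return (long)rax;
#else
    return target(a, b);            /* non-x86-64 build: no retpoline here */
#endif
}

int main(void)
{
    printf("plain:     2+3=%ld\n", plain_call(add_op, 2, 3));
    printf("retpoline: 2+3=%ld  6*7=%ld\n",
           retpoline_call(add_op, 2, 3), retpoline_call(mul_op, 6, 7));
    return 0;
}
```

Both paths return the same values; the difference is only in what the CPU is allowed to predict. Two caveats a practitioner should keep in mind: the `pause; lfence` loop is a real cost on every indirect call, which is the slow-down the post attributes to code structure, and on CPUs whose RSB falls back to the BTB when it underflows (Skylake and later) the kernel additionally refills the RSB on context switch, so retpoline alone is not the whole mitigation there.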
  11. John Sutherland (MDL Addicted)
    #551 John Sutherland, Jan 22, 2018
    Last edited: Jan 22, 2018
  12. Yen (Admin, Staff Member)
    If I have got 'spectre' right it can't be fully patched at all. The cause resides in the CPU hardware itself.
    Spectre variant 1 is hard to patch. There can be still ways to get into speculative execution. Retpoline is made to prevent variant 2.

    Besides that, there can be new variants since there are different covert channels...
    Spectre will lose its importance with new CPU architecture only.

    But I think with KPTI meltdown has been stopped.
     
  13. Yen (Admin, Staff Member)
  14. TinMan (MDL Member)
    Bad news, I'm afraid... The latest intel-microcode for Ubuntu and its derivatives, released today, has been reverted to version 3.20170707ubuntu16.04.1. This is from changelog: "Revert to 20170707 version of microcode because of regressions on certain hardware. (LP: #1742933)"
    I got this result with the latest version of the Spectre and Meltdown mitigation detection tool (v0.32):

    Code:
    Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
    CPU is  Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO
    > STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  NO
    *     The SPEC_CTRL CPUID feature bit is set:  NO
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Checking if we're running under Xen PV (64 bits):  NO
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
     
  15. John Sutherland (MDL Addicted)
  16. John Sutherland (MDL Addicted)
    @TinMan - Wonderful. Take one step forward, then two steps back. Don't take this personally, it's just the mood I'm in right now.
     
  17. Yen (Admin, Staff Member)
    Prediction is responsible for the performance boost in CPU development. And prediction is vulnerable because it isn't realized with the same security aspects as the 'real' branch, hence the performance.
    Security costs time for additional checks. The development and the fixes will suffer from the same contrary aspects. This also plays a role in future changes of CPU architecture.

    The CPU developers are now in a dilemma. If they realize a future prediction with all security aspects, their new CPUs will be safer, but slower.
    I am curious what will come...
     
  18. TinMan (MDL Member)
    @John Sutherland - I'm happy you're in a good mood, John :D But, back to the issue - the microcode was reverted to the previous version "because of regressions on certain hardware". I have an i7 2600K at home and an i7 4790 at work and I had no issues, whatsoever, on either of them. Now I feel stupid for rushing to update the microcode :oops:... Well, at least I haven't had a chance to mess up my work machine :p
     
  19. TinMan (MDL Member)
    I'm sure they'll all come up with something... else. So, it's going to be "mine's faster, better, bigger" all over again. How else would they make profit? Certainly not by suddenly going: "O.K. We've decided to sacrifice speed for the sake of security!" Who's going to buy a brand new, but considerably slower CPU? Eventually, this vulnerability will be patched, hopefully at the hardware architecture level, but they'll have to make concessions somewhere else, and that's going to get exploited eventually... Vicious circle...
     
  20. TinMan (MDL Member)
    #560 TinMan, Jan 22, 2018
    Last edited: Jan 23, 2018
    Some good news: just a couple of minutes ago, LTS Kernel 4.4.0-112 and HWE Kernel 4.13.0-31 have been released through Linux Mint Update Manager. Now, on my home machine, Spectre and Meltdown mitigation detection tool gives this output:

    Code:
    Spectre and Meltdown mitigation detection tool v0.32
    
    Checking for vulnerabilities against running kernel Linux 4.13.0-31-generic #34~16.04.1-Ubuntu SMP Fri Jan 19 17:11:01 UTC 2018 x86_64
    CPU is  Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES
    > STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  NO
    *     The SPEC_CTRL CPUID feature bit is set:  NO
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Checking if we're running under Xen PV (64 bits):  NO
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
    So, I guess that Spectre Variant 1 has been patched...

    EDIT:

    On the other hand, and this is really great news, on my work machine (HP ProDesk 490 G2 MT, i7 4790), the Spectre and Meltdown mitigation detection tool v0.32 gives the following output:

    Code:
    Checking for vulnerabilities against running kernel Linux 4.13.0-31-generic #34~16.04.1-Ubuntu SMP Fri Jan 19 17:11:01 UTC 2018 x86_64
    CPU is  Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES
    > STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  YES
    *     The SPEC_CTRL CPUID feature bit is set:  YES
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  YES
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Checking if we're running under Xen PV (64 bits):  NO
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
    :clap:
     