Linux Mint users: Please read how to patch for Meltdown and Spectre vulnerabilities

Discussion in 'Linux' started by John Sutherland, Jan 10, 2018.

  1. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    #1 John Sutherland, Jan 10, 2018
    Last edited: Jan 14, 2018
  2. TinMan

    TinMan MDL Member

    Jul 31, 2009
    116
    154
    10
    And, a couple of hours later, a newer version of the 4.13 series has been released (4.13.0-26)... Updated, with no issues so far...
     
  3. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    #3 Yen, Jan 11, 2018
    Last edited: Jan 11, 2018
    Updates are offered via the Mint updater. (Checked on 17.3 and 18.3 Cinnamon 64-bit)
    I received them all yesterday. I got Nvidia 384.111 from an additionally added PPA.

    Make sure to have all levels enabled. The kernel update I received on 17.3 is level 5, whereas on 18.3 it was a level 4 update.

    EDIT: Please do not install 4.4.0-108. Go for 109 or later if you are on the 4.4 tree.

    108 has issues: https://forums.mydigitallife.net/th...uge-performance-hit.76081/page-6#post-1403053
     
  4. Jason27224

    Jason27224 MDL Novice

    Jan 14, 2018
    2
    3
    0
    I checked with spectre-meltdown-checker after installing the updates and it still shows a Spectre vulnerability (?
     
  5. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    #5 Yen, Jan 14, 2018
    Last edited: Jan 14, 2018
  6. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    #6 John Sutherland, Jan 14, 2018
    Last edited: Jan 14, 2018
    (OP)
  7. Jason27224

    Jason27224 MDL Novice

    Jan 14, 2018
    2
    3
    0
    I checked again and it looks like some mitigations for variant 2 are present (?
    Code:
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available: YES
    *     The SPEC_CTRL CPUID feature bit is set: YES
    *   Kernel support for IBRS: NO
    *   IBRS enabled for Kernel space: NO
    *   IBRS enabled for User space: NO 
    BTW, I'm using an i3 4160 with intel microcode version 3.20180108.0~ubuntu16.04.2 and I'm on Linux Mint 18.
     
  8. oldsh_t

    oldsh_t MDL Expert

    Dec 23, 2009
    1,019
    484
    60
    #8 oldsh_t, Jan 14, 2018
    Last edited: Jan 14, 2018
    I'm on Linux 18.1. I was offered kernel 4.4.0-109, so I went ahead and installed it. When I check to see what I am running, I see I have 4.4.0-53 installed????

    I had enabled all 5 levels for Mint updates, but it was still the same as levels 1, 2, and 3. Either way, I was offered kernel 4.4.0-109.

    What am I missing here??

    UPDATE here: I just rebooted and now it shows kernel 4.4.0-109. I did not know a reboot was required. First time fooling with the kernel!!
     
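The situation in the post above, where the newer kernel package is installed but the box keeps running the old kernel until it reboots, is easy to detect from the shell. The script below is an added example (mine, not from the thread or from Linux Mint): `kernel_state` is a pure function so it can be exercised offline, and the wrapper at the bottom feeds it real values from `uname -r` and `dpkg-query` on a Mint/Ubuntu system. It assumes kernel packages are named `linux-image-<release>` and that GNU `sort -V` is available for version ordering; `kernel_advice` encodes Yen's note earlier in the thread to skip 4.4.0-108.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a newer kernel is
# installed than the one currently running, i.e. whether a reboot is pending.
# Assumptions: packages are named linux-image-<release>; sort -V (GNU) exists.

# kernel_state RUNNING INSTALLED... -> "reboot-needed" if any installed release
# sorts above the running one, otherwise "up-to-date".
kernel_state() {
  running="$1"; shift
  newest=$(printf '%s\n' "$running" "$@" | sort -V | tail -n 1)
  if [ "$newest" = "$running" ]; then
    echo up-to-date
  else
    echo reboot-needed
  fi
}

# Yen's advice in this thread: do not run 4.4.0-108, go for 109 or later.
kernel_advice() {
  case "$1" in
    4.4.0-108-*) echo avoid ;;
    *)           echo ok ;;
  esac
}

# Live check; only runs where dpkg-query exists (Debian-derived systems).
# Status field is "install ok installed" for installed packages, so $3 is the
# state and $4 the package name.
if command -v dpkg-query >/dev/null 2>&1; then
  installed=$(dpkg-query -W -f='${Status} ${Package}\n' 'linux-image-[0-9]*' 2>/dev/null \
    | awk '$3 == "installed" { sub(/^linux-image-/, "", $4); print $4 }')
  # word splitting on $installed is intended: one release per argument
  echo "running $(uname -r): $(kernel_state "$(uname -r)" $installed), advice: $(kernel_advice "$(uname -r)")"
fi
```

Run it right after the updater finishes: `reboot-needed` means the new kernel (and, with it, the PTI/IBRS bits the thread is chasing) is not in effect yet.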
  9. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    It looks like the Intel microcode update worked, or at least partially worked, on your machine. I imagine it will have different effects depending on how new or how old your processor is. In the case of my Core 2 Duo, it had no effect.
     
  10. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    Update: I've been visiting the Linux Mint forum, some of the Ubuntu support websites, and the Phoronix website. I've learned two things:

    1.) Another round of kernel updates will begin today (Monday 1/15), starting with a kernel update for Ubuntu 17.10. Kernel updates for Ubuntu 16.04 LTS and 14.04 LTS should also be available before the end of this week (1/20). This means kernel updates for Linux Mint 18 and 17 will follow shortly afterwards.

    2.) Intel will release a second round of microcode updates for Linux, tentatively scheduled to occur before the end of January.
     
  11. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    #11 Yen, Jan 16, 2018
    Last edited: Jan 16, 2018
  12. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    Yeah, lol
    A new 2018 release from Intel doesn't mean all CPUs listed there have got the new microcodes... I have fooled myself. :D

    After installation I got the latest for the i7-930, which is dated 21/06/2013... let's wait for the second round...
     
  13. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    #13 John Sutherland, Jan 17, 2018
    Last edited: Jan 17, 2018
    (OP)
  14. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    If I get this right I can summarize...

    Meltdown has been patched with (K)PTI (page table isolation). Current kernel updates on that are related to improvements.

    For Spectre there are two measures.

    Coming with MC updates:
    IBRS (Indirect Branch Restricted Speculation) and Indirect Branch Prediction Barriers (IBPB)

    Alternative:
    Retpoline, which requires no MC updates.

    I suppose new kernels will have configs for any of them (pti/ibrs/ibpb) and retpoline.

    Google distorted their success (no performance loss) with retpoline by re-compiling their source code!!!
    The slow-down strongly depends on the structure of the code; in other words, on how often a retpoline will be addressed and hence predictions partially disabled there.

    Since the end user hardly has source code to recompile, the performance loss due to retpoline depends on the application manufacturer (programmer) and their will to re-compile for retpoline optimization.

    On the other hand, microcode updates do more general work by disabling performance-gaining features such as indirect speculation. Retpoline differentiates... (partial disabling)...

    According to Intel, they will also release MC updates for older CPUs. It's cool that Linux could load them on demand if applied and available.

    It seems KPTI and retpoline will be the combination for those without MC updates...
     
  15. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    #15 John Sutherland, Jan 22, 2018
    Last edited: Jan 22, 2018
    (OP)
  16. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
    If I have got 'Spectre' right, it can't be fully patched at all. The cause resides in the CPU hardware itself.
    Spectre variant 1 is hard to patch. There can still be ways to get into speculative execution. Retpoline is made to prevent variant 2.

    Besides that, there can be new variants since there are different covert channels...
    Spectre will lose its importance with new CPU architecture only.

    But I think with KPTI Meltdown has been stopped.
     
  17. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    11,251
    11,063
    340
  18. TinMan

    TinMan MDL Member

    Jul 31, 2009
    116
    154
    10
    Bad news, I'm afraid... The latest intel-microcode for Ubuntu and its derivatives, released today, has been reverted to version 3.20170707ubuntu16.04.1. This is from the changelog: "Revert to 20170707 version of microcode because of regressions on certain hardware. (LP: #1742933)"
    I got this result with the latest version of the Spectre and Meltdown mitigation detection tool (v0.32):

    Code:
    Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
    CPU is  Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO
    > STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  NO
    *     The SPEC_CTRL CPUID feature bit is set:  NO
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Checking if we're running under Xen PV (64 bits):  NO
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
     
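The checker output quoted above, together with the partial output in post #7 and Yen's summary in post #14 (PTI for Meltdown; IBRS from microcode plus kernel support, or retpoline, for Spectre variant 2), all follow one small decision table. The script below is an added example (mine, not from the thread and not part of spectre-meltdown-checker): it re-derives the per-CVE verdict from the tool's YES/NO lines using the rules the tool states in its own STATUS lines, and runs that over samples constructed from the lines quoted in posts #7 and #18 plus one hypothetical retpoline-kernel case. It assumes the line wording of checker v0.32 as quoted in this thread. The post #7 sample is the instructive one: the microcode side says YES but the 4.4 kernel has no IBRS support, so variant 2 stays VULNERABLE until a kernel with IBRS or retpoline arrives.

```shell
#!/bin/sh
# Added example (not from the thread, not part of spectre-meltdown-checker):
# re-derive the checker's verdicts from its YES/NO lines.
#   Variant 2 mitigated  <=> (SPEC_CTRL MSR AND kernel IBRS support)
#                            OR (retpoline kernel option AND retpoline-aware compiler)
#   Meltdown  mitigated  <=> PTI enabled and active AND not a Xen PV guest
# Assumption: line wording matches checker v0.32 as quoted in this thread.

# Read checker output on stdin; print MITIGATED or VULNERABLE for CVE-2017-5715.
# Unset awk variables evaluate to 0, so a missing line counts as NO.
verdict_v2() {
  awk '
    /SPEC_CTRL MSR is available/            { msr    = ($NF == "YES") }
    /Kernel support for IBRS/               { ibrs   = ($NF == "YES") }
    /Kernel compiled with retpoline option/ { retp   = ($NF == "YES") }
    /retpoline-aware compiler/              { retpcc = ($NF == "YES") }
    END {
      if ((msr && ibrs) || (retp && retpcc)) print "MITIGATED"; else print "VULNERABLE"
    }'
}

# Same for CVE-2017-5754 (Meltdown).
verdict_meltdown() {
  awk '
    /PTI enabled and active/ { pti = ($NF == "YES") }
    /running under Xen PV/   { xen = ($NF == "YES") }
    END { if (pti && !xen) print "MITIGATED"; else print "VULNERABLE" }'
}

# Constructed sample from post #7: microcode present, 4.4 kernel lacks IBRS.
sample_post7() {
  cat <<'EOF'
*     The SPEC_CTRL MSR is available: YES
*     The SPEC_CTRL CPUID feature bit is set: YES
*   Kernel support for IBRS: NO
*   IBRS enabled for Kernel space: NO
*   IBRS enabled for User space: NO
EOF
}

# Constructed sample from post #18: reverted microcode, no retpoline, PTI active.
sample_post18() {
  cat <<'EOF'
*     The SPEC_CTRL MSR is available:  NO
*   Kernel support for IBRS:  NO
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
EOF
}

# Hypothetical state once a retpoline-built kernel ships (constructed, not observed).
sample_retpoline() {
  cat <<'EOF'
*     The SPEC_CTRL MSR is available:  NO
*   Kernel support for IBRS:  NO
*   Kernel compiled with retpoline option:  YES
*   Kernel compiled with a retpoline-aware compiler:  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
EOF
}

echo "post #7  variant 2: $(sample_post7 | verdict_v2)"
echo "post #18 variant 2: $(sample_post18 | verdict_v2), meltdown: $(sample_post18 | verdict_meltdown)"
echo "retpoline kernel, variant 2: $(sample_retpoline | verdict_v2)"
# Live use on a real box: sh spectre-meltdown-checker.sh | verdict_v2
```

The point for anyone reading the checker on their own Mint install: a green microcode line on its own changes nothing for variant 2; it is the combination of microcode and a kernel that knows how to use it (or a retpoline kernel) that flips the verdict.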
  19. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
  20. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    629
    896
    30
    @TinMan - Wonderful. Take one step forward, then two steps back. Don't take this personally, it's just the mood I'm in right now.
     