Linux Mint users: Please read how to patch for Meltdown and Spectre vulnerabilities

Discussion in 'Linux' started by John Sutherland, Jan 10, 2018.

  1. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,063
    12,600
    340
    Prediction is responsible for the performance boost in CPU development. And prediction is vulnerable because it isn't realized with the same security aspects as the 'real' branch, hence the performance.
    Security costs time for additional checks. The development and the fixes will suffer from the same contrary aspects. This also plays a role in future changes of CPU architecture.

    The CPU developers are now in a dilemma. If they realize a future prediction with all security aspects, their new CPUs will be safer, but slower.
    I am curious what will come...
  2. TinMan

    TinMan MDL Member

    Jul 31, 2009
    126
    190
    10
    @John Sutherland - I'm happy you're in a good mood, John :D But, back to the issue - the microcode was reverted to the previous version "because of regressions on certain hardware". I have an i7 2600K at home and an i7 4790 at work and I had no issues, whatsoever, on either of them. Now I feel stupid for rushing to update the microcode :oops:... Well, at least I haven't had a chance to mess up my work machine :p
  3. TinMan

    TinMan MDL Member

    Jul 31, 2009
    126
    190
    10
    I'm sure they'll all come up with something... else. So, it's going to be "mine's faster, better, bigger" all over again. How else would they make profit? Certainly not by suddenly going: "O.K. We've decided to sacrifice speed for the sake of security!" Who's going to buy a brand new, but considerably slower CPU? Eventually, this vulnerability will be patched, hopefully at the hardware architecture level, but they'll have to make concessions somewhere else, and that's going to get exploited eventually... Vicious circle...
  4. TinMan

    TinMan MDL Member

    Jul 31, 2009
    126
    190
    10
    #24 TinMan, Jan 22, 2018
    Last edited: Jan 23, 2018
    Some good news: just a couple of minutes ago, LTS Kernel 4.4.0-112 and HWE Kernel 4.13.0-31 were released through Linux Mint Update Manager. Now, on my home machine, the Spectre and Meltdown mitigation detection tool gives this output:

    Code:
    Spectre and Meltdown mitigation detection tool v0.32
    
    Checking for vulnerabilities against running kernel Linux 4.13.0-31-generic #34~16.04.1-Ubuntu SMP Fri Jan 19 17:11:01 UTC 2018 x86_64
    CPU is  Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES
    > STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  NO
    *     The SPEC_CTRL CPUID feature bit is set:  NO
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Checking if we're running under Xen PV (64 bits):  NO
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
    So, I guess that Spectre Variant 1 has been patched...

    EDIT:

    On the other hand, and this is really great news, on my work machine (HP ProDesk 490 G2 MT, i7 4790), the Spectre and Meltdown mitigation detection tool v0.32 gives the following output:

    Code:
    Checking for vulnerabilities against running kernel Linux 4.13.0-31-generic #34~16.04.1-Ubuntu SMP Fri Jan 19 17:11:01 UTC 2018 x86_64
    CPU is  Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES
    > STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  YES
    *     The SPEC_CTRL CPUID feature bit is set:  YES
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  YES
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Checking if we're running under Xen PV (64 bits):  NO
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
    :clap:
  5. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,063
    12,600
    340
  6. Superfly

    Superfly MDL Expert

    Jan 12, 2010
    1,143
    543
    60
  7. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    824
    1,203
    30
    #27 John Sutherland, Feb 22, 2018
    Last edited: Feb 22, 2018
    (OP)
  8. oldsh_t

    oldsh_t MDL Expert

    Dec 23, 2009
    1,063
    519
    60
    Thank you John for the update. I just installed kernel 4.4.0-116, which I had seen yesterday. Seems that everything is OK now. I hope!! If this is all correct then these guys have it all over Intel and M$.
    :cheers:
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
    > STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
    * Mitigation 1
    * Kernel is compiled with IBRS/IBPB support: YES
    * Currently enabled features
    * IBRS enabled for Kernel space: NO (echo 1 > /proc/sys/kernel/ibrs_enabled)
    * IBRS enabled for User space: NO (echo 2 > /proc/sys/kernel/ibrs_enabled)
    * IBPB enabled: NO (echo 1 > /proc/sys/kernel/ibpb_enabled)
    * Mitigation 2
    * Kernel compiled with retpoline option: YES
    * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
    * Retpoline enabled: YES
    > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
    * Kernel supports Page Table Isolation (PTI): YES
    * PTI enabled and active: YES
    * Running as a Xen PV DomU: NO
    > STATUS: NOT VULNERABLE (Mitigation: PTI)
  9. TinMan

    TinMan MDL Member

    Jul 31, 2009
    126
    190
    10
    #29 TinMan, Mar 29, 2018
    Last edited: Mar 30, 2018
    We now have a new intel-microcode update (3.20180312.0~ubuntu16.04.1) available from Linux Mint / Ubuntu Update Manager.
    This is the latest Spectre and Meltdown mitigation detection tool's (v0.36) output on my machine:

    Spectre and Meltdown mitigation detection tool v0.36

    Checking for vulnerabilities on current system
    Kernel is Linux 4.13.0-37-generic #42~16.04.1-Ubuntu SMP Wed Mar 7 16:03:28 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz

    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
    * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
    * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES
    * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
    * CPU microcode is known to cause stability problems: NO (model 42 stepping 7 ucode 0x2d)
    * CPU vulnerability to the three speculative execution attack variants
    * Vulnerable to Variant 1: YES
    * Vulnerable to Variant 2: YES
    * Vulnerable to Variant 3: YES

    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
    * Kernel has array_index_mask_nospec: NO
    * Kernel has the Red Hat/Ubuntu patch: YES
    > STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
    * Mitigation 1
    * Kernel is compiled with IBRS/IBPB support: YES
    * Currently enabled features
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * IBPB enabled: YES
    * Mitigation 2
    * Kernel compiled with retpoline option: YES
    * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
    > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline, IBPB (Intel v4))

    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
    * Kernel supports Page Table Isolation (PTI): YES
    * PTI enabled and active: YES
    * Running as a Xen PV DomU: NO
    > STATUS: NOT VULNERABLE (Mitigation: PTI)

    A false sense of security is worse than no security at all, see --disclaimer
  10. oldsh_t

    oldsh_t MDL Expert

    Dec 23, 2009
    1,063
    519
    60
    And the good news just keeps on coming:)
    Thanks TinMan
  11. TinMan

    TinMan MDL Member

    Jul 31, 2009
    126
    190
    10
    Just to let you know, we now have kernel 4.15.0-13 available in Linux Mint Update Manager (View - Linux kernels). I've just updated to the new kernel on my desktop, so it's too early to say if there are any bugs specific to my configuration...

    Anyway, this is the latest Spectre and Meltdown mitigation detection tool's (v0.36+) output on my machine:

    Code:
    Spectre and Meltdown mitigation detection tool v0.36+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.15.0-13-generic #14~16.04.1-Ubuntu SMP Sat Mar 17 03:04:59 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  YES
        * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  YES
        * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  YES
        * CPU indicates STIBP capability:  YES
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
      * CPU microcode is known to cause stability problems:  NO  (model 42 stepping 7 ucode 0x2d)
    * CPU vulnerability to the three speculative execution attack variants
      * Vulnerable to Variant 1:  YES
      * Vulnerable to Variant 2:  YES
      * Vulnerable to Variant 3:  YES
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel has array_index_mask_nospec (x86):  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
    * Kernel has the Red Hat/Ubuntu patch:  NO
    * Kernel has mask_nospec64 (arm):  NO
    > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Mitigation 1
      * Kernel is compiled with IBRS/IBPB support:  YES
      * Currently enabled features
        * IBRS enabled for Kernel space:  UNKNOWN
        * IBRS enabled for User space:  UNKNOWN
        * IBPB enabled:  UNKNOWN
    * Mitigation 2
      * Kernel has branch predictor hardening (arm):  NO
      * Kernel compiled with retpoline option:  YES
      * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel supports Page Table Isolation (PTI):  YES  (found 'CONFIG_PAGE_TABLE_ISOLATION=y')
    * PTI enabled and active:  YES
    * Running as a Xen PV DomU:  NO
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    A false sense of security is worse than no security at all, see --disclaimer
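Added example, not code from the thread or from the detection tool: a small POSIX shell script that reads the kernel's /sys/devices/system/cpu/vulnerabilities entries, which is what the "Mitigated according to the /sys interface" line in the outputs above is based on, and classifies each entry the way the tool reports status. It assumes a kernel that exposes that directory; when it is absent, the script falls back to a constructed sample that mirrors the v0.36+ mitigation strings quoted above.

```shell
#!/bin/sh
# Added example, not the detection tool's own code. Reads the kernel's
# /sys/devices/system/cpu/vulnerabilities interface (the source of the tool's
# "Mitigated according to the /sys interface" line) and classifies each entry.
# Assumes a kernel that exposes that directory; without it, entries are UNKNOWN.

SYS_VULN_DIR="${SYS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# CVE number the tool prints for each /sys entry name (from the thread's output).
cve_for() {
  case "$1" in
    spectre_v1) echo CVE-2017-5753 ;;
    spectre_v2) echo CVE-2017-5715 ;;
    meltdown)   echo CVE-2017-5754 ;;
    *)          echo "CVE-unknown" ;;
  esac
}

# classify_sys_line "<contents of one /sys entry>" -> NOT_VULNERABLE | VULNERABLE | NOT_AFFECTED | UNKNOWN
# The kernel writes "Mitigation: <name>", "Vulnerable" (optionally with details) or "Not affected".
classify_sys_line() {
  case "$1" in
    "Mitigation: "*) echo NOT_VULNERABLE ;;
    "Not affected"*) echo NOT_AFFECTED ;;
    "Vulnerable"*)   echo VULNERABLE ;;
    *)               echo UNKNOWN ;;
  esac
}

# report_vuln <entry> [dir] -> "<CVE> (<entry>): <class> (<raw kernel string>)"
report_vuln() {
  entry="$1"; vdir="${2:-$SYS_VULN_DIR}"
  if [ -r "$vdir/$entry" ]; then
    raw=$(cat "$vdir/$entry")
  else
    raw="no /sys entry: kernel too old or interface not exposed"
  fi
  echo "$(cve_for "$entry") ($entry): $(classify_sys_line "$raw") ($raw)"
}

# Constructed sample (not captured from a real machine) mirroring the mitigation
# strings quoted in the thread's v0.36+ output, so the script also runs offline.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Mitigation: Full generic retpoline, IBPB, IBRS_FW\n' > "$d/spectre_v2"
  echo "$d"
}

# Use the live interface when the kernel provides it, otherwise the sample.
if [ -d "$SYS_VULN_DIR" ]; then live="$SYS_VULN_DIR"; else live=$(make_sample_dir); fi
for e in spectre_v1 spectre_v2 meltdown; do report_vuln "$e" "$live"; done
```

Newer kernels add further entries under the same directory (l1tf, mds and so on); pass any entry name to report_vuln and it is classified by the same rule, with UNKNOWN for names the running kernel does not expose.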
  12. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    824
    1,203
    30
  13. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,063
    12,600
    340
    I have just received a new level 5 kernel update. I am on the 4.4 branch, 4.4.0-119-generic.

    BTW: Due to the recent frequent releases of new kernels, one might get into trouble by running out of space on the boot partition where the kernels are stored.
    One can check for free space by looking at the boot folder. I only had 30 MBytes left there.

    To remove old kernels, the easiest and safest way is to use the GUI of the Mint updater. Just choose to show the kernels there and delete old ones easily.
    You can scroll through any available kernels. Those that are installed are checked, as is the one in use. You can uninstall any but the one in use there. I have kept the latest 3....
  14. TinMan

    TinMan MDL Member

    Jul 31, 2009
    126
    190
    10
  15. fabre gastro

    fabre gastro MDL Junior Member

    May 29, 2018
    72
    25
    0
    @John Sutherland
    Did you try to install libreboot or coreboot? The T400 is a good laptop even by today's standards, and you can completely remove Intel ME there.
    Just curious.
     
  16. fabre gastro

    fabre gastro MDL Junior Member

    May 29, 2018
    72
    25
    0
    @Yen
    How about removing old kernels and/or creating a new boot partition, or even better using a USB stick and making the appropriate adjustment in the fstab to boot from the USB drive? You won't need it after you boot or when performing a kernel upgrade, and secondly the modules are present in /lib/modules/`uname -r` anyway. And if you have encrypted boot, and not just root plus encrypted root/LVM, then make similar changes in crypttab....
    That's because on another coreboot laptop I have the kernel inside the BIOS chip itself, and it's only 5 MB (4.1 MiB); yes, I removed/crippled Intel ME and it's a custom kernel though.
    Because you running out of space sounds a little amateurish to me... meh!
     
  17. John Sutherland

    John Sutherland MDL Addicted

    Oct 15, 2014
    824
    1,203
    30
    Why would I want to re-flash my BIOS and replace it with libreboot or coreboot? How is that going to correct the inherent design flaw that makes my Intel Core 2 Duo processor vulnerable to Meltdown/Spectre? Just curious. Maybe you could explain it to me.

    BTW, you cannot encrypt the boot partition on a system using LVM/LUKS, if that's what you mean by using the term "encrypted boot".
  18. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,063
    12,600
    340
    #38 Yen, Jun 15, 2018
    Last edited: Jun 15, 2018