| View previous topic :: View next topic |
| Author |
Message |
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 9678
Location: almost Mile High in the USA
|
 Posted: Mon Jan 08, 2018 4:54 am Post subject: |
 |
|
BTW, whoever can change the topic from "Meltdown/Spectre: Kernel Memory Leaking":
memory leak sort of means something ("malloc without free").
private memory content leakage or unauthorized memory read may mean something else...
just saying (yeah, I hate this term too, but I think it's well deserved for this topic.)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
| Back to top |
|
 |
gengreen
Apprentice
Joined: 23 Dec 2017
Posts: 150
|
| Posted: Mon Jan 08, 2018 5:02 am Post subject: |
|
|
Last firmware 20171117_p20171215-r1
| Code: | [ 0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[ 2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[ 2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba |
Look better today, but still unable to known if I'm still vulnerable by meltdown
6 month they are aware of the problem and yet not capable to give a proper patch... |
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
|
| Posted: Mon Jan 08, 2018 7:49 am Post subject: |
|
|
| gengreen wrote: | Last firmware 20171117_p20171215-r1
| Code: | [ 0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[ 2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[ 2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba |
Look better today, but still unable to known if I'm still vulnerable by meltdown
6 month they are aware of the problem and yet not capable to give a proper patch... |
For meltdown you need a patched kernel (grep secure /proc/cpuinfo)
For spectre you need gcc,kernel patching plus microcode for intel (gcc + kernel only for amd)
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
Wallsandfences
Guru
Joined: 29 Mar 2010
Posts: 378
|
| Posted: Mon Jan 08, 2018 8:15 am Post subject: |
|
|
| What am I missing? There wasn't a new gcc in the last few days?? |
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
|
| Posted: Mon Jan 08, 2018 9:46 am Post subject: |
|
|
| Wallsandfences wrote: | | What am I missing? There wasn't a new gcc in the last few days?? |
its not out yet... Spectre isn't resolved yet...
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54220
Location: 56N 3W
|
| Posted: Mon Jan 08, 2018 10:14 am Post subject: |
|
|
That will be another when the new gcc is out.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
|
| Posted: Mon Jan 08, 2018 10:45 am Post subject: |
|
|
| NeddySeagoon wrote: | | That will be another when the new gcc is out. |
Will it? or will it just be the kernel? I would have thought it would just be the kernel that needs to be rebuild with the new speculative branching mitigation (ie poisoning it)
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
luiztux
n00b
Joined: 31 Aug 2015
Posts: 27
Location: /usr/portage/distfiles
|
|
| Back to top |
|
|
EasterParade
l33t
Joined: 26 Jul 2003
Posts: 938
|
| Posted: Mon Jan 08, 2018 11:22 am Post subject: |
|
|
Got patched kernel and updated microcode
| Code: | [ 0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[ 0.000000] Linux version 4.14.11-gentoo-r2 (root@aldebaran) (gcc version 6.4.0 (Gentoo 6.4.0 p1.1)) #2 SMP Sun Jan 7 10:09:37 CET 2018
|
I still see this:
| Code: | grep secure /proc/cpuinfo
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
|
Or is the patch in 4.14.11-r2 not complete yet? |
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
|
| Posted: Mon Jan 08, 2018 11:24 am Post subject: |
|
|
| transsib wrote: | Got patched kernel and updated microcode
| Code: | [ 0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[ 0.000000] Linux version 4.14.11-gentoo-r2 (root@aldebaran) (gcc version 6.4.0 (Gentoo 6.4.0 p1.1)) #2 SMP Sun Jan 7 10:09:37 CET 2018
|
I still see this:
| Code: | grep secure /proc/cpuinfo
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
bugs : cpu_insecure
|
Or is the patch in 4.14.11-r2 not complete yet? |
you will see that, that is just a verbose note that your CPU is classified as insecure. dmesg | grep -i isolation should indicate whether the page table isolation is loaded
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
| Posted: Mon Jan 08, 2018 11:25 am Post subject: |
|
|
| Naib wrote: | | Will it? or will it just be the kernel? |
Every program/library is vulnerable until recompiled with a gcc which has a corresponidng patch. |
|
| Back to top |
|
|
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
| Posted: Mon Jan 08, 2018 11:26 am Post subject: |
|
|
| Naib wrote: | | NeddySeagoon wrote: | | That will be another when the new gcc is out. |
Will it? or will it just be the kernel? I would have thought it would just be the kernel that needs to be rebuild with the new speculative branching mitigation (ie poisoning it) |
IMHO it is needed for Spectre v2 to recompile everything, but I am not sure about Spectre v1 tho:
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html |
|
| Back to top |
|
|
transpetaflops
Apprentice
Joined: 16 May 2005
Posts: 159
|
| Posted: Mon Jan 08, 2018 11:47 am Post subject: |
|
|
| gengreen wrote: | Last firmware 20171117_p20171215-r1
| Code: | [ 0.000000] microcode: microcode updated early to revision 0xba, date = 2017-04-09
[ 2.692722] microcode: sig=0x506e3, pf=0x20, revision=0xba
[ 2.692854] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba |
Look better today, but still unable to known if I'm still vulnerable by meltdown
6 month they are aware of the problem and yet not capable to give a proper patch... |
What is the source of these new microcode files? On Intel's website I can only find the original microcode file from 20171117 and none of the updated ones.
https://downloadcenter.intel.com/download/27337 |
|
| Back to top |
|
|
Wallsandfences
Guru
Joined: 29 Mar 2010
Posts: 378
|
| Posted: Mon Jan 08, 2018 11:51 am Post subject: |
|
|
I can confirm that the microcode works on meltdown for skylake u/y
|
|
| Back to top |
|
|
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
|
| Posted: Mon Jan 08, 2018 11:53 am Post subject: |
|
|
google guys:
- "hey, we had rumour krinn is about to switch to profile 17.0"
- "ok release spectre and meldown papers to delay him more!" |
|
| Back to top |
|
|
Wallsandfences
Guru
Joined: 29 Mar 2010
Posts: 378
|
| Posted: Mon Jan 08, 2018 12:12 pm Post subject: |
|
|
| Wallsandfences wrote: | I can confirm that the microcode works on meltdown for skylake u/y
|
Oops, on the next reboot it's gone. I can only speculate, since I updated my bios (intel nuc) and its revision is January the 3rd, that it got new microcode from bios now, skipping the early microcode patching.
R. |
|
| Back to top |
|
|
PrSo
Tux's lil' helper
Joined: 01 Jun 2017
Posts: 136
|
| Posted: Mon Jan 08, 2018 12:33 pm Post subject: |
|
|
This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker
It checks if any of the mitigations were applied.
On AMD apu , kernel 4.14.12-gentoo, without KPTI enabled in kernel config:
| Code: | sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.13
Checking vulnerabilities against Linux 4.14.12-gentoo #1 SMP Sun Jan 7 17:54:49 CET 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 23 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: NOT VULNERABLE (your CPU is not vulnerable as per the vendor)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU is not vulnerable as per the vendor) |
|
|
| Back to top |
|
|
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
|
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
|
| Posted: Mon Jan 08, 2018 12:41 pm Post subject: |
|
|
Thats not new enough. That is Intels microcode from nov 2017... they have not made avail microcode for spectre ( well maybe to vendors for BIOS updates)
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
|
| Posted: Mon Jan 08, 2018 12:44 pm Post subject: |
|
|
it's all we have for now, and i didn't myself check, but it's possible that a nov2017 update is indeed the fix.
spectre has been release to public jan2018, it doesn't mean intel has discover the issue that day 
and "not quiet sure", but i think devs have find and report the flaw in feb or march 2017.
at least from https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
| Quote: | | cpu:Haswell cpuid: 000306C3 rev need: 0x23 |
and i have | Quote: | >cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'
000306C3
>iucode_tool -S -l /lib/firmware/intel-ucode/*
049/001: sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552 |
|
|
| Back to top |
|
|
Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
|
| Posted: Mon Jan 08, 2018 1:01 pm Post subject: |
|
|
Except...
Intel's PR release on 4th Jan: https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
| Quote: | | Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services. |
Now the nov2017 update may have covered "products introduced within the past five years" as the press statement didn't actually state when that occured
_________________
| Quote: | | Removed by Chiitoo |
|
|
| Back to top |
|
|
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Mon Jan 08, 2018 1:20 pm Post subject: |
|
|
This tool is pretty good! Thanks for sharing this. I'm especially glad it's only a shell script - and not a sophisticated C program. So I can see easily what it does.
I just executed it on a newly updated RHEL 7 server. It looks like they already have implemented LFENCE and IBRS in the kernel - here is the output:
| Code: | Spectre and Meltdown mitigation detection tool v0.13
Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (112 opcodes found, which is >= 70)
> STATUS: NOT VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability) |
Last edited by mike155 on Mon Jan 08, 2018 1:32 pm; edited 3 times in total |
|
| Back to top |
|
|
EasterParade
l33t
Joined: 26 Jul 2003
Posts: 938
|
| Posted: Mon Jan 08, 2018 1:23 pm Post subject: |
|
|
| Quote: | | ( well maybe to vendors for BIOS updates) |
not holding breath; no UEFI update available since 2015 for this system (ASUS).
Broadwell systems have had updates only this year though. |
|
| Back to top |
|
|
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920
|
| Posted: Mon Jan 08, 2018 1:27 pm Post subject: |
|
|
| PrSo wrote: | This is another 3 in 1 meltdown-spectre mitigation checker:
https://github.com/speed47/spectre-meltdown-checker
It checks if any of the mitigations were applied.
On AMD apu , kernel 4.14.12-gentoo, without KPTI enabled in kernel config:
| Code: | sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.13
Checking vulnerabilities against Linux 4.14.12-gentoo #1 SMP Sun Jan 7 17:54:49 CET 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 23 opcodes found, should be >= 70)
> STATUS: VULNERABLE |
|
I wonder if that's a side effect of Gentoo kernels not compiling in thousands of useless drivers. Maybe we're fine there. |
|
| Back to top |
|
|
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
|
|
| Back to top |
|
|
|
Kernel & Hardware
