Gentoo Forums
Networking & Security
Meltdown and Spectre for Noobs
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Thu Jan 11, 2018 8:02 pm    Post subject: Meltdown and Spectre for Noobs

Hello Gentoo people,

Blame the authors of the Gentoo Handbook and this forum's community
for allowing noobs like me to install Gentoo
and bother you with the following questions and steal your time.

That said, as a noob, I am grateful for the Gentoo Handbook and especially this community!
I work in a warehouse so I have the weekend to make nice with Gentoo:

Code:
>$ uname -a
Linux keeshta 4.0.5-gentoo #19 SMP Wed Oct 7 16:25:30 CEST 2015 x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux
>$ emerge -uDNa @world

!!! Your current profile is deprecated and not supported anymore.
!!! Use eselect profile to update your profile.
!!! Please upgrade to the following profile if possible:

        default/linux/amd64/17.0/desktop

You may use the following command to upgrade:

        eselect profile set default/linux/amd64/17.0/desktop

These are the packages that would be merged, in order:
...
...
...
!!! The following installed packages are masked:
- sys-kernel/gentoo-sources-4.14.8-r1::gentoo (masked by: package.mask)
/usr/portage/profiles/package.mask:
# Alice Ferrazzi <alicef@gentoo.org> (05 Jan 2018)
# kernel: Meltdown and Spectre - Processor flaw. (#643228)
# Please upgrade for Intel processor flaw workaround
# (currently KPTI patch are 64bit only),
# also excluding AMD from the fix as not affected.
# Please unmask your kernel version if you want to
# continue to use your kernel with AMD.
# Removal in a month.

I gathered that the bug is a hardware thingy,
and software patches slow down performance,
and that is all I understand.
As always, I can copy and paste like a pro, but what?
So here I ask you kindly to help your eternal noob with a tip or two.

Thank you.
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Thu Jan 11, 2018 8:11 pm

while true,

These things are information leaks. Of themselves, they are not direct threats to your system security.
However, the information that can be leaked might aid a privilege escalation attack.
That is, it could leak your root password in clear text.

You would need to be running software that included one or more of the information leak exploits.
The leaked information would then need to be used in an attack.

You do need to fix it. How fast depends on how much you trust your users (including remote users) and your installed software base.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Thu Jan 11, 2018 8:29 pm

Hey NeddySeagoon, thank you for your prompt reply,

I am the only user, and my base apps are, well, like I know what I have, but I do have ff, evince, libre and such, smplayer...

So, I have to select my profile first, then I go and unmask gentoo-sources, and that should do the trick?

Thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Thu Jan 11, 2018 8:48 pm    Post subject: Reply with quote

while true,

The patch set is not yet complete.
You may need a CPU microcode update too.

If you are going to apply the available fixes today, be aware that there will be more soon.

-- edit --

None of this is related to the Gentoo profile change. Do the changes separately.
Profile first, since that will give you a new gcc and you want all the parts of the kernel built with the same gcc.
Then do the security updates.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.


Last edited by NeddySeagoon on Thu Jan 11, 2018 8:51 pm; edited 1 time in total

krinn
Watchman
Joined: 02 May 2003
Posts: 6175

PostPosted: Thu Jan 11, 2018 8:49 pm

while true wrote:
I am the only user

Alas, that is not enough to secure yourself, as information could be leaked from the browser.
How would you judge the severity of a forged website leaking your bank account and password, to use your bank account from your browser?

please refer to https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
mrbassie
Guru
Joined: 31 May 2013
Posts: 486

PostPosted: Fri Jan 12, 2018 9:52 am

So am I understanding correctly that kpti + microcode is what/all we currently have to mitigate these?
krinn
Watchman
Joined: 02 May 2003
Posts: 6175

PostPosted: Fri Jan 12, 2018 10:01 am

mrbassie wrote:
So am I understanding correctly that kpti + microcode is what/all we currently have to mitigate these?

yes

or that :)
mrbassie
Guru
Joined: 31 May 2013
Posts: 486

PostPosted: Fri Jan 12, 2018 10:05 am

Cool, I've already done both. I'll continue to keep an eye on the news.
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Fri Jan 12, 2018 9:55 pm

Hello Gentoo people,

Sorry for the delayed response, I just got back from work, and yesterday it was getting late as I read krinn's link (krinn, oh, I know you are trying to help, thank you, but as a noob I was hoping for something else, let me use this emoji to express my state: :evil: )...

So the word "mitigate" has popped up a couple of times, and I have no printed dictionary, and the online ones are not understandable to me, so first, does mitigate mean to, like, "ease the pain"?

And the rest of the article... I understand the words, but I can not get the meaning...
I gathered that I have to look out for linux-firmware (AMD CPU), that is the microcode, right?
I have an old kernel, I am still not familiar with updating it, and still have gentoo-sources 4.0.5, if I need to add things to the kernel.
Linux-firmware will work only with gentoo-sources 4.4.110 and newer (it has a kernel patch, something to do with size), so, do I need to update the kernel as well?
And at the end of the AMD section there is a link to a HowTo on applying microcode, but the page is for Intel...


Also I use a VPN, and that requires the qemu package, which should be updated by a regular emerge -uDN @world, right?

And what on pale blue dot is KPTI?

I must tell you, I have a big question mark over my head, and I am having my first glass of white wine, but, last question, would it be easier for a noob to go for a fresh install, where all those updates are included, than to bother you guys and steal your time?

NeddySeagoon, I will change profile on the morrow, thank you for separating the two.

Thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Fri Jan 12, 2018 10:15 pm

while true,

Mitigate means to "reduce the effects of" so "ease the pain" is a pretty good approximation.

You will need to update to a kernel that has had the patches backported. That's a recent 4.14 kernel.
The patches are also in 4.15.0 but that's still not released, it's a release candidate.

KPTI flushes the kernel page table every context switch, so that information is not leaked between the kernel and user space.
This is a new kernel configuration option in 4.15.0 that has been back ported to later 4.14 kernels.
You need a kernel with that option and you need to set the option on.

This is only a part of the fix. You will also need a microcode update.

Even with the microcode update and the KPTI option in newer kernels, there is still more to do.
Not all the threats are yet addressed.

Like a pain killer, these mitigations come with a price. Performance is reduced.

There will be more changes in the coming weeks.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
roboto
Tux's lil' helper
Joined: 15 Feb 2017
Posts: 148
Location: My IP address.

PostPosted: Sat Jan 13, 2018 5:47 pm

I have AMD Turion 64 x2 from 2007. Is it affected by Spectre and the three variants of Meltdown?
_________________
Answers please.

The true hater of man expects nothing from him and is indiscriminate to his works.
-Ayn Rand
Quote:
Dude. Minus 30 credibility points.

Yep
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Sat Jan 13, 2018 5:58 pm

roboto,

There are some tests out there. Try it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
fedeliallalinea
Bodhisattva
Joined: 08 Mar 2003
Posts: 17373
Location: here

PostPosted: Sat Jan 13, 2018 6:15 pm

roboto wrote:
I have AMD Turion 64 x2 from 2007. Is it affected by Spectre and the three variants of Meltdown?

https://forums.gentoo.org/viewtopic-p-8168584.html#8168584
https://forums.gentoo.org/viewtopic-p-8167424.html#8167424
_________________
Questions are guaranteed in life; Answers aren't.
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Sat Jan 13, 2018 9:47 pm

Good evening Gentoo people,

Oi oi Neddy, so this Spectre and Meltdown (or S&M, khehe) brought me to upgrade the kernel for the first time, took me over 4 hours this morning, but:
Code:
Linux keeshta 4.14.8-gentoo-r1 #1 SMP Sat Jan 13 12:30:09 CET 2018 x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux

I can't wait for 4.15 ;)

So grep did not find KPTI in /usr/src/linux/.config:
Code:
# grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
unpatched :(
# cat /boot/config-4.14.8-gentoo-r1 | grep CONFIG_PAGE_TABLE_ISOLATION
#
# cat /boot/config-4.14.8-gentoo-r1 | grep kpti
#
# cat /boot/config-4.14.8-gentoo-r1 | grep KPTI
#

Is there something I missed? There should be KPTI in the kernel now?

I have a long night ahead, not just because it is Orthodox New Year's Eve, but I have a dozen big emerge things, including linux-firmware (that is the microcode, right?) so I will report in the morning (technically next year) but for now:
Code:
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.8-gentoo-r1 #1 SMP Sat Jan 13 12:30:09 CET 2018 x86_64
CPU is AMD FX(tm)-8350 Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 38 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

Until next year, thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
elko
n00b
Joined: 02 Feb 2010
Posts: 47

PostPosted: Sun Jan 14, 2018 7:10 am

while true wrote:
Oi oi Neddy, so this spectre and meltdown (or S&M, khehe) brought me to upgrade kernel for the first time, took me over 4 hours this morning, but:

How did you upgrade your kernel? Did you update your .config? See https://wiki.gentoo.org/wiki/Kernel/Upgrade#.config_file
Naib
Watchman
Joined: 21 May 2004
Posts: 5148
Location: Removed by Neddy

PostPosted: Sun Jan 14, 2018 9:09 am

roboto wrote:
I have AMD Turion 64 x2 from 2007. Is it affected by Spectre and the three variants of Meltdown?

There are 3 variants. 2 are spectre and ONE is meltdown

KPTI stops meltdown,
Retpoline + microcode mitigates spectre
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Sun Jan 14, 2018 10:27 am

Good morning Gentoo people,

Hey elko, yes, I updated the old .config with make silentoldconfig, that took hours to read and answer. I was on the lookout for KPTI or CONFIG_PAGE_TABLE_ISOLATION, but I missed it. Also with make menuconfig, under Security Options I can not find it. Is it called by a different name?

Firmware-linux, I remember that package now, I needed it for my Radeon graphics card, I had to write in a list of cards in the kernel via make menuconfig. I guess it was removed in the past, since it was brought back last night with emerge -uDN @world.

but still:
Code:
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.8-gentoo-r1 #1 SMP Sat Jan 13 12:30:09 CET 2018 x86_64
CPU is AMD FX(tm)-8350 Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 38 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer


Am I to wait for further updates?

Thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Sun Jan 14, 2018 11:28 am

while true,

Happy new year!

Your 4.14.8-gentoo-r1 kernel is still too old.
There is a Gentoo Wiki Page

That page should be updated as kernel patches are added to gentoo-sources, so I won't quote it here.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1357
Location: United Kingdom

PostPosted: Sun Jan 14, 2018 12:54 pm

while true wrote:
So grep did not find KPTI in /usr/src/linux/.config:
Code:
# grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
unpatched :(
# cat /boot/config-4.14.8-gentoo-r1 | grep CONFIG_PAGE_TABLE_ISOLATION
#
# cat /boot/config-4.14.8-gentoo-r1 | grep kpti
#
# cat /boot/config-4.14.8-gentoo-r1 | grep KPTI
#


Off Topic: while true, just for information, you don't need to use two grep commands to find lower-case and upper-case variants of the same string, the following single command would do it:

Code:
cat /boot/config-4.14.8-gentoo-r1 | grep -i kpti

which can be simplified even further:
Code:
grep -i kpti /boot/config-4.14.8-gentoo-r1


From 'man grep':
Quote:
-i, --ignore-case
Ignore case distinctions, so that characters that differ only in case match each other.

_________________
Clevo W230SS: amd64, OpenRC, nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64, OpenRC, xf86-video-ati, dual booting with Win 7 Pro 64-bit.
KDE on both laptops.

Fitzcarraldo's blog
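A worked version of the config check discussed in the posts above, added here as an editor's example; it is not code from anyone in this thread. A grep for "CONFIG_PAGE_TABLE_ISOLATION=y" that prints nothing does not tell a kernel where the option is switched off apart from a kernel tree that does not have the option at all, which is what happened with the 4.14.8 config above. The script below classifies an option into enabled, module, disabled or missing, and reports on the two options the checker output in this thread refers to: CONFIG_PAGE_TABLE_ISOLATION (KPTI) and CONFIG_RETPOLINE (Spectre variant 2, in mainline 4.15 and backported to 4.14.14). The sample config files are constructed to resemble the thread's 4.14.8 and 4.14.13 configs; on a real system pass /boot/config-$(uname -r) as the argument.

```shell
#!/bin/sh
# Added example, not from the thread: classify a kernel config option in a
# saved .config instead of grepping for "=y" and reading silence as "off".
# A kernel config line has one of these shapes:
#   CONFIG_FOO=y              built in
#   CONFIG_FOO=m              built as a module
#   # CONFIG_FOO is not set   the option exists in this tree but is switched off
#   (no line at all)          this kernel tree does not know the option at all,
#                             which for a mitigation means "kernel too old"
kconfig_state() {
    config_file=$1
    option=$2
    if grep -q "^${option}=y\$" "$config_file"; then
        echo enabled
    elif grep -q "^${option}=m\$" "$config_file"; then
        echo module
    elif grep -q "^# ${option} is not set\$" "$config_file"; then
        echo disabled
    else
        echo missing
    fi
}

# Report the two options the thread's checker output refers to:
# CONFIG_PAGE_TABLE_ISOLATION (KPTI, Meltdown) and CONFIG_RETPOLINE
# (Spectre variant 2; mainline 4.15, backported to 4.14.14 and later).
mitigation_report() {
    config_file=$1
    for option in CONFIG_PAGE_TABLE_ISOLATION CONFIG_RETPOLINE; do
        state=$(kconfig_state "$config_file" "$option")
        case $state in
            enabled)  hint="present and built in" ;;
            module)   hint="built as a module (unexpected for this option)" ;;
            disabled) hint="present in this kernel but switched off in menuconfig" ;;
            missing)  hint="not known to this kernel tree: upgrade gentoo-sources" ;;
        esac
        printf '%-28s %-9s %s\n' "$option" "$state" "$hint"
    done
}

# Constructed sample configs standing in for /boot/config-<version>; on a
# real box the argument would be /boot/config-$(uname -r).
make_sample_configs() {
    SAMPLE_DIR=$(mktemp -d)
    # like the 4.14.8 config in the thread: the PTI option does not exist yet
    printf 'CONFIG_X86_64=y\nCONFIG_SMP=y\n' > "$SAMPLE_DIR/config-old"
    # like the 4.14.13 config: PTI present and on, retpoline not there yet
    printf 'CONFIG_X86_64=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$SAMPLE_DIR/config-pti"
    # a tree that has both options, with PTI deliberately switched off
    printf 'CONFIG_X86_64=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\nCONFIG_RETPOLINE=y\n' \
        > "$SAMPLE_DIR/config-off"
}

if [ -n "${1:-}" ]; then
    mitigation_report "$1"
else
    make_sample_configs
    for f in config-old config-pti config-off; do
        echo "== $f"
        mitigation_report "$SAMPLE_DIR/$f"
    done
    rm -rf "$SAMPLE_DIR"
fi
```

Note that "missing" is the state the 4.14.8 grep above was really reporting: the option was not switched off, the tree simply did not carry the patch yet, which is why only a newer gentoo-sources fixed it.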
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Sun Jan 14, 2018 2:43 pm

Good afternoon Gentoo people,

Hey NeddySeagoon, thank you, and happy new year to you too!

(before I forget, yesterday when I upgraded the kernel to 4.14.8, on reboot I noticed (I have 2 monitors) that my right monitor was inverted in colour, as in white background and grey font colour. Now, with 4.14.13 it is the same inversion. That stops once I go startx. How can I go about this?)

I licenced, ~amded and unmasked gentoo-sources, and emerge offered the latest gentoo-sources:
Code:
# uname -a
Linux keeshta 4.14.13-gentoo #1 SMP Sun Jan 14 15:16:43 CET 2018 x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux

YES! I am upgrading the kernel like a pro! ;)
As Fitzcarraldo suggested:
Code:
# grep -i kpti /boot/config-4.14.13-gentoo
#

and:
Code:
# grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
CONFIG_PAGE_TABLE_ISOLATION=y
patched :)
#

and still:
Code:
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.13-gentoo #1 SMP Sun Jan 14 15:16:43 CET 2018 x86_64
CPU is AMD FX(tm)-8350 Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 38 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

Code:
# eix linux-firmware
[I] sys-kernel/linux-firmware
     Available versions:  20170314 ~20171206 ~20180103 20180103-r1 **99999999 {savedconfig}
     Installed versions:  20180103-r1(12:15:05 AM 01/14/2018)(-savedconfig)
     Homepage:            https://git.kernel.org/?p=linux/kernel/git/firmware/linux-firmware.git
     Description:         Linux firmware files

no "ease of pain"...

I guess that is all I can do at the moment? Or can I do more?
And what should I be looking after in the coming days?

Thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
krinn
Watchman
Joined: 02 May 2003
Posts: 6175

PostPosted: Sun Jan 14, 2018 3:46 pm

You should just disable KPTI, it's not used because of your CPU, but lowering kernel size is never bad.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Sun Jan 14, 2018 3:48 pm

while true,

Read this AMD page.

AMD wrote:
Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.


Code:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)


PTI is in your kernel but it's not needed on your CPU, so it's not used. That avoids the performance penalty.

How do you load your CPU microcode?
Please put your kernel .config onto a pastebin site. wgetpaste is your friend.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Sun Jan 14, 2018 5:49 pm

Hello guys,

Like I know what I am doing, I understood I need KPTI, which comes with the latest kernel, and microcode, that is linux-firmware emerged.
Should I set CONFIG_PAGE_TABLE_ISOLATION to no?
And for microcode, I just emerged it (it was in emerge -uDN @world), but I am guessing that is not enough?
I skipped Fitzcarraldo's blog on updating microcode, since here https://wiki.gentoo.org/wiki/Radeon#Firmware it says: "However, savedconfig editing is entirely optional, those in a hurry may not want to take this route. The system will work the same, with or without the savedconfig editing."
Did I read the wrong linux-firmware page?

Code:
wgetpaste /usr/src/linux/.config
Your paste can be seen here: https://paste.pound-python.org/show/uxavFKbFNrBmACCIWibW/


Thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 39647
Location: 56N 3W

PostPosted: Sun Jan 14, 2018 6:26 pm

while true,

linux-firmware put the CPU microcode onto your PC. Into /lib/firmware.

Just like you build your radeon firmware into the kernel with
Code:
CONFIG_EXTRA_FIRMWARE="radeon/BTC_rlc.bin radeon/CAICOS_mc.bin radeon/CAICOS_me.bin radeon/CAICOS_pfp.bin radeon/CAICOS_smc.bin radeon/SUMO_uvd.bin"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
, you need to build the microcode in too.

Add it to that list and rebuild your kernel. What you have done is required but not sufficient.

With my Phenom II, I get
Code:
$ dmesg | grep micro
[    2.505202] microcode: microcode updated early to new patch_level=0x010000dc
[    2.505548] microcode: CPU0: patch_level=0x010000dc
[    2.507411] microcode: CPU1: patch_level=0x010000dc
[    2.507752] microcode: CPU2: patch_level=0x010000dc
[    2.509591] microcode: CPU3: patch_level=0x010000dc
[    2.511404] microcode: CPU4: patch_level=0x010000dc
[    2.513180] microcode: CPU5: patch_level=0x010000dc
[    2.514915] microcode: Microcode Update Driver: v2.2.
You have a different CPU.
If you run that grep now, you will see the current microcode version.
After the kernel has the microcode built in, the version might be different.

AMD say that you don't need CONFIG_PAGE_TABLE_ISOLATION. The kernel contains a CPU test to turn it off on AMD CPUs as it's not required.
You can leave it in your kernel.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
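The two steps NeddySeagoon describes above, adding the microcode blob to the CONFIG_EXTRA_FIRMWARE list and then checking dmesg for the patch level after a reboot, as an added example that is not code from anyone in this thread. It assumes the family 15h AMD microcode file shipped by linux-firmware, amd-ucode/microcode_amd_fam15h.bin (the FX-8350 is a family 15h part; confirm the file exists under /lib/firmware/amd-ucode before rebuilding, and that CONFIG_MICROCODE and CONFIG_MICROCODE_AMD are enabled in the kernel). The dmesg samples are abridged copies of the two outputs quoted in the thread; the script reports whether all CPUs show the same patch level and whether the kernel itself says it applied an update early in boot, which is what distinguishes microcode that was actually loaded from microcode that merely sits in /lib/firmware.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the microcode step:
#  1. add_extra_firmware: put a firmware blob into the CONFIG_EXTRA_FIRMWARE
#     list of a kernel .config so it is built into the kernel image and the
#     loader can apply it early in boot without an initramfs.
#  2. microcode_patch_level / microcode_updated_early: read "dmesg | grep micro"
#     output and say whether every CPU reports the same patch level and
#     whether the kernel itself applied an update early in boot.
#
# Assumed blob name: the family-15h AMD file shipped by linux-firmware.
# Check that /lib/firmware/amd-ucode/microcode_amd_fam15h.bin exists first.
AMD_FAM15H_UCODE=amd-ucode/microcode_amd_fam15h.bin

# add_extra_firmware CONFIG_FILE BLOB
# Appends BLOB to the quoted, space-separated CONFIG_EXTRA_FIRMWARE list,
# creating the line if absent. Idempotent: a blob already listed is left alone.
add_extra_firmware() {
    config_file=$1
    blob=$2
    if grep -q '^CONFIG_EXTRA_FIRMWARE=".*"$' "$config_file"; then
        # Already listed? Compare whole words inside the quotes, not substrings.
        if sed -n 's/^CONFIG_EXTRA_FIRMWARE="\(.*\)"$/\1/p' "$config_file" \
            | tr ' ' '\n' | grep -qxF "$blob"; then
            return 0
        fi
        # Append to the list; the second expression tidies an empty list.
        sed -e "s|^CONFIG_EXTRA_FIRMWARE=\"\(.*\)\"\$|CONFIG_EXTRA_FIRMWARE=\"\1 $blob\"|" \
            -e 's|^CONFIG_EXTRA_FIRMWARE=" |CONFIG_EXTRA_FIRMWARE="|' \
            "$config_file" > "$config_file.tmp" && mv "$config_file.tmp" "$config_file"
    else
        printf 'CONFIG_EXTRA_FIRMWARE="%s"\n' "$blob" >> "$config_file"
    fi
}

# microcode_patch_level < dmesg-lines
# Prints the patch level shared by all CPUs, "mixed" if they disagree
# (not every core got the update), or "none" if no per-CPU line was seen.
microcode_patch_level() {
    awk '
        /microcode: CPU[0-9]+: patch_level=/ {
            sub(/.*patch_level=/, "")
            levels[$1] = 1
        }
        END {
            n = 0
            for (l in levels) { n++; last = l }
            if (n == 0) print "none"
            else if (n == 1) print last
            else print "mixed"
        }'
}

# microcode_updated_early < dmesg-lines
# Succeeds only if the kernel says it applied new microcode itself early in
# boot. Without that line the patch_level shown is whatever the BIOS loaded.
microcode_updated_early() {
    grep -q 'microcode: microcode updated early to new patch_level='
}

# microcode_report < dmesg-lines : one-line summary of both checks
microcode_report() {
    input=$(cat)
    level=$(printf '%s\n' "$input" | microcode_patch_level)
    if printf '%s\n' "$input" | microcode_updated_early; then
        echo "patch_level $level, updated by the kernel early in boot"
    else
        echo "patch_level $level, no kernel update seen (BIOS level only)"
    fi
}

# Constructed samples: abridged copies of the two dmesg outputs quoted above.
sample_dmesg_phenom() {
    cat <<'EOF'
[    2.505202] microcode: microcode updated early to new patch_level=0x010000dc
[    2.505548] microcode: CPU0: patch_level=0x010000dc
[    2.507411] microcode: CPU1: patch_level=0x010000dc
[    2.514915] microcode: Microcode Update Driver: v2.2.
EOF
}
sample_dmesg_fx8350() {
    cat <<'EOF'
[    6.095070] microcode: CPU0: patch_level=0x06000817
[    6.095220] microcode: CPU1: patch_level=0x06000817
[    6.095269] microcode: Microcode Update Driver: v2.2.
EOF
}

# Demo on a scratch copy of a config carrying the thread's radeon list.
demo_config=$(mktemp)
printf 'CONFIG_EXTRA_FIRMWARE="radeon/BTC_rlc.bin radeon/CAICOS_mc.bin"\nCONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"\n' > "$demo_config"
add_extra_firmware "$demo_config" "$AMD_FAM15H_UCODE"
grep '^CONFIG_EXTRA_FIRMWARE' "$demo_config"
rm -f "$demo_config"
echo "Phenom II sample: $(sample_dmesg_phenom | microcode_report)"
echo "FX-8350 sample:   $(sample_dmesg_fx8350 | microcode_report)"
```

On the real machine the sequence is: add_extra_firmware /usr/src/linux/.config "$AMD_FAM15H_UCODE", rebuild and install the kernel, reboot, then dmesg | grep micro | microcode_report. A patch level that stays at the BIOS value with no "updated early" line means the built-in blob did not apply, either because it is not in the image or because it is not newer than what the BIOS already loaded.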
while true
Guru
Joined: 07 Apr 2010
Posts: 427
Location: Ljubljana, Slovenia

PostPosted: Sun Jan 14, 2018 6:54 pm

Hey NeddySeagoon, thanks for sticking around

So here is the output for micro:
Code:
dmesg | grep micro
[    6.095070] microcode: CPU0: patch_level=0x06000817
[    6.095220] microcode: CPU1: patch_level=0x06000817
[    6.095224] microcode: CPU2: patch_level=0x06000817
[    6.095228] microcode: CPU3: patch_level=0x06000817
[    6.095232] microcode: CPU4: patch_level=0x06000817
[    6.095237] microcode: CPU5: patch_level=0x06000817
[    6.095241] microcode: CPU6: patch_level=0x06000817
[    6.095244] microcode: CPU7: patch_level=0x06000817
[    6.095269] microcode: Microcode Update Driver: v2.2.


Is this ok, or should I do as you suggested, like for my radeon I go to
Code:
Device Drivers  --->
    Generic Driver Options  --->
        -*- Userspace firmware loading support
        [*] Include in-kernel firmware blobs in kernel binary
            (radeon/<YOUR-MODEL>.bin)
            (/lib/firmware) Firmware blobs root directory

and add what...?

So the above takes care of vulnerabilities number 1 and 2, now for number 3 I need do nothing, since I have an AMD CPU.
But I did upgrade the kernel and in the security section I found Remove the kernel mapping in user mode, and I can leave it built into the kernel?

Thank you
_________________
Kind regards, Goran Mitic

alive
while true
kick ass
All times are GMT
Page 1 of 2