while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Thu Jan 11, 2018 8:02 pm Post subject: Meltdown and Spectre for Noobs |
|
|
Hello Gentoo people,
Blame authors of Gentoo Handbook and this forum's community
for allowing noobs like me to install Gentoo
and bother you with following questions and stealing your time.
That said, as noob, I am grateful for Gentoo Handbook and especially this community!
I work in a warehouse so I have weekend to make nice with Gentoo:
Code: | >$ uname -a
Linux keeshta 4.0.5-gentoo #19 SMP Wed Oct 7 16:25:30 CEST 2015 x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux
>$ emerge -uDNa @world
!!! Your current profile is deprecated and not supported anymore.
!!! Use eselect profile to update your profile.
!!! Please upgrade to the following profile if possible:
default/linux/amd64/17.0/desktop
You may use the following command to upgrade:
eselect profile set default/linux/amd64/17.0/desktop
These are the packages that would be merged, in order:
...
...
...
!!! The following installed packages are masked:
- sys-kernel/gentoo-sources-4.14.8-r1::gentoo (masked by: package.mask)
/usr/portage/profiles/package.mask:
# Alice Ferrazzi <alicef@gentoo.org> (05 Jan 2018)
# kernel: Meltdown and Spectre - Processor flaw. (#643228)
# Please upgrade for Intel processor flaw workaround
# (currently KPTI patch are 64bit only),
# also excluding AMD from the fix as not affected.
# Please unmask your kernel version if you want to
# continue to use your kernel with AMD.
# Removal in a month. |
I gathered that bug is hardware thingy,
and software patches slow down performance,
and that is all I understand.
As always, I can copy and paste like a pro, but what?
So here I ask you kindly to help yours eternal noob for tip or two.
Thank you. _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Thu Jan 11, 2018 8:11 pm Post subject: |
|
|
while true,
These things are information leaks. Of themselves, they are not direct threats to your system security.
However, the information that can be leaked might aid a privilege escalation attack.
That is, it could leak your root password in clear text.
You would need to be running software that included one or more of the information leak exploits.
The leaked information would then need to be used in an attack.
You do need to fix it. How fast depends on how much you trust your users (including remote users) and your installed software base. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Thu Jan 11, 2018 8:29 pm Post subject: |
|
|
Hey NeddySeagoon, thank you for your prompt reply,
I am the only user, and my base apps are, well, like I know what I have, but I do have ff, evince, libre and such, smplayer...
So, I have to select my profile first, then I go and unmask gentoo-sources, and that should do the trick?
Thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Thu Jan 11, 2018 8:48 pm Post subject: |
|
|
while true,
The patch set is not yet complete.
You may need a CPU microcode update too.
If you are going to apply the available fixes today, be aware that there will be more soon.
-- edit --
None of this is related to the Gentoo profile change. Do the changes separately.
Profile first, since that will give you a new gcc and you want all the parts of the kernel built with the same gcc.
Then do the security updates. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Last edited by NeddySeagoon on Thu Jan 11, 2018 8:51 pm; edited 1 time in total |
|
|
|
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
|
|
|
mrbassie l33t
Joined: 31 May 2013 Posts: 772 Location: over here
|
Posted: Fri Jan 12, 2018 9:52 am Post subject: |
|
|
So am I understanding correctly that kpti + microcode is what/all we currently have to mitigate these? |
|
|
|
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
Posted: Fri Jan 12, 2018 10:01 am Post subject: |
|
|
mrbassie wrote: | So am I understanding correctly that kpti + microcode is what/all we currently have to mitigate these? |
yes
or that |
|
|
|
mrbassie l33t
Joined: 31 May 2013 Posts: 772 Location: over here
|
Posted: Fri Jan 12, 2018 10:05 am Post subject: |
|
|
Cool, I've already done both. I'll continue to keep an eye on the news. |
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Fri Jan 12, 2018 9:55 pm Post subject: |
|
|
Hello Gentoo people,
Sorry for delayed response, I just got from work, and yesterday was getting late as I read krinn's link (krinn, oh, I know you are trying to help, thank you, but as a noob I was hoping for something else, let me use those emoji to express my state: )...
So word "mitigate" has popped up couple of times, and I have no printed dictionary, and the online one is not understandable to me, so first, does mitigate mean to, like, "ease the pain"?
And the rest of article... I understand the words, but I can not get the meaning...
I gathered that I have to look out for linux-firmware (amd cpu), that is the microcode, right?
I have old kernel, I am still not familiar with updating it, and still have gentoo-sources 4.0.5, if I need to add things to kernel.
Linux-firmware will work only with gentoo-sources 4.4.110 and newer (it has kernel patch, something to do with size), so, do I need to update kernel as well?
And at the end of amd section there is link to HowTo apply microcode, but page is for intel...
Also I use vpn, and that requires qemu package, which should be updated by regular emerge -uDN @world, right?
And what on pale blue dot is KPTI?
I must tell you, I have a big question mark over my head, and I am having my first glass of white wine, but, last question, would it be easier for noob to go for fresh install, where all those updates are included, than to bother you guys and steal your time?
NeddySeagoon, I will change profile on the morrow, thank you for separating the two.
Thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Fri Jan 12, 2018 10:15 pm Post subject: |
|
|
while true,
Mitigate means to "reduce the effects of" so "ease the pain" is a pretty good approximation.
You will need to update to a kernel that has had the patches backported. That's a recent 4.14 kernel.
The patches are also in 4.15.0 but that's still not released, it's a release candidate.
KPTI flushes the kernel page table every context switch, so that information is not leaked between the kernel and user space.
This is a new kernel configuration option in 4.15.0 that has been back ported to later 4.14 kernels.
You need a kernel with that option and you need to set the option on.
This is only a part of the fix. You will also need a microcode update.
Even with the microcode update and the KPTI option in newer kernels, there is still more to do.
Not all the threats are yet addressed.
Like a pain killer, these mitigations come with a price. Performance is reduced.
There will be more changes in the coming weeks. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
roboto Apprentice
Joined: 15 Feb 2017 Posts: 156 Location: My IP address.
|
Posted: Sat Jan 13, 2018 5:47 pm Post subject: |
|
|
I have AMD Turion 64 x2 from 2007. Is it affected by Spectre and the three variants of Meltdown? _________________ Answers please.
The true hater of man expects nothing from him and is indiscriminate to his works.
-Ayn Rand
Quote: | Dude. Minus 30 credibility points. |
Yep |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Sat Jan 13, 2018 5:58 pm Post subject: |
|
|
roboto,
There are some tests out there. Try it. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 30917 Location: here
|
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Sat Jan 13, 2018 9:47 pm Post subject: |
|
|
Good evening Gentoo people,
Oi oi Neddy, so this spectre and meltdown (or S&M, khehe) brought me to upgrade kernel for the first time, took me over 4 hours this morning, but:
Code: | Linux keeshta 4.14.8-gentoo-r1 #1 SMP Sat Jan 13 12:30:09 CET 2018 x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux |
I can't wait for 4.15
So grep did not find KPTI in /usr/src/linux/.config:
Code: | # grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
unpatched :(
# cat /boot/config-4.14.8-gentoo-r1 | grep CONFIG_PAGE_TABLE_ISOLATION
#
# cat /boot/config-4.14.8-gentoo-r1 | grep kpti
#
# cat /boot/config-4.14.8-gentoo-r1 | grep KPTI
# |
Is there something I missed? There should be kpti in kernel now?
I have long night ahead, not just because it is orthodox new year's eve, but I have dozen of big emerge things, including linux-firmware (that is the microcode, right?) so I will report in the morning (technically next year) but for now:
Code: | # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.14.8-gentoo-r1 #1 SMP Sat Jan 13 12:30:09 CET 2018 x86_64
CPU is AMD FX(tm)-8350 Eight-Core Processor
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 38 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer |
Until next year, thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
elko n00b
Joined: 02 Feb 2010 Posts: 55
|
Posted: Sun Jan 14, 2018 7:10 am Post subject: |
|
|
while true wrote: |
Oi oi Neddy, so this spectre and meltdown (or S&M, khehe) brought me to upgrade kernel for the first time, took me over 4 hours this morning, but:
|
How did you upgrade your kernel? Did you update your .config? See https://wiki.gentoo.org/wiki/Kernel/Upgrade#.config_file |
|
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
|
Posted: Sun Jan 14, 2018 9:09 am Post subject: |
|
|
roboto wrote: | I have AMD Turion 64 x2 from 2007. Is it affected by Spectre and the three variants of Meltdown? |
There are 3 variants. 2 are spectre and ONE is meltdown
KPTI stops meltdown,
Retpoline + microcode mitigates spectre _________________
Quote: | Removed by Chiitoo |
|
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Sun Jan 14, 2018 10:27 am Post subject: |
|
|
Good morning Gentoo people,
Hey elko, yes, I updated old .config with make silentoldconfig, that took hours to read and answer. I was on the lookout for kpti or CONFIG_PAGE_TABLE_ISOLATION, but I missed it. Also with make menuconfig, under Security Options I can not find it. Is it called by different name?
Firmware-linux, I remember that package now, I needed it for my radeon graphics card, I had to write in a list of cards in kernel via make menuconfig. I guess it was removed in the past, since it was brought back last night with emerge -uDN @world.
but still:
Code: | # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.14.8-gentoo-r1 #1 SMP Sat Jan 13 12:30:09 CET 2018 x86_64
CPU is AMD FX(tm)-8350 Eight-Core Processor
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 38 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer |
Am I to wait for further updates?
Thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Sun Jan 14, 2018 11:28 am Post subject: |
|
|
while true,
Happy new year!
Your 4.14.8-gentoo-r1 kernel is still too old.
There is a Gentoo Wiki Page
That page should be updated as kernel patches are added to gentoo-sources, so I won't quote it here. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Sun Jan 14, 2018 12:54 pm Post subject: |
|
|
while true wrote: | So grep did not find KPTI in /usr/src/linux/.config:
Code: | # grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
unpatched :(
# cat /boot/config-4.14.8-gentoo-r1 | grep CONFIG_PAGE_TABLE_ISOLATION
#
# cat /boot/config-4.14.8-gentoo-r1 | grep kpti
#
# cat /boot/config-4.14.8-gentoo-r1 | grep KPTI
# |
|
Off Topic: while true, just for information, you don't need to use two grep commands to find lower-case and upper-case variants of the same string, the following single command would do it:
Code: | cat /boot/config-4.14.8-gentoo-r1 | grep -i kpti |
which can be simplified even further:
Code: | grep -i kpti /boot/config-4.14.8-gentoo-r1 |
From 'man grep':
Quote: | -i, --ignore-case
Ignore case distinctions, so that characters that differ only in case match each other. |
_________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog |
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Sun Jan 14, 2018 2:43 pm Post subject: |
|
|
Good afternoon Gentoo people,
Hey NeddySeagoon, thank you, and happy new year to you too!
(before I forget, yesterday when I upgraded kernel to 4.14.8 on reboot I noticed (i have 2 monitors) that my right monitor was inversed in colour, as in white background and grey font colour. Now, with 4.14.13 is the same inversion. That stops once I go startx. How can I go about this?)
I licenced, ~amded and unmasked gentoo-sources, and emerge offered latest gentoo-sources:
Code: | # uname -a
Linux keeshta 4.14.13-gentoo #1 SMP Sun Jan 14 15:16:43 CET 2018 x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux |
YES! I am upgrading kernel as pro!
As Fitzcarraldo suggested:
Code: | # grep -i kpti /boot/config-4.14.13-gentoo
# |
and:
Code: | # grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
CONFIG_PAGE_TABLE_ISOLATION=y
patched :)
# |
and still:
Code: | # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.14.13-gentoo #1 SMP Sun Jan 14 15:16:43 CET 2018 x86_64
CPU is AMD FX(tm)-8350 Eight-Core Processor
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 38 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer |
Code: | # eix linux-firmware
[I] sys-kernel/linux-firmware
Available versions: 20170314 ~20171206 ~20180103 20180103-r1 **99999999 {savedconfig}
Installed versions: 20180103-r1(12:15:05 AM 01/14/2018)(-savedconfig)
Homepage: https://git.kernel.org/?p=linux/kernel/git/firmware/linux-firmware.git
Description: Linux firmware files |
no "ease of pain"...
I guess that is all I can do at the moment? Or can I do more?
And what should I be looking after in the coming days?
Thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
krinn Watchman
Joined: 02 May 2003 Posts: 7470
|
Posted: Sun Jan 14, 2018 3:46 pm Post subject: |
|
|
you should just disable KPTI, it's not used because of your cpu, but lowering kernel size is never bad. |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Sun Jan 14, 2018 3:48 pm Post subject: |
|
|
while true,
Read this AMD page.
AMD wrote: | Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors. |
Code: | CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) |
PTI is in your kernel but it's not needed on your CPU, so it's not used. That avoids the performance penalty.
How do you load your CPU microcode?
Please put your kernel .config onto a pastebin site. wgetpaste is your friend. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Sun Jan 14, 2018 5:49 pm Post subject: |
|
|
Hello guys,
Like I know what I am doing, I understood I need KPTI, which comes with latest kernel, and microcode that is linux-firmware emerged.
Should I set CONFIG_PAGE_TABLE_ISOLATION to no?
And for microcode, I just emerged it (it was in emerge -uDN @world), but I am guessing that is not enough?
I skipped Fitzcarraldo's blog on updating microcode, since from here https://wiki.gentoo.org/wiki/Radeon#Firmware it says: "However, savedconfig editing is entirely optional, those in a hurry may not want to take this route. The system will work the same, with or without the savedconfig editing."
Did I read wrong linux-firmware page?
Code: | wgetpaste /usr/src/linux/.config
Your paste can be seen here: https://paste.pound-python.org/show/uxavFKbFNrBmACCIWibW/ |
Thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
|
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
|
Posted: Sun Jan 14, 2018 6:26 pm Post subject: |
|
|
while true,
linux-firmware put the CPU microcode onto your PC. Into /lib/firmware.
Just like you build your radeon firmware into the kernel with
Code: | CONFIG_EXTRA_FIRMWARE="radeon/BTC_rlc.bin radeon/CAICOS_mc.bin radeon/CAICOS_me.bin radeon/CAICOS_pfp.bin radeon/CAICOS_smc.bin radeon/SUMO_uvd.bin"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware" |
you need to build the microcode in too.
Add it to that list and rebuild your kernel. What you have done is required but not sufficient.
With my Phenom II, I get
Code: | $ dmesg | grep micro
[ 2.505202] microcode: microcode updated early to new patch_level=0x010000dc
[ 2.505548] microcode: CPU0: patch_level=0x010000dc
[ 2.507411] microcode: CPU1: patch_level=0x010000dc
[ 2.507752] microcode: CPU2: patch_level=0x010000dc
[ 2.509591] microcode: CPU3: patch_level=0x010000dc
[ 2.511404] microcode: CPU4: patch_level=0x010000dc
[ 2.513180] microcode: CPU5: patch_level=0x010000dc
[ 2.514915] microcode: Microcode Update Driver: v2.2. |
You have a different CPU.
If you run that grep now, you will see the current microcode version.
After the kernel has the microcode built in, the version might be different.
AMD say that you don't need CONFIG_PAGE_TABLE_ISOLATION. The kernel contains a CPU test to turn it off on AMD CPUs as it's not required.
You can leave it in your kernel. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
|
|
while true Guru
Joined: 07 Apr 2010 Posts: 532 Location: Ljubljana, Slovenia
|
Posted: Sun Jan 14, 2018 6:54 pm Post subject: |
|
|
Hey NeddySeagoon, thanks for sticking around
So here is the output for micro:
Code: | dmesg | grep micro
[ 6.095070] microcode: CPU0: patch_level=0x06000817
[ 6.095220] microcode: CPU1: patch_level=0x06000817
[ 6.095224] microcode: CPU2: patch_level=0x06000817
[ 6.095228] microcode: CPU3: patch_level=0x06000817
[ 6.095232] microcode: CPU4: patch_level=0x06000817
[ 6.095237] microcode: CPU5: patch_level=0x06000817
[ 6.095241] microcode: CPU6: patch_level=0x06000817
[ 6.095244] microcode: CPU7: patch_level=0x06000817
[ 6.095269] microcode: Microcode Update Driver: v2.2. |
Is this ok, or should I do as you suggested, like for my radeon I go to
Code: | Device Drivers --->
Generic Driver Options --->
-*- Userspace firmware loading support
[*] Include in-kernel firmware blobs in kernel binary
(radeon/<YOUR-MODEL>.bin)
(/lib/firmware) Firmware blobs root directory |
and add what...?
So above takes care of vulnerability number 1 and 2, now for number 3 I need do nothing, since I have amd cpu.
But I did upgrade kernel and in security section I found Remove the kernel mapping in user mode, and I can leave it built in kernel?
Thank you _________________ Kind regards, Goran Mitic
alive
while true
kick ass |
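The two checks used in this thread (is CONFIG_PAGE_TABLE_ISOLATION built in, and what `dmesg | grep micro` says about the microcode), combined into one script. This is an added example, not code from any poster. The sample config and dmesg text are constructed in the format shown above, and the `amd-ucode/microcode_amd_fam15h.bin` blob name is an assumption to verify against /lib/firmware/amd-ucode/ on the machine.

```sh
#!/bin/sh
# Added example (not from the thread): offline re-run of the thread's checks.
# Inputs are a kernel config file and saved `dmesg` text.

# config_has OPTION FILE: succeeds only if OPTION is built in (=y).
config_has() {
    grep -q "^$1=y\$" "$2"
}

# ucode_blobs FILE: print CPU microcode blobs named in CONFIG_EXTRA_FIRMWARE.
# Assumption: microcode blobs sit under amd-ucode/ or intel-ucode/.
ucode_blobs() {
    sed -n 's/^CONFIG_EXTRA_FIRMWARE="\(.*\)"$/\1/p' "$1" |
        tr ' ' '\n' | grep -E '^(amd|intel)-ucode/' || true
}

# patch_levels FILE: print the distinct per-CPU microcode patch levels.
patch_levels() {
    sed -n 's/.*microcode: CPU[0-9]*: patch_level=\(0x[0-9a-fA-F]*\).*/\1/p' "$1" |
        sort -u
}

# updated_early FILE: succeeds if the kernel logged an early microcode update.
updated_early() {
    grep -q 'microcode: microcode updated early' "$1"
}

# report CONFIG DMESG: print one line per finding.
report() {
    if config_has CONFIG_PAGE_TABLE_ISOLATION "$1"; then
        echo "pti: compiled in"
    else
        echo "pti: not compiled in"
    fi
    blobs=$(ucode_blobs "$1" | tr '\n' ' ')
    echo "microcode in kernel image: ${blobs:-none}"
    levels=$(patch_levels "$2" | tr '\n' ' ')
    echo "patch levels: ${levels:-unknown}"
    if [ "$(patch_levels "$2" | wc -l)" -gt 1 ]; then
        echo "warning: CPUs report different patch levels"
    fi
    if updated_early "$2"; then
        echo "early update: yes"
    else
        echo "early update: none logged"
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config: radeon list shortened from the thread; the amd-ucode
# entry is an assumed blob name (check /lib/firmware/amd-ucode/).
cat > "$WORK/config" <<'EOF'
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_EXTRA_FIRMWARE="radeon/CAICOS_mc.bin radeon/SUMO_uvd.bin amd-ucode/microcode_amd_fam15h.bin"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
EOF

# Constructed dmesg excerpt in the format posted in the thread.
cat > "$WORK/dmesg" <<'EOF'
[    6.095070] microcode: CPU0: patch_level=0x06000817
[    6.095220] microcode: CPU1: patch_level=0x06000817
[    6.095269] microcode: Microcode Update Driver: v2.2.
EOF

report "$WORK/config" "$WORK/dmesg"
```

On a live system, call `report /boot/config-$(uname -r) saved-dmesg.txt` after `dmesg > saved-dmesg.txt`, and compare the patch level before and after rebuilding the kernel with the microcode blob added.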
|