Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Spectre v3 y v4 como protegerse de el? [Solucionado]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Spanish
View previous topic :: View next topic  
Author Message
brutico
Tux's lil' helper
Tux's lil' helper


Joined: 16 Feb 2014
Posts: 121

PostPosted: Wed Jun 27, 2018 1:01 pm    Post subject: Spectre v3 y v4 como protegerse de el? [Solucionado] Reply with quote

Code:
 sudo ./spectre-meltdown-checker.sh
Contraseña:
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.17.2-gentoo-elover #2 SMP Sun Jun 24 23:37:36 CEST 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 0x5e family 0x6 stepping 0x3 ucode 0xba cpuid 0x506e3)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES
  * Vulnerable to Variant 3a:  YES
  * Vulnerable to Variant 4:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
* Kernel has mask_nospec64 (arm):  NO
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it                                                                                         

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).

A false sense of security is worse than no security at all, see --disclaimer


Me falta algo con microcode?

He recompilado el kernel y ahora me dice que ya no soy vulnerable
Back to top
View user's profile Send private message
papu
Guru
Guru


Joined: 25 Jan 2008
Posts: 588
Location: Sota algun pi o alzina...

PostPosted: Mon Aug 13, 2018 9:20 pm    Post subject: Reply with quote

lo del microcode es usar sys-firmware/intel-microcode
con MICROCODE_SIGNATURES="-S" en el make.conf para que se detecta el necesario

y luego lo cargo en el kernel segun el microcode que corresponda:
Code:
egrep -i 'CONFIG_FW_LOADER|CONFIG_EXTRA_FIRMWARE' /boot/config-`uname -r`
CONFIG_FW_LOADER=y
CONFIG_EXTRA_FIRMWARE="intel-ucode/06-5e-03"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
# CONFIG_FW_LOADER_USER_HELPER is not set


https://paste.pound-python.org/show/RzaWrWWN7UlEo4e6sqGg/

puedes actualizar el script con :
Code:
git clone https://github.com/speed47/spectre-meltdown-checker.git


pero ya dices que te va bien :)

p.d: parece salio otra variante Vulnerable to Variant l1tf , al final la cpu con tanto parche ni va ni arrancar :lol:
_________________
--Intel i5 6600 --GA-Z170-HD3P --Ripjaws V 2x8 2400 --Radeon RX 470 G1 4G --Gentoo & Windows
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Spanish All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum