Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?
On 23 February 2018 at 18:41, Michael Lange <klappnase@freenet.de> wrote:
> On Fri, 23 Feb 2018 16:27:23 +0000
> Michael Fothergill <michael.fothergill@gmail.com> wrote:
>
> >
> > Sure enough, looking at the spectre meltdown checker on the kernel I am
> > using in gentoo
> > shows the
> >
> > retpoline is enabled and that the vulnerability status is "not
> > vulnerable".
> >
> > It's not recent enough a kernel to address the spectre variant 1
> > problem as far as I am aware.
> >
> > Oh well...
>
> Ha! Then it seems like for once debian is one step ahead :))

OK.

I installed kernel 4.15.4 in gentoo.

I ran the spectre-checker again and got some odd results:

jt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities on current system
Kernel is Linux 4.15.4-gentoo #1 SMP Fri Feb 23 19:14:21 GMT 2018 x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Hardware support (CPU microcode)
    * Indirect Branch Restricted Speculation (IBRS)
      * SPEC_CTRL MSR is available:  NO
      * CPU indicates IBRS capability:  NO
    * Indirect Branch Prediction Barrier (IBPB)
      * PRED_CMD MSR is available:  NO
      * CPU indicates IBPB capability:  NO
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
djt /home/mikef/spectre-meltdown-checker #

Even though the previous kernel check I think had retpoline enabled and the STATUS not vulnerable flag set,
here the retpoline enabled says NO and the STATUS flag says not vulnerable.

So now the schizophrenia has migrated to gentoo (stop laughing).....

Regards

MF

> scnr
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Fascinating, a totally parochial attitude.
>                 -- Spock, "Metamorphosis", stardate 3219.8
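The odd result in the checker output above (retpoline enabled "NO", yet STATUS "NOT VULNERABLE (Mitigation: Full AMD retpoline)") comes from two different sources: the STATUS line is taken from the kernel's own report in /sys/devices/system/cpu/vulnerabilities/ ("Mitigated according to the /sys interface"), while the "Retpoline enabled" line is the checker's own probe. The script below is an added example, not part of this thread and not code from spectre-meltdown-checker; it reads those sysfs files directly and classifies each one, so you can see what the kernel itself claims on a 4.15+ kernel. The `make_sample_dir` helper writes a constructed copy of the values shown in the output above (the AMD A10 run) so the script can be tried offline; the function names and the "(no such file ...)" marker are this example's own choices.

```shell
#!/bin/sh
# Added example: read the per-vulnerability status files a 4.15+ kernel exposes
# under sysfs and classify them. Each file holds one of three kinds of string:
#   "Not affected"     - the CPU vendor/model is reported as unaffected
#   "Mitigation: ..."  - a mitigation is active (e.g. "Full AMD retpoline")
#   "Vulnerable"       - affected and unmitigated
# Older kernels have no such directory, which this script reports explicitly.

# Default location; override SYSFS_VULN_DIR to point at a copy for testing.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<raw sysfs string>" -> mitigated | unaffected | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# read_status DIR NAME -> prints the raw kernel string, or a marker if absent
read_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "(no such file: kernel predates the sysfs interface or sysfs not mounted)"
    fi
}

# report DIR -> one "name|class|raw" line per vulnerability.
# Exit status is the number of entries that are neither mitigated nor
# unaffected, so 0 means the kernel claims everything is covered.
report() {
    dir="$1"
    bad=0
    for name in spectre_v1 spectre_v2 meltdown; do
        raw=$(read_status "$dir" "$name")
        cls=$(classify_status "$raw")
        printf '%s|%s|%s\n' "$name" "$cls" "$raw"
        case "$cls" in
            vulnerable|unknown) bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# make_sample_dir -> constructed directory mirroring the kernel 4.15.4 / AMD A10
# run quoted in the thread (sample values, not read from a real machine here)
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full AMD retpoline\n'         > "$d/spectre_v2"
    printf 'Not affected\n'                           > "$d/meltdown"
    echo "$d"
}

# make_old_kernel_dir -> constructed empty directory, i.e. what a kernel without
# the sysfs interface looks like to this script
make_old_kernel_dir() {
    mktemp -d
}

# Stand-alone use: "sh vuln-status.sh --live" reports on the running kernel;
# "sh vuln-status.sh --sample" runs against the constructed copy.
case "${1:-}" in
    --live)   report "$SYSFS_VULN_DIR" ;;
    --sample) report "$(make_sample_dir)" ;;
esac
```

Run with `--live` on a Debian or Gentoo box to see the strings the kernel reports; compare them with the checker's STATUS lines rather than with its individual probe lines, since the verdict is what the kernel puts in these files. A non-zero exit status flags any entry the kernel reports as vulnerable or that the script could not read.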