Intel processors with a security bug
- DEV Team
- Posts: 2109
- Joined: 09 Feb 2013, 09:55
- Distribution: APorteus-FVWM-ja-x86_64.iso
- Location: japan
Intel processors with a security bug
"64 bit kernel 4.14.13/4.9.76/4.4.111" example was built with prototype config "PAGE_TABLE_ISOLATION ON" and was uploaded.
Porteus Kernel Builder (Post by neko #57468)
Thanks.
- Ed_P
- Contributor
- Posts: 8369
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Intel processors with a security bug
I like this approach. Easier to implement for ISO booters. Has anyone tried it with Porteus?
wii07 wrote: ↑10 Jan 2018, 22:00
The Intel Site says the following for the use of Microcodes:
"While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system."
Does it work this way with Porteus? In the /etc folder there isn't a folder named firmware.
Ed
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
I already got a kernel running (thx to ncmprhnsbl for that) with PAGE_TABLE_ISOLATION ON activated. So I do not need the Intel Microcode?
neko wrote: ↑10 Jan 2018, 23:37
"64 bit kernel 4.14.13/4.9.76/4.4.111" example was built with prototype config "PAGE_TABLE_ISOLATION ON" and was uploaded.
Porteus Kernel Builder (Post by neko #57468)
Thanks.
I thought I need both for closing this Spectre and Meltdown security issue, because nearly every website speaks about a combination of a BIOS fix (or the microcode for people like me running an older PC/laptop (x220 in my case) that won't receive a BIOS update anymore) and a software fix (kernel and Chromium fix as example).
Or did I misunderstand something?
- ncmprhnsbl
- DEV Team
- Posts: 3941
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
no, you're right
the microcode update is necessary (provided it actually covers your hardware, this is still a little unclear to me),
different distros handle this differently : here's how slackware does it:
https://slackbuilds.org/repository/14.2 ... microcode/
and porteus is a little different again..
brokenman has (previously) implemented microcode injection in the upcoming 4.0 release..
afaiui, it involves some modifications to the initrd.xz (i'll investigate this further)
hopefully brokenman will return shortly to set us straight..
for the moment:
page table isolation will protect us (intel users) from 'meltdown'
and apparently the 'spectre' vulnerabilities are much harder to exploit..
here's a script that checks your status
https://github.com/speed47/spectre-meltdown-checker
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
- Contributor
- Posts: 1857
- Joined: 09 Aug 2013, 14:25
- Distribution: Porteus and Nemesis
- Location: USA
Intel processors with a security bug
What will the meltdown do to my Intel laptop? Will it burn up or stop working?
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.
- ncmprhnsbl
- DEV Team
- Posts: 3941
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
'meltdown' is just the name they gave the security vulnerability (hardware: intel cpus) that (could) enable a hacker to access (some) cpu memory > therefore possible passwords etc.
this flaw has been present since the day of manufacture, so unless someone hacks you, nothing will happen..
spectre is similar, but affects both intel and amd cpus(and others?)
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
Yeah my x220 has an i5-2520m intel cpu, so the microcode from the intel site works for it (if there will be an easy way to implant it somehow to porteus 3.2.2 64bit xfce):
https://downloadcenter.intel.com/downlo ... duct=52229
Too bad the oldest X series laptop Lenovo will be fixing with a BIOS update is the x230. That would be the easiest way if available I guess; I flashed BIOS firmwares several times, it's no big deal.
My gf has an x230 and there the Lenovo page says an updated BIOS for these security issues will come out 2.2.2018. x240 till x270 already got one.
- ncmprhnsbl
- DEV Team
- Posts: 3941
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
what's not so clear to me is whether the meltdown/spectre bugs are addressed in this update for all the processors listed..
my Core™ i7-720QM is listed, but with microcode loaded: (in voidlinux)
sudo dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x7, date = 2013-08-20
[ 1.611269] microcode: sig=0x106e5, pf=0x10, revision=0x7
[ 1.611849] microcode: Microcode Update Driver: v2.2.
i think i read somewhere, only cpus younger than five years have been fixed so far..
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
- White ninja
- Posts: 20
- Joined: 28 Dec 2016, 23:25
- Distribution: Porteus 3.2.2 64 bit
- Location: Germany
Intel processors with a security bug
Damn, I just overflew the Intel site and thought they already fixed them all.
So it's Intel's fault (again) and not Lenovo's, that there is not a new BIOS available for the x220 or in the pipeline till now. x230 and above are having CPUs not older than 5 years I guess.
I really hope that Intel also will bring out fixes for older CPUs. I paid around 1300 euros early 2013 for my x220 (with 8GB RAM and an SSD) and it's still working perfectly, fast and flawless (for the stuff I am doing).
It's really a shame and it would be a bad feeling to use it without a fix for the next year(s).
- Ed_P
- Contributor
- Posts: 8369
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Intel processors with a security bug
On my 3.2.2 system.
ncmprhnsbl wrote: ↑11 Jan 2018, 23:11
here's a script that checks your status
https://github.com/speed47/spectre-meltdown-checker
guest@porteus:~$ su
Password:
root@porteus:/home/guest# sh spectre*
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.9.12-porteus #1 SMP PREEMPT Sun Feb 26 13:48:34 BRT 2017 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
* Kernel compiled with a retpoline-aware compiler: UNKNOWN (couldn't find your kernel image or System.map)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): UNKNOWN (couldn't read your kernel configuration nor System.map file)
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
root@porteus:/home/guest#
root@porteus:/home/guest# ./bootdev.sh
System Memory: 3818M
Boot device: /mnt/sda6
Boot device format: "ntfs"
Boot folder: /porteus3.2/
Boot mode: ISO /ISOs/Porteus-CINNAMON-v3.2.2-x86_64.iso
OS: Porteus-v3.2.2
ARCH: x86_64
Desktop: cinnamon
Kernel: Linux porteus 4.9.12-porteus
Changes: /mnt/sda6//porteus3.2/changes/porteussave.dat
Cmdline: quiet BOOT_IMAGE=/porteus3.2/vmlinuz from=/ISOs/Porteus-CINNAMON-v3.2.2-x86_64.iso volume=33 reboot=cold changes=EXIT:/porteus3.2/changes/porteussave.dat extramod=/porteus3.2/Modules
Porteus-Livedbg log:
# Recognized devices:
/dev/sda1: LABEL="ESP" UUID="CE3C-F23D" TYPE="vfat"
/dev/sda3: LABEL="OS" UUID="A64AB3B24AB37D9D" TYPE="ntfs"
/dev/sda4: UUID="BC88CC8388CC3DA0" TYPE="ntfs"
/dev/sda5: LABEL="Image" UUID="0010ED9410ED90C8" TYPE="ntfs"
/dev/sda6: LABEL="Data" UUID="2628E9A628E974E9" TYPE="ntfs"
/dev/sda7: LABEL="Backups" UUID="F8ACEAFCACEAB472" TYPE="ntfs"
/dev/sda8: LABEL="Backup10.1" UUID="E842EC8742EC5C36" TYPE="ntfs"
/mnt/sda6//porteus3.2/changes/porteussave.dat: UUID="6e8e8e05-334b-4cdd-af0b-958965dd5687" TYPE="xfs"
# Booting device:
/mnt/isoloop
# Porteus data found in:
/mnt/isoloop/porteus
# Changes are stored in:
memory
# Non standard /rootcopy dir:
none
# Modules activated during boot time:
/mnt/isoloop/porteus/base/000-kernel.xzm
/mnt/isoloop/porteus/base/001-core.xzm
/mnt/isoloop/porteus/base/002-xorg.xzm
/mnt/isoloop/porteus/base/003-cinnamon.xzm
/mnt/sda6//porteus3.2/Modules/000-kernel.xzm
/mnt/sda6//porteus3.2/Modules/07-printing-x86_64-02.12.2016.xzm
/mnt/sda6//porteus3.2/Modules/firefox-52.5.2esr-x86_64-1.xzm
/mnt/sda6//porteus3.2/Modules/flashplayer-plugin-28.0.0.137-x86_64-1.xzm
/mnt/sda6//porteus3.2/Modules/gtk-browser-update-20171204.xzm
/mnt/sda6//porteus3.2/Modules/jre-8u151-x86_64-1.xzm
/mnt/sda6//porteus3.2/Modules/keepassx-2.0.3-x86_64-1alien.xzm
/mnt/sda6//porteus3.2/Modules/man-files-3.2.2-noarch-1.xzm
/mnt/sda6//porteus3.2/Modules/mtpaint-3.40-x86_64-2gvEd_P.xzm
/mnt/sda6//porteus3.2/Modules/qt-4.8.7-x86_64-6.xzm
/mnt/sda6//porteus3.2/Modules/tightvnc-1.3.10-x86_64-1_slonly.xzm
/mnt/sda6//porteus3.2/Modules/wine-1.9.16-x64-3.2-GeckoMono-2.xzm
/mnt/sda6//porteus3.2/changes/porteussave.dat/changes
ISO=/mnt/sda6//ISOs/Porteus-CINNAMON-v3.2.2-x86_64.iso
Devices:
00:00.0 Host bridge: Intel Corporation Skylake Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation Skylake Integrated Graphics (rev 07)
00:04.0 Signal processing controller: Intel Corporation Skylake Processor Thermal Subsystem (rev 08)
00:13.0 Non-VGA unclassified device: Intel Corporation Device 9d35 (rev 21)
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-LP Thermal subsystem (rev 21)
00:15.0 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #0 (rev 21)
00:15.1 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #1 (rev 21)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:17.0 SATA controller: Intel Corporation Sunrise Point-LP SATA Controller [AHCI mode] (rev 21)
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #5 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point-LP LPC Controller (rev 21)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
01:00.0 Network controller: Intel Corporation Wireless 3165 (rev 79)
root@porteus:/home/guest#
Ed
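Added example, not part of Ed_P's post or of the spectre-meltdown-checker project: a small Python parser that turns the checker's report into a per-CVE structure (individual checks, final status, reason) so the items still needing attention can be listed. The report text is constructed from the lines pasted above; the second, shorter sample mirrors the PTI-enabled result quoted later in the thread.

```python
import re

# Constructed excerpt in the format of the spectre-meltdown-checker v0.27 output quoted in this thread.
SAMPLE_REPORT = """\
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.9.12-porteus x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN
> STATUS: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* Mitigation 2
* Kernel compiled with retpoline option: UNKNOWN (couldn't read your kernel configuration)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): UNKNOWN (couldn't read your kernel configuration nor System.map file)
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
"""
# Constructed tail of a report taken on a kernel with page table isolation active.
MITIGATED_REPORT = """\
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+) \[([^\]]+)\]")
CHECK_RE = re.compile(r"^\* (.+?): (YES|NO|UNKNOWN)\b")
STATUS_RE = re.compile(r"^> STATUS: (NOT VULNERABLE|VULNERABLE|UNKNOWN)(?: \((.*)\))?")

def parse_report(text: str) -> dict:
    """Map each CVE to its short name, the individual check results and the final status."""
    results, current = {}, None
    for line in text.splitlines():
        if m := CVE_RE.match(line):
            current = m.group(1)
            results[current] = {"name": m.group(2), "checks": {}, "status": None, "reason": ""}
        elif current and (m := CHECK_RE.match(line)):
            results[current]["checks"][m.group(1)] = m.group(2)
        elif current and (m := STATUS_RE.match(line)):
            results[current]["status"] = m.group(1)
            results[current]["reason"] = m.group(2) or ""
    return results

def unmitigated(results: dict) -> list:
    """CVEs still needing attention: anything not positively reported as NOT VULNERABLE."""
    return sorted(cve for cve, r in results.items() if r["status"] != "NOT VULNERABLE")
```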
- ncmprhnsbl
- DEV Team
- Posts: 3941
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
- Contact:
Intel processors with a security bug
here's a stable kernel build(thanks neko) with page table isolation enabled (mitigates "meltdown" cpu security bug)
kernel-4.14.13 with PTI enabled and vmlinuz
md5sums:
kernel: 29c49245aa89e569e95cada184e03b5b
vmlinuz: 48c18530f2c1554a431f1c9bbe9822dc
instructions here: Intel processors with a security bug (Post by ncmprhnsbl #61546)
@Ed
cat /proc/cpuinfo | grep "model name"
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
- Shogun
- Posts: 434
- Joined: 02 May 2017, 09:51
- Distribution: v3.2.2-32 and Porteus-Artix-64
- Location: Chennai,India
Intel processors with a security bug
microcode: sig=0x806e9, pf=0x80, revision=0x38
Spectre:
CONFIG_INTEL_MICROCODE and CONFIG_x86_MSR enabled in my custom kernel. /dev/cpu/microcode file as well as microcode reload facility in the Firmware folder exist. So software mitigation for 'spectre' is possible. Intel patch shall be applied in this directory. Patch for i3-7100U 2.4GHz is available. But I haven't applied it, fearing a drastic performance fall, up to 30%.
Meltdown:
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
But a firmware BIOS update from the PC vendor may offer a permanent solution. Brokenman's placement of a Microcode update file in the syslinux folder is to help this.
All the best for brave hearts. I am not too perturbed with such threats.
Intel Instructions:
-- Microcode update instructions --
This package contains Intel microcode files in two formats:
* microcode.dat
* intel-ucode directory
microcode.dat is in a traditional text format. It is still used in some
Linux distributions. It can be updated to the system through the old microcode
update interface which is available in the kernel with
CONFIG_MICROCODE_OLD_INTERFACE=y.
To update the microcode.dat to the system, one needs to:
1. Ensure the existence of /dev/cpu/microcode
2. Write microcode.dat to the file, e.g.
dd if=microcode.dat of=/dev/cpu/microcode bs=1M
The intel-ucode directory contains binary microcode files named in the
family-model-stepping pattern. The file is supported in most modern Linux
distributions. It's generally located in the /lib/firmware directory,
and can be updated through the microcode reload interface.
To update the intel-ucode package to the system, one needs to:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy the intel-ucode directory to /lib/firmware, overwriting the files in
/lib/firmware/intel-ucode/
3. Write 1 to the reload interface to reload the microcode files, e.g.
echo 1 > /sys/devices/system/cpu/microcode/reload
Linux Kernel-4.4.272 -32 bit; Linux Kernel-5.4.185 - 64 bit
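Added example, not from the thread or from Intel's package: a Python helper that decodes the `sig=` value the kernel's microcode driver prints (the `0x106e5` and `0x806e9` lines quoted above) into the family-model-stepping file name used in the intel-ucode directory, reads the same fields from /proc/cpuinfo, and compares the running revision with a packaged one. The dmesg and cpuinfo text and the revision numbers are constructed samples.

```python
import re

# Constructed samples, modelled on the dmesg line and the /proc/cpuinfo fields quoted in this thread.
SAMPLE_DMESG = """\
[    0.000000] microcode: microcode updated early to revision 0x7, date = 2013-08-20
[    1.611269] microcode: sig=0x106e5, pf=0x10, revision=0x7
[    1.611849] microcode: Microcode Update Driver: v2.2.
"""
SAMPLE_CPUINFO = """\
cpu family\t: 6
model\t\t: 42
model name\t: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
stepping\t: 7
microcode\t: 0x29
"""

def decode_signature(sig: int) -> tuple:
    """Split a CPUID leaf 1 EAX signature into (family, model, stepping).

    The extended family field is added only when the base family is 0xF, and the
    extended model field counts only for families 0x6 and 0xF (Intel SDM, CPUID 01H).
    """
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family == 0xF:
        family += (sig >> 20) & 0xFF
    if family in (0x6, 0xF):
        model |= ((sig >> 16) & 0xF) << 4
    return family, model, stepping

def ucode_filename(family: int, model: int, stepping: int) -> str:
    """Name used in /lib/firmware/intel-ucode/: two hex digits per field, e.g. 06-1e-05."""
    return f"{family:02x}-{model:02x}-{stepping:02x}"

def parse_dmesg(text: str) -> dict:
    """Signature, platform-flags mask and running revision from the microcode driver line."""
    m = re.search(r"microcode: sig=(0x[0-9a-f]+), pf=(0x[0-9a-f]+), revision=(0x[0-9a-f]+)", text, re.I)
    if not m:
        raise ValueError("no 'microcode: sig=' line found")
    sig, pf, rev = (int(x, 16) for x in m.groups())
    return {"sig": sig, "pf": pf, "revision": rev, "ucode_file": ucode_filename(*decode_signature(sig))}

def parse_cpuinfo(text: str) -> dict:
    """The same file name from /proc/cpuinfo, where family, model and stepping are decimal."""
    fields = dict(re.findall(r"^([a-z ]+?)\s*:\s*(.+)$", text, re.M))
    family, model, stepping = (int(fields[k]) for k in ("cpu family", "model", "stepping"))
    return {"revision": int(fields["microcode"], 16), "ucode_file": ucode_filename(family, model, stepping)}

def needs_update(running_revision: int, packaged_revision: int) -> bool:
    """True when the revision shipped for this file is newer than the one the CPU reports."""
    return packaged_revision > running_revision
```

The file name tells you which entry in the intel-ucode directory applies to a given machine; whether Intel ships a newer revision for it is what decides if the copy-and-reload steps above change anything.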
- Contributor
- Posts: 1857
- Joined: 09 Aug 2013, 14:25
- Distribution: Porteus and Nemesis
- Location: USA
Intel processors with a security bug
I will change kernel and vmlinuz on my Mate and LXDE builds USB.
ncmprhnsbl wrote: ↑12 Jan 2018, 09:12
here's a stable kernel build(thanks neko) with page table isolation enabled (mitigates "meltdown" cpu security bug)
kernel-4.14.13 with PTI enabled and vmlinuz
instructions here: Intel processors with a security bug (Post by ncmprhnsbl #61546) http://forum.porteus.org/viewtopic.php?p=61546#p61546
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.
- Ed_P
- Contributor
- Posts: 8369
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Intel processors with a security bug
guest@porteus:~$ cat /proc/cpuinfo | grep "model name"
model name : Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
model name : Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
model name : Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
model name : Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
guest@porteus:~$
Ed
- Contributor
- Posts: 1857
- Joined: 09 Aug 2013, 14:25
- Distribution: Porteus and Nemesis
- Location: USA
Intel processors with a security bug
I tested mine.
guest@porteus:~$ cat /proc/cpuinfo | grep "model name"
model name : Intel(R) Core(TM)2 Duo CPU T8100 @ 2.10GHz
model name : Intel(R) Core(TM)2 Duo CPU T8100 @ 2.10GHz
guest@porteus:~$
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.