Intel processors with a security bug

Non release banter
neko
DEV Team
DEV Team
Posts: 1031
Joined: 09 Feb 2013, 09:55
Distribution: APorteus-FVWM-ja-x86_64.iso
Location: japan

Intel processors with a security bug

Post#16 by neko » 10 Jan 2018, 23:37

"64 bit kernel 4.14.13/4.9.76/4.4.111" example was built with prototype config "PAGE_TABLE_ISOLATION ON" and was uploaded.
Porteus Kernel Builder (Post by neko #57468)

Thanks.

User avatar
Ed_P
Contributor
Contributor
Posts: 3506
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Intel processors with a security bug

Post#17 by Ed_P » 11 Jan 2018, 15:44

wii07 wrote:
10 Jan 2018, 22:00
The Intel Site says the following for the use of Microcodes:

"While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system."

Does it work this way with Porteus? In the /etc folder there isn't a folder named firmware.
I like this approach. Easier to impliment for ISO booters. Has anyone tried it with Porteus?
Ed

wii07
White ninja
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Intel processors with a security bug

Post#18 by wii07 » 11 Jan 2018, 16:01

neko wrote:
10 Jan 2018, 23:37
"64 bit kernel 4.14.13/4.9.76/4.4.111" example was built with prototype config "PAGE_TABLE_ISOLATION ON" and was uploaded.
Porteus Kernel Builder (Post by neko #57468)

Thanks.
I got already a kernel running (thx to ncmprhnsbl for that) with PAGE_TABLE_ISOLATION ON activated. So i do not need the Intel Microcode?

I thought i need both for closing this Spectre and Meltdown security issue, because nearly every website speaks about a combination of a bios fix (or the microcode for people like me running an older pc/laptop, (x220 in my case) that wont receive a bios update anymore) and a software fix (kernel and chromium fix as example).

Or did i misunderstood something?

User avatar
ncmprhnsbl
DEV Team
DEV Team
Posts: 1101
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia
Contact:

Intel processors with a security bug

Post#19 by ncmprhnsbl » 11 Jan 2018, 23:11

wii07 wrote:
11 Jan 2018, 16:01
Or did i misunderstood something?
no, you're right
the microcode update is necessary (provided it actually covers your hardware, this is still a little unclear to me),
different distros handle this differently : here's how slackware does it:
https://slackbuilds.org/repository/14.2 ... microcode/
and porteus is a little different again..
brokenman has (previously) implemented microcode injection in the upcoming 4.0 release..
afaiui, it involves some modifications to the initrd.xz (i'll investigate this further)
hopefully brokenman will return shortly to set us straight..
for the moment:
page table isolation will protect us (intel users) from 'meltdown'
and apparently the 'spectre' vulnerabilities are much harder to exploit..
here's a script that checks your status
https://github.com/speed47/spectre-meltdown-checker
Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

Jack
Contributor
Contributor
Posts: 1359
Joined: 09 Aug 2013, 14:25
Distribution: Porteus 3.2.rc5 Mate 64 bit
Location: Marysville, OHIO USA

Intel processors with a security bug

Post#20 by Jack » 11 Jan 2018, 23:15

What will the meltdown do to my Intel laptop? Will it burn up or stop working?
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.

User avatar
ncmprhnsbl
DEV Team
DEV Team
Posts: 1101
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia
Contact:

Intel processors with a security bug

Post#21 by ncmprhnsbl » 11 Jan 2018, 23:45

Jack wrote:
11 Jan 2018, 23:15
What will the meltdown do to my Intel laptop? Will it burn up or stop working?
'meltdown' is just the name they gave the security vulerability(hardware: intel cpus) that (could) enables a hacker to access (some) cpu memory >therefore possible passwords etc.
this flaw has been present since the day of manufacture, so unless someone hacks you, nothing will happen..
spectre is similar, but affects both intel and amd cpus(and others?)
Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

wii07
White ninja
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Intel processors with a security bug

Post#22 by wii07 » 12 Jan 2018, 00:08

Yeah my x220 has an i5-2520m intel cpu, so the microcode from the intel site works for it (if there will be an easy way to implant it somehow to porteus 3.2.2 64bit xfce):

https://downloadcenter.intel.com/downlo ... duct=52229

To bad the oldest x series laptop lenovo will be fixing with a bios update is the x230. That would be the easiest way if available i guess, i flashed bios firmwares several times, its no big deal.

My gf has a x230 and there the lenovo page says an updated bios for these security issues will come out 2.2.2018. x240 till x270 already got one.

User avatar
ncmprhnsbl
DEV Team
DEV Team
Posts: 1101
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia
Contact:

Intel processors with a security bug

Post#23 by ncmprhnsbl » 12 Jan 2018, 01:49

wii07 wrote:
12 Jan 2018, 00:08
Yeah my x220 has an i5-2520m intel cpu, so the microcode from the intel site works for it
what's not so clear to me is whether the meltdown/spectre bugs are adressed in this update for all the processors listed..
my Core™ i7-720QM is listed, but with mircocode loaded: (in voidlinux)

Code: Select all

 sudo dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x7, date = 2013-08-20
[    1.611269] microcode: sig=0x106e5, pf=0x10, revision=0x7
[    1.611849] microcode: Microcode Update Driver: v2.2.
this suggests to me that they aren't..
i think i read somewhere, only cpus younger than five years have been fixed so far..
Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

wii07
White ninja
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Intel processors with a security bug

Post#24 by wii07 » 12 Jan 2018, 02:21

Damn, i just overflew the intel site and though they already fixed them all. :(

So its intels fault (again) and not lenovos, that there is not a new bios available for the x220 or in the pipe line till now. x230 and above are having cpus not older than 5 years i guess.

I really hope that intel also will bring out fixes for older cpus. I paid around 1300 euros early 2013 for my x220 (with 8gb ram and a sdd) and its still working perfect fast and flawless (for the stuff i am doing).

Its really a shame and it would be a bad feeling to use it without a fix for the next year(s).

User avatar
Ed_P
Contributor
Contributor
Posts: 3506
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Intel processors with a security bug

Post#25 by Ed_P » 12 Jan 2018, 07:22

ncmprhnsbl wrote:
11 Jan 2018, 23:11
here's a script that checks your status
https://github.com/speed47/spectre-meltdown-checker
On my 3.2.2 system.

Code: Select all

guest@porteus:~$ su
Password: 
root@porteus:/home/guest# sh spectre*
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.9.12-porteus #1 SMP PREEMPT Sun Feb 26 13:48:34 BRT 2017 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
*   Kernel compiled with a retpoline-aware compiler:  UNKNOWN  (couldn't find your kernel image or System.map)
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  UNKNOWN  (couldn't read your kernel configuration nor System.map file)
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
root@porteus:/home/guest# 
My system.

Code: Select all

root@porteus:/home/guest# ./bootdev.sh
System Memory: 3818M
Boot device:   /mnt/sda6
Boot device format: "ntfs" 
Boot folder:   /porteus3.2/
Boot mode:     ISO /ISOs/Porteus-CINNAMON-v3.2.2-x86_64.iso
OS:       Porteus-v3.2.2
ARCH:     x86_64
Desktop:  cinnamon
Kernel:   Linux porteus 4.9.12-porteus
Changes:  /mnt/sda6//porteus3.2/changes/porteussave.dat
Cmdline:  quiet BOOT_IMAGE=/porteus3.2/vmlinuz from=/ISOs/Porteus-CINNAMON-v3.2.2-x86_64.iso volume=33 reboot=cold changes=EXIT:/porteus3.2/changes/porteussave.dat extramod=/porteus3.2/Modules

Porteus-Livedbg log: 
# Recognized devices:
/dev/sda1: LABEL="ESP" UUID="CE3C-F23D" TYPE="vfat" 
/dev/sda3: LABEL="OS" UUID="A64AB3B24AB37D9D" TYPE="ntfs" 
/dev/sda4: UUID="BC88CC8388CC3DA0" TYPE="ntfs" 
/dev/sda5: LABEL="Image" UUID="0010ED9410ED90C8" TYPE="ntfs" 
/dev/sda6: LABEL="Data" UUID="2628E9A628E974E9" TYPE="ntfs" 
/dev/sda7: LABEL="Backups" UUID="F8ACEAFCACEAB472" TYPE="ntfs" 
/dev/sda8: LABEL="Backup10.1" UUID="E842EC8742EC5C36" TYPE="ntfs" 
/mnt/sda6//porteus3.2/changes/porteussave.dat: UUID="6e8e8e05-334b-4cdd-af0b-958965dd5687" TYPE="xfs" 

# Booting device:
/mnt/isoloop

# Porteus data found in:
/mnt/isoloop/porteus

# Changes are stored in:
memory

# Non standard /rootcopy dir:
none

# Modules activated during boot time:
/mnt/isoloop/porteus/base/000-kernel.xzm
/mnt/isoloop/porteus/base/001-core.xzm
/mnt/isoloop/porteus/base/002-xorg.xzm
/mnt/isoloop/porteus/base/003-cinnamon.xzm
/mnt/sda6//porteus3.2/Modules/000-kernel.xzm
/mnt/sda6//porteus3.2/Modules/07-printing-x86_64-02.12.2016.xzm
/mnt/sda6//porteus3.2/Modules/firefox-52.5.2esr-x86_64-1.xzm
/mnt/sda6//porteus3.2/Modules/flashplayer-plugin-28.0.0.137-x86_64-1.xzm
/mnt/sda6//porteus3.2/Modules/gtk-browser-update-20171204.xzm
/mnt/sda6//porteus3.2/Modules/jre-8u151-x86_64-1.xzm
/mnt/sda6//porteus3.2/Modules/keepassx-2.0.3-x86_64-1alien.xzm
/mnt/sda6//porteus3.2/Modules/man-files-3.2.2-noarch-1.xzm
/mnt/sda6//porteus3.2/Modules/mtpaint-3.40-x86_64-2gvEd_P.xzm
/mnt/sda6//porteus3.2/Modules/qt-4.8.7-x86_64-6.xzm
/mnt/sda6//porteus3.2/Modules/tightvnc-1.3.10-x86_64-1_slonly.xzm
/mnt/sda6//porteus3.2/Modules/wine-1.9.16-x64-3.2-GeckoMono-2.xzm
/mnt/sda6//porteus3.2/changes/porteussave.dat/changes

ISO=/mnt/sda6//ISOs/Porteus-CINNAMON-v3.2.2-x86_64.iso

Devices: 
00:00.0 Host bridge: Intel Corporation Skylake Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation Skylake Integrated Graphics (rev 07)
00:04.0 Signal processing controller: Intel Corporation Skylake Processor Thermal Subsystem (rev 08)
00:13.0 Non-VGA unclassified device: Intel Corporation Device 9d35 (rev 21)
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-LP Thermal subsystem (rev 21)
00:15.0 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #0 (rev 21)
00:15.1 Signal processing controller: Intel Corporation Sunrise Point-LP Serial IO I2C Controller #1 (rev 21)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:17.0 SATA controller: Intel Corporation Sunrise Point-LP SATA Controller [AHCI mode] (rev 21)
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #5 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point-LP LPC Controller (rev 21)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
01:00.0 Network controller: Intel Corporation Wireless 3165 (rev 79)
root@porteus:/home/guest# 
Ed

User avatar
ncmprhnsbl
DEV Team
DEV Team
Posts: 1101
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia
Contact:

Intel processors with a security bug

Post#26 by ncmprhnsbl » 12 Jan 2018, 09:12

here's a stable kernel build(thanks neko) with page table isolation enabled (mitigates "meltdown" cpu security bug)
kernel-4.14.13 with PTI enabled and vmlinuz
instructions here: Intel processors with a security bug (Post by ncmprhnsbl #61546)

@Ed

Code: Select all

cat /proc/cpuinfo | grep "model name"
Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

raja
Black ninja
Black ninja
Posts: 79
Joined: 02 May 2017, 09:51
Distribution: v3.2.2-32bit and v3.2.2-64 bit
Location: Chennai,India

Intel processors with a security bug

Post#27 by raja » 12 Jan 2018, 11:20

microcode: sig=0x806e9, pf=0x80, revision=0x38


Spectre:

CONFIG_INTEL_MICROCODE and CONFIG_x86_MSR enabled in my custom kernel. /dev/cpu/microcode file as well as microcode reload facility in the Firmware folder exist. So software mitigation for 'spectre' is possible. Intel patch shall be applied in this directory. Patch for I3-7100u-2.4ghz is available. But I haven't applied, fearing a drastic performance fall, upto 30%.

Meltdown:
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
But a Firmware BIOS update from PC Vendor may offer permanent solution. Brokenman's placement of a Microcode update file in the syslinux folder is to help this.

Intel Instructions:
-- Microcode update instructions --
This package contains Intel microcode files in two formats:
* microcode.dat
* intel-ucode directory

microcode.dat is in a traditional text format. It is still used in some
Linux distributions. It can be updated to the system through the old microcode
update interface which is avaialble in the kernel with
CONFIG_MICROCODE_OLD_INTERFACE=y.

To update the microcode.dat to the system, one need:
1. Ensure the existence of /dev/cpu/microcode
2. Write microcode.dat to the file, e.g.
dd if=microcode.dat of=/dev/cpu/microcode bs=1M

intel-ucode dirctory contains binary microcode files named in
family-model-stepping pattern. The file is supported in most modern Linux
distributions. It's generally located in the /lib/firmware directory,
and can be updated throught the microcode reload interface.

To update the intel-ucode package to the system, one need:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in
/lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g.
echo 1 > /sys/devices/system/cpu/microcode/reload
all the best for brave hearts. I am not too perturbed with such threats.

Jack
Contributor
Contributor
Posts: 1359
Joined: 09 Aug 2013, 14:25
Distribution: Porteus 3.2.rc5 Mate 64 bit
Location: Marysville, OHIO USA

Intel processors with a security bug

Post#28 by Jack » 12 Jan 2018, 14:35

ncmprhnsbl wrote:
12 Jan 2018, 09:12
here's a stable kernel build(thanks neko) with page table isolation enabled (mitigates "meltdown" cpu security bug)
kernel-4.14.13 with PTI enabled and vmlinuz
instructions here: [url=viewtopic.php?p=61546#p61546]Intel processors with a security bug (Post by ncmprhnsbl #61546)[/url
I will change kernel and vmlinuz on my Mate and LXDE builds USB.
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.

User avatar
Ed_P
Contributor
Contributor
Posts: 3506
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Intel processors with a security bug

Post#29 by Ed_P » 12 Jan 2018, 16:33

ncmprhnsbl wrote:
12 Jan 2018, 09:12
@Ed

Code: Select all

cat /proc/cpuinfo | grep "model name"

Code: Select all

guest@porteus:~$ cat /proc/cpuinfo | grep "model name"
model name	: Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
model name	: Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
model name	: Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
model name	: Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
guest@porteus:~$ 
Ed

Jack
Contributor
Contributor
Posts: 1359
Joined: 09 Aug 2013, 14:25
Distribution: Porteus 3.2.rc5 Mate 64 bit
Location: Marysville, OHIO USA

Intel processors with a security bug

Post#30 by Jack » 12 Jan 2018, 16:47

I tested mind.

Code: Select all

guest@porteus:~$ cat /proc/cpuinfo | grep "model name"
model name	: Intel(R) Core(TM)2 Duo CPU     T8100  @ 2.10GHz
model name	: Intel(R) Core(TM)2 Duo CPU     T8100  @ 2.10GHz
guest@porteus:~$
I just like Slackware because I think it teach you about Linux to build packages where Ubuntu is like Windows you just install programs you want.

Post Reply