Intel processors with a security bug

Non release banter
User avatar
Blaze
DEV Team
DEV Team
Posts: 1645
Joined: 28 Dec 2010, 11:31
Distribution: ⟰ Porteus 3.2 Cinnamon x86_64
Location: ☭ Russian Federation, Lipetsk region, Dankov
Contact:

Intel processors with a security bug

Post#31 by Blaze » 12 Jan 2018, 18:10

Code: Select all

model name	: Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz
model name	: Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz
model name	: Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz
model name	: Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz

Code: Select all

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.15.0-rc6-porteus #1 SMP PREEMPT Sun Jan 7 15:55:13 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
*   Kernel compiled with a retpoline-aware compiler:  UNKNOWN  (couldn't find your kernel image or System.map)
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  UNKNOWN  (couldn't read your kernel configuration nor System.map file)
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Linux porteus 4.13.3-porteus #1 SMP PREEMPT Sat Sep 23 18:22:13 x86_64 Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz GenuineIntel GNU/Linux
MS-7A12 » [AMD/ATI] Tobago PRO [Radeon R7 360 / R9 360 OEM] (rev 81) » Vengeance LPX 16GB DDR4 K2 3200MHz C16




User avatar
ncmprhnsbl
DEV Team
DEV Team
Posts: 1182
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia
Contact:

Intel processors with a security bug

Post#32 by ncmprhnsbl » 12 Jan 2018, 23:13

Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

User avatar
brokenman
Site Admin
Site Admin
Posts: 5761
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Intel processors with a security bug

Post#33 by brokenman » 13 Jan 2018, 11:59

i suspect brokenman will be on to this, as soon as he returns from the wilderness
Thanks. Yes I am compiling the latest kernel tonight, and I am back from the land of no radio wave pollution. Really clears your head when you have no radio/micro waves passing through it all day long.

As more and more people get into cyber security, these bugs/sploits are only going to increase in number. It's not that our systems are like swiss cheese, these holes didn't exist until someone poked them there. People are now tapping on weak areas until something breaks in order to build a more robust base, which we will certainly need as more and more people get into cyber security.

Added in 1 day 4 hours 14 minutes 14 seconds:
ncmprhnsbl wrote:
11 Jan 2018, 23:11
brokenman has (previously) implemented microcode injection in the upcoming 4.0 release..
afaiui, it involves some modifications to the initrd.xz (i'll investigate this further)
hopefully brokenman will return shortly to set us straight..
The newer kernel (4.14.13) with page table isolation will protect from meltdown and the latest microcode will help protect from spectre. You can get the latest microcode from the slackbuilds.org website. Just build the slackbuild and then copy th file inside the slackware package to replace the file in porteus boot older. The created file is a 'cpio' file.
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
fanthom
Site Admin
Site Admin
Posts: 4663
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Intel processors with a security bug

Post#34 by fanthom » 14 Jan 2018, 17:15

Hi brokenman,

"Just build the slackbuild and then copy th file inside the slackware package to replace the file in porteus boot older. The created file is a 'cpio' file."
Is this method working for you?

Do you get this output:

Code: Select all

# dmesg | grep micro
[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.714037] microcode: sig=0x306c3, pf=0x2, revision=0x23
[    0.714198] microcode: Microcode Update Driver: v2.2.
Asking cause cpio archive never worked for me so i just compiled all microcode directly into kernel and now its updating "early".

Thanks
Please add [Solved] to your thread title if the solution was found.

User avatar
brokenman
Site Admin
Site Admin
Posts: 5761
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Intel processors with a security bug

Post#35 by brokenman » 14 Jan 2018, 17:33

Yes this is the correct output. The previous was: date = 2017-01-xx
You'll now be protected against one vector of spectre2. Keep a close eye on updates because we still need to mitigate other areas. IBRS support or retpoline options in the kernel should be coming soon. The latter will require a new version of gcc that is retpoline-aware.
Asking cause cpio archive never worked for me so i just compiled all microcode directly into kernel and now its updating "early".
Did it add a large amount of size? I would prefer it all in the kernel but it also has disadvantages.

Running the spectre/meltdown checker script will tell you if the intel-microcode update did indeed work. The older versions are vulnerable to branch target injection. The newer version is not.

Be sure in porteus to use the --kernel and --config arguments when running this script as we don't keep everything in /boot
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
Ed_P
Contributor
Contributor
Posts: 3623
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 3.2.2 64-bit ISO
Location: Western NY, USA

Intel processors with a security bug

Post#36 by Ed_P » 14 Jan 2018, 22:24

Too bad those options don't help with Porteus ISOs. :(
Ed

raja
Black ninja
Black ninja
Posts: 98
Joined: 02 May 2017, 09:51
Distribution: v3.2.2-32bit and v3.2.2-64 bit
Location: Chennai,India

Intel processors with a security bug

Post#37 by raja » 15 Jan 2018, 07:54

microcode: updated to revision 0x80, date = 2018-01-04

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
Performance Variations:

Blowfish-before :3.316
Blowfish after :3.401

CryptoHash-before:368.949
CryptoHash-after : 356.334

Fibonacci-before:2.040
Fibonacci-after :1.766

FPU Raytracing-before:4.524
FPU Raytracing-after :4.713

30% deterioration , as speculated is highly exaggerated!

User avatar
fanthom
Site Admin
Site Admin
Posts: 4663
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Intel processors with a security bug

Post#38 by fanthom » 15 Jan 2018, 08:28

@brokenman
"Did it add a large amount of size?"
kernel is compressed with xz so its same size as it would go to initrd or xzm: +1.5 MB.

It would be nicer to have all the microcode in initrd for the sake of cleaner kernel config. Currently i have:

Code: Select all

CONFIG_EXTRA_FIRMWARE="amd-ucode/microcode_amd.bin amd-ucode/microcode_amd_fam15h.bin amd-ucode/microcode_amd_fam16h.bin intel-ucode/06-56-04 intel-ucode/06-8e-0a intel-ucode/0f-01-02 intel-ucode/06-08-06 intel-ucode/06-0f-02 intel-ucode/0f-03-03 intel-ucode/0f-00-07 intel-ucode/06-0b-01 intel-ucode/06-08-03 intel-ucode/06-03-02 intel-ucode/06-2a-07 intel-ucode/06-0f-07 intel-ucode/06-3e-06 intel-ucode/06-3f-02 intel-ucode/06-2f-02 intel-ucode/06-06-0a intel-ucode/0f-04-09 intel-ucode/0f-02-09 intel-ucode/06-07-01 intel-ucode/0f-06-04 intel-ucode/0f-06-08 intel-ucode/0f-04-03 intel-ucode/06-05-01 intel-ucode/06-0f-06 intel-ucode/0f-04-04 intel-ucode/0f-04-0a intel-ucode/06-3f-04 intel-ucode/06-8e-09 intel-ucode/06-5c-09 intel-ucode/06-2d-06 intel-ucode/06-4f-01 intel-ucode/06-2d-07 intel-ucode/06-3d-04 intel-ucode/06-17-06 intel-ucode/06-9e-0b intel-ucode/06-0e-0c intel-ucode/06-3a-09 intel-ucode/0f-02-04 intel-ucode/06-05-02 intel-ucode/06-0a-00 intel-ucode/0f-04-08 intel-ucode/06-4e-03 intel-ucode/0f-03-04 intel-ucode/06-45-01 intel-ucode/06-0f-0a intel-ucode/06-06-0d intel-ucode/06-9e-0a intel-ucode/06-08-01 intel-ucode/06-08-0a intel-ucode/06-0f-0d intel-ucode/06-0f-0b intel-ucode/06-3e-04 intel-ucode/06-1a-05 intel-ucode/06-06-00 intel-ucode/06-9e-09 intel-ucode/06-3e-07 intel-ucode/06-17-0a intel-ucode/0f-02-05 intel-ucode/06-1a-04 intel-ucode/06-1c-02 intel-ucode/06-0a-01 intel-ucode/0f-00-0a intel-ucode/0f-02-06 intel-ucode/0f-02-07 intel-ucode/06-1c-0a intel-ucode/0f-06-05 intel-ucode/0f-03-02 intel-ucode/06-25-05 intel-ucode/0f-06-02 intel-ucode/0f-04-07 intel-ucode/06-7a-01 intel-ucode/06-0d-06 intel-ucode/06-46-01 intel-ucode/06-55-04 intel-ucode/06-05-00 intel-ucode/06-1d-01 intel-ucode/06-05-03 intel-ucode/06-56-03 intel-ucode/06-3c-03 intel-ucode/06-16-01 intel-ucode/06-1e-05 intel-ucode/06-0b-04 intel-ucode/06-25-02 intel-ucode/06-09-05 intel-ucode/06-0e-08 intel-ucode/06-26-01 intel-ucode/06-5e-03 intel-ucode/0f-04-01 intel-ucode/06-47-01 intel-ucode/06-07-03 intel-ucode/06-56-02 intel-ucode/06-07-02 intel-ucode/06-06-05 intel-ucode/06-17-07"
And you cant really update it from 'make manuconfig' as ncurses crashes :) Probably this line is too long.
Please add [Solved] to your thread title if the solution was found.

raja
Black ninja
Black ninja
Posts: 98
Joined: 02 May 2017, 09:51
Distribution: v3.2.2-32bit and v3.2.2-64 bit
Location: Chennai,India

Intel processors with a security bug

Post#39 by raja » 16 Jan 2018, 09:11

Proof of Concept and Theory behind Spectre,Meltdown

https://medium.com/@mattklein123/meltdo ... ned-6bc863(4cc0c2

https://support.google.com/faqs/answer/7625886

Hardly gets in for layman like me...but may be fun to digest for Computer Engineers.

Cheers.

wii07
White ninja
White ninja
Posts: 17
Joined: 28 Dec 2016, 23:25
Distribution: Porteus 3.2.2 64 bit
Location: Germany

Intel processors with a security bug

Post#40 by wii07 » 16 Jan 2018, 16:50

Will there be a "ready to use" kernel.xzm and vmlinuz file with the microcodes and table isolation already integrated for 3.2.2-64 Porteus?

I guess there will be quite a lot "average experience user" (like me) that would welcome that.

Atm im just running a kernel (4.14.13) only with table isolation enabled, because i dont get this microcode stuff to work. :(

Kulle
White ninja
White ninja
Posts: 21
Joined: 28 Jan 2017, 10:39
Distribution: v3.1 32bit
Location: Berlin

Intel processors with a security bug

Post#41 by Kulle » 24 Jan 2018, 18:26

I have downloaded the files kernel, crippled, vmlinuz
On the website mega.nz : kernel 58,1 MB
But after downloading it on my computer : 60,9 MB
How can that be?
Is there a md5sum for this?
What is the crippled_sources-4.15-rc6-64bit.xzm needed for?
Does this file need to be stored in the base folder?
Thanks for the help.

donald
Full of knowledge
Full of knowledge
Posts: 1294
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Intel processors with a security bug

Post#42 by donald » 24 Jan 2018, 22:17

Decimal = one kilobyte is 1000 bytes
Binary = one kilobyte is 1024 Bytes
(1 Megabyte =1 048 576 Byte)
so:
58.1 (MB) x 1 048 576 (1024x1024) = 60922265.6 = 60.9 (MB)
but i agree, a md5sum would be nice

crippled_sources
you need them if you want to compile kernel modules e.g. nvidia driver.

User avatar
ncmprhnsbl
DEV Team
DEV Team
Posts: 1182
Joined: 20 Mar 2012, 03:42
Distribution: 3.2.2-64bit xfce/openbox
Location: australia
Contact:

Intel processors with a security bug

Post#43 by ncmprhnsbl » 24 Jan 2018, 22:52

donald wrote:
24 Jan 2018, 22:17
but i agree, a md5sum would be nice
yeah, i am slack :oops: , in the future, i promise to supply md5sum s for all my downloads :hypocrite:
Forum Rules : http://forum.porteus.org/viewtopic.php?f=35&t=44

Post Reply