Old 04-12-2018, 02:09 PM   #1
donald3.heckel
Spectre and Meltdown Mitigation with Ubuntu 16.04


Greetings!

Recently, I ran a Spectre and Meltdown vulnerability checker to see if my Ubuntu system was vulnerable to these vulnerabilities. With my previous 4.15 kernel, the script showed it was not vulnerable until I upgraded to 4.16. I am currently compiling the latest kernels myself. Here is the output: https://pastebin.com/P6W9VVXG

The script I used is found here: https://github.com/speed47/spectre-meltdown-checker

It said that IBPB and retpoline were disabled and that they needed to be enabled. I currently upgraded gcc to 7.3.0 by building and compiling it manually to see if that would help. I am not sure if it did. :/

I would be curious if there is a good way to mitigate these vulnerabilities completely with my current setup.

Thank you in advance!


Sincerely,

donald3.heckel

Last edited by donald3.heckel; 04-12-2018 at 02:11 PM.
 
Old 04-14-2018, 09:10 PM   #2
Habitual
I'd look here since I have no idea either...?

Good Luck!
 
Old 04-16-2018, 11:32 PM   #3
donald3.heckel
Speculation of situations and alternatives

Hello Habitual!

Sorry for the delay in getting back to you as I have been very busy. I guess this can be a learning experience for the both of us. XD For the most part, I even tried hacking around with the Makefile to see if I could manually insert the flags -IBPB and/or -IBRS. I gave that a try and recompiled. Retpoline was already enabled, but it seemed like that did not work either. One other last-ditch effort that I tried was installing stock versions from the Ubuntu repos. Unfortunately, that only made the status show my system vulnerable to all three CVEs and slowed my system down dramatically. I switched back to the kernels that I compiled myself and my system went back to being speedy without a hitch or those two vulnerabilities. It seemed that I was much better off configuring and compiling those kernels myself in Ubuntu to begin with. I just downloaded the latest 4.16.2 sources from kernel.org so that I can compile them myself and see what happens. I will let you all know!

I guess it seems what one guy in a different community I was in said cannot be more true: "Compiling so much stuff yourself in Ubuntu that you might as well use Arch".

Speaking of the whole 18.04 shakeup with the removal of Unity and data collection compounded with Ubuntu's/Canonical's whole set of blunders in not really maintaining their stuff properly and getting cozy with Micro$oft, I guess the time is coming soon for me to switch to Fedora or CentOS. Out of curiosity, I ran the script on my i5 laptop running Fedora just to see the results. It wasn't vulnerable to any of the three CVEs! It seems that CentOS/Fedora/Red Hat seem to fix a great many things and holes ahead of others by patching the crap out of their kernels just when they come out. At least they are modern and not ancient! On my honorable relic (the great Core 2 Quad Q6600), I still haven't figured it out yet, but I guess I will keep looking to consider my options. Red Hat/Fedora/CentOS do a far superior job in taking security seriously as well as maintaining their repos properly. Let me know if you come up with anything else that might also be worth a look.


Sincerely,


donald3.heckel

Last edited by donald3.heckel; 04-17-2018 at 11:31 AM.
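
Added example, not part of any post in this thread: a small script that reads the status the running kernel itself reports for the three issues discussed above, so results from different kernel builds can be compared independently of the checker script. It assumes an x86 kernel of 4.15 or later, which exposes these files; the function names and the sample strings in the fallback branch are constructed for illustration, modelled on the wording 4.15/4.16 kernels use.

```shell
# Added example: summarise the kernel's per-issue status files (kernels 4.15+).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify LINE -> not-affected | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# retpoline_level LINE -> full | minimal | none
# "Minimal" means the kernel was built without compiler retpoline support.
retpoline_level() {
    case "$1" in
        *"Full "*retpoline*)    echo full ;;
        *"Minimal "*retpoline*) echo minimal ;;
        *)                      echo none ;;
    esac
}

# has_ibpb LINE -> yes | no (the kernel appends ", IBPB" when it uses it)
has_ibpb() {
    case "$1" in *IBPB*) echo yes ;; *) echo no ;; esac
}

# report DIR -> one line per issue; a missing file is reported as unknown
report() {
    for name in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$1/$name" ]; then echo "$name unknown"; continue; fi
        line=$(head -n 1 "$1/$name")
        if [ "$name" = spectre_v2 ]; then
            echo "$name $(classify "$line") retpoline=$(retpoline_level "$line") ibpb=$(has_ibpb "$line")"
        else
            echo "$name $(classify "$line")"
        fi
    done
}

# Use the running kernel's files if present, else a constructed sample.
if [ -d "$VULN_DIR" ]; then
    report "$VULN_DIR"
else
    sample=$(mktemp -d)
    echo "Mitigation: PTI" > "$sample/meltdown"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$sample/spectre_v2"
    report "$sample"; rm -rf "$sample"
fi
```

Running it once per booted kernel and diffing the output shows which build actually changed the reported state.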
 
  

