The Latest Kernel Release.

Quote:

Originally Posted by Lysander666 In 64bit. 32bit users are being rather left behind here. No mitigation for Meltdown as yet.

I think they should release all fixes at same time, at least for the same kernel version.
Is that because Meltdown affects only Intel? Maybe it is hard to fix.

4.14.18 and 4.15.2 for x86_64 seem ok now.

Code:

root@paulobash~# cat 4.14.18-x86_64 
/sys/devices/system/cpu/vulnerabilities/meltdown:       Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:     Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:     Mitigation: Full AMD retpoline
root@paulobash~# cat 4.15.2-custom-x86_64 
/sys/devices/system/cpu/vulnerabilities/meltdown:       Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:     Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:     Mitigation: Full AMD retpoline

The 4.16 "Mainline" Development Kernel has been released and
RC-1 is now available for testing.

https://www.kernel.org/

The tarball, https://git.kernel.org/torvalds/t/linux-4.16-rc1.tar.gz

Mr. Torvalds' announcement, http://lkml.iu.edu/hypermail/linux/k...utm_source=anz

The latest Stable Kernel update, 4.15.3, is now available at, https://www.kernel.org/.

The change logs,

https://cdn.kernel.org/pub/linux/ker...angeLog-4.15.3

Wrong thread sorry.

FWIW, to date, all the 4.15.x releases have ran perfectly in -current with the latest Nvidia "Long Lived Branch" driver.

Kernel updates 4.14.19 and 4.9.81 are now available at, https://www.kernel.org/.

The change logs,

https://cdn.kernel.org/pub/linux/ker...ngeLog-4.14.19

https://cdn.kernel.org/pub/linux/ker...angeLog-4.9.81

All --

Kernels 4.15.4, 4.14.20, 4.9.82, 4.4.116, 3.18.95, 3.16.54 and 3.2.99 are now available.

Handy Links:

Code:

stable:    4.15.4        Source ChangeLog [CVE] 2018-02-16
longterm:  4.14.20       Source ChangeLog [CVE] 2018-02-16 ( Slackware-current )
longterm:  4.9.82        Source ChangeLog [CVE] 2018-02-17
longterm:  4.4.116       Source ChangeLog [CVE] 2018-02-16 ( Slackware-14.2 )
longterm:  3.18.95 [EOL] Source ChangeLog [CVE] 2018-02-16
longterm:  3.16.54       Source ChangeLog [CVE] 2018-02-13
longterm:  3.2.99        Source ChangeLog [CVE] 2018-02-13 ( Slackware-14.0 )

CVE References:

ChangeLog-4.15.4 references CVE-2017-5715 and CVE-2017-5754.

ChangeLog-4.14.20 references CVE-2017-5715, CVE-2017-5754 and CVE-2017-8824.

ChangeLog-4.9.82 references CVE-2017-8824.

ChangeLog-4.4.116 references CVE-2017-8824.

ChangeLog-3.18.95 references CVE-2017-8824.

ChangeLog-3.16.54 references CVE-2011-1161 and CVE-2017-1000410.

ChangeLog-3.2.99 references CVE-2011-1161.

Check for the Latest Updates at www.kernel.org.

Have Fun All'Y'All !

-- kjh

Built and booted 4.4.116

While I am still vulnerable to Spectre Variant 1 ( see below ), there are a couple worthwhile backports into 4.4.116 for AMD and AMD hypervisors.

From the 4.4.116 ChangeLog:

Code:

commit ba929f5f3c263f3b975a3b95328f66203a57b536
Author: Borislav Petkov <bp@suse.de>
Date:   Thu Oct 12 13:23:16 2017 +0200

    x86/microcode: Do the family check first
    
    commit 1f161f67a272cc4f29f27934dd3f74cb657eb5c4 upstream with adjustments.
    
    On CPUs like AMD's Geode, for example, we shouldn't even try to load
    microcode because they do not support the modern microcode loading
    interface.
    ...

and

Code:

commit 3fe9cdee4205a4876154f469247c7a3176ccaac7
Author: Borislav Petkov <bp@suse.de>
Date:   Sun Dec 18 17:44:13 2016 +0100

    x86/microcode/AMD: Do not load when running on a hypervisor
    
    commit a15a753539eca8ba243d576f02e7ca9c4b7d7042 upstream with minor
    adjustments.
    
    Doing so is completely void of sense for multiple reasons so prevent
    it. Set dis_ucode_ldr to true and thus disable the microcode loader by
    default to address xen pv guests which execute the AP path but not the
    BSP path.
...

Have fun All'Y'All !

-- kjh

According to the 4.4.116 Kernel:

Code:

# gawk '{ print FILENAME ":\t" $0 }' /sys/devices/system/cpu/vulnerabilities/*  

/sys/devices/system/cpu/vulnerabilities/meltdown:       Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:     Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:     Mitigation: Full generic retpoline

And sccording to the latest spectre-meltdown-checker.sh

Code:

# /home/dld/spectre-meltdown-checker/spectre-meltdown-checker-0.35/spectre-meltdown-checker.sh

Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.4.116.kjh #1 SMP Sat Feb 17 07:20:06 CST 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
Possible disrepancy between your running kernel and the image we found (/boot/vmlinuz), results might be incorrect

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 94 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 15 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

Installed the DUSK 4.15.4 kernel a few hours ago and all is well..... so far.


https://dusk.idlemoor.tk/

Release Candidate 2, of the 4.16 "Mainline" Development Kernel is now available for testing.

https://www.kernel.org/

The tarball, https://git.kernel.org/torvalds/t/linux-4.16-rc2.tar.gz

Mr. Torvalds' announcement, https://lkml.org/lkml/2018/2/18/188

Kernel updates 4.15.5, 4.14.21, 4.9.83 and 4.4.117 are now available at https://www.kernel.org/.

The change logs,

https://cdn.kernel.org/pub/linux/ker...angeLog-4.15.5

https://cdn.kernel.org/pub/linux/ker...ngeLog-4.14.21

https://cdn.kernel.org/pub/linux/ker...angeLog-4.9.83

https://cdn.kernel.org/pub/linux/ker...ngeLog-4.4.117

I've done some tests with new kernels 4.14, I think nouveau devs made lots of progress in between 4.4 and 4.14
For example this one card that I have reported only 512 MiB with kernel 4.4.115 but on 4.14.x it reports the true value:

Code:

nouveau 0000:01:00.0: DRM: VRAM: 1024 MiB

Quote:

Originally Posted by elcore I've done some tests with new kernels 4.14, I think nouveau devs made lots of progress in between 4.4 and 4.14 For example this one card that I have reported only 512 MiB with kernel 4.4.115 but on 4.14.x it reports the true value: Code: nouveau 0000:01:00.0: DRM: VRAM: 1024 MiB

There was a lot of progress done around 4.10 and after in regards to reclocking.

I am getting all ... itchy ...

Linux 4.4.118-rc1 is chock-full of patches with that magical 'spec' string in their descriptions...

Anxiously awaiting the release of linux-4.4.118 for my 14.2 boxen

-- kjh

All --

Kernels 4.15.6, 4.14.22, 4.9.84, 4.4.118 and 3.18.96 are now available.

Handy Links:

Code:

stable:    4.15.6        Source ChangeLog 2018-02-25
longterm:  4.14.22       Source ChangeLog 2018-02-25 ( Slackware-current )
longterm:  4.9.84        Source ChangeLog 2018-02-25
longterm:  4.4.118       Source ChangeLog 2018-02-25 ( Slackware-14.2 )
longterm:  3.18.96 [EOL] Source ChangeLog 2018-02-25

No CVE References were found for 4.15.6, 4.14.22, 4.9.84, 4.4.118 or 3.18.96

As always, do check the ChangeLogs for other security-related fixes.

EDIT: linux-4.4.118 does include back-ported mitigation code for Spectre V1. Check the ChangeLog for your Kernel Version for details.

And check for the Latest Updates at www.kernel.org.

Have Fun All'Y'All !

-- kjh