LinuxQuestions.org
Old 05-21-2019, 06:53 AM   #16
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15


Quote:
Originally Posted by abga View Post
Looks like a typo, should be IBPB - Indirect Branch Prediction Barrier
https://access.redhat.com/articles/3...rriers-ibpb-10
https://lwn.net/Articles/764209/
So how do I enable it? That Red Hat article assumes more knowledge than I have! Do I need to add ibpb=1 to my command line?
 
Old 05-21-2019, 10:31 AM   #17
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

I just ran the same script on my LFS 8.2 system which now runs linux-4.19.43. With this kernel, all the vulnerabilities are patched except Rogue system register read, which needs later firmware than I can get hold of. Perhaps I should run my Slackware with this kernel.
 
Old 05-21-2019, 10:51 AM   #18
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

I suppose there's no harm in giving it a go as long as you retain at least one working version of an older kernel. However, does it really matter that much? Pat has not released a 4.4.180 which, rather than being tardiness on his part, is probably more by intention, at least to an extent.

I am still running 4.4.153 on my main 14.2 machine. The script does say:

"a false sense of security is worse than no security at all".

So maybe better to just wait.

Last edited by Lysander666; 05-22-2019 at 03:47 AM.
 
Old 05-21-2019, 12:22 PM   #19
magicm
Member
 
Registered: May 2003
Distribution: Slackware
Posts: 226

I'm running a fully patched SW 14.2 using kernel 4.4.180 x86_64 from DUSK (https://blog.idlemoor.tk/2016/12/17/dusk.html)
plus an initrd that incorporates the intel-microcode-20190514a-noarch-1_SBo generated /boot/intel-ucode.cpio
My CPU is Dual Core Intel Core i5-2540M.

# spectre-meltdown-checker.sh --batch
CVE-2017-5753: OK (Mitigation: __user pointer sanitization)
CVE-2017-5715: OK (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754: OK (Mitigation: PTI)
CVE-2018-3640: OK (your CPU microcode mitigates the vulnerability)
CVE-2018-3639: OK (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
CVE-2018-3615: OK (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3620: OK (Mitigation: PTE Inversion)
CVE-2018-3646: OK (this system is not running a hypervisor)
CVE-2018-12126: OK (Mitigation: Clear CPU buffers; SMT vulnerable)
CVE-2018-12130: OK (Mitigation: Clear CPU buffers; SMT vulnerable)
CVE-2018-12127: OK (Mitigation: Clear CPU buffers; SMT vulnerable)
CVE-2019-11091: OK (Mitigation: Clear CPU buffers; SMT vulnerable)

I'm not ready to run my daily driver on -current yet, and feel using a 4.4 kernel there is better than trying to pry a 4.19 kernel to a 14.2 base

Just wanted to report that between SBo and DUSK (much thanks to both !!) that a fairly simple, effective patching is possible
 
Old 05-21-2019, 02:11 PM   #20
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Quote:
Originally Posted by hazel View Post
So how do I enable it? That Red Hat article assumes more knowledge than I have! Do I need to add ibpb=1 to my command line?
AFAIK, there is(was) ongoing improvement in the kernel mitigation for these CPU vulnerabilities, more automation and the more in-depth kernel documentation looks unavailable. You could learn more from the kernel mailing list and the patch descriptions...
ibpb=1 is documented by RedHat, but it's also dependent on the CPU type, microcode update and supposedly also on the kernel version (mitigation level/patch).
https://access.redhat.com/articles/3...al-defaults-11

Related to the kernel version (mitigation version) you can follow these developments:
http://lkml.iu.edu/hypermail/linux/k...9.3/02927.html
https://lkml.org/lkml/2018/11/22/225

And the latest kernel-parameters doc:
https://www.kernel.org/doc/Documenta...parameters.txt
- look after spectre_v2= & spectre_v2_user= & co

If you like to understand more about IBPB, Intel has a short description:
https://software.intel.com/security-...dictor-barrier
They also cover all the CPU vulnerabilities in different docs:
https://software.intel.com/security-...tware-guidance

Last edited by abga; 05-21-2019 at 03:44 PM. Reason: removed Skylake reference
 
1 members found this post helpful.
Old 05-22-2019, 06:08 AM   #21
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

Thanks for all the links but this is way above my intellectual level. I think I will just use the LFS kernel (or, if I have time, a rebuild of the same kernel version from source with the Slackware configuration) and be thankful that the main vulnerabilities are patched. No doubt we shall soon get a compiled Slackware kernel that rings all the bells.
 
Old 05-22-2019, 12:17 PM   #22
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Quote:
Originally Posted by hazel View Post
Thanks for all the links but this is way above my intellectual level. I think I will just use the LFS kernel (or, if I have time, a rebuild of the same kernel version from source with the Slackware configuration) and be thankful that the main vulnerabilities are patched. No doubt we shall soon get a compiled Slackware kernel that rings all the bells.
In #9 you stated that you were running the 4.4.172 kernel and then in #13 you presented a snippet from the Spectre and Meltdown mitigation detection tool:
Quote:
CVE-2017-5753 Spectre 1: Mitigated, not vulnerable
CVE-2017-7515 Spectre 2: Mitigated, not vulnerable but should enable IBBP
CVE-2017-5754 Meltdown: Mitigated, not vulnerable
CVE-2018-3640 Variant 3A: Vulnerable. More up-to-date firmware required.
CVE-2018-12126 Fallout: Vulnerable. Microcode supports mitigation but kernel does not.
CVE-2018-12130 Zombieload: Vulnerable. Microcode supports mitigation but kernel does not.
CVE-2018-12127 RIDL: Vulnerable. Microcode supports mitigation but kernel does not.
CVE-2019-11091 RIDL: Vulnerable. Microcode supports mitigation but kernel does not.
In my case, a Haswell Core i3, latest microcode, running the latest Slackware 64 - 14.2 kernel 4.4.172, related to the Spectre 2 & IBPB & Spectre 3a (rogue system register read), I have the following:
Code:
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.4.172 #2 SMP Wed Jan 30 17:11:07 CST 2019 x86_64
....
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
....
  * CPU microcode is known to cause stability problems:  NO  (model 0x45 family 0x6 stepping 0x1 ucode 0x25 cpuid 0x40651)
  * CPU microcode is the latest known available version:  YES  (latest version is 0x25 dated 2019/02/26 according to builtin MCExtractor DB v110 - 2019/05/11)
...
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES
...
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)
...
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)
Which shows that the latest 4.4.172 kernel Slackware 14.2 is providing "rings all the bells". All the bells except the latest MDS vulnerabilities.
Your CPU might not support IBPB ... you need to check that:
https://software.intel.com/security-...dictor-barrier
Quote:
A processor supports IBPB if it enumerates CPUID.(EAX=7H,ECX=0):EDX[26] as 1.
- easier - Spectre and Meltdown mitigation detection tool should check&report that

Speaking of patch level, by only looking(comparing) at the kernel-parameters.txt, found in the kernel source archive, noticed that the 4.4.172 doesn't have:
Code:
	spectre_v2_user=
			[X86] Control mitigation of Spectre variant 2
		        (indirect branch speculation) vulnerability between
		        user space tasks
Option that is present in both 4.4.180 (not yet available for Slackware 14.2) and 4.19.44 (latest for Slackware -current).

Last edited by abga; 05-22-2019 at 12:19 PM. Reason: typo
 
Old 05-22-2019, 01:26 PM   #23
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

Quote:
Originally Posted by Intel
A processor supports IBPB if it enumerates CPUID.(EAX=7H,ECX=0):EDX[26] as 1.
Sorry but that's Greek to me! No, worse actually because I do have some knowledge of Greek.
 
2 members found this post helpful.
Old 05-22-2019, 01:27 PM   #24
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

Quote:
Originally Posted by hazel View Post
Sorry but that's Greek to me! No, worse actually because I do have some knowledge of Greek.
Latin, maybe. I always hated Latin.
 
Old 05-22-2019, 02:16 PM   #25
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Quote:
Originally Posted by hazel View Post
Sorry but that's Greek to me! No, worse actually because I do have some knowledge of Greek.


Well, I said it's easier to use the Spectre and Meltdown mitigation detection tool and verify if your CPU supports IBPB.
https://raw.githubusercontent.com/sp...own-checker.sh
It's the section between the lines 2110-2171 that is doing the IBPB checking and apparently they are using the msr module - exposing /dev/cpu/CPUNUM/msr for that:
http://man7.org/linux/man-pages/man4/msr.4.html
https://en.wikipedia.org/wiki/Model-specific_register
(I'm not experienced with this - actually it's the first time I'm learning about it)

You could do it on your own, load the msr module and use the msr-tools, but that'll be definitely harder than Greek
https://superuser.com/questions/1068...sters-on-linux
http://slackbuilds.org/repository/14...tem/msr-tools/
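
Added example, not part of any post in this thread: a way to answer the IBPB question from posts #22 and #25 without the msr module. It assumes a kernel carrying the Spectre v2 patches, which lists the decoded CPUID bit as the `ibpb` flag in /proc/cpuinfo and reports its own mitigation state in /sys/devices/system/cpu/vulnerabilities/spectre_v2; the function names and the sample files are made up for the illustration.

```shell
#!/bin/sh
# Added example: does the CPU enumerate IBPB, and is the kernel using it?
# Reads only files the kernel exports; the msr module is not needed.

# has_cpu_flag FLAG [CPUINFO]: succeeds if FLAG is on the first "flags" line.
has_cpu_flag() {
    awk -v want="$1" '
        /^flags[ \t]*:/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1; exit }
        END { exit !found }
    ' "${2:-/proc/cpuinfo}"
}

# spectre_v2_status [SYSFS_FILE]: classify the kernel's own Spectre v2 report.
# Prints one of: ibpb-active, mitigated-no-ibpb, vulnerable, unknown.
spectre_v2_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        Vulnerable*)        echo vulnerable ;;
        *"IBPB: disabled"*) echo mitigated-no-ibpb ;;  # spectre_v2_user= kernels
        Mitigation:*IBPB*)  echo ibpb-active ;;
        Mitigation:*)       echo mitigated-no-ibpb ;;
        *)                  echo unknown ;;
    esac
}

# ibpb_verdict [CPUINFO] [SYSFS_FILE]: one-line answer combining both checks.
ibpb_verdict() {
    if ! has_cpu_flag ibpb "$1"; then
        echo "CPU/microcode does not enumerate IBPB"
    elif [ "$(spectre_v2_status "$2")" = ibpb-active ]; then
        echo "IBPB supported and used by the kernel"
    else
        echo "IBPB supported but not used: $(spectre_v2_status "$2")"
    fi
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed samples. The first sysfs line is the string quoted in post #22;
# the flags lines and the "IBPB: disabled" line are made up for the example.
printf 'flags\t\t: fpu vme msr pti ssbd ibrs ibpb stibp\n' > "$tmp/cpu_new"
printf 'flags\t\t: fpu vme msr pti\n' > "$tmp/cpu_old"
echo 'Mitigation: Full generic retpoline, IBPB, IBRS_FW' > "$tmp/v2_on"
echo 'Mitigation: Full generic retpoline, IBPB: disabled, IBRS_FW' > "$tmp/v2_off"

echo "new microcode, 4.4.172:   $(ibpb_verdict "$tmp/cpu_new" "$tmp/v2_on")"
echo "old microcode:            $(ibpb_verdict "$tmp/cpu_old" "$tmp/v2_on")"
echo "IBPB switched off:        $(ibpb_verdict "$tmp/cpu_new" "$tmp/v2_off")"
# With no arguments the functions read the live /proc and /sys files.
echo "this machine:             $(ibpb_verdict)"
```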
 
Old 05-22-2019, 02:24 PM   #26
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

- off-topic
Quote:
Originally Posted by Lysander666 View Post
Latin, maybe. I always hated Latin.
You shouldn't, a great part of the English language (German too, but at least there are native (official) alternatives for many Latin words) is comprised of anglicized Latin words...
Besides, in German, there's a deliberate use of Latin originated words by (what I call) 2 digit IQ people just to sound "posh".
- end of off-topic
 
Old 05-22-2019, 02:28 PM   #27
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

Quote:
Originally Posted by abga View Post
- off-topic

You shouldn't, a great part of the English language (German too, but at least there are native (official) alternatives for many Latin words) is comprised of anglicized Latin words...
Besides, in German, there's a deliberate use of Latin originated words by (what I call) 2 digit IQ people just to sound "posh".
- end of off-topic
Absolutely understood and acknowledged, I just couldn't get my head around it. Greek, I preferred. But to know the etymological root of certain words is of great benefit, I feel.

Sorry for OT.
 
Old 05-31-2019, 06:50 AM   #28
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

So I built the 4.19.43 kernel that I use in LFS using the Slackware config file from /boot. I got a few warnings about things being configured as modules that can't be modules in that kernel version. But that problem seems to have been self-correcting because it built without problems except that it took forever (all those modules!). I just booted it and ran that test script and everything is now cleared except CVE-2018-3640 aka 'Variant 3a, rogue system register read', which needs more up-to-date firmware.

It's not an orthodox solution, but I don't want to go to -current, so it will have to do until the next release comes out.
 
1 members found this post helpful.
Old 06-05-2019, 03:06 PM   #29
Tonus
Member
 
Registered: Jan 2007
Location: Paris, France
Distribution: Slackware-current
Posts: 888
Blog Entries: 3

Hi all,

Since I'm totally new to that stuff, could you confirm that for my cpu which is

Code:
Famille de processeur*:                 6
Modèle*:                                69
Nom de modèle*:                         Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz
Révision*:                              1
I would find the cpio microcode file with number 06-45-1 here ?
(assuming that 69 in hex is 45)

If this is right, I could download it somewhere and rename it to date_of_release.cpio and rebuild my initrd with additional -P flag. Still right ?
(might look for the good option to add in mkinitrd.conf)

Thanks in advance for your lights !

Last edited by Tonus; 06-05-2019 at 03:08 PM. Reason: try to fix bad english
 
Old 06-05-2019, 06:49 PM   #30
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Rep: Reputation: 925Reputation: 925Reputation: 925Reputation: 925Reputation: 925Reputation: 925Reputation: 925Reputation: 925
@Tonus

Your CPU is listed to have received a microcode update - page 9 - bottom - Haswell U (i7-4510U) - latest microcode 0x25
https://www.intel.com/content/dam/ww...e_05132019.pdf

I have no experience in using the already generated cpio microcode file from GitHub, instead I'd advise to follow the tested procedure, build & install these in the following order:
http://www.slackbuilds.org/repositor...m/iucode_tool/
http://www.slackbuilds.org/repositor...tel-microcode/

If you're already using an initrd image, then follow Petri Kaukasoina/Chuck56 hints:
https://www.linuxquestions.org/quest...3/#post5996557
https://www.linuxquestions.org/quest...3/#post5996594

If you're using lilo and no initrd image, just add initrd=/boot/intel-ucode.cpio in /etc/lilo.conf and run lilo to update.

After your first reboot check if your microcode was successfully updated to 0x25
Code:
dmesg | grep micro
Reported here (on a Haswell i3 CPU):
https://www.linuxquestions.org/quest...ml#post5996246
 
1 members found this post helpful.
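
Added example, not part of any post in this thread: the family/model/stepping conversion asked about in post #29 and the revision check from post #30, done from /proc/cpuinfo fields. The files in Intel's intel-ucode directory use two hex digits per field, so this CPU maps to 06-45-01. Assumptions: lscpu's "Révision" is the stepping, the 0x24 "before" revision is a constructed value, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: derive the intel-ucode file name for a CPU and verify the
# running microcode revision, from /proc/cpuinfo-style input.

# cpuinfo_field NAME [FILE]: value of the first "NAME : value" line.
cpuinfo_field() {
    awk -F': *' -v key="$1" '
        { k = $1; sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }
    ' "${2:-/proc/cpuinfo}"
}

# ucode_file [FILE]: family-model-stepping, each as two hex digits.
ucode_file() {
    printf '%02x-%02x-%02x\n' \
        "$(cpuinfo_field 'cpu family' "$1")" \
        "$(cpuinfo_field model "$1")" \
        "$(cpuinfo_field stepping "$1")"
}

# ucode_check EXPECTED [FILE]: compare the running revision with EXPECTED
# (both hex, e.g. 0x25). Returns 0 if current, 1 if older, 2 if unreadable.
ucode_check() {
    running=$(cpuinfo_field microcode "$2")
    case "${running#0x}" in
        ''|*[!0-9a-fA-F]*) echo "unknown: unexpected microcode field"; return 2 ;;
    esac
    if [ "$((0x${running#0x}))" -ge "$(($1))" ]; then
        echo "ok: running $running, expected $1"
    else
        echo "outdated: running $running, expected $1"
        return 1
    fi
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample built from the values in posts #29 and #30; the 0x24
# revision stands in for "before the update" and is not from the thread.
cat > "$tmp/before" <<'EOF'
cpu family : 6
model : 69
model name : Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz
stepping : 1
microcode : 0x24
EOF
sed 's/0x24/0x25/' "$tmp/before" > "$tmp/after"

echo "microcode file for this CPU: $(ucode_file "$tmp/before")"
ucode_check 0x25 "$tmp/before" || true   # before the new initrd is booted
ucode_check 0x25 "$tmp/after"            # after reboot with intel-ucode.cpio
# Omit the file argument to read the live /proc/cpuinfo instead.
```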