Old 04-13-2018, 03:43 PM   #1
sebre
LQ Newbie
 
Registered: Jun 2013
Location: France
Distribution: Slackware
Posts: 24

Spectre vulnerabilities on 14.2: upgrade current kernel?


Hello,
The last 14.2 updated kernel (4.4.115) allows Spectre vulnerabilities on my laptop (according to the well-known spectre-meltdown-checker.sh).

Is it useful/safe to upgrade with the current kernel?

Thank you.
 
Old 04-13-2018, 03:50 PM   #2
Skaendo
Member
 
Registered: Dec 2014
Location: West Texas, USA
Distribution: Slackware64-14.2
Posts: 613

The up-to-date kernel for 14.2 (x86_64) is 4.4.118 and is fixed for SPECTRE/MELTDOWN.

You may need to just update your Slackware.

Last edited by Skaendo; 04-13-2018 at 03:53 PM.
 
Old 04-13-2018, 03:53 PM   #3
sebre
LQ Newbie
 
Registered: Jun 2013
Location: France
Distribution: Slackware
Posts: 24

Original Poster
Quote:
Originally Posted by Skaendo View Post
The up-to-date kernel for 14.2 (x86_64) is 4.4.118 that is fixed for SPECTRE/MELTDOWN.

You may need to just update your Slackware.
OK thank you. Sorry I guess I missed a mailing announce.
 
Old 04-13-2018, 07:27 PM   #4
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 507

Remember when you do a slackpkg update, slackpkg install-new, slackpkg upgrade-all that IF you have the recommended /etc/slackpkg/blacklist your efforts will not load the latest kernel. You'll either need to remove your blacklist, OR individually download the packages from https://mirrors.slackware.com/slackw...linux-4.4.118/. Then installpkg (don't upgradepkg) the packages (txz) choosing all except only generic or huge. Don't forget to correct your /etc/lilo.conf, do a mkinitrd if needed. Ask if you need more detailed instructions. Cheers
 
Old 04-14-2018, 02:39 AM   #5
sebre
LQ Newbie
 
Registered: Jun 2013
Location: France
Distribution: Slackware
Posts: 24

Original Poster
Yes bamunds thank you. I don't use slackpkg to upgrade kernels, as generally speaking there is no need for me to upgrade kernel. And if I do, I rely on the Slackware security advisory process, with mkinitrd, lilo. My mistake this time was to miss the security advisory mail and not check http://www.slackware.com/security/li...ecurity&y=2018. What a daze I am.

Quote:
Originally Posted by bamunds View Post
Then installpkg (don't upgradepkg) the packages (txz) choosing all except only generic or huge.
This surprised me, the security advisory says :

Quote:
Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg kernel-*.txz
I guess installpkg instead of upgradepkg allows you to keep old kernel as a backup if the new one does not reboot.
 
Old 04-14-2018, 04:40 AM   #6
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1 on Lenovo Thinkpad W520
Posts: 8,195

Quote:
Originally Posted by sebre View Post
I guess installpkg instead of upgradepkg allows you to keep old kernel as a backup if the new one does not reboot.
Which would happen in case the user forgets to update the bootloader to boot the new kernel instead of the old one.

I assume that's the reason why other distributions when they provide an upgraded kernel, install it alongside the previous one, removing the old one after having checked that the new boots okay being either left to the user or done after the next kernel upgrade.

But of course this policy needs more space on a mass storage device, even more so for Slackware that ships the kernel source and upgrades it to match the upgraded kernel.

Last edited by Didier Spaier; 04-14-2018 at 06:19 AM.
 
Old 04-14-2018, 06:08 AM   #7
Lysander666
Member
 
Registered: Apr 2017
Location: London
Distribution: Debian, Slackware
Posts: 250

Just so you know, OP, 4.4.118 does not give mitigation for Meltdown on 32bit. Spectre is OK though.

See

https://www.linuxquestions.org/quest...ml#post5824947

and

https://www.linuxquestions.org/quest...ml#post5835142

It's clearly not considered an issue for some reason. It's not a problem for me though since my CPU is reported as not vulnerable. I'm sure that's not the case for everyone though.

Last edited by Lysander666; 04-14-2018 at 06:11 AM.
 
Old 04-15-2018, 02:49 AM   #8
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 360

Quote:
Originally Posted by Skaendo View Post
The up-to-date kernel for 14.2 (x86_64) is 4.4.118 and is fixed for SPECTRE/MELTDOWN.

You may need to just update your Slackware.
A fully patched 14.2 x86_64 system is protected against Spectre variant 1 and Meltdown (variant 3), but it looks like some pieces are missing for Spectre variant 2 mitigation (according to the checker script):

Code:
sh-4.3# ./spectre-meltdown-checker.sh      
Spectre and Meltdown mitigation detection tool v0.36+

Checking for vulnerabilities on current system
Kernel is Linux 4.4.118 #1 SMP Sun Feb 25 14:18:45 CST 2018 x86_64
CPU is Intel(R) Core(TM) i7-5820K CPU @ 3.30GHz

[...]

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  NO
    * IBRS enabled and active:  UNKNOWN
  * Kernel is compiled with IBPB support:  NO
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

> How to fix: To mitigate this vulnerability, you need either IBRS +
  IBPB, both requiring hardware support from your CPU microcode in
  addition to kernel support, or a kernel compiled with retpoline and
  IBPB, with retpoline requiring a retpoline-aware compiler (re-run this
  script with -v to know if your version of gcc is retpoline-aware) and
  IBPB requiring hardware support from your CPU microcode. The retpoline
  + IBPB approach is generally preferred as the performance impact is
  lower. More information about how to enable the missing bits for those
  two possible mitigations on your system follow. You only need to take
  one of the two approaches.

[...]
 
Old 04-15-2018, 02:53 AM   #9
nobodino
Member
 
Registered: Jul 2010
Location: in France
Distribution: slackware, slackware from scratch, LFS, linux Mint, Niresh (MacOS)...
Posts: 293

Could it be possible to have in "testing" kernels with "IBRS+IBPB" activated for Skylake?
 
Old 04-15-2018, 04:02 AM   #10
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,203
Blog Entries: 4

Quote:
Originally Posted by drgibbon View Post
A fully patched 14.2 x86_64 system is protected against Spectre variant 1 and Meltdown (variant 3), but it looks like some pieces are missing for Spectre variant 2 mitigation (according to the checker script)
- and -

Quote:
Originally Posted by nobodino View Post
Could it be possible to have in "testing" kernels with "IBRS+IBPB" activated for Skylake?
NO. NO!!!

This is a BUG in that bloody script. See here (thanks abga) and the github links that abga provides.

"A false sense of insecurity is worse than no sense of insecurity at all."

Last edited by 55020; 04-15-2018 at 04:04 AM.
 
Old 04-15-2018, 05:01 AM   #11
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,267

EDIT: I am way too slow! By the time I found the links and tested s-m-c.sh ... 55020 said what I wanted to say.

I agree with 55020.

There does seem to be a bug in spectre-meltdown-checker.sh version 0.36.

See the links in LQ User abga's post: https://www.linuxquestions.org/quest...ml#post5842866

The last post by speed47 ( the author of spectre-meltdown-checker.sh ) in this thread https://github.com/speed47/spectre-m...ker/issues/178 indicates that there is a bug in spectre-meltdown-checker.sh version 0.36.

The only other Q that I would ask is whether you're running the latest intel microcode ?

According to what I've read about Skylake CPUs, you need the intel microcode along with the gcc and kernel mitigations ??

Or not ... I am really not sure anymore

HTH.

-- kjh

Last edited by kjhambrick; 04-15-2018 at 05:03 AM.
 
Old 04-15-2018, 07:10 PM   #12
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 384

Quote:
Originally Posted by kjhambrick View Post

According to what I've read about Skylake CPUs, you need the intel microcode along with the gcc and kernel mitigations ??

Or not ... I am really not sure anymore

HTH.

-- kjh
Slightly off-topic, hope we won't get criticized/kicked out from this thread, but I don't know where to reply anymore, since there are already too many spectre+meltdown related threads available and your questions confused me too

My understanding is that you'll need a patched gcc that can handle retpolines only for building the kernel, the kernel modules and some applications that use the kernel modules to run code in kernel space, see - Retpoline Kernels - Section:
https://access.redhat.com/articles/3...ulation-ibrs-9
What speed47 was reporting related to the bug in his spectre-meltdown-checker, was that Ubuntu dropped the use of IBRS for Skylake CPUs (last post):
https://github.com/speed47/spectre-m...ker/issues/178
Quote:
speed47 commented Apr 13, 2018

Thanks for the details. Apparently recent Ubuntu kernels have dropped the "Red Hat" patch (that allows use of complete IBRS, not only in firmware as this is the case here), and are now acting like upstream.
For Skylake, they rely on retpoline + IBPB + RSB stuffing. I have to implement detection of proper RSB filling, expect a commit about this sometime during the weekend
reference: https://elixir.bootlin.com/linux/v4....pu/bugs.c#L286
Some details about the RSB vs. IBRS in this "very old" article, good only as a starting point:
https://lwn.net/Articles/744287/
 
Old 04-16-2018, 02:08 AM   #13
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 360

Quote:
Originally Posted by 55020 View Post
NO. NO!!!

This is a BUG in that bloody script. See here (thanks abga) and the github links that abga provides.
From my limited understanding and reading, it seems like retpoline should be combined with IBPB. At least that's what I got from this message on LKML and this issue thread for the checker script. Specifically from LKML:

Quote:
We build with retpoline, use IBPB on context switches/vmexit (which is in the first part of this patch series before IBRS is added), and we're safe. We even refactored the patch series to put retpoline first.

[...]

The early part of the series adds the new feature bits and detects when it can turn KPTI off on non-Meltdown-vulnerable Intel CPUs, and also supports the IBPB barrier that we need to make retpoline complete. That much I think we definitely *do* want. There have been a bunch of us working on this behind the scenes; one of us will probably post that bit in the next day or so.
and from the GitHub issue:

Quote:
This is my understanding too. To try to summarize a bit, to mitigate Variant 2, either
  • You enable IBRS + IBPB (hardware support thu CPU microcode required for both). This works for all CPUs, as long as the microcode is updated.
    or
  • You don't have a Skylake CPU, you compile the kernel with the RETPOLINE option, with a retpoline-aware compiler. You also need IBPB to have a complete protection (but IBRS is not needed).
  • You have a Skylake CPU, you compile the kernel with the RETPOLINE option, with a retpoline-aware compiler, a kernel that is recent enough to have the RETPOLINE_UNDERFLOW feature that is needed to have a completely functional retpoline for these CPUs. You also need IBPB to have a complete protection (but IBRS is not needed).

In addition to all that, STIBP might or might not be a good addition, there's not yet a real consensus over it.
 
Old 04-16-2018, 02:17 AM   #14
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 360

By the way, the script has recently been updated, and on my system now produces the following ambiguous output:

Code:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  NO 
    * IBRS enabled and active:  UNKNOWN 
  * Kernel is compiled with IBPB support:  NO 
    * IBPB enabled and active:  NO 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
You should enable IBPB to complete retpoline as a Variant 2 mitigation
 
Old 04-16-2018, 09:06 PM   #15
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 360

Well I finally got around to updating to the latest microcode (20180312), and I see that Intel has now included IBPB support in the hardware (at least on my i7-5820K, Haswell E, released 2014):
Code:
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
So it seems like IBPB support (not IBRS) in the kernel would be a useful thing.

Last edited by drgibbon; 04-16-2018 at 09:17 PM.
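As an added example (not code from this thread nor from spectre-meltdown-checker), here is a small POSIX sh classifier that applies the rule quoted in post #13 (retpoline or IBRS alone is incomplete; IBPB is needed) to the two things the kernel exposes: the spectre_v2 sysfs string and the CPU flags, separating "kernel lacks IBPB" from "microcode lacks IBPB" as post #15 does. Assumptions: newer kernels append ", IBPB" (or ", IBPB: <mode>") to the sysfs string when they use IBPB, /proc/cpuinfo lists "ibpb" or "spec_ctrl" when the microcode offers it, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the checker script.
# Classify Spectre v2 mitigation state from two inputs:
#   $1  text of /sys/devices/system/cpu/vulnerabilities/spectre_v2
#   $2  the "flags" field of /proc/cpuinfo (space separated)
# Rule (from the GitHub issue quoted in post #13): retpoline or IBRS
# alone is incomplete; IBPB is needed for full Variant 2 protection.
# Assumed formats: newer kernels append ", IBPB" (or ", IBPB: <mode>")
# to the sysfs string when they use IBPB; /proc/cpuinfo lists "ibpb" or
# "spec_ctrl" when the microcode offers the barrier.
# Prints one of: not-affected unmitigated complete partial-kernel partial-microcode unknown
spectre_v2_state() {
    sysfs="$1"
    flags=" $2 "
    hw_ibpb=no
    case "$flags" in
        *" ibpb "*|*" spec_ctrl "*) hw_ibpb=yes ;;
    esac

    case "$sysfs" in
        "Not affected"*) echo not-affected; return 0 ;;
        Vulnerable*)     echo unmitigated;  return 0 ;;
        Mitigation:*)    ;;
        *)               echo unknown;      return 1 ;;
    esac

    # A base mitigation is active; check whether IBPB completes it.
    case "$sysfs" in
        *", IBPB: disabled"*) kernel_ibpb=no ;;
        *", IBPB"*)           kernel_ibpb=yes ;;
        *)                    kernel_ibpb=no ;;
    esac

    if [ "$kernel_ibpb" = yes ]; then
        echo complete
    elif [ "$hw_ibpb" = yes ]; then
        echo partial-kernel      # microcode has IBPB, kernel does not use it
    else
        echo partial-microcode   # neither kernel nor microcode provides IBPB
    fi
}

# Classify the running system (needs a kernel that exposes the sysfs file).
spectre_v2_live() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$f" ] || { echo unknown; return 1; }
    spectre_v2_state "$(cat "$f")" \
        "$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo)"
}
```

With the 4.4.118 output shown in this thread ("Mitigation: Full generic retpoline") the result is partial-microcode before the microcode update and partial-kernel after it, which is drgibbon's conclusion that kernel-side IBPB is the missing piece.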
 