LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 08-09-2018, 05:47 AM   #16
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,427

Rep: Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834

All --

Below are the S&M Vulnerabilities for the official linux 4.4.144 Kernel in Slackware 14.2 ( I run the Generic Kernel ):

I tested each of the three spec_store_bypass_disable= settings that I know of in the lilo.conf append= line ( reran lilo and rebooted for each test ).

EDIT: to answer john2x's original Q ... it seems that the latest official 4.4.144 kernel in Slackware 14.2 is still vulnerable to spec_store_bypass ...

Maybe time for a new Kernel in Slackware 14.2 ?

-- kjh

Code:
# no spec_store_bypass_disable= setting in the append= line

Linux kjhlt6 4.4.144 #1 SMP Thu Jul 26 12:26:39 CDT 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux
meltdown:            Mitigation: PTI
spec_store_bypass:   Vulnerable
spectre_v1:          Mitigation: __user pointer sanitization
spectre_v2:          Mitigation: Full generic retpoline, IBPB, IBRS_FW

# auto

Linux kjhlt6 4.4.144 #1 SMP Thu Jul 26 12:26:39 CDT 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux
meltdown:            Mitigation: PTI
spec_store_bypass:   Vulnerable
spectre_v1:          Mitigation: __user pointer sanitization
spectre_v2:          Mitigation: Full generic retpoline, IBPB, IBRS_FW

# on                                                                                                    
                                                                                                        
Linux kjhlt6 4.4.144 #1 SMP Thu Jul 26 12:26:39 CDT 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux                                                                                 
meltdown:            Mitigation: PTI                                                                    
spec_store_bypass:   Vulnerable                                                                         
spectre_v1:          Mitigation: __user pointer sanitization                                            
spectre_v2:          Mitigation: Full generic retpoline, IBPB, IBRS_FW

Last edited by kjhambrick; 08-09-2018 at 06:14 AM. Reason: answer john2x's original Q
 
1 members found this post helpful.
Old 08-09-2018, 07:48 AM   #17
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 732

Rep: Reputation: 407Reputation: 407Reputation: 407Reputation: 407Reputation: 407
Quote:
Originally Posted by kjhambrick View Post
All --

EDIT: to answer john2x's original Q ... it seems that the latest official 4.4.144 kernel in Slackware 14.2 is still vulnerable to spec_store_bypass ...

Maybe time for a new Kernel in Slackware 14.2 ?

-- kjh
In my first reply to this thread I advised john2x to try instructing the kernel to enable the CVE-2018-3639 mitigation, finding it odd that it wasn't enabled by default (set on auto), but I couldn't find too many details in the kernel git/patches at that time (sorry). It's also important to remember that this kernel-patch mitigation requires also a capable microcode.
Regarding 4.4.144, it seems to already contain the CVE-2018-3639 patch:
https://git.kernel.org/pub/scm/linux...ea353eb5839475
https://git.kernel.org/pub/scm/linux...25e9c663b94a3d
https://git.kernel.org/pub/scm/linux...?h=linux-4.4.y

ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt
Code:
Fri Jul 27 21:01:22 UTC 2018
patches/packages/linux-4.4.144/*:  Upgraded.
  This kernel update enables additional mitigations for spectre_v2 (IBPB and
  IBRS_FW). It also enables reporting on the Speculative Store Bypass
  vulnerability (aka GPZ Variant 4) which affects Intel processors and must
  be patched with a microcode update.
  To see the status of CPU vulnerability mitigations on your system, look at
  the files in: /sys/devices/system/cpu/vulnerabilities
  In addition, these kernels enable SMB2. Here's the complete list of kernel
  config changes from the previous 4.4.132:
    -X86_DEBUG_STATIC_CPU_HAS n
     CIFS_SMB2 n -> y
    +CC_OPTIMIZE_FOR_PERFORMANCE y
    +CIFS_SMB311 n
    +X86_FAST_FEATURE_TESTS y
  Be sure to upgrade your initrd after upgrading the kernel packages.
  If you use lilo to boot your machine, be sure lilo.conf points to the correct
  kernel and initrd and run lilo as root to update the bootloader.
  If you use elilo to boot your machine, you should run eliloconfig to copy the
  kernel and initrd to the EFI System Partition.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
  (* Security fix *)
 
1 members found this post helpful.
Old 08-09-2018, 08:35 AM   #18
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,427

Rep: Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834
Sorry abga ...

Didn't mean to seem argumentative and I certainly can't argue with the info in your post.

Just reporting what I saw in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass with the Official 4.4.144 Kernel in Slackware 14.2

EDIT: Hold the phone !

I just thought of something ... I did not rebuild my initrd for 4.4.144 after updating my intel-microcode.

I do need to do that but work is in my way ... Will do so later today and I'll report back.

-- kjh

Last edited by kjhambrick; 08-09-2018 at 09:09 AM.
 
Old 08-09-2018, 09:25 AM   #19
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 732

Rep: Reputation: 407Reputation: 407Reputation: 407Reputation: 407Reputation: 407
Quote:
Originally Posted by kjhambrick View Post
Sorry abga ...

Didn't mean to seem argumentative and I certainly can't argue with the info in your post.

Just reporting what I saw in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass with the Official 4.4.144 Kernel in Slackware 14.2

-- kjh
No need to be sorry, I always enjoy your posts (the wit too) and the valuable info you're providing. This CVE-2018-3639 mitigation implementation confused me a little bit too, not realizing that you'll actually need a capable (updated) microcode to start with.
On the DELL i3 Haswell ULT I mentioned in this thread, the one I got a BIOS update (including microcode revision=0x24) 3 days ago, by booting 4.4.144 without any kernel boot parameters I get this in the kernel log (dmesg):
Code:
[Thu Aug  9 15:52:13 2018] Spectre V2 : Mitigation: Full generic retpoline
[Thu Aug  9 15:52:13 2018] Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
[Thu Aug  9 15:52:13 2018] Spectre V2 : Enabling Restricted Speculation for firmware calls
[Thu Aug  9 15:52:13 2018] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp
And the Spectre and Meltdown mitigation detection tool v0.38+ reports this:
Code:
VE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
Following all the developments on these CPU issues and making/understanding all the correlations between software patches and microcode updates isn't that simple and the HW manufacturers are not really making it easier (couldn't yet find a table telling me what the microcode revision is capable of - what is it mitigating). I remember, back in January, calling this a typical organized chaos
https://www.linuxquestions.org/quest...ml#post5810378
 
1 members found this post helpful.
Old 08-09-2018, 10:00 AM   #20
The_Dark_Passenger
LQ Newbie
 
Registered: Apr 2018
Distribution: Slackware64 14.2 & -Current
Posts: 24

Rep: Reputation: Disabled
Just updated to the 20180807 microcode on my Haswell ULT system as well. Upon rebooting, using the official 4.4.144 kernel in Slackware64 14.2, my system now reports it is using microcode revision 0x24 and is mitigated against speculative store bypass, with the same message as abga posted. I too have not added any kernel parameters to mitigate this vulnerability.

Last edited by The_Dark_Passenger; 08-09-2018 at 10:01 AM.
 
2 members found this post helpful.
Old 08-09-2018, 06:31 PM   #21
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,427

Rep: Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834Reputation: 834
OK then ...

I rebuilt my 4.4.144 initrd with the latest intel-microcode ; reran lilo and booted 4.4.144.

The following is without any spec_store_bypass_disable= settings in the /etc/lilo.conf append= line

Now I've got the latest mitigations with the Official Slackware 14.2 4.4.144 Kernel:
Code:
Linux kjhlt6 4.4.144 #1 SMP Thu Jul 26 12:26:39 CDT 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux
meltdown:            Mitigation: PTI
spec_store_bypass:   Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:          Mitigation: __user pointer sanitization
spectre_v2:          Mitigation: Full generic retpoline, IBPB, IBRS_FW
It is exactly what Pat said in the ChangeLog: You need to update your microcode !

Sorry about the false alarm ...

-- kjh
 
1 members found this post helpful.
Old 08-09-2018, 06:38 PM   #22
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 732

Rep: Reputation: 407Reputation: 407Reputation: 407Reputation: 407Reputation: 407
And the "winner" is: teoberi - straight, clear and short answer in the post #2

Last edited by abga; 08-09-2018 at 06:40 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Apply new Intel microcode- no microcode.dat file Naks110 Linux - Kernel 2 06-12-2018 06:20 PM
[SOLVED] Updated recent intel microcode firmware through update manager, now cannot boot linux mint 18.3 Chripcikas Linux - Newbie 60 01-23-2018 12:16 PM
Intel skylake CPU intel debugger may be vulnerable as per link aus9 Linux - Security 1 01-11-2017 11:20 AM
[SOLVED] Flashplayer Plugin 11.2.202.424: Firefox Says It's Vulnerable and Needs to be Updated tronayne Slackware 5 12-21-2014 12:52 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 07:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration