Page 14 of 22
Results 131 to 140 of 211

Thread: Meltdown and Spectre Discussion Sticky

  1. #131
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    11,321
    Distro
    Ubuntu
    I sort of now understand the layout of the microcode updates
    To find out if you have the new microcode that actually works for your machine, you need to
    run
    Code:
    lscpu
    and find the output for Family, Model, and Stepping.
    and then look through the /lib/firmware/intel-ucode directory and see if what you have matches anything in that directory.
    If it matches good on you as you should have patched up microcode for your system, if not well then we wait and see
    (though I think it'll be akin to Waiting for Godot)

    FWIW

    Quote Originally Posted by Frogs Hair View Post
    Enabled proposed updates on 17.10 and eliminated one more vulnerability. I don't recommend this unless you want to deal with potential problems caused by proposed packages.

    Before Proposed Updates:
    Code:
    Checking for vulnerabilities against live running kernel Linux 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO 
    > STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
    After Proposed:
    Code:
    Spectre and Meltdown mitigation detection tool v0.28
    
    
    Checking for vulnerabilities against running kernel Linux 4.13.0-29-generic #32-Ubuntu SMP Fri Jan 12 12:02:18 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz
    
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES 
    > STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    Good to know something more might be coming soon.
    I wonder if they've got that patch to anything other than the 4.13 series.
    Last edited by deadflowr; January 13th, 2018 at 06:48 PM. Reason: merged
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  2. #132
    maglin2 is offline Gee! These Aren't Roasted!
    Join Date
    Feb 2014
    Beans
    181

    Re: Meltdown and Spectre Discussion Sticky

    Quote Originally Posted by deadflowr View Post
    I sort of now understand the layout of the microcode updates
    To find out if you have the new microcode that actually works for your machine, you need to
    run
    Code:
    lscpu
    and find the output for Family, Model, and Stepping.
    and then look through the /lib/firmware/intel-ucode directory and see if what you have matches anything in that directory.
    If it matches good on you as you should have patched up microcode for your system, if not well then we wait and see
    (though I think it'll be akin to Waiting for Godot)
    I'm now as confused by intel microcode as I was by Waiting for Godot!

    Looking in Software and Updates I see that intel microcode firmware is in use (and I know it was recently updated).

    Looking at /lib/firmware/intel-ucode directory I see nothing that matches my processor's Family, Model, and Stepping.

    So what is it that is in use, and would I be better off selecting Do not use the device?

    This is a 9 year old cpu, so perhaps Godot is dead!

  3. #133
    Join Date
    Jun 2007
    Beans
    17,319

    Re: Meltdown and Spectre Discussion Sticky

    Quote Originally Posted by maglin2 View Post
    I'm now as confused by intel microcode as I was by Waiting for Godot!

    Looking in Software and Updates I see that intel microcode firmware is in use (and I know it was recently updated).

    Looking at /lib/firmware/intel-ucode directory I see nothing that matches my processor's Family, Model, and Stepping.

    So what is it that is in use, and would I be better off selecting Do not use the device?

    This is a 9 year old cpu, so perhaps Godot is dead!
    If you want to see where you *may* stand download this script, unpack, & run. As far as to intel microcode part of its name may be partially in hex, for example here my family is 6, model is 60, stepping is 3, the microcode file name is 06-3c-03.initramfs (3c=60)

    https://github.com/speed47/spectre-meltdown-checker

    Ex. here see screen, notice this latest 16.04 hwe kernel doesn't have or is reported not to have the kernel opcodes..
    Overall as simple home user I'm not concerned in the least.
    Attached Images
    Last edited by mc4man; January 14th, 2018 at 06:08 PM.
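The lookup described in posts #131 and #133, as an added example that is not part of the original posts: it converts the decimal Family, Model and Stepping printed by lscpu into the two-digit hex name used under /lib/firmware/intel-ucode and checks for a matching file. The function names and the sample lscpu text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): map lscpu's decimal values to the
# hex file name used in /lib/firmware/intel-ucode and look for that file.

# Constructed sample of the three lscpu fields that matter (values from post #133).
SAMPLE_LSCPU='CPU family:          6
Model:               60
Model name:          Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz
Stepping:            3'

# ucode_name FAMILY MODEL STEPPING (decimal) -> e.g. 6 60 3 gives 06-3c-03
ucode_name() {
    printf '%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# Read lscpu output on stdin and print the file name; fail if a field is missing.
ucode_name_from_lscpu() {
    awk -F: '
        function val(s) { gsub(/[ \t]/, "", s); return s + 0 }
        { k = $1; sub(/^[ \t]+/, "", k) }   # newer lscpu indents its keys
        k == "CPU family" { f = val($2) }
        k == "Model"      { m = val($2) }   # exact match skips "Model name"
        k == "Stepping"   { s = val($2) }
        END {
            if (f == "" || m == "" || s == "") exit 1
            printf "%02x-%02x-%02x\n", f, m, s
        }'
}

# check_ucode [DIR]: look for NAME or NAME.* (e.g. NAME.initramfs) in DIR.
# Returns 0 if found, 1 if not, 2 if lscpu output could not be parsed.
check_ucode() {
    dir=${1:-/lib/firmware/intel-ucode}
    name=$(LC_ALL=C lscpu | ucode_name_from_lscpu) || {
        echo "could not read Family/Model/Stepping from lscpu" >&2
        return 2
    }
    for f in "$dir/$name" "$dir/$name".*; do
        if [ -e "$f" ]; then
            echo "found: $f"
            return 0
        fi
    done
    echo "no file named $name in $dir"
    return 1
}
```

Run `check_ucode` after sourcing the file. A match only shows that the package ships a file for that CPU signature; the revision actually loaded is the `microcode` field in /proc/cpuinfo.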

  4. #134
    maglin2 is offline Gee! These Aren't Roasted!
    Join Date
    Feb 2014
    Beans
    181

    Re: Meltdown and Spectre Discussion Sticky

    Thanks - I hadn't twigged to the hex.

  5. #135
    Join Date
    Jun 2008
    Location
    Byron, CA, USA
    Beans
    514
    Distro
    Ubuntu 16.04 Xenial Xerus

    Thumbs up Re: Meltdown and Spectre Discussion Sticky

    @mc4man Thank speed47 @ github.com for us. I can run Spectre-Meltdown-Checker.sh during offline installation testing, come back with any returned issues detected.
    Last edited by bcschmerker; January 15th, 2018 at 04:40 AM. Reason: Bot: False mailto.
    Video Drivers:
    nVIDIA® nForce® chipsets require discrete GPU's up to Kepler and the nvidia-current metapackage.
    Most intel® ExpressSets™ and AMD® RS-Series are fully supported in open source.

  6. #136
    Join Date
    Mar 2006
    Location
    Oxford, OH, USA
    Beans
    1,055
    Distro
    Ubuntu 16.04 Xenial Xerus

    Question Re: Meltdown and Spectre Discussion Sticky

    Running Xenial 16.04.3 LTS and updated to 4.13.0-29-generic via SOFTWARE UPDATES and machine will no longer boot. Had to roll back to 4.13.0-26-generic.

    Anyone else have this issue with *-29 being unbootable with 16.04?

    Code:
    $ inxi -SCGx
    System:    Host: ******-******* Kernel: 4.13.0-26-generic x86_64 (64 bit gcc: 5.4.0)
               Desktop: Unity 7.4.5 (Gtk 3.18.9-1ubuntu3.3)
               Distro: Ubuntu 16.04 xenial
    CPU:       Dual core Intel Core i7-7500U (-HT-MCP-) cache: 4096 KB
               flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 11616
               clock speeds: max: 3500 MHz 1: 2900 MHz 2: 2900 MHz 3: 2900 MHz
               4: 2900 MHz
    Graphics:  Card: Intel Device 5916 bus-ID: 00:02.0
               Display Server: X.Org 1.19.5 drivers: (unloaded: fbdev,vesa)
               Resolution: 1920x1080@60.02hz
               GLX Renderer: Mesa DRI Intel HD Graphics 620 (Kaby Lake GT2)
               GLX Version: 3.0 Mesa 17.2.4 Direct Rendering: Yes
    Code:
    $ sudo ./spectre-meltdown-checker.sh 
    Spectre and Meltdown mitigation detection tool v0.31
    
    Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO 
    > STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  YES 
    *     The SPEC_CTRL CPUID feature bit is set:  YES 
    *   Kernel support for IBRS:  NO 
    *   IBRS enabled for Kernel space:  NO 
    *   IBRS enabled for User space:  NO 
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO 
    *   Kernel compiled with a retpoline-aware compiler:  NO 
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES 
    * PTI enabled and active:  YES 
    * Checking if we're running under Xen PV (64 bits):  NO 
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
    
    A false sense of security is worse than no security at all, see --disclaimer
    ________________________________
    System76 Lemur Laptop
    Ubuntu Xenial Xerus LTS 16.04
    Linux Registered User #434330

  7. #137
    Join Date
    Jun 2007
    Beans
    17,319

    Re: Meltdown and Spectre Discussion Sticky

    Quote Originally Posted by frogotronic View Post
    Running Xenial 16.04.3 LTS and updated to 4.13.0-29-generic via SOFTWARE UPDATES and machine will no longer boot. Had to roll back to 4.13.0-26-generic.

    Anyone else have this issue with *-29 being unbootable with 16.04?
    works ok here on a haswell machine though it's still in proposed. Possibly 10+ hrs ago it wasn't as ready to be used.
    Maybe wait till released then see how it treats you...
    For what it's worth or not fleshes out the ...
    Code:
    Spectre and Meltdown mitigation detection tool v0.31
    Checking for vulnerabilities against running kernel Linux 4.13.0-29-generic #32~16.04.1-Ubuntu SMP Fri Jan 12 13:08:03 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES 
    > STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  YES 
    *     The SPEC_CTRL CPUID feature bit is set:  YES 
    *   Kernel support for IBRS:  YES 
    *   IBRS enabled for Kernel space:  YES 
    *   IBRS enabled for User space:  NO 
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO 
    *   Kernel compiled with a retpoline-aware compiler:  NO 
    > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  YES 
    * PTI enabled and active:  YES 
    * Checking if we're running under Xen PV (64 bits):  NO 
    > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

  8. #138
    Join Date
    Mar 2006
    Location
    Oxford, OH, USA
    Beans
    1,055
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Meltdown and Spectre Discussion Sticky

    My update came through on Thursday night and it won't boot.
    ________________________________
    System76 Lemur Laptop
    Ubuntu Xenial Xerus LTS 16.04
    Linux Registered User #434330

  9. #139
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Meltdown and Spectre Discussion Sticky

    Quote Originally Posted by frogotronic View Post
    My update came through on Thursday night and it won't boot.
    You appear to have "proposed" activated. Incompatibilities are only to be expected with proposed. Unfortunately, turning it off at this point is also problematic. It probably dragged in tons of forward apps the first time you updated, so now you have a vegetable stew of old and new. For now, your best bet is simply to use the 4.13.0-26 kernel.

  10. #140
    Join Date
    Jan 2018
    Beans
    51

    meltdown-spectre

    In the case of Ubuntu 16.04.2 which kernel is safer to use that fixes the flaws mentioned in this notice
    https://insights.ubuntu.com/2018/01/...lnerabilities/
    This version is safe or I have to upgrade 4.13.0-26-generic # 29 ~ 16.04.2-Ubuntu
    I should add this ppa ppa: canonical-kernel-team / pti. to be safer?
    How do I add this ppa? Thanks for listening.
