Page 21 of 22 FirstFirst ... 1119202122 LastLast
Results 201 to 210 of 211

Thread: Meltdown and Spectre Discussion Sticky

  1. #201
    Join Date
    Nov 2014
    Beans
    2

    Re: Meltdown and Spectre Discussion Sticky

    Hi

    i need some help please with interpreting the results of the speed47 tool. What does it say?

    Mainly, my questions are
    • Does Ubuntu recognize the patched firmware, even though the firmware version is not exposed to the virtual machine (ucode 0xffffffff), but the individual mitigation capability flags seem to be exposed?
    • What is the meaning of STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline, IBPB (Intel v4)) for Spectre v2 and it is in any way better than it would be if the firmware wasn't patched?


    system info:
    The system is Sandy Bridge (Core i5-2500) with patched firmware.
    Microcode version in the firmware is 0x2d (with Spectre v2 mitigation)
    The operating system is Ubuntu server 17.10 with kernel 4.13.0-37-generic running in a virtual machine on Windows Server 2016 with Hyper-V.

    Code:
    Spectre and Meltdown mitigation detection tool v0.36+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.13.0-37-generic #42-Ubuntu SMP Wed Mar 7 14:13:23 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  YES
        * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  NO
        * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  YES
        * CPU indicates STIBP capability:  YES
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
      * CPU microcode is known to cause stability problems:  NO  (model 42 stepping 7 ucode 0xffffffff)
    * CPU vulnerability to the three speculative execution attack variants
      * Vulnerable to Variant 1:  YES
      * Vulnerable to Variant 2:  YES
      * Vulnerable to Variant 3:  YES
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel has array_index_mask_nospec:  NO
    * Kernel has the Red Hat/Ubuntu patch:  YES
    > STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Mitigation 1
      * Kernel is compiled with IBRS/IBPB support:  YES
      * Currently enabled features
        * IBRS enabled for Kernel space:  NO
        * IBRS enabled for User space:  NO
        * IBPB enabled:  YES
    * Mitigation 2
      * Kernel has branch predictor hardening (ARM):  NO
      * Kernel compiled with retpoline option:  YES
      * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline, IBPB (Intel v4))
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel supports Page Table Isolation (PTI):  YES  (found 'CONFIG_PAGE_TABLE_ISOLATION=y')
    * PTI enabled and active:  YES
    * Running as a Xen PV DomU:  NO
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    Code:
    root@ownCloud:/tmp# cat /proc/cpuinfo
    processor       : 0
    vendor_id       : GenuineIntel
    cpu family      : 6
    model           : 42
    model name      : Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
    stepping        : 7
    microcode       : 0xffffffff
    cpu MHz         : 3300.021
    cache size      : 6144 KB
    physical id     : 0
    siblings        : 4
    core id         : 0
    cpu cores       : 4
    apicid          : 0
    initial apicid  : 0
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 13
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 popcnt aes xsave avx hypervisor lahf_lm pti retpoline spec_ctrl xsaveopt
    bugs            : cpu_meltdown spectre_v1 spectre_v2
    bogomips        : 6600.04
    clflush size    : 64
    cache_alignment : 64
    address sizes   : 36 bits physical, 48 bits virtual
    power management:

  2. #202
    Join Date
    Oct 2008
    Location
    Rezzoaglio (GE) Italy
    Beans
    257
    Distro
    Ubuntu Development Release

    Re: Meltdown and Spectre Discussion Sticky

    Intel has published the new microcode revision https://newsroom.intel.com/wp-conten...e-guidance.pdf and for for some CPUs the microcode will NEVER be updated

  3. #203
    Join Date
    Jun 2008
    Location
    Byron, CA, USA
    Beans
    506
    Distro
    Ubuntu 16.04 Xenial Xerus

    Unhappy Re: Meltdown and Spectre Discussion Sticky

    Thanks for the confirmation. That shelves the Gateway®/Acer® DX4822-01 desktop proposal for ubuntu® 18.04.0-LTS, as the Wolfdale platform (on which the intel® Pentium Processor® E5300 (FCLGA775) is built) is excluded from the fix, probably due to microarchitectural limitations making restrictions on indirect-branch processing (necessary to mitigate CVE-2017-5715) impossible to implement. I've decided to repurpose the DX4822 as a mission-specific music hardware for an implementation of Aeolus under ubuntustudio® 18.04.0-LTS; the Creative Laboratories® SB0350 pulled from the Hot Rod gPC™ should have enough outputs in the Creative® E-MU® CA0102. The main problem now will be an implementation of an Artisan Classic Organs two-manual and pedal console (consistent with input implementation for Milan Digital® Hauptwerk®) with one row of 24 drawknobs above Manual II than can communicate with the DX4822 via IEEE 1394....
    Gigabyte® GA-MA78GM-S2HP (AMD® Athlon 64® 3500+ CPU, RS780G NB, SB710 SB)
    Audio: ASUS® XONARESSENCESTX/A (PCIe, C-Media® CMI-8788 via PCIe-PCI bridge)

  4. #204
    Join Date
    Apr 2017
    Beans
    13

    Design Flaw or Intentional

    Is Spectre likely to be intentional by these companies to apease certain government agencies, or is this truely a design flaw, as it is being told to us??

  5. #205
    Join Date
    Oct 2009
    Location
    Reykjavík, Ísland
    Beans
    13,209
    Distro
    Xubuntu 19.10 Eoan Ermine

    Re: Meltdown and Spectre Discussion Sticky

    The government agencies don't need software to get access to the contents of a suspect's computer. Any modern computer with Intel Management Engine can be monitored remotely. Copy the screen picture, monitor the keys pressed, watch witch applications are running and so on.

    I am not familiar with AMD but I guess that they offer similar 'functionality'.
    Bringing old hardware back to life. About problems due to upgrading.
    Please visit Quick Links -> Unanswered Posts.
    Don't use this space for a list of your hardware. It only creates false hits in the search engines.

  6. #206
    Join Date
    Jun 2018
    Beans
    Hidden!

    Re: Meltdown and Spectre Discussion Sticky

    I really don't believe these flaws were implemented on purpose. I'm a occasional reader of Bruce Schneier's blog and here is one of his numerous interesting posts :

    https://www.schneier.com/blog/archiv...r_spectre.html

    IMHO, it was far too risky to implement this kind of vulnerabilities, thinking it won't be discovered by anyone else. I believe in flaws intentionally implemented such as kernel code bugs, the kind of stuff you won't even figure out it could have been possibly done on purpose, such as races conditions, all that things. But yes, it could have been. On the other hand, such critical flaws (spectre, meltdown) that can't even be patched remotely, or in the worse case, that can't even be patched, period, it's something you can't reasonably assume it's been done on purpose, and that everything which has been following has been working exactly as planned. I don't think that shuttles or military devices only use flawless hardwares. Just as I don't believe in God, I won't believe in a more unlikely story.

    To come back to meltdown and spectre, I waited several weeks before patching to a new PTI kernels, as I was using a unofficial fork of Grsecurity, I thought my outer computer boundary was hardened enough to be safe for some months more. But it seems that the team who was in charge of maintaining this Grsecurity fork didn't get over the PTI implementation and gave up. A shame as it was a really a great job done. But I feared much more to let an exploit get through my browser, my torrent client or anything else, than to find out that my computer's been taken over from the inside (kernel exploit such as metldown, etc)...

  7. #207
    Join Date
    Oct 2008
    Location
    Rezzoaglio (GE) Italy
    Beans
    257
    Distro
    Ubuntu Development Release

    Re: Meltdown and Spectre Discussion Sticky

    New Vulnerability Variants 3a and 4 also in US security site: https://www.us-cert.gov/ncas/alerts/TA18-141A

  8. #208
    Join Date
    Jun 2009
    Location
    0:0:0:0:0:0:0:1
    Beans
    4,915
    Distro
    Xubuntu

    Re: Meltdown and Spectre Discussion Sticky

    Intel has released some new microcode for my CPU:
    https://downloadcenter.intel.com/dow...?product=80811
    Should I update it myself or will there be a normal update for it?
    Code:
    $ sudo ./spectre-meltdown-checker.sh --explain
    Spectre and Meltdown mitigation detection tool v0.39+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  YES 
        * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  YES 
        * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  YES 
        * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
      * Speculative Store Bypass Disable (SSBD)
        * CPU indicates SSBD capability:  NO 
      * L1 data cache invalidation
        * FLUSH_CMD MSR is available:  NO 
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
      * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
      * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
      * CPU microcode is known to cause stability problems:  NO  (model 0x3c family 0x6 stepping 0x3 ucode 0x24 cpuid 0x306c3)
      * CPU microcode is the latest known available version:  NO  (you have version 0x24 and latest known version is 0x25)
    * CPU vulnerability to the speculative execution attack variants
      * Vulnerable to Variant 1:  YES 
      * Vulnerable to Variant 2:  YES 
      * Vulnerable to Variant 3:  YES 
      * Vulnerable to Variant 3a:  YES 
      * Vulnerable to Variant 4:  YES 
      * Vulnerable to Variant l1tf:  YES 
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
    * Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
    * Kernel has the Red Hat/Ubuntu patch:  NO 
    * Kernel has mask_nospec64 (arm64):  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
    * Mitigation 1
      * Kernel is compiled with IBRS support:  YES 
        * IBRS enabled and active:  YES  (for kernel and firmware code)
      * Kernel is compiled with IBPB support:  YES 
        * IBPB enabled and active:  YES 
    * Mitigation 2
      * Kernel has branch predictor hardening (arm):  NO 
      * Kernel compiled with retpoline option:  YES 
        * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
    * Kernel supports Page Table Isolation (PTI):  YES 
      * PTI enabled and active:  YES 
      * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
    * Running as a Xen PV DomU:  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
    * CPU microcode mitigates the vulnerability:  NO 
    > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)
    
    > How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.
    
    CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
    * Mitigated according to the /sys interface:  NO  (Vulnerable)
    * Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
    > STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)
    
    > How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
    
    CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
    > STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
    
    A false sense of security is worse than no security at all, see --disclaimer
    $ dmesg | grep microcode
    [    0.840992] microcode: sig=0x306c3, pf=0x2, revision=0x24
    [    0.841029] microcode: Microcode Update Driver: v2.2.
    EDIT:
    manual update does work:
    Code:
    $ cp -r /lib/firmware/intel-ucode intel-ucode.backup
    $ sudo cp -r intel-ucode/* /lib/firmware/intel-ucode/
    $ echo 1 | sudo tee /sys/devices/system/cpu/microcode/reload
    $ dmesg | grep microcode
    [    0.840992] microcode: sig=0x306c3, pf=0x2, revision=0x24
    [    0.841029] microcode: Microcode Update Driver: v2.2.
    [56165.335616] microcode: updated to revision 0x25, date = 2018-04-02
    [56165.338238] x86/CPU: CPU features have changed after loading microcode, but might not take effect.
    $ sudo ./spectre-meltdown-checker.sh --explain
    Spectre and Meltdown mitigation detection tool v0.39+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64
    CPU is Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  YES 
        * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  YES 
        * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  YES 
        * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
      * Speculative Store Bypass Disable (SSBD)
        * CPU indicates SSBD capability:  YES  (Intel SSBD)
      * L1 data cache invalidation
        * FLUSH_CMD MSR is available:  YES 
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
      * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
      * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
      * CPU microcode is known to cause stability problems:  NO  (model 0x3c family 0x6 stepping 0x3 ucode 0x25 cpuid 0x306c3)
      * CPU microcode is the latest known available version:  YES  (you have version 0x25 and latest known version is 0x25)
    * CPU vulnerability to the speculative execution attack variants
      * Vulnerable to Variant 1:  YES 
      * Vulnerable to Variant 2:  YES 
      * Vulnerable to Variant 3:  YES 
      * Vulnerable to Variant 3a:  YES 
      * Vulnerable to Variant 4:  YES 
      * Vulnerable to Variant l1tf:  YES 
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
    * Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
    * Kernel has the Red Hat/Ubuntu patch:  NO 
    * Kernel has mask_nospec64 (arm64):  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
    * Mitigation 1
      * Kernel is compiled with IBRS support:  YES 
        * IBRS enabled and active:  YES  (for kernel and firmware code)
      * Kernel is compiled with IBPB support:  YES 
        * IBPB enabled and active:  YES 
    * Mitigation 2
      * Kernel has branch predictor hardening (arm):  NO 
      * Kernel compiled with retpoline option:  YES 
        * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
    * Kernel supports Page Table Isolation (PTI):  YES 
      * PTI enabled and active:  YES 
      * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
    * Running as a Xen PV DomU:  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
    * CPU microcode mitigates the vulnerability:  YES 
    > STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)
    
    CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
    * Mitigated according to the /sys interface:  NO  (Vulnerable)
    * Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
    > STATUS:  NOT VULNERABLE  (your system provides the necessary tools for software mitigation)
    
    CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
    > STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
    
    A false sense of security is worse than no security at all, see --disclaimer
    Now lets see how much a performance hit it gives...
    Well this is a surprise, it loos like it buffed performance, i only did one pass with no rebooting between test, so it is not a good sample size
    Attached Files Attached Files
    Last edited by pqwoerituytrueiwoq; August 26th, 2018 at 02:47 PM.
    Laptop: ASUS A54C-NB91 (Storage: WD3200BEKT + MKNSSDCR60GB-DX); Desktop: Custom Build - Images included; rPi Server
    Putting your Networked Printer's scanner software to shame PHP Scanner Server
    I frequently edit my post when I have the last post

  9. #209
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    10,617
    Distro
    Ubuntu

    Re: Meltdown and Spectre Discussion Sticky

    Intel has released some new microcode for my CPU:
    https://downloadcenter.intel.com/dow...?product=80811
    Should I update it myself or will there be a normal update for it?
    microcode packages are now dependencies of the linux-generic meta packages.
    So whenever the linux-generic or linux-image-generic packages get an update, it should pull in the latest microcode updates.
    https://bugs.launchpad.net/ubuntu/+s...e/+bug/1780399

    I guess the real question (for me, at least) would probably be the lag time between when intel (or amd) releases the updated microcode and the time it gets updated in Ubuntu's repositories.
    I think Ubuntu is trying to keep the microcode as up-to-date as possible, or at least within a reasonable time frame from when the packages is initially released upstream and when it becomes available for regular user updates in Ubuntu's ecosystem.
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  10. #210
    Join Date
    Sep 2019
    Beans
    1

    Re: Meltdown and Spectre Discussion Sticky

    thank you for sharing it !

Page 21 of 22 FirstFirst ... 1119202122 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •