Script to check for Meltdown and/or Spectre vulnerability
Posted: Thu Jan 11, 2018 3:30 pm
by ChrisUK
Maybe of use to some of you:
https://github.com/speed47/spectre-meltdown-checker
(Browse the code before running it)
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 10:09 am
by BrianLinuxing
Yeah Chris, it's a curate's egg that script.
I've been running it since its first few released versions.
Not much good on ARM, or on my (patched) iMac running 4.14, but hopefully it will be fixed over time.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 11:00 am
by stsoh
Ran the script with the latest Liquorix kernel, this is what I got on my old PC E5400.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 12:14 pm
by timkb4cq
AMD looks a bit better, but Spectre variant 1 looks like it will be a long-term problem.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 12:34 pm
by richb
I get the same as Tim on my AMD with the 4.14.0-3 kernel installed from MXPI Popular packages>Kernel. From what I have read the Spectre Vulnerability is less likely. Whether it is or not, not much can be done at this point. Also keep browsers up to date. Latest FF is hardened and Google Chrome should be within the next few days.
Re: Script to check for Meltdown and/or Spectre vulnerability (Updated)
Posted: Fri Jan 12, 2018 3:34 pm
by ChrisUK
Here's a test specifically for Spectre vulnerability in Browsers:
http://xlab.tencent.com/special/spectre ... check.html
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 4:18 pm
by calinb
Downloaded from github and my new Intel mobile quad core Pentium running MX-17 and old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely.
I wonder when the new kernels will float downstream to MX to at least reduce my vulnerabilities. I was hoping I could just use my Atom for javascript browsing. I just installed fresh Ubuntu Mate on my PPC G4 Mac-Mini. Maybe it's safe from S&M. Too bad PPC support is dropping like flies--especially given S&M these days.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 4:21 pm
by Stevo
Just backported the latest intel-microcode from Sid, the script is now a little better:
Code:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
For my i5-6200U CPU.
The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 4:25 pm
by Stevo
calinb wrote:Downloaded from github and my new Intel mobile quad core Pentium running MX-17 and old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely.
I wonder when the new kernels will float downstream to MX to at least reduce my vulnerabilities. I was hoping I could just use my Atom for javascript browsing. I just installed fresh Ubuntu Mate on my PPC G4 Mac-Mini. Maybe it's safe from S&M. Too bad PPC support is dropping like flies--especially given S&M these days.
The changes in the kernels to mitigate Meltdown are currently only for 64-bit. It's hard to find any explanation online as to why this situation happened, though. O̶n̶e̶ ̶A̶r̶c̶h̶ ̶u̶s̶e̶r̶ ̶r̶e̶p̶o̶r̶t̶s̶ ̶t̶h̶a̶t̶ ̶h̶i̶s̶ ̶3̶2̶-̶b̶i̶t̶ ̶k̶e̶r̶n̶e̶l̶ ̶h̶a̶s̶ ̶K̶P̶T̶I̶ ̶m̶i̶t̶i̶g̶a̶t̶i̶o̶n̶ ̶w̶o̶r̶k̶i̶n̶g̶.̶.̶.̶w̶h̶i̶c̶h̶ ̶s̶e̶e̶m̶s̶ ̶o̶d̶d̶,̶ ̶s̶i̶n̶c̶e̶ ̶I̶ ̶t̶h̶o̶u̶g̶h̶t̶ ̶A̶r̶c̶h̶ ̶d̶r̶o̶p̶p̶e̶d̶ ̶3̶2̶-̶b̶i̶t̶ ̶s̶u̶p̶p̶o̶r̶t̶.̶ Edit: Sorry, it was a 64-bit kernel, my mistake.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 5:22 pm
by calinb
Stevo wrote:
The changes in the kernels to mitigate Meltdown are currently only for 64-bit. It's hard to find any explanation online as to why this situation happened, though. O̶n̶e̶ ̶A̶r̶c̶h̶ ̶u̶s̶e̶r̶ ̶r̶e̶p̶o̶r̶t̶s̶ ̶t̶h̶a̶t̶ ̶h̶i̶s̶ ̶3̶2̶-̶b̶i̶t̶ ̶k̶e̶r̶n̶e̶l̶ ̶h̶a̶s̶ ̶K̶P̶T̶I̶ ̶m̶i̶t̶i̶g̶a̶t̶i̶o̶n̶ ̶w̶o̶r̶k̶i̶n̶g̶.̶.̶.̶w̶h̶i̶c̶h̶ ̶s̶e̶e̶m̶s̶ ̶o̶d̶d̶,̶ ̶s̶i̶n̶c̶e̶ ̶I̶ ̶t̶h̶o̶u̶g̶h̶t̶ ̶A̶r̶c̶h̶ ̶d̶r̶o̶p̶p̶e̶d̶ ̶3̶2̶-̶b̶i̶t̶ ̶s̶u̶p̶p̶o̶r̶t̶.̶ Edit: Sorry, it was a 64-bit kernel, my mistake.
Good info, Stevo. Thanks! Hopefully at least 64-bit will be along soon. I could build a kernel myself, but haven't done it in years. If I resort to rolling my own, hopefully it will not be difficult to make a more resistant 32-bit kernel too. From my past experiences, the Gentoo forum may be of some assistance. Gentoo still supports PPC!
Speaking of PPC, I did a little research and I could find no one who has demonstrated a vulnerability in my Mac Mini's 7447a PPC CPU. It may be a case of not enough attention though, which is both bad and good (less helpful research but also not a prime target for hackers). An attack has been demonstrated on a G5 CPU, however, but the same attack reportedly leaked nothing from a 7447a.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 5:36 pm
by timkb4cq
Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.
n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 5:42 pm
by Stevo
We have the fixed 4.14 kernel already available, or easy ways to install the fixed standard Debian release or backports kernels, but we aren't forcing the upgrades right now. Our last few 4.14 Liquorix kernels also support KPTI for 64-bit.
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 12, 2018 9:30 pm
by asqwerth
calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 12:30 am
by calinb
asqwerth wrote:calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.
That's what puzzled me about the script's output. It said my Atom was vulnerable to Spectre (Variant 1 and 2) and also Meltdown (Variant 3) with both current MX-16 PAE and Liquorix kernels.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 12:43 am
by calinb
timkb4cq wrote:Looking at the 7447a's functional schematic and explanation, it's probably pretty safe. It does do some speculative branching, but only puts one instruction after each of the (up to 4) predicted branch targets on the queue. That would leave little footprint to leak compared to an i7 which will speculatively perform dozens of commands on a speculative branch.
n.b. I'm not a CPU guru and the docs I saw could be oversimplified, so take the opinion for what it's worth...
Yes--I suspect that you may have already stumbled upon this page, timkb4cq:
https://tenfourfox.blogspot.com/2018/01 ... r-why.html
The comments on the page are somewhat encouraging too. If I had a little more time on my hands, I'd try to compile some of the PPC test code myself. I am actually thinking about trying to do all my online shopping, banking, and financial stuff on my old Mac Mini running Ubuntu Mate 16.04 LTS. By the time the LTS runs out, I anticipate that new CPU architectures will be available or maybe Gentoo will keep my Mac Mini running on the cheap! PPC is just about dead now in GNU/Linux land, though BSD distros will probably keep it going longer.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 12:48 am
by calinb
Stevo wrote:<snip>
I think it is very difficult to adapt the KPTI patches to 32-bit, otherwise the fixes would have been pushed to Ubuntu and Debian already. It's not just a matter of adding PROCESS_TABLE_ISOLATION=y to the 32-bit configuration.
Thanks again, Stevo. That is really a bummer, because sometimes I really appreciate the small size of my Atom netbook and the script is saying it's vulnerable to all three variants, but maybe the script is wrong about the Meltdown variant and my netbook's old Atom CPU.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 5:27 am
by stsoh
Stevo wrote:Just backported the latest intel-microcode from Sid, the script is now a little better:
Code:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
For my i5-6200U CPU.
The Debian changelog also mentions this mitigation. The new microcode should come down the pipe soon, but requires a reboot in order to load.
Does not resolve for old CPU, it is vulnerable as before after updating intel-microcode.
Code:
2018-01-13 12:32:08 upgrade intel-microcode amd64 3.20171215.1~mx17+1 3.20180108.1~mx17+1
Code:
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.14.0-13.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.14-16 (2018-01-11) x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 34 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 6:55 am
by vamsi
Installed MX 4.14 kernel from package installer. Before installing I got output that my system is vulnerable, and after installing it also showed the same output, VULNERABLE. By the way, I am using 32 bit.
By the way, what is the meaning of this in the dolphin's post?
Updated kernels are also available for our 32 bit versions, but be advised that there have not been any upstream 32 bit patches for meltdown made available as yet.
I installed MX 4.14 Kernel
Then my system is still vulnerable ??
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 7:07 am
by asqwerth
Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 7:47 am
by vamsi
asqwerth wrote:Means there are no patches for meltdown in the updated 32-bit kernels. All the usual big distros upstream have not created any so far.
Thanks asqwerth, then it is no use in installing MX-4.14 kernel, then I think I need to uninstall it
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 8:39 am
by caprea
Code:
Thanks asqwerth, then it is no use in installing MX-4.14 kernel, then I think I need to uninstall it
It seems there is a patched 32bit antix-kernel
https://www.antixforum.com/spectre-and- ... -upgrades/
I just installed the Debian 3.16 64bit kernel on mx-16 from the mx-package installer.
It still shows it is vulnerable for three vulnerabilities.
Then I tried the 4.9.0-0.bpo.5-amd64, this worked.
The 3.16 most certainly not.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 9:40 am
by timkb4cq
Nope, missed that one. I just searched for info about 7447a speculative instructions & wound up here:
https://www.nxp.com/docs/en/application-note/AN2797.pdf
Nothing directly about Spectre, just the basics about how the processor works. As I said, if I understand the architecture correctly I don't see much of a footprint for a remote attacker to retrieve any targeted data. Maybe a few bytes that a library function exposes, but I doubt they could load the cache with anything useful given the chipset's limitations on speculative execution.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 9:57 am
by kmathern
caprea wrote:
Code:
Thanks asqwerth, then it is no use in installing MX-4.14 kernel, then I think I need to uninstall it
It seems there is a patched 32bit antix-kernel
https://www.antixforum.com/spectre-and- ... -upgrades/
I just installed the Debian 3.16 64bit kernel on mx-16 from the mx-package installer.
It still shows it is vulnerable for three vulnerabilities.
Then I tried the 4.9.0-0.bpo.5-amd64, this worked.
The 3.16 most certainly not.
I'm seeing the same here.
For the default Debian Jessie 3.16 kernel, the 3.16.0-5 update has the kpti patches according to this:
https://tracker.debian.org/news/900500 (near the bottom of that page).
And apt-cache policy shows that the 3.16.0-5 update is in the repos
Code:
$ apt-cache policy linux-image-3.16.0-5-amd64
linux-image-3.16.0-5-amd64:
Installed: (none)
Candidate: 3.16.51-3+deb8u1
Version table:
3.16.51-3+deb8u1 0
500 http://security.debian.org/ jessie/updates/main amd64 Packages
But when I run MXPI I see that it's trying to install the 3.16.0-4 version packages
Code:
Script started, file is /var/log/mxpi.log
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libfile-homedir-perl libfile-which-perl
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-common linux-kbuild-3.16
Suggested packages:
linux-doc-3.16 debian-kernel-handbook
Recommended packages:
irqbalance
The following NEW packages will be installed:
linux-compiler-gcc-4.8-x86 linux-headers-3.16.0-4-amd64 linux-headers-3.16.0-4-common
linux-image-3.16.0-4-amd64 linux-kbuild-3.16
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 39.6 MB of archives.
After this operation, 190 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 12:49 pm
by Paul..
Glad you brought this up, Kent. Will change the script for EDIT: 4.9.0-4-amd64 to 4.9.0-5-amd64 shortly.
-pc
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 3:13 pm
by calinb
Haha--and that's a good AP Note, timkb4cq. I'll archive it. Thanks!
I tend to agree with you about low risk with the 7447a and I'm actually less comfortable with any "early days" Meltdown or Spectre patches. Validation of these complex things takes far longer than the time these bugs have even been publicly known!
I'm not a CPU architect either but I worked at Intel for over 20 years and attended Chief P6 Architect Bob Colwell's internal P6 architecture classes. Back then I worked in P6 validation (for a couple plus years, and my experience in that job is the reason I say that my confidence in Meltdown and Spectre patches is low right now).
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 4:15 pm
by Stevo
I'm fairly certain that any current 32-bit kernel does not support the Meltdown kpti mitigation. I think the antiX announcement should be changed to make this clear. But I hope that someone can prove me wrong!
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 7:19 pm
by Stevo
A user on the Debian forums emailed and got a reply from one of the developers of the KPTI patch in the kernel:
> Hi,
> I'm writing to you because I noticed your involvement with the KPTI/KAISER
> patches. Across several varieties of linux distributions, users have
> noticed that kpti is impossible to enable because it depends on x86_64.
> Many of us are concerned that we are running 32-bit systems that are
> still vulnerable to meltdown; we are also concerned because it's a
> handful of users who have brought this to light, and major news and
> information from our distros are keeping silent on the topic. We are all
> wondering if you could shed some light: in particular, is x86 vulnerable?
Yes, 32bit is vulnerable. We haven't yet had time to look into that as the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit. We know about it and the 32bit mitigation has been under discussion
already, but I can't tell at the moment when we are going to have that.
Sorry that I can't tell you better news.
Thanks,
Thomas
So that's the situation now.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 9:27 pm
by azrielle
Stevo wrote:A user on the Debian forums emailed and got a reply from one of the developers of the KPTI patch in the kernel:
the
vast majority of systems, especially the most endangered cloud stuff, runs
64bit.
From a practical perspective, 32bit is a lot less likely to be attacked for that very reason. Plus, 32bit MX uses about 70MB less RAM!
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 10:03 pm
by Stevo
Plus 32-bit users really don't need whatever slowdown kpti inflicts on their system, too.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sat Jan 13, 2018 10:09 pm
by calinb
asqwerth wrote:calinb wrote:Downloaded from github and my ... old Atom (manufactured in 2011) running MX-16 PAE or Liquorix are "vulnerable" through and through. I'd read that Atom CPUs more than 5 years old are not vulnerable, but there's a lot of misinformation out there about S&M or maybe the script doesn't comprehend Atom. I'll have to look at the script more closely...
Vulnerable to which? My understanding is that pre 2013 Atoms are not affected by Meltdown but everything's going to be vulnerable to Spectre.
Update:
According to /proc/cpuinfo and Intel's Impacted Intel Systems list (and contrary to what the script here reported) my Atom N455 MX-16 system is not impacted. The impacted Intel Atom CPUs are:
- Intel Atom® processor C series
- Intel Atom® processor E series
- Intel Atom® processor A series
- Intel Atom® processor x3 series
- Intel Atom® processor Z series
Scroll to the bottom here for the complete list:
https://www.intel.com/content/www/us/en ... cts.html#4
So between my Atom N455 and PPC G4 I think old and slow CPUs rock! Good thing my Big Board II and old Kaypro machines quit working decades ago or I'd probably be running CPM too.

Architecture FYI, in case anyone's interested.
Posted: Sun Jan 14, 2018 2:27 pm
by calinb
Raspberry Pi Founder's brief introduction to the CPU concepts and architectures that make Meltdown and Spectre possible:
https://www.raspberrypi.org/blog/why-ra ... -meltdown/
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Sun Jan 14, 2018 2:47 pm
by Richard
Off-topic:
CP/M 2.2 was great and fast.
Not so pretty but efficient
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Wed Jan 24, 2018 8:34 am
by stsoh
halfway there........ mitigation 2 of variant 2 + variant 3 not vulnerable.
Code:
Spectre and Meltdown mitigation detection tool v0.32
Checking for vulnerabilities on current system
Kernel is Linux 4.14.15 #1 SMP PREEMPT Wed Jan 24 18:30:48 +08 2018 x86_64
CPU is Pentium(R) Dual-Core CPU E5400 @ 2.70GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Mitigation 1
* Hardware support (CPU microcode)
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running under Xen PV (64 bits): UNKNOWN (dmesg truncated, please reboot and relaunch this script)
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Wed Jan 24, 2018 11:07 am
by timkb4cq
Richard wrote:Off-topic:
CP/M 2.2 was great and fast.
Not so pretty but efficient
For its day, perhaps. But what I remember was Put in Wordstar disk, start the program, go to the kitchen & get a drink while it loaded up. Work efficiently once it was loaded.
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Wed Jan 24, 2018 1:38 pm
by Richard
yes the floppy was slow
but my Kaypro with 10 MB hard drive
seemed instantaneous. :)
Re: Script to check for Meltdown and/or Spectre vulnerability
Posted: Fri Jan 26, 2018 3:09 pm
by stsoh
Code:
Spectre and Meltdown mitigation detection tool v0.33
Checking for vulnerabilities on current system
Kernel is Linux 4.14.15 #1 SMP PREEMPT Wed Jan 24 18:30:48 +08 2018 x86_64
CPU is Pentium(R) Dual-Core CPU E5400 @ 2.70GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: NO
* Vulnerable to Variant 3: NO
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
* Retpoline enabled: YES
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
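The "Mitigated according to the /sys interface" lines in the v0.32 and v0.33 output above refer to the kernel's own report under /sys/devices/system/cpu/vulnerabilities. As an added example (not part of the thread and not code from the checker script), the shell functions below read those files directly and classify each one; the function names and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the kernel's own report of speculative-execution
# mitigations. Each file holds one line, e.g. "Not affected",
# "Vulnerable" or "Mitigation: PTI".

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_state TEXT: print NOT_AFFECTED, MITIGATED, VULNERABLE or UNKNOWN.
classify_state() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_issue DIR NAME: print "NAME STATE raw-text" for one sysfs file.
check_issue() {
    dir=$1
    name=$2
    if [ -r "$dir/$name" ]; then
        IFS= read -r raw < "$dir/$name" || :
        printf '%s %s %s\n' "$name" "$(classify_state "$raw")" "$raw"
    else
        # Kernels that predate this interface have no file at all.
        printf '%s UNKNOWN (no sysfs entry; kernel does not report)\n' "$name"
    fi
}

# report_mitigations [DIR]: print one line per issue and return 1 unless
# every issue is NOT_AFFECTED or MITIGATED.
report_mitigations() {
    dir=${1:-$SYSFS_VULN_DIR}
    rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        line=$(check_issue "$dir" "$name")
        printf '%s\n' "$line"
        case "$line" in
            "$name NOT_AFFECTED"*|"$name MITIGATED"*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# make_sample_dir: build a constructed directory (not real system data)
# resembling a 64-bit kernel with PTI and minimal retpoline; print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf '%s\n' "$d"
}
```

Call `report_mitigations` with no argument to read the live system, or pass the path printed by `make_sample_dir` to try it on the constructed data. A missing file means the running kernel predates the interface, not that the CPU is unaffected.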