Author Topic: Meltdown and Spectre Linux Kernel Status  (Read 242 times)


Offline virtual-dev

  • Global Moderator
  • Posts: 281
  • Thanks: 622 times
  • Desktop: Xfce4
  • Graphics card: Intel HD Graphics 630
  • Graphics driver: free
  • Kernel: 4.14 lts
  • Processor: i7-7700HQ
  • Skill: Advanced
  • Branch: *
Meltdown and Spectre Linux Kernel Status
« on: 08 January 2018, 15:43:43 »
Quote
Meltdown and Spectre Linux Kernel Status

By now, everyone knows that something “big” just got announced regarding computer security. Heck, when the Daily Mail does a report on it, you know something is bad…

Anyway, I’m not going to go into the details about the problems being reported, other than to point you at the wonderfully written Project Zero paper on the issues involved here. They should just give out the 2018 Pwnie award right now, it’s that amazingly good.

If you do want technical details for how we are resolving those issues in the kernel, see the always awesome lwn.net writeup for the details.

Also, here’s a good summary of lots of other postings that includes announcements from various vendors.

As for how this was all handled by the companies involved, well this could be described as a textbook example of how NOT to interact with the Linux kernel community properly. The people and companies involved know what happened, and I’m sure it will all come out eventually, but right now we need to focus on fixing the issues involved, and not pointing blame, no matter how much we want to.

What you can do right now

If your Linux systems are running a normal Linux distribution, go update your kernel. They should all have the updates in them already. And then keep updating them over the next few weeks, we are still working out lots of corner case bugs given that the testing involved here is complex given the huge variety of systems and workloads this affects. If your distro does not have kernel updates, then I strongly suggest changing distros right now.

However there are lots of systems out there that are not running “normal” Linux distributions for various reasons (rumor has it that it is way more than the “traditional” corporate distros). They rely on the LTS kernel updates, or the normal stable kernel updates, or they are in-house franken-kernels. For those people here’s the status of what is going on regarding all of this mess in the upstream kernels you can use.

Meltdown – x86

Right now, Linus’s kernel tree contains all of the fixes we currently know about to handle the Meltdown vulnerability for the x86 architecture. Go enable the CONFIG_PAGE_TABLE_ISOLATION kernel build option, and rebuild and reboot and all should be fine.

Link
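
One way to verify the build option named in the quoted post, added here as an example (it is not from the quoted post or from the kernel project): the function reads a kernel config file, plain or gzip-compressed, and reports whether CONFIG_PAGE_TABLE_ISOLATION is built in. The helper names are hypothetical; /proc/config.gz and /boot/config-$(uname -r) are assumed locations that exist only where the kernel or distribution provides them.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables page table isolation.
# read_kconfig and pti_config_status are hypothetical helper names.

# Print the config, decompressing it when it is gzip data (as /proc/config.gz is).
read_kconfig() {
    if gzip -t < "$1" 2>/dev/null; then
        gzip -dc < "$1"
    else
        cat "$1"
    fi
}

# Prints enabled | disabled | unknown | unreadable; returns 0 only for enabled.
pti_config_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo unreadable; return 2; }
    if read_kconfig "$cfg" | grep -qx 'CONFIG_PAGE_TABLE_ISOLATION=y'; then
        echo enabled
    elif read_kconfig "$cfg" | grep -qx '# CONFIG_PAGE_TABLE_ISOLATION is not set'; then
        echo disabled
        return 1
    else
        # Symbol absent: the source tree predates the option or targets another arch.
        echo unknown
        return 1
    fi
}

# Check the running kernel when invoked as: sh script.sh --running
if [ "${1:-}" = "--running" ]; then
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then
            echo "$f: $(pti_config_status "$f")"
            break
        fi
    done
fi
```

A kernel built with the option can still run with PTI inactive, which is why the checker output later in this thread reports PTI support and PTI activation on separate lines.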

Offline linuxkumpel

  • Hero Member
  • Posts: 677
  • Thanks: 42 times
  • "Be smart and play dumb!"
  • Desktop: Xfce x86_64 4.12.4
  • Graphics card: Intel HD Graphics 4400
  • Graphics driver: nonfree
  • Kernel: 4.14 / 4.9
  • Processor: Intel Core i3-4010U
  • Skill: Average
  • Branch: testing
Re: Meltdown and Spectre Linux Kernel Status
« Reply #1 on: 08 January 2018, 15:50:29 »
For those not so fluent in English: click  ;)
Lenovo M 30-70 Manjaro 17.1.2 Hakoila Xfce - Kernel: x86_64 Linux 4.14.14-1 MANJARO, Intel Core i3-4010U, Intel HD Graphics 4400 | Packard Bell Easynote F4085 - Linux Lite, PeppermintOS, Pop!_OS | Netbook Packard Bell Dot's - Manjaro 17.1.2 Hakoila LXDE | Dell Inspiron 11-3162 PeppermintOS 8 | Asus EeePC 701 4 G - Peppermint OS | Dell Latitude E7240 - Windows 10   "Better to practice with Linux than to give Microsoft a chance."

Offline Sahel

  • Newbie
  • Posts: 5
  • Desktop: Manjaro 17.1.1 Deepin 15.5
  • Graphics card: Intel HD graphics chip integrated in the CPU, Intel Device 5912
  • Kernel: 4.14.13-1
  • Processor: Intel i7-7700T 2.90GHz
  • Skill: Beginner
  • Branch: stable
Re: Meltdown and Spectre Linux Kernel Status
« Reply #2 on: 12 January 2018, 23:32:04 »
Hello,
this is my very first post here in the forum. I installed Manjaro 2 weeks ago and am super happy with it.

Today came the update to kernel 4.14.13-1. Then a reboot. The package manager reports "System ist auf dem neuesten Stand" (system is up to date).
Then I installed spectre-meltdown-checker. Output:
sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.28

Checking for vulnerabilities against running kernel Linux 4.14.13-1-MANJARO #1 SMP PREEMPT Wed Jan 10 21:11:43 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-7700T CPU @ 2.90GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

So, status Vulnerable twice.  How should I interpret this? Is the patch still incomplete, and do I have to wait for further updates?

Many thanks in advance and best regards to everyone here in the forum.
Matthias

Offline Sahel

Re: Meltdown and Spectre Linux Kernel Status
« Reply #3 on: 12 January 2018, 23:48:27 »
edit: as so often: those who can read have the advantage.

The answers to my question are right there:
"STATUS:  VULNERABLE  (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)"
and
"STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)"

so, wait and see...