Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?


Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Turritopsis Dohrnii Teo En Ming-2
What are the patches that I can download and install to be protected
against the Meltdown and Spectre security vulnerabilities?

===BEGIN SIGNATURE===

Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017

[1] https://tdtemcerts.wordpress.com/

[2] http://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

===END SIGNATURE===

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Colin Watson
On Mon, Feb 19, 2018 at 08:11:05PM +0800, Turritopsis Dohrnii Teo En Ming wrote:
> What are the patches that I can download and install to be protected
> against the Meltdown and Spectre security vulnerabilities?

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
has details on this.

--
Colin Watson                                       [[hidden email]]


Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf-2
In reply to this post by Turritopsis Dohrnii Teo En Ming-2
On Mon, 19 Feb 2018 20:11:05 +0800, Turritopsis Dohrnii Teo En Ming wrote:
>What are the patches that I can download and install to be protected
>against the Meltdown and Spectre security vulnerabilities?

Hi,

at least the kaiser patch set is applied. I'm not booted to my Ubuntu
install, so I provided some information on how to check if mitigation is
enabled, after logging out of the systemd-nspawn container, by my Arch
Linux install:

[root@archlinux rocketmouse]# systemd-nspawn -qD /mnt/moonstudio
[root@moonstudio ~]# lsb_release -rc
Release: 16.04
Codename: xenial
[root@moonstudio ~]# apt changelog linux-image-4.4.0.112-lowlatency 2>/dev/null | grep -i kaiser
    - SAUCE: kaiser: fix perf crashes - fix to original commit
    - kaiser: Set _PAGE_NX only if supported
    - KAISER: Kernel Address Isolation
    - kaiser: merged update
    - kaiser: do not set _PAGE_NX on pgd_none
    - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
    - kaiser: fix build and FIXME in alloc_ldt_struct()
    - kaiser: KAISER depends on SMP
    - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER
    - kaiser: fix perf crashes
    - kaiser: ENOMEM if kaiser_pagetable_walk() NULL
    - kaiser: tidied up asm/kaiser.h somewhat
    - kaiser: tidied up kaiser_add/remove_mapping slightly
    - kaiser: kaiser_remove_mapping() move along the pgd
    - kaiser: cleanups while trying for gold link
    - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET
    - kaiser: delete KAISER_REAL_SWITCH option
    - kaiser: vmstat show NR_KAISERTABLE as nr_overhead
    - kaiser: enhanced by kernel and user PCIDs
    - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user
    - kaiser: PCID 0 for kernel and 128 for user
    - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user
    - kaiser: paranoid_entry pass cr3 need to paranoid_exit
    - kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls
    - kaiser: fix unlikely error in alloc_ldt_struct()
    - kaiser: add "nokaiser" boot option, using ALTERNATIVE
    - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling
    - x86/kaiser: Check boottime cmdline params
    - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush
    - kaiser: drop is_atomic arg to kaiser_pagetable_walk()
    - kaiser: asm/tlbflush.h handle noPGE at lower level
    - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID
    - x86/kaiser: Reenable PARAVIRT
    - kaiser: disabled on Xen PV
    - x86/kaiser: Move feature detection up
    - [Config]: CONFIG_KAISER=y
[root@moonstudio ~]# apt changelog linux-image-4.4.0.112-lowlatency 2>/dev/null | grep "KPTI: Report when enabled" -B10 -A10
    - x86/mm: Disable PCID on 32-bit kernels

 -- Marcelo Henrique Cerri <[hidden email]>  Sun, 07 Jan 2018 11:46:05 -0200

linux (4.4.0-107.130) xenial; urgency=low

  * linux: 4.4.0-107.130 -proposed tracker (LP: #1741643)

  * CVE-2017-5754
    - Revert "UBUNTU: SAUCE: arch/x86/entry/vdso: temporarily disable vdso"
    - KPTI: Report when enabled
    - x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader
    - x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap
    - x86/kasan: Clear kasan_zero_page after TLB flush
    - kaiser: Set _PAGE_NX only if supported

 -- Kleber Sacilotto de Souza <[hidden email]>  Sat, 06 Jan 2018 17:13:03 +0100

linux (4.4.0-106.129) xenial; urgency=low

  * linux: 4.4.0-106.129 -proposed tracker (LP: #1741528)
[root@moonstudio ~]# logout
[root@archlinux rocketmouse]# dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.326377] microcode: sig=0x306c3, pf=0x2, revision=0x23
[    0.326507] microcode: Microcode Update Driver: v2.2.
[root@archlinux rocketmouse]# ls -hAl /sys/devices/system/cpu/vulnerabilities/
total 0
-r--r--r-- 1 root root 4.0K Feb 19 19:44 meltdown
-r--r--r-- 1 root root 4.0K Feb 19 19:44 spectre_v1
-r--r--r-- 1 root root 4.0K Feb 19 19:44 spectre_v2
[root@archlinux rocketmouse]# cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
[root@archlinux rocketmouse]# lsb_release -r
Release: rolling

If I boot with nopti, the output looks like this:

[rocketmouse@archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Vulnerable
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline

Regards,
Ralf



Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Bret Busby-2
In reply to this post by Colin Watson
On 19/02/2018, Colin Watson <[hidden email]> wrote:

> On Mon, Feb 19, 2018 at 08:11:05PM +0800, Turritopsis Dohrnii Teo En Ming
> wrote:
>> What are the patches that I can download and install to be protected
>> against the Meltdown and Spectre security vulnerabilities?
>
> https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
> has details on this.
>
> --
> Colin Watson                                       [[hidden email]]
>
> --
> ubuntu-users mailing list
> [hidden email]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>

From the wording on that web page, relating to the updates released on
21 February, is it correct that the three problems (S1, S2 and
Meltdown) are now fixed, and that the threat is now overcome?

I had the impression that one or more of the three problems required
new CPU hardware microcode, to fix the problem, and that, apart from
keeping the operating system updated, as security updates became
available, we need to wait for a new generation of CPUs - at least
six months in the future, to get the three problems fixed beyond
mitigations (as partial fixes) as they become available.

Could this understanding be confirmed or refuted?

Thank you in anticipation.


--
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................


Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Colin Watson
On Fri, Mar 02, 2018 at 01:54:50AM +0800, Bret Busby wrote:

> On 19/02/2018, Colin Watson <[hidden email]> wrote:
> > On Mon, Feb 19, 2018 at 08:11:05PM +0800, Turritopsis Dohrnii Teo En Ming
> > wrote:
> >> What are the patches that I can download and install to be protected
> >> against the Meltdown and Spectre security vulnerabilities?
> >
> > https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
> > has details on this.
>
> From the wording on that web page, relating to the updates released on
> 21 February, is it correct that the three problems (S1, S2 and
> Meltdown) are now fixed, and that the threat is now overcome?

As far as the kernel goes, I think that's at least somewhere in the
general area of being correct, but updated microcode is necessary to
defend against Spectre variant 2 attacks without recompiling all of
userspace (which will likely happen over time at least for sensitive
targets, but won't happen quickly).  As that web page says, "No
microcode updates are currently available for AMD or Intel, which means
Spectre v2 is still unmitigated out of the box on Ubuntu on x86 CPUs for
userspace."

These are not simple attacks where one can reasonably and confidently
say that the work is complete, in any case: they're essentially a whole
class of vulnerabilities.  Expect more updates as time goes on, both to
extend the existing mitigations and to improve the performance of what
we have.

> I had the impression that one or more of the three problems required
> new CPU hardware microcode, to fix the problem,

  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline

> and that, apart from keeping the operating system updated, as security
> updates became available, we need to wait for a new generation of
> CPUs - at least six months in the future, to get the three problems
> fixed beyond mitigations (as partial fixes) as they become available.

That seems like a reasonable summary.

--
Colin Watson                                       [[hidden email]]


Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Robert Heller
In reply to this post by Bret Busby-2
At Fri, 2 Mar 2018 01:54:50 +0800 "Ubuntu user technical support,  not for general discussions" <[hidden email]> wrote:

>
> On 19/02/2018, Colin Watson <[hidden email]> wrote:
> > On Mon, Feb 19, 2018 at 08:11:05PM +0800, Turritopsis Dohrnii Teo En Ming
> > wrote:
> >> What are the patches that I can download and install to be protected
> >> against the Meltdown and Spectre security vulnerabilities?
> >
> > https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
> > has details on this.
> >
> > --
> > Colin Watson                                       [[hidden email]]
> >
> > --
> > ubuntu-users mailing list
> > [hidden email]
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
> >
>
> From the wording on that web page, relating to the updates released on
> 21 February, is it correct that the three problems (S1, S2 and
> Meltdown) are now fixed, and that the threat is now overcome?
>
> I had the impression that one or more of the three problems required
> new CPU hardware microcode, to fix the problem, and that, apart from
> keeping the operating system updated, as security updates became
> available, we need to wait for a new generation of CPUs - at least
> six months in the future, to get the three problems fixed beyond
> mitigations (as partial fixes) as they become available.
>
> Could this understanding be confirmed or refuted?

Part of the boot-up sequence is to download microcode to the processors, if
needed.  It is also possible to update the BIOS/EFI code to do that also, in
which case Linux's start-up skips the microcode download (or else it is
redundant).  If the updates included new microcode, then yes your systems are
protected.  You do need to reboot for the new microcode to be downloaded.

>
> Thank you in anticipation.
>
>

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
[hidden email]       -- Webhosting Services
                                                                                                           


Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf-2
In reply to this post by Bret Busby-2
The old KAISER and now the KPTI Linux patch sets, as well as the microcode, aka firmware, do not fix those issues, they "mitigate" the vulnerabilities.



Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf-2
On Thu, 1 Mar 2018 21:23:03 +0100, Ralf Mardorf wrote:
>The old KAISER and now the KPTI Linux patch sets, as well as the
>microcode, aka firmware, do not fix those issues, they "mitigate" the
>vulnerabilities.

I'm running an Ubuntu session right now.

[weremouse@moonstudio ~]$ lsb_release -rc
Release: 16.04
Codename: xenial
[weremouse@moonstudio ~]$ hwinfo --cpu | grep Model | sort -u
  Model: 6.60.3 "Intel(R) Celeron(R) CPU G1840 @ 2.80GHz"
[weremouse@moonstudio ~]$ apt list -qq intel-microcode linux-image-lowlatency
intel-microcode/xenial-updates,xenial-security,now 3.20180108.0+really20170707ubuntu16.04.1 amd64 [installed]
linux-image-lowlatency/xenial-updates,xenial-security,now 4.4.0.116.122 amd64 [installed]
[weremouse@moonstudio ~]$ dmesg | grep microcode | grep -v CPU0
[    0.059749] microcode: CPU1 microcode updated early to revision 0x22, date = 2017-01-27
[    0.686853] microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
[    0.687029] microcode: Microcode Update Driver: v2.01 <[hidden email]>, Peter Oruba
[weremouse@moonstudio ~]$ ls -hAl /sys/devices/system/cpu/vulnerabilities/
total 0
-r--r--r-- 1 root root 4.0K Mar  1 22:09 meltdown
-r--r--r-- 1 root root 4.0K Mar  1 22:09 spectre_v1
-r--r--r-- 1 root root 4.0K Mar  1 22:09 spectre_v2
[weremouse@moonstudio ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: OSB (observable speculation barrier, Intel v6)
Mitigation: Full generic retpoline


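Ralf's two posts above read the kernel's sysfs status files and the dmesg microcode lines by eye. Here is an added example, not code from the thread or from Ubuntu, that wraps those same checks in functions with a meaningful exit status; the path and the "Vulnerable" / "Mitigation: ..." / "Not affected" wording follow the output he quotes, and the sample data at the end is constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: turn the manual checks above
# (cat of the sysfs status files, grep of dmesg for microcode) into functions
# that report a status and a meaningful exit code. Path and status wording
# follow the output quoted in the thread; all sample data below is constructed.

# classify_status STATUS_LINE -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"|"Mitigation:"*) printf 'ok\n' ;;
        "Vulnerable"*)                 printf 'vulnerable\n' ;;
        *)                             printf 'unknown\n' ;;
    esac
}

# check_vulnerabilities [DIR]
# Prints "<name> <class> <raw status>" per file. Exit status: 0 if every
# entry is mitigated or not affected, 1 if any reads Vulnerable, 2 if the
# kernel does not expose the directory at all (pre-patch kernels: the state is
# unknown, which is not the same as safe).
check_vulnerabilities() {
    local dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    local f line cls rc=0
    [ -d "$dir" ] || { printf 'no %s: kernel does not report status\n' "$dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(cat "$f")
        cls=$(classify_status "$line")
        [ "$cls" = vulnerable ] && rc=1
        printf '%-12s %-10s %s\n' "${f##*/}" "$cls" "$line"
    done
    return "$rc"
}

# microcode_summary DMESG_TEXT -> prints "revision=<hex> broken=<yes|no>"
# broken=yes means the kernel matched the loaded microcode against its Spectre
# v2 blacklist and disabled Speculation Control (the line in Ralf's Arch
# dmesg), so spectre_v2 then rests on retpoline alone.
microcode_summary() {
    local rev broken=no
    rev=$(printf '%s\n' "$1" \
        | sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' \
        | head -n 1)
    printf '%s\n' "$1" | grep -q 'broken microcode detected' && broken=yes
    printf 'revision=%s broken=%s\n' "${rev:-unknown}" "$broken"
}

# Constructed sample run, mirroring the nopti case and the Arch dmesg quoted
# in the thread (call check_vulnerabilities with no argument on a live system).
demo() {
    local d; d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    check_vulnerabilities "$d" || echo "exit status $?"
    rm -r "$d"
    microcode_summary '[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control'
}
demo
```

A non-zero exit makes the check usable from a config-management run or a cron job; note that exit 2 (no sysfs directory) means the kernel predates the reporting interface, not that it is safe.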

Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Bret Busby-2
On 02/03/2018, Ralf Mardorf <[hidden email]> wrote:
> On Thu, 1 Mar 2018 21:23:03 +0100, Ralf Mardorf wrote:
>>The old KAISER and now the KPTI Linux patch sets, as well as the
>>microcode, aka firmware, do not fix those issues, they "mitigate" the
>>vulnerabilities.
>
> I'm running an Ubuntu session right now.
>
> [weremouse@moonstudio ~]$ lsb_release -rc
>

Is a weremouse like a wererabbit?


--

Bret Busby
Armadale
West Australia

..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................


Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf-2
On Fri, 2 Mar 2018 05:40:24 +0800, Bret Busby wrote:

>On 02/03/2018, Ralf Mardorf <[hidden email]> wrote:
>> On Thu, 1 Mar 2018 21:23:03 +0100, Ralf Mardorf wrote:  
>>>The old KAISER and now the KPTI Linux patch sets, as well as the
>>>microcode, aka firmware, do not fix those issues, they "mitigate" the
>>>vulnerabilities.  
>>
>> I'm running an Ubuntu session right now.
>>
>> [weremouse@moonstudio ~]$ lsb_release -rc
>>  
>
>Is a weremouse like a wererabbit?

At least wererabbits, as well as weremice, have concerns about the name
change from "qupzilla" to "falkon". What's the developers' intention? A
rodent pogrom? FWIW http://xffm.org/ existed a long time before bloated
DEs introduced opaque lukewarm "GUI CLI combination apps".



Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf-2
On Fri, 2 Mar 2018 21:58:59 +0100, Ralf Mardorf wrote:

>On Fri, 2 Mar 2018 05:40:24 +0800, Bret Busby wrote:
>>On 02/03/2018, Ralf Mardorf <[hidden email]> wrote:  
>>> On Thu, 1 Mar 2018 21:23:03 +0100, Ralf Mardorf wrote:    
>>>>The old KAISER and now the KPTI Linux patch sets, as well as the
>>>>microcode, aka firmware, do not fix those issues, they "mitigate"
>>>>the vulnerabilities.    
>>>
>>> I'm running an Ubuntu session right now.
>>>
>>> [weremouse@moonstudio ~]$ lsb_release -rc
>>>    
>>
>>Is a weremouse like a wererabbit?  
>
>At least wererabbits, as well as weremice, have concerns about the name
>change from "qupzilla" to "falkon". What's the developers' intention? A
>rodent pogrom? FWIW http://xffm.org/ existed a long time before bloated
>DEs introduced opaque lukewarm "GUI CLI combination apps".

PS: "Rabbits, hares, and pikas are sometimes called rodents, because
they also have teeth that keep growing. But in 1912 biologists decided
to put them in a new, separate order, Lagomorpha, because they have two
extra incisors in their upper jaw." -
https://simple.wikipedia.org/wiki/Rodent

Yes, and Pluto isn't a planet. ;).



Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Peter Flynn
On 02/03/18 21:08, Ralf Mardorf wrote:
> On Fri, 2 Mar 2018 21:58:59 +0100, Ralf Mardorf wrote:
[...]
> PS: "Rabbits, hares, and pikas are sometimes called rodents, because
> they also have teeth that keep growing. But in 1912 biologists decided
> to put them in a new, separate order, Lagomorpha,

I thought that was Trump's resort in Florida

> Yes, and Pluto isn't a planet. ;).

Me: 'Tis, 'tis, 'tis, 'tis, and 'tis.
Astronomers: Oh all right.
Me: Spoken like a gentleman, sir.

[Apologies to Monty Python]

///Peter


Re: Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf-2
On Sat, 3 Mar 2018 14:02:12 +0000, Peter Flynn wrote:

>On 02/03/18 21:08, Ralf Mardorf wrote:
>> On Fri, 2 Mar 2018 21:58:59 +0100, Ralf Mardorf wrote:  
>[...]
>> PS: "Rabbits, hares, and pikas are sometimes called rodents, because
>> they also have teeth that keep growing. But in 1912 biologists
>> decided to put them in a new, separate order, Lagomorpha,  
>
>I thought that was Trump's resort in Florida
>
>> Yes, and Pluto isn't a planet. ;).  
>
>Me: 'Tis, 'tis, 'tis, 'tis, and 'tis.
>Astronomers: Oh all right.
>Me: Spoken like a gentleman, sir.
>
>[Apologies to Monty Python]
>
>///Peter

While we're on it, a few minutes ago I read a thread about FreeBSD's
new CoC. It's unintentionally funny:

https://www.freebsd.org/internal/code-of-conduct.html

