Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-27 Thread Vincent Lefevre
On 2018-02-19 14:10:14 +, Brad Rogers wrote:
> If anyone wants to check their (linux) system specifically for the
> current state of spectre+meltdown mitigation on a given machine then
> have a look here:
> 
> https://github.com/speed47/spectre-meltdown-checker
> 
> Really simple instructions are as follows:
> 
> cd [to some directory where you want to keep this]
> 
> wget meltdown.ovh -O spectre-meltdown-checker.sh

This is insecure. You should use the https URL directly, without
the redirection. Or the Debian package.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
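The point above, as an added example (not code from the thread or from the spectre-meltdown-checker project): a POSIX shell routine that fetches the checker only over TLS, refuses to follow a redirect such as the one a shortener like meltdown.ovh performs, and compares the download against a SHA-256 obtained separately before anything is run as root. The raw.githubusercontent.com URL is an assumption about where upstream keeps the script, and the digest placeholder in the usage comment must be replaced with the one published by the project.

```sh
#!/bin/sh
# Added example: fetch a script you intend to run as root without trusting a
# plain-HTTP redirector. Requires https, refuses redirects, and checks a
# SHA-256 that was obtained out of band (e.g. from the project's release page).
# CHECKER_URL is an assumption about where the upstream script lives.
set -u

CHECKER_URL="https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"

# url_is_https URL -> 0 if the URL uses https://, 1 otherwise.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# sha256_of FILE -> hex digest; falls back to shasum where coreutils is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST
#   Downloads URL to DEST only over TLS, with redirects disabled so a
#   redirector cannot silently substitute a different host. Removes DEST
#   on any failure so a bad file is never left around to be executed later.
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"
    if ! url_is_https "$url"; then
        echo "refusing non-https URL: $url" >&2
        return 1
    fi
    if ! wget --https-only --max-redirect=0 -q -O "$dest" "$url"; then
        echo "download failed or redirect encountered: $url" >&2
        rm -f "$dest"
        return 1
    fi
    if ! verify_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $dest" >&2
        rm -f "$dest"
        return 1
    fi
}

# Usage (the digest is a placeholder; substitute the one published upstream):
#   fetch_verified "$CHECKER_URL" "<sha256 from the release page>" ./spectre-meltdown-checker.sh \
#       && sudo sh ./spectre-meltdown-checker.sh
```

`--max-redirect=0` is what makes the shortener case fail closed: a redirect is reported as an error instead of being followed to whatever host the redirector currently points at. The Debian package Vincent mentions sidesteps the fetch entirely, since apt verifies the archive signature.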



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-26 Thread Henrique de Moraes Holschuh
On Mon, 26 Feb 2018, Curt wrote:
> What does 'bugs : cpu_meltdown spectre_v1 spectre_v2' mean
> exactly?

It is supposed to mean your processor has those defects.  It does not
say anything about the mitigation strategy being employed to avoid those
defects.

Obviously, that thing is buggy, since it is listing cpu_meltdown on an
AMD box...  meh.

Hopefully to be corrected by the next round of kernel updates, along
with an updated Intel microcode blacklist, required to use the microcode
updates Intel "un-recalled" :p

> curty@einstein:~$ grep . /sys/devices/system/cpu/vulnerabilities/*
> /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected

At least this one is correct...

> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user
> pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD
> retpoline

And so are those.

> The directly above seems more comforting in its verbose clarity somehow.

Indeed.

-- 
  Henrique Holschuh
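Henrique's distinction, worked as an added example (not code from the thread): a shell script that reads the per-vulnerability files the kernel exposes, classifies each as not-affected, mitigated or vulnerable, and then cross-checks the CPU's `bugs` list from /proc/cpuinfo against them. It takes a directory path so it can also run on a saved copy of /sys; the classification by line prefix is a heuristic of mine, and the cpu_meltdown -> meltdown name mapping is the only rename it assumes. Newer kernels add more files (spec_store_bypass, l1tf, mds and so on) and the same loop covers them.

```sh
#!/bin/sh
# Added example: summarise the kernel's per-vulnerability status files.
# /proc/cpuinfo "bugs" only says which defects the CPU has; the files under
# /sys/devices/system/cpu/vulnerabilities/ say what the running kernel is
# doing about each one. Classification by prefix is a heuristic.
set -u

# classify_status LINE -> prints one of: not-affected, mitigated, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# mitigation_report [DIR]
#   Prints "<name> <class> <kernel text>" per file and returns 1 if any
#   entry is classified vulnerable or unknown, so it can gate a script.
mitigation_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        text=$(head -n 1 "$f")
        class=$(classify_status "$text")
        printf '%-24s %-13s %s\n' "$name" "$class" "$text"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# cpu_bugs [CPUINFO] -> the "bugs" list of the first CPU in /proc/cpuinfo
cpu_bugs() {
    awk -F: '/^bugs/ { sub(/^[ \t]+/, "", $2); print $2; exit }' "${1:-/proc/cpuinfo}"
}

# unmitigated_bugs BUGS_LIST DIR
#   For every bug the CPU reports, look for the matching sysfs file
#   (cpu_meltdown -> meltdown, otherwise same name) and print the bug when
#   the kernel does not claim "Not affected" or a mitigation for it.
unmitigated_bugs() {
    bugs="$1"; dir="$2"
    for b in $bugs; do
        f="$dir/${b#cpu_}"
        if [ ! -f "$f" ]; then
            echo "$b"
            continue
        fi
        case "$(classify_status "$(head -n 1 "$f")")" in
            not-affected|mitigated) ;;
            *) echo "$b" ;;
        esac
    done
}

# Usage on a live system:
#   mitigation_report
#   unmitigated_bugs "$(cpu_bugs)" /sys/devices/system/cpu/vulnerabilities
```

On Curt's AMD box the report would show meltdown as not-affected while `bugs` still lists cpu_meltdown, which is exactly the mismatch Henrique describes: the `bugs` field is the kernel's view of the CPU model, the sysfs files are its view of the running mitigations.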



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-26 Thread Curt
On 2018-02-23, Reco  wrote:

> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
>
> $ uname -r
> 4.9.0-6-amd64
>
> $ grep bug /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
> ...

What does 'bugs : cpu_meltdown spectre_v1 spectre_v2' mean
exactly?

curty@einstein:~$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user
pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD
retpoline

The directly above seems more comforting in its verbose clarity somehow.

> Reco
>
>


-- 
“Be yourself; everyone else is already taken.”
-Oscar Wilde




Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 18:41, Michael Lange  wrote:

> On Fri, 23 Feb 2018 16:27:23 +
> Michael Fothergill  wrote:
>
> >
> > Sure enough, looking at the spectre meltdown checker on the kernel I am
> > using in gentoo
> > shows the
> >
> > retpoline is enabled and that the vulnerability status is "not
> > vulnerable".
> >
> > It's not recent enough a kernel to address the spectre variant 1
> > problem as far as I am aware.
> >
> > Oh well...
>
> Ha! Then it seems like for once debian is one step ahead :))
>

OK.

I installed kernel 4.15.4 in gentoo.

I ran the spectre-checker again and got some odd results:


jt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities on current system
Kernel is Linux 4.15.4-gentoo #1 SMP Fri Feb 23 19:14:21 GMT 2018 x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Mitigation 1
  * Hardware support (CPU microcode)
* Indirect Branch Restricted Speculation (IBRS)
  * SPEC_CTRL MSR is available:  NO
  * CPU indicates IBRS capability:  NO
* Indirect Branch Prediction Barrier (IBPB)
  * PRED_CMD MSR is available:  NO
  * CPU indicates IBPB capability:  NO
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
* IBRS enabled for Kernel space:  NO
* IBRS enabled for User space:  NO
* IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not
vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
djt /home/mikef/spectre-meltdown-checker #


Even though the previous kernel check I think had retpoline enabled and
the STATUS not vulnerable flag set,
here the retpoline enabled says NO and the STATUS flag says not vulnerable.

So now the schizophrenia has migrated to gentoo (stop laughing).

Regards

MF






>
> scnr
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Fascinating, a totally parochial attitude.
> -- Spock, "Metamorphosis", stardate 3219.8
>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Lange
On Fri, 23 Feb 2018 16:27:23 +
Michael Fothergill  wrote:

> 
> Sure enough, looking at the spectre meltdown checker on the kernel I am
> using in gentoo
> shows the
>
> retpoline is enabled and that the vulnerability status is "not
> vulnerable".
>
> It's not recent enough a kernel to address the spectre variant 1
> problem as far as I am aware.
> 
> Oh well...

Ha! Then it seems like for once debian is one step ahead :))

scnr

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Fascinating, a totally parochial attitude.
-- Spock, "Metamorphosis", stardate 3219.8



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Lange
On Fri, 23 Feb 2018 16:40:00 +
Michael Fothergill  wrote:

(...)
> > * Mitigation 2
> >   * Kernel compiled with retpoline option:  YES
> >   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> > reports full retpoline compilation)
> > > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
> >
> 
> That is a bit topsy turvy
> 
> But maybe it's saying that the compilation did work after all.

I cannot see anything topsy-turvy in the output of that command, it
clearly says that the mitigation for "spectre-2" is in place (as well as
the mitigations for "spectre-1" and "meltdown"). So as far as I can see,
since yesterday's updates this whole discussion seems quite obsolete now.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

No more blah, blah, blah!
-- Kirk, "Miri", stardate 2713.6



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 16:28, Michael Lange  wrote:

> Hi,
>
> On Fri, 23 Feb 2018 16:52:12 +0100
> Felipe Salvador  wrote:
>
> (...)
> > > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> > > * Mitigated according to the /sys interface:  YES  (kernel confirms
> > > that the mitigation is active)
> > > * Mitigation 1
> > >   * Kernel is compiled with IBRS/IBPB support:  NO
> > >   * Currently enabled features
> > > * IBRS enabled for Kernel space:  NO
> > > * IBRS enabled for User space:  NO
> > > * IBPB enabled:  NO
> > > * Mitigation 2
> > >   * Kernel compiled with retpoline option:  YES
> > >   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> > > reports full retpoline compilation)
> > >   * Retpoline enabled:  NO
> > ^^
> > I get the same result. I wonder why retpoline is disabled.
>
> I asked myself the same question (same result here). Maybe the answer is
> that it is a bug in the script? With the latest version from github the
> respective part here now looks like:
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
> full retpoline compilation)
> > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
>

That is a bit topsy turvy

But maybe it's saying that the compilation did work after all.

Regards

MF



>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Death.  Destruction.  Disease.  Horror.  That's what war is all about.
> That's what makes it a thing to be avoided.
> -- Kirk, "A Taste of Armageddon", stardate 3193.0
>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 16:14, Michael Fothergill <
michael.fotherg...@gmail.com> wrote:

>
>
> On 23 February 2018 at 14:14, Michael Fothergill <
> michael.fotherg...@gmail.com> wrote:
>
>>
>>
>> On 23 February 2018 at 14:05, mlnl  wrote:
>>
>>> Hi,
>>>
>>> > Can it be true?  A version of gcc that runs on stretch that will
>>> > compile the latest fancy spectre fixes etc?
>>>
>>> with latest vanilla kernel 4.15.4 and updated gcc-6:
>>>
>>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>>> the mitigation is active)
>>> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
>>> bits array_index_mask_nospec())
>>> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
>>>
>>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>>> the mitigation is active)
>>> * Mitigation 1
>>>   * Kernel is compiled with IBRS/IBPB support:  NO
>>>   * Currently enabled features
>>> * IBRS enabled for Kernel space:  NO
>>> * IBRS enabled for User space:  NO
>>> * IBPB enabled:  NO
>>> * Mitigation 2
>>>   * Kernel compiled with retpoline option:  YES
>>>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
>>> reports full retpoline compilation)
>>>   * Retpoline enabled:  NO
>>>
>>
> Wot?  How can retpoline not be enabled but the status is not
> vulnerable..
>

Sure enough, looking at the spectre meltdown checker on the kernel I am
using in gentoo
shows the

retpoline is enabled and that the vulnerability status is "not vulnerable".

It's not recent enough a kernel to address the spectre variant 1 problem
as far as I am aware.

Oh well...

Cheers MF



> djt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.32
>
> Checking for vulnerabilities on current system
> Kernel is Linux 4.14.15-gentoo #1 SMP Tue Jan 30 16:22:47 GMT 2018 x86_64
> CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  NO  (kernel confirms your
> system is vulnerable)
> > STATUS:  VULNERABLE  (Vulnerable)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Hardware support (CPU microcode)
> * Indirect Branch Restricted Speculation (IBRS)
>   * SPEC_CTRL MSR is available:  NO
>   * CPU indicates IBRS capability:  NO
> * Indirect Branch Prediction Barrier (IBPB)
>   * PRED_CMD MSR is available:  NO
>   * CPU indicates IBPB capability:  NO
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
> full retpoline compilation)
>   * Retpoline enabled:  YES
> > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> your CPU is unaffected)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  NO
> * Running under Xen PV (64 bits):  NO
> > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not
> vulnerable)
>
> A false sense of security is worse than no security at all, see
> --disclaimer
> djt /home/mikef/spectre-meltdown-checker #
>
>
>
>
>
>> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>>>
>>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>>> the mitigation is active)
>>> * Kernel supports Page Table Isolation (PTI):  YES
>>> * PTI enabled and active:  YES
>>> * Running as a Xen PV DomU:  NO
>>> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>>>
>>
>> Absolutely whale harpooned it
>>
>> Great stuff.
>>
>> Cheers
>>
>> MF
>>
>>
>>>
>>> grep bugs /proc/cpuinfo
>>> bugs: cpu_meltdown spectre_v1 spectre_v2
>>> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>>>
>>>
>>>
>>> stepping: 3
>>>
>>>
>>>
>>> microcode   : 0x22
>>>
>>> --
>>> mlnl
>>>
>>>
>>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Lange
Hi,

On Fri, 23 Feb 2018 16:52:12 +0100
Felipe Salvador  wrote:

(...)
> > CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> > * Mitigated according to the /sys interface:  YES  (kernel confirms
> > that the mitigation is active)
> > * Mitigation 1
> >   * Kernel is compiled with IBRS/IBPB support:  NO
> >   * Currently enabled features
> > * IBRS enabled for Kernel space:  NO
> > * IBRS enabled for User space:  NO
> > * IBPB enabled:  NO
> > * Mitigation 2
> >   * Kernel compiled with retpoline option:  YES
> >   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> > reports full retpoline compilation)
> >   * Retpoline enabled:  NO
> ^^
> I get the same result. I wonder why retpoline is disabled.

I asked myself the same question (same result here). Maybe the answer is
that it is a bug in the script? With the latest version from github the
respective part here now looks like:

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the 
mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
* IBRS enabled for Kernel space:  NO 
* IBRS enabled for User space:  NO 
* IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full 
retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Death.  Destruction.  Disease.  Horror.  That's what war is all about.
That's what makes it a thing to be avoided.
-- Kirk, "A Taste of Armageddon", stardate 3193.0



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:14, Michael Fothergill <
michael.fotherg...@gmail.com> wrote:

>
>
> On 23 February 2018 at 14:05, mlnl  wrote:
>
>> Hi,
>>
>> > Can it be true?  A version of gcc that runs on stretch that will
>> > compile the latest fancy spectre fixes etc?
>>
>> with latest vanilla kernel 4.15.4 and updated gcc-6:
>>
>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> the mitigation is active)
>> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
>> bits array_index_mask_nospec())
>> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
>>
>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> the mitigation is active)
>> * Mitigation 1
>>   * Kernel is compiled with IBRS/IBPB support:  NO
>>   * Currently enabled features
>> * IBRS enabled for Kernel space:  NO
>> * IBRS enabled for User space:  NO
>> * IBPB enabled:  NO
>> * Mitigation 2
>>   * Kernel compiled with retpoline option:  YES
>>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
>> reports full retpoline compilation)
>>   * Retpoline enabled:  NO
>>
>
Wot?  How can retpoline not be enabled but the status is not
vulnerable..




> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>>
>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> the mitigation is active)
>> * Kernel supports Page Table Isolation (PTI):  YES
>> * PTI enabled and active:  YES
>> * Running as a Xen PV DomU:  NO
>> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>>
>
> Absolutely whale harpooned it
>
> Great stuff.
>
> Cheers
>
> MF
>
>
>>
>> grep bugs /proc/cpuinfo
>> bugs: cpu_meltdown spectre_v1 spectre_v2
>> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>>
>>
>>
>> stepping: 3
>>
>>
>>
>> microcode   : 0x22
>>
>> --
>> mlnl
>>
>>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Felipe Salvador
On Fri, Feb 23, 2018 at 03:05:18PM +0100, mlnl wrote:
> Hi,
> 
> > Can it be true?  A version of gcc that runs on stretch that will
> > compile the latest fancy spectre fixes etc?
> 
> with latest vanilla kernel 4.15.4 and updated gcc-6:
> 
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
> bits array_index_mask_nospec())
> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> reports full retpoline compilation)
>   * Retpoline enabled:  NO
  ^^
I get the same result. I wonder why retpoline is disabled.

> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
> 
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> * Running as a Xen PV DomU:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
> 
> grep bugs /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
> 
> 
> 
> stepping: 3
> 
> 
> 
> microcode   : 0x22
> 
> -- 
> mlnl

-- 
Felipe Salvador



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:05, mlnl  wrote:

> Hi,
>
> > Can it be true?  A version of gcc that runs on stretch that will
> > compile the latest fancy spectre fixes etc?
>
> with latest vanilla kernel 4.15.4 and updated gcc-6:
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
> bits array_index_mask_nospec())
> > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO
> * IBRS enabled for User space:  NO
> * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
> reports full retpoline compilation)
>   * Retpoline enabled:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES  (kernel confirms that
> the mitigation is active)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> * Running as a Xen PV DomU:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>
Absolutely whale harpooned it

Great stuff.

Cheers

MF

>
> grep bugs /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
> model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>
>
>
> stepping: 3
>
>
>
> microcode   : 0x22
>
> --
> mlnl
>
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 14:08, Reco  wrote:

> Hi.
>
> On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote:
> > On 23 February 2018 at 13:42, Reco  wrote:
> >
> > > Hi.
> > >
> > > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > > > On 23 February 2018 at 12:43, Reco  wrote:
> > > >
> > > > > Hi.
> > > > >
> > > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Do you have any clue on when the gcc fix for stretch is to be
> > > released ?
> > > > > >
> > > > > > Actually the retpoline-compliant kernel is ready, and gcc fixes
> for
> > > > > stretch
> > > > > > seem to have already been implemented. So I dunno what is still
> > > blocking
> > > > > > the release. :'(
> > > > >
> > > > > https://www.debian.org/security/2018/dsa-4120
> > > >
> > > >
> > > > Can it be true?  A version of gcc that runs on stretch that will
> compile
> > > > the latest fancy spectre fixes etc?
> > > >
> > > > Cheers
> > >
> > > So it seems. New kernel came today with the usual 'apt update && apt
> > > upgrade' routine:
> > >
> > > $ uname -r
> > > 4.9.0-6-amd64
> > >
> > > $ grep bug /proc/cpuinfo
> > > bugs: cpu_meltdown spectre_v1 spectre_v2
> > >
> >
> > ​Could you install this kernel in stretch at present or only in buster?
>
> I *only* use Debian stable, so yes, it's definitely possible to install
> this kernel in stretch. This particular package is provided by
> security.debian.org, so the entire world is installing it on Debian stable
> as I'm writing this.
>

Excellent news. Stellar stuff.

Cheers

MF


>
> Theoretically, of course, it should be possible to install this kernel
> in testing (buster) and even get a bootable system.
>
> Reco
>
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 01:47:25PM +, Michael Fothergill wrote:
> On 23 February 2018 at 13:42, Reco  wrote:
> 
> > Hi.
> >
> > On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > > On 23 February 2018 at 12:43, Reco  wrote:
> > >
> > > > Hi.
> > > >
> > > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > > Hi,
> > > > >
> > > > > Do you have any clue on when the gcc fix for stretch is to be
> > released ?
> > > > >
> > > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> > > > stretch
> > > > > seem to have already been implemented. So I dunno what is still
> > blocking
> > > > > the release. :'(
> > > >
> > > > https://www.debian.org/security/2018/dsa-4120
> > >
> > >
> > > Can it be true?  A version of gcc that runs on stretch that will compile
> > > the latest fancy spectre fixes etc?
> > >
> > > Cheers
> >
> > So it seems. New kernel came today with the usual 'apt update && apt
> > upgrade' routine:
> >
> > $ uname -r
> > 4.9.0-6-amd64
> >
> > $ grep bug /proc/cpuinfo
> > bugs: cpu_meltdown spectre_v1 spectre_v2
> >
> 
> ​Could you install this kernel in stretch at present or only in buster?

I *only* use Debian stable, so yes, it's definitely possible to install
this kernel in stretch. This particular package is provided by
security.debian.org, so the entire world is installing it on Debian stable
as I'm writing this.

Theoretically, of course, it should be possible to install this kernel
in testing (buster) and even get a bootable system.

Reco



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread mlnl
Hi,

> Can it be true?  A version of gcc that runs on stretch that will
> compile the latest fancy spectre fixes etc?

with latest vanilla kernel 4.15.4 and updated gcc-6:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64
bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
* IBRS enabled for Kernel space:  NO
* IBRS enabled for User space:  NO
* IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel
reports full retpoline compilation)
  * Retpoline enabled:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

grep bugs /proc/cpuinfo
bugs: cpu_meltdown spectre_v1 spectre_v2
model name  : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz



stepping: 3



microcode   : 0x22

-- 
mlnl



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 13:42, Reco  wrote:

> Hi.
>
> On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> > On 23 February 2018 at 12:43, Reco  wrote:
> >
> > > Hi.
> > >
> > > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > > Hi,
> > > >
> > > > Do you have any clue on when the gcc fix for stretch is to be
> released ?
> > > >
> > > > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> > > stretch
> > > > seem to have already been implemented. So I dunno what is still
> blocking
> > > > the release. :'(
> > >
> > > https://www.debian.org/security/2018/dsa-4120
> >
> >
> > Can it be true?  A version of gcc that runs on stretch that will compile
> > the latest fancy spectre fixes etc?
> >
> > Cheers
>
> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
>
> $ uname -r
> 4.9.0-6-amd64
>
> $ grep bug /proc/cpuinfo
> bugs: cpu_meltdown spectre_v1 spectre_v2
>

Could you install this kernel in stretch at present or only in buster?

Regards

MF


> ...
>
> Reco
>
>


apt vs apt-get (was: Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?)

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 08:54:31AM -0500, Greg Wooledge wrote:
> On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote:
> > So it seems. New kernel came today with the usual 'apt update && apt
> > upgrade' routine:
> > 
> > $ uname -r
> > 4.9.0-6-amd64
> 
> You mean "apt (or apt-get) dist-upgrade", right?

That works too.


> /me tries it on a different computer that hasn't dist-upgraded yet...
> Wait, wait, wait... what?  WHAT?!
> "apt upgrade" and "apt-get upgrade" DON'T DO THE SAME THING ?!?

apt(8) has this to say on this:

   upgrade (apt-get(8))
   upgrade is used to install available upgrades of all packages
currently installed on the system from the sources configured via
sources.list(5). New packages will be installed if required to satisfy
dependencies, but existing packages will never be removed.

So yes, "apt-get upgrade" and "apt upgrade" are different, that's
intended, and once again the Debian project chose sane default behavior.

In this particular case, "linux-image-4.9.0-6-amd64" was pulled as a
dependency of "linux-image-amd64", and old "linux-image-4.9.0-5-amd64"
was not removed. Neat, isn't it?

Reco



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Greg Wooledge
On Fri, Feb 23, 2018 at 04:42:01PM +0300, Reco wrote:
> So it seems. New kernel came today with the usual 'apt update && apt
> upgrade' routine:
> 
> $ uname -r
> 4.9.0-6-amd64

You mean "apt (or apt-get) dist-upgrade", right?

/me tries it on a different computer that hasn't dist-upgraded yet...

Wait, wait, wait... what?  WHAT?!

"apt upgrade" and "apt-get upgrade" DON'T DO THE SAME THING ?!?

What the hell, Debian?



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi.

On Fri, Feb 23, 2018 at 01:14:16PM +, Michael Fothergill wrote:
> On 23 February 2018 at 12:43, Reco  wrote:
> 
> > Hi.
> >
> > On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > > Hi,
> > >
> > > Do you have any clue on when the gcc fix for stretch is to be released ?
> > >
> > > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> > stretch
> > > seem to have already been implemented. So I dunno what is still blocking
> > > the release. :'(
> >
> > https://www.debian.org/security/2018/dsa-4120
> 
> 
> Can it be true?  A version of gcc that runs on stretch that will compile
> the latest fancy spectre fixes etc?
>
> Cheers

So it seems. New kernel came today with the usual 'apt update && apt
upgrade' routine:

$ uname -r
4.9.0-6-amd64

$ grep bug /proc/cpuinfo
bugs: cpu_meltdown spectre_v1 spectre_v2
...

Reco



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Michael Fothergill
On 23 February 2018 at 12:43, Reco  wrote:

> Hi.
>
> On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> > Hi,
> >
> > Do you have any clue on when the gcc fix for stretch is to be released ?
> >
> > Actually the retpoline-compliant kernel is ready, and gcc fixes for
> stretch
> > seem to have already been implemented. So I dunno what is still blocking
> > the release. :'(
>
> https://www.debian.org/security/2018/dsa-4120


Can it be true?  A version of gcc that runs on stretch that will compile
the latest fancy spectre fixes etc?

Cheers

MF



>
>
> Reco
>
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-23 Thread Reco
Hi.

On Wed, Feb 21, 2018 at 06:46:05PM +0100, Julien Aubin wrote:
> Hi,
> 
> Do you have any clue on when the gcc fix for stretch is to be released ?
> 
> Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
> seem to have already been implemented. So I dunno what is still blocking
> the release. :'(

https://www.debian.org/security/2018/dsa-4120

Reco



Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-21 Thread Michael Fothergill
On 21 February 2018 at 17:46, Julien Aubin  wrote:

> Hi,
>
> Do you have any clue on when the gcc fix for stretch is to be released ?
>
> Actually the retpoline-compliant kernel is ready, and gcc fixes for
> stretch seem to have already been implemented. So I dunno what is still
> blocking the release. :'(
>

Ooooh! Tantalizing stuff

The solution is to collectively burst into song; singing e.g. the Climb
Every Mountain song from the sound of music
and "To Dream the Impossible Dream" etc. and then suggest we are going to
post it on the site here in some way.

Then we relent and say we are happy to forget all about that idea if the
fixes are released soon etc

That would persuade me.

Cheers

MF


>
> Thanks a lot.
>


Re: Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-21 Thread Julien Aubin
Hi,

Do you have any clue on when the gcc fix for stretch is to be released ?

Actually the retpoline-compliant kernel is ready, and gcc fixes for stretch
seem to have already been implemented. So I dunno what is still blocking
the release. :'(

Thanks a lot.


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Andy Smith
Hi Stephen,

On Tue, Feb 20, 2018 at 10:09:52AM +0100, Stephan Seitz wrote:
> On Di, Feb 20, 2018 at 05:09:12 +, Andy Smith wrote:
> >CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> >yet, not even in Linux upstream.
> 
> Are you sure?

[…]

> >STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
> 
> Kernel is Linux 4.15.4 #1 SMP Sat Feb 17 23:19:56 CET 2018 x86_64, compiled
> myself with gcc 7.3 from testing.

Ah, I think you might be right that the known exploit for Spectre v1
is fixed now.

The commit message¹ speaks of infrastructure for future mitigations,
I think because further exploits are expected to be thought up for
this, but when they do I imagine they will have their own CVE
numbers (and names :)).

Cheers,
Andy

¹ https://lkml.org/lkml/2018/1/20/152

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Fothergill
On 20 February 2018 at 10:01, Michael Lange  wrote:

> Hi,
>
> On Tue, 20 Feb 2018 08:05:19 +
> Michael Fothergill  wrote:
>
> > For me at any rate if the new version of gcc 4.9 makes it easier for a
> > new user to get access to that portion of Spectre vulnerability jointly
> > with the availability of Meltdown as is, then as I said I would be
> > very pleased.  and if a third person comes on the site asking about
> > this problem then we could encourage them to try it.
>
> As I understood from what you wrote earlier you are using Buster, so why
> not just stick with its default gcc-7 which from what
> https://packages.debian.org/search?keywords=gcc-7&searchon=names&suite=testing&section=all
> says has been updated to 7.3.0 which was iirc what you were waiting for.
>

I am not worried about what I would need personally to compile a kernel to
use in Debian.
I am currently using sid so there is no problem for me using e.g. gcc 7.3
etc.

And installing new kernels in gentoo that I run is easy.

What interests me more here are the options for a new user.

Greg's latest post suggests the new gcc 4.9 only works in oldstable ie
jessie not stretch.

So perhaps I have to revise my thinking on this once again.

Cheers

MF


>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> Deflector shields just came on, Captain.
>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Greg Wooledge
On Tue, Feb 20, 2018 at 04:52:45AM +, Andy Smith wrote:
> Versions of gcc that have the retpoline feature backported into them
> have already hit stable and oldstable (and maybe others; haven't
> checked),

Just oldstable, actually.  Not stable yet.

 is for oldstable only.



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Lange
Hi,

On Tue, 20 Feb 2018 08:05:19 +
Michael Fothergill  wrote:

> For me at any rate if the new version of gcc 4.9 makes it easier for a
> new user to get access to that portion of Spectre vulnerability jointly
> with the availability of Meltdown as is, then as I said I would be
> very pleased.  and if a third person comes on the site asking about
> this problem then we could encourage them to try it.

As I understood from what you wrote earlier you are using Buster, so why
not just stick with its default gcc-7 which from what
https://packages.debian.org/search?keywords=gcc-7&searchon=names&suite=testing&section=all
says has been updated to 7.3.0 which was iirc what you were waiting for.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Deflector shields just came on, Captain.



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Stephan Seitz

On Di, Feb 20, 2018 at 05:09:12 +, Andy Smith wrote:
> CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> yet, not even in Linux upstream.

Are you sure?

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Checking count of LFENCE instructions following a jump in kernel:  NO  (only 3 jump-then-lfence instructions found, should be >= 30 (heuristic))

STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)


Kernel is Linux 4.15.4 #1 SMP Sat Feb 17 23:19:56 CET 2018 x86_64, 
compiled myself with gcc 7.3 from testing.


According to spectre-meltdown-checker all three vulnerabilities are 
mitigated.


Shade and sweet water!

Stephan

--
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |
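Added example (my own POSIX shell, not code from this thread or from the spectre-meltdown-checker project) that joins the two kernel interfaces quoted in this thread: the "bugs" line of /proc/cpuinfo that Reco posted, which only lists the defects the CPU has, and the per-issue files under /sys/devices/system/cpu/vulnerabilities/ that the checker's "Mitigated according to the /sys interface" line reads, which say whether the running kernel actually mitigates each one. The status strings "Not affected", "Mitigation: PTI" and "Mitigation: Full generic retpoline" are the kernel's own; the cpu_meltdown-to-meltdown file-name mapping, the report layout and the function names are this example's assumptions, and the sample cpuinfo and sysfs files are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from spectre-meltdown-checker):
# combine the two kernel interfaces quoted above.
#   /proc/cpuinfo "bugs" line -> which defects the CPU has
#   /sys/devices/system/cpu/vulnerabilities/<name> -> whether the running
#                                                     kernel mitigates each
# Both paths are passed as arguments so the functions can be run on the
# constructed sample files below as well as on the live system.

# cpu_bugs CPUINFO -> space-separated bug list from the first "bugs" line
cpu_bugs() {
    sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

# vuln_status VULNDIR NAME -> the kernel's status string for NAME, or a
# marker when the kernel predates the sysfs interface for that issue
vuln_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "Unknown (no sysfs entry)"
    fi
}

# is_mitigated VULNDIR NAME -> 0 if the kernel reports a mitigation or
# says the CPU is not affected; anything else (Vulnerable, Unknown) -> 1
is_mitigated() {
    case "$(vuln_status "$1" "$2")" in
        "Not affected"|Mitigation:*) return 0 ;;
        *) return 1 ;;
    esac
}

# sysfs_name BUG -> sysfs file name for a cpuinfo bug name (assumed mapping:
# cpu_meltdown is exposed as "meltdown", the others keep their name)
sysfs_name() {
    case "$1" in
        cpu_meltdown) echo meltdown ;;
        *) echo "$1" ;;
    esac
}

# report CPUINFO VULNDIR -> one line per CPU bug: OK or RISK plus the status
report() {
    bugs=$(cpu_bugs "$1")
    if [ -z "$bugs" ]; then
        echo "no bugs line in $1: kernel too old to report CPU defects" >&2
        return 2
    fi
    for bug in $bugs; do
        name=$(sysfs_name "$bug")
        if is_mitigated "$2" "$name"; then
            printf '%-14s OK    %s\n' "$bug" "$(vuln_status "$2" "$name")"
        else
            printf '%-14s RISK  %s\n' "$bug" "$(vuln_status "$2" "$name")"
        fi
    done
}

# count_unmitigated CPUINFO VULNDIR -> number of CPU bugs without a mitigation
count_unmitigated() {
    report "$1" "$2" | grep -c ' RISK '
}

# make_sample -> directory of constructed files (not from a real machine):
# a CPU with all three defects, a kernel that mitigates Meltdown and
# Spectre v2 but exposes no entry for Spectre v1
make_sample() {
    dir=$(mktemp -d)
    printf 'processor\t: 0\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n' > "$dir/cpuinfo"
    mkdir -p "$dir/vuln"
    echo 'Mitigation: PTI' > "$dir/vuln/meltdown"
    echo 'Mitigation: Full generic retpoline' > "$dir/vuln/spectre_v2"
    echo "$dir"
}

sample=$(make_sample)
report "$sample/cpuinfo" "$sample/vuln"
# live system: report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
```

On a live machine call report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities. A defect the CPU has but for which the kernel exposes no sysfs entry is reported as RISK rather than silently skipped, which is the case a sysfs-only check misses on a kernel that predates the interface.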




Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Michael Fothergill
On 20 February 2018 at 05:09, Andy Smith  wrote:

> Hello,
>
> On Mon, Feb 19, 2018 at 09:03:20PM +, Michael Fothergill wrote:
> > On 19 February 2018 at 19:10, Michael Lange 
> wrote:
> > > no, I meant to say that you were looking at the wrong place if you
> wanted
> > > to see if the "spectre-2" fix has arrived in debian, for this one you
> > > will have to look here:
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2017-5715
> >
> > No, we were not looking for it.  I think a joint fix for meltdown and
> > spectre 1 would fit the bill at present .
>
> They are different bugs with different fixes. No one is even certain
> HOW to fix Spectre variant 1 yet, or if it can be without entirely
> new CPUs. Things have only got as far as kicking around ideas on how
> to make exploiting it harder.
>
> Your suggestion makes about as much sense as lumping every single
> buffer overflow bug into one CVE and then saying almost all software
> ever made is vulnerable, until there is one patch that fixes
> everything at once.
>

I think I just got Spectre 1 and 2 mixed up in the discussion.  I did not
think the Spectre fix worked for the entirety of the Spectre vulnerability.

I also read in quite a few places that fixing all of it was an open ended
problem.


>
> Your comments along the lines of "I thought it was fixed…", as
> Michael Lange pointed out, were about Spectre variant 2 but you are
> looking at the security tracker page for Spectre variant 1.
> CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
> yet, not even in Linux upstream.
>
> Spectre v2, which you are talking about, is CVE-2017-5715, again as
> Michael Lange just pointed out to you. As you can see from the link
> that Michael gave you, Spectre v2 is fixed in the kernel package in
> sid. Read it again:
>
> 
>
> That's the retpoline stuff you're talking about.
>

For me at any rate if the new version of gcc 4.9 makes it easier for a
new user to get access to that portion of Spectre vulnerability jointly
with the availability of Meltdown as is, then as I said I would be
very pleased.  and if a third person comes on the site asking about
this problem then we could encourage them to try it.

Cheers

MF




> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Andy Smith
Hello,

On Mon, Feb 19, 2018 at 09:03:20PM +, Michael Fothergill wrote:
> On 19 February 2018 at 19:10, Michael Lange  wrote:
> > no, I meant to say that you were looking at the wrong place if you wanted
> > to see if the "spectre-2" fix has arrived in debian, for this one you
> > will have to look here:
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-5715
> 
> No, we were not looking for it.  I think a joint fix for meltdown and
> spectre 1 would fit the bill at present .

They are different bugs with different fixes. No one is even certain
HOW to fix Spectre variant 1 yet, or if it can be without entirely
new CPUs. Things have only got as far as kicking around ideas on how
to make exploiting it harder.

Your suggestion makes about as much sense as lumping every single
buffer overflow bug into one CVE and then saying almost all software
ever made is vulnerable, until there is one patch that fixes
everything at once.

Your comments along the lines of "I thought it was fixed…", as
Michael Lange pointed out, were about Spectre variant 2 but you are
looking at the security tracker page for Spectre variant 1.
CVE-2017-5753 is Spectre v1. There is no fix for Spectre v1 anywhere
yet, not even in Linux upstream.

Spectre v2, which you are talking about, is CVE-2017-5715, again as
Michael Lange just pointed out to you. As you can see from the link
that Michael gave you, Spectre v2 is fixed in the kernel package in
sid. Read it again:



That's the retpoline stuff you're talking about.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Andy Smith
Hello,

> On 19 February 2018 at 13:13, Turritopsis Dohrnii Teo En Ming <
> tdteoenm...@gmail.com> wrote:
> 
> > What are the patches that I can download and install to be protected
> > against the Meltdown and Spectre security vulnerabilities?

The linux-kernel-* packages in Debian stable already have the KPTI
feature which protects you against Meltdown.

For variant 2 of Spectre you need a kernel with the so-called
retpoline feature that was also compiled with a compiler that
supports that feature. At the moment I think that the only packaged
kernel which has this (has feature and is compiled with new enough
gcc) is the one in unstable:



Versions of gcc that have the retpoline feature backported into them
have already hit stable and oldstable (and maybe others; haven't
checked), so another alternative would be to compile your own
upstream kernel package using that gcc. Since Debian stable uses the
4.9.x long term stable kernel releases, you could use the latest
upstream of those. Anything past 4.9.77 has the retpoline feature.

Or just wait a bit longer for a kernel package that is compiled with
a newer gcc to arrive as a stable security update. This is probably
the most reasonable approach for the average user of Debian.

Patches for variant 1 of Spectre are still in development in the
upstream kernel, and in other software. You will also need updated
CPU microcode and possibly a new BIOS.

It is likely that there will be further exploit techniques
discovered in this general area, that will require different fixes.

There are some other considerations if your machine is not running
on bare metal. In that case you should check with your
virtualisation provider about that.

On Mon, Feb 19, 2018 at 01:23:25PM +, Michael Fothergill wrote:
> Checkout the debian backports suite (kindly resourcefully suggested by
> Andy Smith)

Please note that I provided these details to Michael Fothergill as
part of Michael's general query about how a user could obtain a
newer kernel package, not as an answer to how to obtain a kernel
that was secured against any particular thing.

Backports is not the correct answer for security purposes. Security
support in the backports suite is done by the package uploaders and
not the security team. Although, updates for the kernel packages do
tend to arrive pretty quickly so I personally would not feel too bad
about short term use of a backports kernel.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
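
Added example (my own POSIX shell, not code from this thread, from Debian or from the kernel build) for the "compile your own 4.9.x kernel with a retpoline-capable gcc" route Andy describes. It answers the two questions that route raises: whether a 4.9-series source tree is at or past 4.9.77, the threshold given above, and whether the compiler at hand accepts GCC's x86 retpoline options -mindirect-branch=thunk-extern -mindirect-branch-register, which is the cc-option probe the kernel's x86 Makefile performs. Debian's uname -r gives the ABI name (4.9.0-6-amd64 in Reco's post), not the upstream point release, so the upstream number is read from the "Debian x.y.z-n" field of /proc/version; that layout, the sample /proc/version line (its point release is made up) and all function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or the kernel build): checks
# for the "build your own retpoline kernel" route described above.
#   version_ge / upstream_version / has_49_retpoline -> is this 4.9-series
#       source tree at or past 4.9.77, the threshold given in the thread?
#   cc_has_retpoline -> does the compiler accept GCC's x86 retpoline
#       options, as the kernel's own cc-option probe requires?

# version_ge A B -> 0 if dotted version A >= B.  Trailing non-numeric
# suffixes such as "-6-amd64" are ignored; missing fields count as 0.
version_ge() {
    a="$(printf '%s\n' "$1" | sed 's/[^0-9.].*//').0.0.0"
    b="$(printf '%s\n' "$2" | sed 's/[^0-9.].*//').0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# upstream_version PROC_VERSION_LINE -> upstream point release of a Debian
# kernel, taken from the "Debian x.y.z-n" field after the build number
# (assumed layout); other kernels fall back to the leading version number
upstream_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*#[0-9][0-9]* .*Debian \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/^Linux version \([0-9][0-9.]*\).*/\1/p')
    printf '%s\n' "$v"
}

# has_49_retpoline VERSION -> 0 only for a 4.9-series version at or past
# 4.9.77; other series have their own thresholds this check does not know
has_49_retpoline() {
    case "$1" in
        4.9|4.9.*) version_ge "$1" 4.9.77 ;;
        *) return 1 ;;
    esac
}

# cc_has_retpoline [CC] -> 0 if CC compiles with the retpoline options,
# 1 if it rejects them (no backport, or not an x86 GCC), 2 if CC is absent
cc_has_retpoline() {
    cc=${1:-gcc}
    command -v "$cc" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d)
    printf 'int f(void) { return 0; }\n' > "$tmp/probe.c"
    if "$cc" -Werror -mindirect-branch=thunk-extern -mindirect-branch-register \
            -c "$tmp/probe.c" -o "$tmp/probe.o" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed /proc/version line in Debian's layout; the ABI name matches
# Reco's post, the point release 4.9.82 is made up for the example.
SAMPLE_PROC_VERSION='Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)'

v=$(upstream_version "$SAMPLE_PROC_VERSION")
if has_49_retpoline "$v"; then
    echo "sample kernel $v: at or past 4.9.77"
else
    echo "sample kernel $v: before 4.9.77"
fi
rc=0; cc_has_retpoline gcc || rc=$?
case "$rc" in
    0) echo "gcc: accepts retpoline options" ;;
    1) echo "gcc: rejects retpoline options (no backport, or not x86)" ;;
    *) echo "gcc: not installed" ;;
esac
# live system: upstream_version "$(cat /proc/version)"
```

The version check is deliberately limited to the 4.9 series because that is the only threshold this thread states; a compiler that fails cc_has_retpoline will still build a kernel, but the resulting spectre_v2 status will not report a retpoline mitigation.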



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Gene Heskett
On Monday 19 February 2018 15:43:16 Greg Wooledge wrote:

> On Mon, Feb 19, 2018 at 03:27:36PM -0500, Gene Heskett wrote:
> > On Monday 19 February 2018 13:31:46 Michael Lange wrote:
> > > apt-get install spectre-meltdown-checker
> >
> > not available for stretch on arm64, why?
>
> Because this package did not exist at the time stretch was frozen.
> Nor even at the time stretch was released.

Humph!

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
On Mon, 19 Feb 2018 15:43:16 -0500
Greg Wooledge  wrote:

> On Mon, Feb 19, 2018 at 03:27:36PM -0500, Gene Heskett wrote:
> > On Monday 19 February 2018 13:31:46 Michael Lange wrote:
> > > apt-get install spectre-meltdown-checker
> > not available for stretch on arm64, why?
> 
> Because this package did not exist at the time stretch was frozen.
> Nor even at the time stretch was released.
> 
> 

Yes, with Stretch you need the backports.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

You!  What PLANET is this!
-- McCoy, "The City on the Edge of Forever", stardate
3134.0



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 19:10, Michael Lange  wrote:

> Hi,
>
> On Mon, 19 Feb 2018 18:46:15 +
> Michael Fothergill  wrote:
>
> > Are you saying that this link:
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-5753
> >
> > ​which looks like it should be going to a spectre 1 fix is actually a
> > discussion and tables etc
> > of the spectre 2 fixes that are in the pipeline ie it is incorrectly
> > labelled?
>
> no, I meant to say that you were looking at the wrong place if you wanted
> to see if the "spectre-2" fix has arrived in debian, for this one you
> will have to look here:
>
> https://security-tracker.debian.org/tracker/CVE-2017-5715


No, we were not looking for it.  I think a joint fix for meltdown and
spectre 1 would fit the bill at present .

I think this gcc 4.9 thing is an excellent development for this objective
and I salute it enthusiastically.

Regards

Michael


>
>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> We'll pivot at warp 2 and bring all tubes to bear, Mr. Sulu!
>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Greg Wooledge
On Mon, Feb 19, 2018 at 03:27:36PM -0500, Gene Heskett wrote:
> On Monday 19 February 2018 13:31:46 Michael Lange wrote:
> > apt-get install spectre-meltdown-checker
> not available for stretch on arm64, why?

Because this package did not exist at the time stretch was frozen.
Nor even at the time stretch was released.



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Gene Heskett
On Monday 19 February 2018 13:31:46 Michael Lange wrote:

> Hi,
>
> On Mon, 19 Feb 2018 14:10:14 +
> Brad Rogers  wrote:
>
> (...)
>
> > If anyone wants to check their (linux) system specifically for the
> > current state of spectre+meltdown mitigation on a given machine then
> > have a look here:
> >
> > https://github.com/speed47/spectre-meltdown-checker
> >
> > Really simple instructions are as follows:
>
> (...)
>
> With debian it is even simpler:
>
> apt-get install spectre-meltdown-checker
not available for stretch on arm64, why?

> sudo spectre-meltdown-checker
>
> Regards
>
> Michael
>
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. .
> .-.
>
> The sight of death frightens them [Earthers].
>   -- Kras the Klingon, "Friday's Child", stardate 3497.2



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
Hi,

On Mon, 19 Feb 2018 18:46:15 +
Michael Fothergill  wrote:

> Are you saying that this link:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-5753
> 
> ​which looks like it should be going to a spectre 1 fix is actually a
> discussion and tables etc
> of the spectre 2 fixes that are in the pipeline ie it is incorrectly
> labelled?

no, I meant to say that you were looking at the wrong place if you wanted
to see if the "spectre-2" fix has arrived in debian, for this one you
will have to look here:

https://security-tracker.debian.org/tracker/CVE-2017-5715

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

We'll pivot at warp 2 and bring all tubes to bear, Mr. Sulu!



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Brad Rogers
On Mon, 19 Feb 2018 19:31:46 +0100
Michael Lange  wrote:

Hello Michael,

>With debian it is even simpler:
>apt-get install spectre-meltdown-checker
>sudo spectre-meltdown-checker

I hadn't realised it was in the repos.

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
Hey there, Mr Average, you don't exist, you never did
Persons Unknown - Poison Girls




Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 18:24, Michael Lange  wrote:

> Hi,
>
> On Mon, 19 Feb 2018 16:40:19 +
> Michael Fothergill  wrote:
>
> > On 19 February 2018 at 14:10, Greg Wooledge  wrote:
> >
> > > On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En
> > > Ming wrote:
> > > > What are the patches that I can download and install to be protected
> > > > against the Meltdown and Spectre security vulnerabilities?
> > >
> > > Meltdown patch went out a month ago.
> > >
> > > Spectre, see here:
> > > https://security-tracker.debian.org/tracker/CVE-2017-5753
> >
> >
> > Please excuse my extreme ignorance here, but there is something
> > puzzling me a bit in the spectre web page..
> >
> > For the sid entry, the table says the following:
> >
> > Source Package    Release    Version     Status
> >                   sid        4.15.4-1    vulnerable
> >
> > I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if
> > you compiled it with gcc 7.3 then the spectre fix would then work.
> >
> > Does the status indicator here refer to the spectre problem?
> >
> > If it does why does it say vulnerable?
>
> There seems to be some confusion in this thread.
> The page linked above refers to CVE-2017-5753 a.k.a. "Spectre-1".
>

Are you saying that this link:

https://security-tracker.debian.org/tracker/CVE-2017-5753

​which looks like it should be going to a spectre 1 fix is actually a
discussion and tables etc
of the spectre 2 fixes that are in the pipeline ie it is incorrectly
labelled?

Cheers

MF



> You mean CVE-2017-5715 a.k.a. "Spectre-2".
>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> It would be illogical to assume that all conditions remain stable.
> -- Spock, "The Enterprise Incident", stardate 5027.3
>
>


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
Hi,

On Mon, 19 Feb 2018 14:10:14 +
Brad Rogers  wrote:

(...)
> If anyone wants to check their (linux) system specifically for the
> current state of spectre+meltdown mitigation on a given machine then
> have a look here:
> 
> https://github.com/speed47/spectre-meltdown-checker
> 
> Really simple instructions are as follows:
(...)

With debian it is even simpler:

apt-get install spectre-meltdown-checker
sudo spectre-meltdown-checker

Regards

Michael


.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

The sight of death frightens them [Earthers].
-- Kras the Klingon, "Friday's Child", stardate 3497.2



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
On Mon, 19 Feb 2018 21:00:08 +0300
Reco  wrote:

> On Mon, Feb 19, 2018 at 05:24:18PM +, Michael Fothergill wrote:
> > On 19 February 2018 at 17:03, Reco  wrote:
> > 
> > > Hi.
> > >
> > > On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote:
> > > > I had thought up to now that e.g. kernel 4.15.4-1 was new enough
> > > > that if you compiled it with gcc 7.3 then the spectre fix would
> > > > then work.
> > >
> > > Not unless you apply the retpoline patch to the gcc.
> > >
> > > For instance, just today said patch was applied to the Debian stable
> > > version of gcc, gcc-4.9:
> > >
> > > https://www.debian.org/security/2018/dsa-4117

I believe gcc-4.9 is "oldstable" (Jessie). 

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

Totally illogical, there was no chance.
-- Spock, "The Galileo Seven", stardate 2822.3



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Lange
Hi,

On Mon, 19 Feb 2018 16:40:19 +
Michael Fothergill  wrote:

> On 19 February 2018 at 14:10, Greg Wooledge  wrote:
> 
> > On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En
> > Ming wrote:
> > > What are the patches that I can download and install to be protected
> > > against the Meltdown and Spectre security vulnerabilities?
> >
> > Meltdown patch went out a month ago.
> >
> > Spectre, see here:
> > https://security-tracker.debian.org/tracker/CVE-2017-5753
> 
> 
> Please excuse my extreme ignorance here, but there is something
> puzzling me a bit in the spectre web page..
> 
> For the sid entry, the table says the following:
> 
> Source Package    Release    Version     Status
>                   sid        4.15.4-1    vulnerable
> 
> I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if
> you compiled it with gcc 7.3 then the spectre fix would then work.
> 
> Does the status indicator here refer to the spectre problem?
> 
> If it does why does it say vulnerable?

There seems to be some confusion in this thread.
The page linked above refers to CVE-2017-5753 a.k.a. "Spectre-1".
You mean CVE-2017-5715 a.k.a. "Spectre-2".

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

It would be illogical to assume that all conditions remain stable.
-- Spock, "The Enterprise Incident", stardate 5027.3



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Reco
On Mon, Feb 19, 2018 at 05:24:18PM +, Michael Fothergill wrote:
> On 19 February 2018 at 17:03, Reco  wrote:
> 
> > Hi.
> >
> > On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote:
> > > I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if
> > > you compiled it with gcc 7.3 then the spectre fix would then work.
> >
> > Not unless you apply the retpoline patch to the gcc.
> >
> > For instance, just today said patch was applied to the Debian stable
> > version of gcc, gcc-4.9:
> >
> > https://www.debian.org/security/2018/dsa-4117
> >
> > Reco
> >
> Doesn't that mean that if you installed this version of gcc 4.9 and one
> of the most recent kernels debian has e.g. 4.15.4-1 above
> then it will be able to correctly install the microcode or whatever it is
> called and you don't need a compiler as new as gcc 7.3?
> 
> If so that is excellent news indeed.

I'm unsure of linux-4.15, but it should be possible to use patched
gcc-4.9 to build backported linux-4.14+89. Whenever they applied the
second part of retpoline patch to this kernel remains to seen.

Being lazy I'll just wait while Debian Kernel Team builds a patched
kernel for all of us.

Reco



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 17:03, Reco  wrote:

> Hi.
>
> On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote:
> > I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if
> > you compiled it with gcc 7.3 then the spectre fix would then work.
>
> Not unless you apply the retpoline patch to the gcc.
>
> For instance, just today said patch was applied to the Debian stable
> version of gcc, gcc-4.9:
>
> https://www.debian.org/security/2018/dsa-4117
>
> Reco
>

Doesn't that mean that if you installed this version of gcc 4.9 and one
of the most recent kernels debian has e.g. 4.15.4-1 above
then it will be able to correctly install the microcode or whatever it is
called and you don't need a compiler as new as gcc 7.3?

If so that is excellent news indeed.

No chrooting needed there..

Not a sausage of it.

You would have to run the compiler but the kernel source for 4.15.4-1 would
already be in the debian format.

So it should not be that difficult.

Regards

MF


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Reco
Hi.

On Mon, Feb 19, 2018 at 04:40:19PM +, Michael Fothergill wrote:
> I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if
> you compiled it with gcc 7.3 then the spectre fix would then work.

Not unless you apply the retpoline patch to the gcc.

For instance, just today said patch was applied to the Debian stable
version of gcc, gcc-4.9:

https://www.debian.org/security/2018/dsa-4117

Reco



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 14:10, Greg Wooledge  wrote:

> On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En Ming
> wrote:
> > What are the patches that I can download and install to be protected
> > against the Meltdown and Spectre security vulnerabilities?
>
> Meltdown patch went out a month ago.
>
> Spectre, see here:
> https://security-tracker.debian.org/tracker/CVE-2017-5753


Please excuse my extreme ignorance here, but there is something puzzling
me a bit in the spectre web page..

For the sid entry, the table says the following:

Source Package    Release    Version     Status
                  sid        4.15.4-1    vulnerable

I had thought up to now that e.g. kernel 4.15.4-1 was new enough that if
you compiled it with gcc 7.3 then the spectre fix would then work.

Does the status indicator here refer to the spectre problem?

If it does why does it say vulnerable?

Is there something else causing a problem or barrier here that means you
can't use gcc 7.3 with what seems to be source code for this kernel
(maybe it's not the kernel source, please correct me here) or some other
confounding factor here?

Regards

MF



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Roberto C . Sánchez
On Mon, Feb 19, 2018 at 01:23:25PM +, Michael Fothergill wrote:
> 
> Checkout the debian backports suite (kindly resourcefully suggested by
> Andy Smith)
> Easiest thing to do when requiring a newer kernel would be to check
> the backports suite, so in this case in stretch-backports we find
> linux-image-amd64:
> 
>    <https://packages.debian.org/stretch-backports/linux-image-amd64>
> 
> That's a virtual package that gets you the latest real kernel
> package available in that suite, which right now is
> linux-image-4.14.0-0.bpo.3-amd64:
> 
>    <https://packages.debian.org/stretch-backports/linux-image-amd64>
> 
> From there, if you look on the right you will see the Debian
> changelog link
> <http://ftp-master.metadata.debian.org/changelogs//main/l/linux/linux_4.14.13-1~bpo9+1_changelog>
> which tells us that this corresponds to upstream release 4.14.13.
> The upstream release was made on 10 January and this backports
> package came on 14 January, so that's pretty swift.
> 
> Newer kernels should be there now and there may well be one that deals
> with both the meltdown and spectre vulnerabilities jointly.
> 
No!!

That is not at all how the backports repository is intended to be used.
I have been maintaining Debian packages for many years and I have on
occasion uploaded backports of my packages.

The packages in backports are not specifically supported by the security
team. They are supported only by the maintainer of the package (or the
uploader of the backport, as any Debian Developer can technically upload
backports of any package).

Security updates are nearly always handled by the security team,
sometimes with the support of the package maintainer (the kernel is a
good example where the maintainers do much of the heavy lifting). That
said, packages in the backports repository can easily be outdated (both
with respect to the latest version in testing/unstable and with
respect to security fixes in stable).

Don't get me wrong, backports are immensely useful in some cases. In
particular, for the kernel, backports are quite handy when you need
support for newer hardware than what is available in stable. That said,
users of backports must understand that part of the cost of using
backports is that security fixes may be delayed, or may never arrive in
backports.

I understand what you are trying to advise the OP, but your reasoning is
all wrong. For someone running stable, the most secure configuration is
stable-only. In this particular instance it happens that there is a new
upstream release available in backports that addresses the specific
security vulnerability which concerns the OP. However, this is by far
the case for security vulnerabilities in general.

I would strongly recommend against your approach as a means to obtain
proper security fixes. It will inevitably lead to the mistaken
impression that a system is properly secured when it in fact may have
outstanding security vulnerabilities.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Brad Rogers
On Mon, 19 Feb 2018 21:13:42 +0800
Turritopsis Dohrnii Teo En Ming  wrote:

Hello Turritopsis,

>What are the patches that I can download and install to be protected
>against the Meltdown and Spectre security vulnerabilities?

First, you might want to check whether your system is vulnerable.

Mr. Meowski, on a local LUG ML pointed out this;

If anyone wants to check their (linux) system specifically for the
current state of spectre+meltdown mitigation on a given machine then
have a look here:

https://github.com/speed47/spectre-meltdown-checker

Really simple instructions are as follows:

cd [to some directory where you want to keep this]

wget meltdown.ovh -O spectre-meltdown-checker.sh
cat spectre-meltdown-checker.sh
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh

-- 
 Regards  _
 / )   "The blindingly obvious is
/ _)radnever immediately apparent"
You're not so safe in the safety of your room
Nasty - The Damned


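An added example, not code from Brad's post or from the spectre-meltdown-checker project: a small POSIX sh function that reads the kernel's own sysfs reports (the `/sys/devices/system/cpu/vulnerabilities/*` files quoted elsewhere in this thread) and summarises them, so you can see the kernel's view of Meltdown and Spectre mitigation without downloading or running any third-party script. The `VULN_DIR` override and the sample directories are constructed here for offline testing; on a real machine you would simply call `report_vulns` with no argument.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's
# /sys/devices/system/cpu/vulnerabilities/* reports. Each file holds one
# line such as "Not affected", "Mitigation: ..." or "Vulnerable...".
# VULN_DIR is an assumed override so the functions can run on constructed data.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> prints one of: ok, mitigated, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected")  echo ok ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulns [DIR] -> prints "<name> <class> <raw status>" per file.
# Returns 0 when every entry is "ok" or "mitigated", 1 when anything is
# vulnerable or unrecognised, 2 when the directory is missing (older kernels
# without these reports).
report_vulns() {
    dir="${1:-$VULN_DIR}"
    rc=0
    [ -d "$dir" ] || { echo "no $dir (kernel does not expose these reports)" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-12s %-10s %s\n' "$(basename "$f")" "$class" "$status"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample mirroring the AMD output quoted earlier in the thread
# (all entries either not affected or mitigated). Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Not affected" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Mitigation: Full AMD retpoline" > "$d/spectre_v2"
    echo "$d"
}

# Constructed sample with one unmitigated entry, to exercise the failure path.
make_vulnerable_dir() {
    d=$(mktemp -d)
    echo "Not affected" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "$d"
}

# Usage on a real system (uncomment): report_vulns
```

The exit status makes the check usable from a cron job or configuration-management run: a non-zero return means either the kernel reports something still vulnerable or the kernel is too old to report at all, both of which are worth an alert.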


Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Greg Wooledge
On Mon, Feb 19, 2018 at 09:13:42PM +0800, Turritopsis Dohrnii Teo En Ming wrote:
> What are the patches that I can download and install to be protected
> against the Meltdown and Spectre security vulnerabilities?

Meltdown patch went out a month ago.

Spectre, see here:
https://security-tracker.debian.org/tracker/CVE-2017-5753



Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Michael Fothergill
On 19 February 2018 at 13:13, Turritopsis Dohrnii Teo En Ming <
tdteoenm...@gmail.com> wrote:

> What are the patches that I can download and install to be protected
> against the Meltdown and Spectre security vulnerabilities?
>
> ===BEGIN SIGNATURE===
>
> Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017
>
> [1] https://tdtemcerts.wordpress.com/
>
> [2] http://tdtemcerts.blogspot.sg/
>
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>
> ===END SIGNATURE===
>


Check out the debian backports suite (kindly resourcefully suggested by
Andy Smith)

Easiest thing to do when requiring a newer kernel would be to check
the backports suite, so in this case in stretch-backports we find
linux-image-amd64:



That's a virtual package that gets you the latest real kernel
package available in that suite, which right now is
linux-image-4.14.0-0.bpo.3-amd64:



From there, if you look on the right you will see the Debian
changelog link

which tells us that this corresponds to upstream release 4.14.13.
The upstream release was made on 10 January and this backports
package came on 14 January, so that's pretty swift.

Newer kernels should be there now and there may well be one that deals with
both the meltdown and spectre vulnerabilities jointly.

Regards

Michael Fothergill