Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Paul Allen Newell



On 02/20/2018 12:39 AM, Ed Greshko wrote:
> On 02/20/18 15:51, Paul Allen Newell wrote:
>> In earlier email in this thread, you stated:
>>
>>  Yes.  As long as you don't have kernel modules which were built with a
>>  non-patched gcc.
>>
>>  ls /sys/devices/system/cpu/vulnerabilities/*
>>
>>  cat /sys/devices/system/cpu/vulnerabilities/*
>>
>> This file is new to me ... do you happen to know about when it was introduced
>> and if there is any documentation on it (I couldn't find anything but I feel
>> I was grasping in the dark as I must be missing something).
>
> Looking at the changelog for the kernel, my guess is that they were introduced
> around Jan 10 of this year.  Maybe with the 4.14.13 kernel.  I don't happen to
> have an earlier one running.  Except for a Live image which is at 4.13.9 and
> they aren't there.
>
> I've not done, but probably should, look at the BZ reports noted in the
> changelog as well as the CVE reports.
>
> For example, the changelog has...
>
> * Wed Jan 10 2018 Justin M. Forbes  - 4.14.13-300
> - Linux v4.14.13
> - Iniital retpoline fixes for Spectre v2
>
>> From what I can tell in this thread, this is a good new addition
>
> I would say so.





Ed:

Thanks for reply. Your answer is what I need to know ... it is a very 
recent addition (which helps explain why I haven't heard of it (smile)). 
I hadn't gotten far enough to figure out that the kernel is what I 
should be looking at


Best,
Paul
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-20 Thread Ed Greshko
On 02/20/18 15:51, Paul Allen Newell wrote:
> In earlier email in this thread, you stated:
>
> Yes.  As long as you don't have kernel modules which were built with a
> non-patched gcc.
>
> ls /sys/devices/system/cpu/vulnerabilities/*
>
> cat /sys/devices/system/cpu/vulnerabilities/*
>
> This file is new to me ... do you happen to know about when it was introduced
> and if there is any documentation on it (I couldn't find anything but I feel
> I was grasping in the dark as I must be missing something).

Looking at the changelog for the kernel, my guess is that they were introduced
around Jan 10 of this year.  Maybe with the 4.14.13 kernel.  I don't happen to
have an earlier one running.  Except for a Live image which is at 4.13.9 and
they aren't there.

I've not done, but probably should, look at the BZ reports noted in the
changelog as well as the CVE reports.

For example, the changelog has...

* Wed Jan 10 2018 Justin M. Forbes  - 4.14.13-300
- Linux v4.14.13
- Iniital retpoline fixes for Spectre v2

>
> From what I can tell in this thread, this is a good new addition


I would say so.

-- 
A motto of mine is: When in doubt, try it out





Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Paul Allen Newell

On 02/19/2018 06:04 AM, Ed Greshko wrote:
> On 02/19/18 21:51, Ranjan Maitra wrote:
>> What do these mean, and what is the needed mitigation, if any?
>
> Basically, it means that everything that can currently be done to lessen the
> chances of a security breach is being done.
>
> Otherwise you may see something like...
>
> Mitigation: Full generic retpoline - vulnerable module loaded



Ed:

In earlier email in this thread, you stated:

   Yes.  As long as you don't have kernel modules which were built with
   a non-patched gcc.

   ls /sys/devices/system/cpu/vulnerabilities/*

   cat /sys/devices/system/cpu/vulnerabilities/*

This file is new to me ... do you happen to know about when it was 
introduced and if there is any documentation on it (I couldn't find 
anything but I feel I was grasping in the dark as I must be missing 
something).


From what I can tell in this thread, this is a good new addition

Best,
Paul



Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Ranjan Maitra
On Mon, 19 Feb 2018 22:04:41 +0800 Ed Greshko  wrote:

> On 02/19/18 21:51, Ranjan Maitra wrote:
> > What do these mean, and what is the needed mitigation, if any?
> 
> 
> Basically, it means that everything that can currently be done to lessen the
> chances of a security breach is being done.
> 
> Otherwise you may see something like...
> 
> Mitigation: Full generic retpoline - vulnerable module loaded
> 

I see, so I guess that I am missing the additional words that would be 
concerning then:


$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline


Thanks!

Ranjan


> -- 
> A motto of mine is: When in doubt, try it out
> 


-- 
Important Notice: This mailbox is ignored: e-mails are set to be deleted on 
receipt. Please respond to the mailing list if appropriate. For those needing 
to send personal or professional e-mail, please use appropriate addresses.


Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Ed Greshko
On 02/19/18 21:51, Ranjan Maitra wrote:
> What do these mean, and what is the needed mitigation, if any?


Basically, it means that everything that can currently be done to lessen the
chances of a security breach is being done.

Otherwise you may see something like...

Mitigation: Full generic retpoline - vulnerable module loaded

-- 
A motto of mine is: When in doubt, try it out
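
The status strings discussed in this thread can be checked by script rather than by eye. The following is an added example, not part of any message in the thread: the function names and the temporary sample directory are assumptions, and "Not affected" and "Vulnerable" are kernel status strings that the thread itself does not show.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the one-line status files
# under /sys/devices/system/cpu/vulnerabilities/.

# classify_status STATUS -> prints OK, WARN or FAIL
classify_status() {
    case "$1" in
        *"vulnerable module loaded"*) echo WARN ;;  # a loaded module lacks the mitigation
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*) echo FAIL ;;
        *) echo WARN ;;                             # unrecognised text: review by hand
    esac
}

# check_dir [DIR] -> one line per file; returns 0 if all OK, 1 if any file
# needs attention, 2 if no status files exist (kernel older than the interface)
check_dir() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0; seen=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=1
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-4s %-11s %s\n' "$verdict" "${f##*/}" "$status"
        [ "$verdict" = OK ] || rc=1
    done
    if [ "$seen" -eq 0 ]; then
        echo "no status files under $dir" >&2
        return 2
    fi
    return "$rc"
}

# make_sample DIR V2_STATUS: constructed stand-in for the sysfs directory
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "$2" > "$1/spectre_v2"
}

demo=$(mktemp -d)
make_sample "$demo/clean" "Mitigation: Full generic retpoline"
make_sample "$demo/tainted" "Mitigation: Full generic retpoline - vulnerable module loaded"
check_dir "$demo/clean" || echo "attention needed"
check_dir "$demo/tainted" || echo "attention needed"
```

Calling `check_dir` with no argument reads the real sysfs directory on the running kernel.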





Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Ranjan Maitra
Mine are stock Fedora kernels, updated to the latest.

On Mon, 19 Feb 2018 21:44:09 +0800 Ed Greshko  wrote:

> On 02/19/18 20:14, Turritopsis Dohrnii Teo En Ming wrote:
> > What are the patches that I can download and install to be protected
> > against the Meltdown and Spectre security vulnerabilities?
> 
> (Resend to List, oops)
> 
> Yes.  As long as you don't have kernel modules which were built with a 
> non-patched gcc.
> 
> ls /sys/devices/system/cpu/vulnerabilities/*

I get:

/sys/devices/system/cpu/vulnerabilities/meltdown
/sys/devices/system/cpu/vulnerabilities/spectre_v1
/sys/devices/system/cpu/vulnerabilities/spectre_v2



> cat /sys/devices/system/cpu/vulnerabilities/*


I get:

Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline

What do these mean, and what is the needed mitigation, if any?

Many thanks and best wishes,
Ranjan


Re: Is Fedora Linux protected against the Meltdown and Spectre security flaws?

2018-02-19 Thread Ed Greshko
On 02/19/18 20:14, Turritopsis Dohrnii Teo En Ming wrote:
> What are the patches that I can download and install to be protected
> against the Meltdown and Spectre security vulnerabilities?

(Resend to List, oops)

Yes.  As long as you don't have kernel modules which were built with a 
non-patched gcc.

ls /sys/devices/system/cpu/vulnerabilities/*

cat /sys/devices/system/cpu/vulnerabilities/*



-- 
A motto of mine is: When in doubt, try it out


