Has Mate overcome Spectre and Meltdown security issues?

It seems that high profile Linux OS like Arch and others have yet to find solutions to the security issues brought about with Spectre and Meltdown.

Does Mate differ in tackling that?

It will come in steps. Kernel Page Tables Isolation is available with kernel:
Linux 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64

$ dmesg | grep isolation:
[ 0.000000] Kernel/User page tables isolation: disabled

and

CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’

  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

Hi Dave, my system monitor reports:
“Kernel Linux 4.4.0-109-generic x86_64”

and copying your code above I get this:

"dmesg | grep isolation:
[ 0.000000] Kernel/User page tables isolation: enabled "

This is the opposite of yours, but it reads like my system is isolated and yours isn’t.
Which is right, and how do you change it?

Just curious…

I have an Intel processor version which, it seems, will never be updated.
Can Mate overcome this problem?
If not, then a whole slew of old computers around the world are going to be in the gutter!

I know that Firefox and others like it, except for Chrome-based ones, are less vulnerable, but this whole issue is beyond my understanding.

You have an Intel CPU and the fix for Meltdown is active. I have an AMD CPU that doesn’t need the Meltdown fix.
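A small check one can run, added here as an example and not something posted in the thread: it classifies the dmesg line quoted above (enabled on the Intel box, disabled on the AMD box), and on kernels that expose /sys/devices/system/cpu/vulnerabilities (assumed absent on the 4.4.0-109 kernel discussed here, which is why dmesg is used) it reads the per-CVE status files and reports them the way the checker script does.

```shell
#!/bin/sh
# Added example, not from the thread. Two sources of truth for Meltdown/PTI status:
#  1. the dmesg line the kernel prints at boot (what the posts above grep for);
#  2. the sysfs interface newer kernels expose (assumed present only on kernels
#     carrying that backport; absent on the 4.4.0-109 kernel in the thread).

# pti_status_from_dmesg: read dmesg-style text on stdin, print enabled/disabled/absent.
pti_status_from_dmesg() {
    line=$(grep 'Kernel/User page tables isolation:' | tail -n 1)
    case "$line" in
        *'isolation: enabled'*)  echo enabled ;;
        *'isolation: disabled'*) echo disabled ;;   # PTI built in but not active (e.g. AMD)
        *)                       echo absent ;;     # kernel has no PTI support at all
    esac
}

# classify_sysfs: map the contents of one vulnerabilities/<name> file to a verdict.
classify_sysfs() {
    case "$1" in
        'Not affected'*) echo not-affected ;;
        'Mitigation:'*)  echo mitigated ;;
        'Vulnerable'*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_live: walk the real sysfs directory when present; one line per CVE name.
report_live() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || { echo "no sysfs vulnerabilities interface; fall back to dmesg"; return 1; }
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(classify_sysfs "$(cat "$f")")"
    done
}

# Constructed samples matching the two dmesg outputs quoted in the thread.
SAMPLE_INTEL='[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_AMD='[    0.000000] Kernel/User page tables isolation: disabled'

if [ "${1:-}" = "--live" ]; then
    report_live
else
    printf '%s\n' "$SAMPLE_INTEL" | pti_status_from_dmesg   # enabled
    printf '%s\n' "$SAMPLE_AMD"   | pti_status_from_dmesg   # disabled
fi
```

Run with `--live` on a machine that has the sysfs interface; without it the script only exercises the constructed samples.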

Thanks Dave, that’s good news! I was concerned that I wasn’t protected.

I saw this script on GitHub to provide a Spectre and Meltdown vulnerability test. Below are my results. I am not sure what it all means. Apparently I am vulnerable to variant 1 & 2 but not 3.

$ sudo sh spectre-meltdown-checker.sh

Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64
CPU is AMD FX-8320E Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 33 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
$

AFAIK the vulnerability of the Piledriver CPU (your 8320E) to variant 2 is near zero. AMD is planning microcode updates to eliminate any residual vulnerability to variant 2.

The kernel is supposed to already have code to suppress variant 1.