Some clues about CPU vulnerabilities? Spectre and meltdown

eselma
Posts: 166
Joined: 24 Mar 2013 09:55
Location: Catalonia

Postby eselma » 05 Jan 2018 13:55

Today there was a new kernel to update (4.9.65-3+deb9u2). I do not know if it is related to a new patch trying to fix the recent vulnerability in some recent x86 CPUs (not only Intel ones).

After downloading the Intel tool to detect this flaw (intel_sa00086.py), either 4.9.0-4 or 4.9.0-5 appears to be vulnerable, according to this tool. Does anybody know the state of this patch with Debian/SolydXK kernels?

Thanks in advance for your comments.

bas_otten
Posts: 199
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: Some clues about intel CPU vulnerabilities?

Postby bas_otten » 05 Jan 2018 14:26

This latest kernel you are referring to is related to the Intel-only Meltdown vulnerability.
For the general processor Spectre vulnerability there is not a fix available at this time.
See https://www.debian.org/security/2018/dsa-4078.

smitty1
Posts: 237
Joined: 23 Jun 2013 13:50
Location: Pittsburgh, PA USA

Re: Some clues about intel CPU vulnerabilities?

Postby smitty1 » 05 Jan 2018 14:30

The update today installed linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) which is the fixed version for stretch, according to https://security-tracker.debian.org/tracker/DSA-4078-1.
See also https://security-tracker.debian.org/tra ... -2017-5754.

No Good Deed Goes Unpunished

eselma
Posts: 166
Joined: 24 Mar 2013 09:55
Location: Catalonia

Re: Some clues about intel CPU vulnerabilities?

Postby eselma » 05 Jan 2018 15:58

Many thanks for your answers, bas_otten and smitty. This was what I presumed.
Anyway, the output of the test utility says:

*** Host Computer Information ***
Name: orion
Manufacturer: MSI
Model: MS-7793
Processor Name: AMD A10-6800K APU with Radeon(tm) HD Graphics
OS Version: SolydXK 9 solydxk-9 (4.9.0-5-amd64)
*** Risk Assessment ***
Detection Error: This system may be vulnerable,
  either the Intel(R) MEI/TXEI driver is not installed
  (available from your system manufacturer)
  or the system manufacturer does not permit access
  to the ME/TXE from the host driver.

As you can see, my CPU is AMD, but it is said that any x86 CPU (including Atom), and even some ARM, are vulnerable to this flaw.
Do you know any utility suitable for this CPU?

Thanks again.

ilu
Posts: 1912
Joined: 09 Oct 2013 12:45

Re: Some clues about CPU vulnerabilities?

Postby ilu » 05 Jan 2018 17:00

@eselma: The tool is not working on your AMD CPU, that's all the message says.

If I understand correctly, Spectre is still completely unfixed for either Intel, AMD or ARM. Page table isolation (PTI) is only against Meltdown and thus solely relevant for Intel CPUs. But I might be wrong.

This is the Debian CVE for Meltdown - Intel only: https://security-tracker.debian.org/tra ... -2017-5754
This is the Debian CVE for Spectre - all CPUs: https://security-tracker.debian.org/tra ... -2017-5715

Can somebody clarify which bug is mitigated by PTI and whether this fix is applied to the kernel in general or only on the kernel modules for Intel CPUs? Should AMD and ARM users set the nopti boot parameter to avoid unnecessary slowdown?

ScottQuier
Posts: 1779
Joined: 18 Jul 2013 15:55
Location: Newport News, VA

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby ScottQuier » 05 Jan 2018 19:23

eselma wrote: After downloading the Intel tool to detect this flaw (intel_sa00086.py), either 4.9.0-4 or 4.9.0-5 appears to be vulnerable, according to this tool. Does anybody know the state of this patch with Debian/SolydXK kernels?

Thanks in advance for your comments.

I, also, downloaded the script and ran it against both 4.9.65-3+deb9u1 and 4.9.65-3+deb9u2 and got similar results:

INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.152
Scan date: 2018-01-05 19:17:08 GMT

*** Host Computer Information ***
Name: sagerk
Manufacturer: Notebook
Model: W65_67SZ
Processor Name: Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
OS Version: SolydXK 9 solydxk-9 (4.9.0-4-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.0.20.1447
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

Both kernels were/are noted as being "not vulnerable".

I'm confused.....
Scott
Quoting zerozero, "The usage of PPA's in debian-based
systems is risky at best and entails serious compatibility
problems; usually it's the best way to destroy an install"

kurotsugi
Posts: 2040
Joined: 09 Jan 2014 00:17

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby kurotsugi » 06 Jan 2018 04:45

AFAIK PTI only fixes Meltdown. OTOH we don't have any solution for Spectre yet. As long as we exclusively use software from the official repo, we'll be relatively safe. Though, I don't know much about the possibility of attack from websites. Theoretically our browser has its own sandboxing mechanism, but since we're dealing with a hardware issue, there's a possibility that the sandboxing mechanism doesn't work.

bas_otten
Posts: 199
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby bas_otten » 06 Jan 2018 12:35

ilu wrote: Can somebody clarify which bug is mitigated by PTI and whether this fix is applied to the kernel in general or only on the kernel modules for Intel CPUs? Should AMD and ARM users set the nopti boot parameter to avoid unnecessary slowdown?
It is just the nature of these vulnerabilities that PTI only eliminates the Meltdown vulnerability. For Spectre there is no patch yet, and there does not seem to be information so far in what area of the kernel this patch needs to be implemented. Both patches, however, are only software-workarounds for what basically is a hardware/firmware issue. The PTI patch, for instance, only prevents the Meltdown vulnerability from being exploitable.
As far as I can see from the kernel-configuration and what I have been reading in https://en.wikipedia.org/wiki/Kernel_pa ... _isolation, the PTI-patch is applied into the kernel generically. Using the boot-parameter nopti on non-Intel systems will not make you vulnerable to the same degree as on Intel systems, but it is still recommended to leave PTI on, citing the wikipedia link: "However, AMD processors are still susceptible to KASLR bypass when KPTI is disabled".
ScottQuier wrote: Both kernels were/are noted as being "not vulnerable".
I'm confused...
I am pretty sure that the Intel Detection Tool only assesses your system hardware/firmware-wise. The root-cause vulnerability essentially is and remains present (or not, as I find surprising in your case!). Whether you have a kernel running that has a software-workaround-patch on it that prevents the vulnerability from being exploitable is a wholly different view on the subject. In my case, both with the previous and the latest kernel, the Intel Tool indicates my system is vulnerable.

In any case you can check whether you are safe from Meltdown exploitation by issuing the following command to see if PTI is enabled:

root@bashost:/ #>>> dmesg | grep 'page tables isolation'
[    0.000000] Kernel/User page tables isolation: enabled

The output will only be exactly like this when you are on the latest kernel that has the PTI patch and do not have the nopti boot-parameter active.
EDIT: this is true when on Intel, on AMD this is intentionally disabled by default.

grizzler
Posts: 1986
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby grizzler » 06 Jan 2018 13:47

The SA-00086 tool has absolutely nothing to do with Meltdown/Spectre. It's about the Intel Management Engine issue that came up earlier.

https://www.wired.com/story/intel-manag ... rvers-iot/
https://hackaday.com/2017/12/11/what-yo ... nt-engine/
https://www.intel.com/content/www/us/en ... tware.html
Frank

SolydX EE 64 - tracking Debian Testing

eselma
Posts: 166
Joined: 24 Mar 2013 09:55
Location: Catalonia

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby eselma » 06 Jan 2018 14:19

grizzler wrote:The SA-00086 tool has absolutely nothing to do with Meltdown/Spectre. It's about the Intel Management Engine issue that came up earlier.
Ooops! That explains a lot of things, especially the references to 'ME/TXE' in the output.

Sorry for having misguided someone. I got the reference of this test from another forum. Thanks for clarifying this, Grizzler.

bas_otten
Posts: 199
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby bas_otten » 06 Jan 2018 15:46

You are right, @grizzler, thanx !
To avoid confusion, I edited my post above, indicating which paragraph is [wrong].
I was actually looking for strikethrough, but not all BBCode parses this;-)

Arjen Balfoort
Site Admin
Posts: 8698
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby Arjen Balfoort » 06 Jan 2018 16:11

bas_otten wrote:You are right, @grizzler, thanx !
To avoid confusion, I edited my post above, indicating which paragraph is [wrong].
I was actually looking for strikethrough, but not all BBCode parses this;-)
I never realised there was no strike through in our forum. Well now there is!


SolydXK needs you!
Development | Testing | Translations

bas_otten
Posts: 199
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby bas_otten » 06 Jan 2018 16:24

Schoelje wrote: I never realised there was no strike through in our forum. Well now there is!
Fancy that, so quickly! Nice :)
Re-edited my post above to use it.

eselma
Posts: 166
Joined: 24 Mar 2013 09:55
Location: Catalonia

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby eselma » 06 Jan 2018 16:37

All right. So, I tried your suggestion (with newer kernel):

[root@orion eselma]# dmesg | grep 'page tables isolation'
[    0.000000] Kernel/User page tables isolation: disabled

Well, disabled should mean safe. I did not put the argument 'nopti' in grub.cfg

bas_otten
Posts: 199
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby bas_otten » 06 Jan 2018 18:44

I was going to say: you are not safe because PTI should be enabled. But, I checked on my old AMD-desktop and it shows that, apparently, the kernel has a routine that checks the CPU-brand and only enables PTI by default when on Intel. As you, @eselma, are on AMD, this will be the intended behaviour, and you are safe. This also answers @ilu's earlier question more specifically: AMD users need not explicitly specify nopti and will not suffer unnecessary performance impact. I'll go strikeout one more paragraph of my post today ;)
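
The rule the thread arrives at (the PTI boot message reads "enabled" by default on Intel and "disabled" by default on AMD) can be turned into a small check. This is an added shell example, not part of any post; the function names and status labels are hypothetical, and the sample input is the two dmesg lines quoted above.

```shell
#!/bin/sh
# Added example. Function names and status labels are hypothetical.

# classify_pti VENDOR DMESG_TEXT
#   VENDOR is the vendor_id field from /proc/cpuinfo.
#   Prints one status label for the last PTI line found in DMESG_TEXT.
classify_pti() {
    vendor=$1
    state=$(printf '%s\n' "$2" |
        sed -n 's|.*Kernel/User page tables isolation: \([a-z]*\).*|\1|p' |
        tail -n 1)
    case "$state:$vendor" in
        enabled:*)             echo "pti-enabled" ;;
        disabled:AuthenticAMD) echo "pti-off-amd-default" ;;
        disabled:*)            echo "pti-off-check-cmdline" ;;
        :*)                    echo "no-pti-message" ;;  # unpatched kernel or rotated log
        *)                     echo "unknown-state" ;;
    esac
}

# has_pti_override CMDLINE: succeeds if PTI was switched off at boot.
has_pti_override() {
    for arg in $1; do
        case "$arg" in
            nopti|pti=off) return 0 ;;
        esac
    done
    return 1
}

# The two dmesg lines quoted in the thread, reused as sample input.
intel_line='[    0.000000] Kernel/User page tables isolation: enabled'
amd_line='[    0.000000] Kernel/User page tables isolation: disabled'
classify_pti GenuineIntel "$intel_line"
classify_pti AuthenticAMD "$amd_line"
classify_pti GenuineIntel "$amd_line"

# Run with --live to check the current machine (dmesg may need root).
if [ "${1:-}" = "--live" ]; then
    cpu=$(awk '/^vendor_id/ {print $3; exit}' /proc/cpuinfo)
    classify_pti "$cpu" "$(dmesg 2>/dev/null)"
    if has_pti_override "$(cat /proc/cmdline)"; then
        echo "PTI disabled on the kernel command line"
    fi
fi
```

A "no-pti-message" result only says the line was not found in the log text supplied; it does not by itself show whether the running kernel carries the patch.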

ilu
Posts: 1912
Joined: 09 Oct 2013 12:45

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby ilu » 08 Jan 2018 14:53

Thank you very much for your research bas_otten.

eselma
Posts: 166
Joined: 24 Mar 2013 09:55
Location: Catalonia

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby eselma » 08 Jan 2018 16:05

ilu wrote:Thank you very much for your research bas_otten.
+1

bas_otten
Posts: 199
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby bas_otten » 08 Jan 2018 20:40

You're welcome!

Arjen Balfoort
Site Admin
Posts: 8698
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby Arjen Balfoort » 18 Jan 2018 06:45

Just thought to share this with you.

I tweeted Asus to ask whether or not there's going to be a BIOS update to address the Meltdown and Spectre vulnerabilities. This was the first reply:
"I think no BIOS update can mitigate these issues. Linux kernels have been updated with KPTI and Retpoline which is the only way to protect your computer at the moment."
I then told them that I hoped it could have been solved by a BIOS update because of the performance impact a software solution would have. This was their last response:
"The problem is the BIOS is not responsible for managing memory access, nor the CPU, as it is mostly a software concept, and therefore OS dependent, even application dependent as Firefox or Chrome had to fix it too. As for performance loss, it is not as dramatic."



Arjen Balfoort
Site Admin
Posts: 8698
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Some clues about CPU vulnerabilities? Spectre and meltdown

Postby Arjen Balfoort » 18 Jan 2018 07:09

I've also run this script: https://www.cyberciti.biz/faq/check-lin ... erability/

My current output:

Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64                                                                                             
CPU is Intel(R) Core(TM) i7-4785T CPU @ 2.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

