Some clues about CPU vulnerabilities? Spectre and meltdown
Today there was a new kernel to update (4.9.65-3+deb9u2). I do not know if it is related to a new patch trying to fix the recent vulnerability in some recent x86 CPUs (not only Intel ones).
After downloading the Intel tool to detect this flaw (intel_sa00086.py), either 4.9.0-4 or 4.9.0-5 appears to be vulnerable, according to this tool. Does anybody know the state of this patch with Debian/Solydxk kernels?
Thanks in advance for your comments.

Re: Some clues about intel CPU vulnerabilities?
This latest kernel you are referring to is related to the Intel-only Meltdown vulnerability.
For the general processor Spectre vulnerability there is not a fix available at this time.
See https://www.debian.org/security/2018/dsa-4078.
Re: Some clues about intel CPU vulnerabilities?
The update today installed linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) which is the fixed version for stretch, according to https://security-tracker.debian.org/tracker/DSA-4078-1.
See also https://security-tracker.debian.org/tra ... -2017-5754.

No Good Deed Goes Unpunished
Re: Some clues about intel CPU vulnerabilities?
Many thanks for your answers, Bas_oten and smitty. This was what I presumed.
Anyway, the output of the test utility says:
Code:
*** Host Computer Information ***
Name: orion
Manufacturer: MSI
Model: MS-7793
Processor Name: AMD A10-6800K APU with Radeon(tm) HD Graphics
OS Version: SolydXK 9 solydxk-9 (4.9.0-5-amd64)
*** Risk Assessment ***
Detection Error: This system may be vulnerable,
either the Intel(R) MEI/TXEI driver is not installed
(available from your system manufacturer)
or the system manufacturer does not permit access
to the ME/TXE from the host driver.
As you can see, my CPU is AMD, but it is said that any x86 CPU (including Atom) and even some ARM are vulnerable to this flaw.
Do you know any utility suitable for this CPU?
Thanks again.

Re: Some clues about CPU vulnerabilities?
@eselma: The tool is not working on your AMD cpu, that's all the message says.
If I understand correctly spectre is still completely unfixed for either Intel, AMD or ARM. Page table isolation (PTI) is only against meltdown and thus solely relevant for Intel cpus. But I might be wrong.
This is the debian CVE for meltdown - Intel only: https://security-tracker.debian.org/tra ... -2017-5754
This is the debian CVE for spectre - all cpu https://security-tracker.debian.org/tra ... -2017-5715
Can somebody clarify which bug is mitigated by PTI and whether this fix is applied to the kernel in general or only on the kernel modules for Intel CPUs? Should AMD and ARM users set the nopti boot parameter to avoid unnecessary slowdown?
- ScottQuier
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
eselma wrote:
> After downloading the Intel tool to detect this flaw (intel_sa00086.py), either 4.9.0-4 or 4.9.0-5 appears to be vulnerable, according to this tool. Does anybody know the state of this patch with Debian/Solydxk kernels?
> Thanks in advance for your comments.
I, also, downloaded the script and ran it against both 4.9.65-3+deb9u1 and 4.9.65-3+deb9u2 and got similar results:
Code:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.152
Scan date: 2018-01-05 19:17:08 GMT
*** Host Computer Information ***
Name: sagerk
Manufacturer: Notebook
Model: W65_67SZ
Processor Name: Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
OS Version: SolydXK 9 solydxk-9 (4.9.0-4-amd64)
*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.0.20.1447
SVN: 0
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.
For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
Intel Security Advisory Intel-SA-00086 at the following link:
https://www.intel.com/sa-00086-support
I'm confused.....
Scott
Quoting zerozero, "The usage of PPA's in debian-based
systems is risky at best and entails serious compatibility
problems; usually it's the best way to destroy an install"

Re: Some clues about CPU vulnerabilities? Spectre and meltdown
AFAIK PTI only fixes Meltdown. OTOH we don't have any solution for Spectre yet. As long as we exclusively use software from the official repo, we'll be relatively safe. Though, I don't know much about the possibility of attack from websites. Theoretically our browser has its own sandboxing mechanism, but since we're dealing with a hardware issue, there's a possibility that the sandboxing mechanism doesn't work.
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
ilu wrote:
> Can somebody clarify which bug is mitigated by PTI and whether this fix is applied to the kernel in general or only on the kernel modules for Intel CPUs? Should AMD and ARM users set the nopti boot parameter to avoid unnecessary slowdown?
It is just the nature of these vulnerabilities that PTI only eliminates the Meltdown vulnerability. For Spectre there is no patch yet, and there does not seem to be information so far in what area of the kernel this patch needs to be implemented. Both patches, however, are only software-workarounds for what basically is a hardware/firmware issue. The PTI patch, for instance, only prevents the Meltdown vulnerability from being exploitable.
As far as I can see from the kernel-configuration and what I have been reading in https://en.wikipedia.org/wiki/Kernel_pa ... _isolation, the PTI-patch is applied into the kernel generically. Using the boot-parameter nopti on non-Intel systems will not make you vulnerable to the same degree as on Intel systems, but it is still recommended to leave PTI on, citing the wikipedia link: "However, AMD processors are still susceptible to KASLR bypass when KPTI is disabled".
ScottQuier wrote:
> Both kernels were/are noted as being "not vulnerable".
> I'm confused...
I am pretty sure that the Intel Detection Tool only assesses your system hardware/firmware-wise. The root-cause vulnerability essentially is and remains present (or not, as I find surprising in your case!). Whether you have a kernel running that has a software-workaround-patch on it that prevents the vulnerability from being exploitable is a wholly different view on the subject. In my case, both with the previous and the latest kernel, the Intel Tool indicates my system is vulnerable.
In any case you can check whether you are safe from Meltdown exploitation by issuing the following command to see if PTI is enabled:
Code:
root@bashost:/ #>>> dmesg | grep 'page tables isolation'
[ 0.000000] Kernel/User page tables isolation: enabled
EDIT: this is true when on Intel, on AMD this is intentionally disabled by default.
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
The SA-00086 tool has absolutely nothing to do with Meltdown/Spectre. It's about the Intel Management Engine issue that came up earlier.
https://www.wired.com/story/intel-manag ... rvers-iot/
https://hackaday.com/2017/12/11/what-yo ... nt-engine/
https://www.intel.com/content/www/us/en ... tware.html
Frank

SolydX EE 64 - tracking Debian Testing

Re: Some clues about CPU vulnerabilities? Spectre and meltdown
grizzler wrote:
> The SA-00086 tool has absolutely nothing to do with Meltdown/Spectre. It's about the Intel Management Engine issue that came up earlier.
Ooops! That explains a lot of things, especially the references to 'ME/TXE' in the output.
Sorry for having misguided someone. I got the reference of this test from another forum. Thanks for clarifying this, Grizzler.

Re: Some clues about CPU vulnerabilities? Spectre and meltdown
You are right, @grizzler, thanx !
To avoid confusion, I edited my post above, indicating which paragraph is [wrong].
I was actually looking for strikethrough, but not all BBCode parses this;-)
- Arjen Balfoort
- Site Admin
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
bas_otten wrote:
> You are right, @grizzler, thanx !
> To avoid confusion, I edited my post above, indicating which paragraph is [wrong].
> I was actually looking for strikethrough, but not all BBCode parses this;-)
I never realised there was no strike through in our forum. Well now there is!
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
Schoelje wrote:
> I never realised there was no strike through in our forum. Well now there is!
Fancy that, so quickly! Nice
Re-edited my post above to use it.
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
All right. So, I tried your suggestion (with newer kernel):
Code:
[root@orion eselma]# dmesg | grep 'page tables isolation'
[ 0.000000] Kernel/User page tables isolation: disabled
Well, disabled should mean safe. I did not put the argument 'nopti' in grub.cfg

Re: Some clues about CPU vulnerabilities? Spectre and meltdown
I was going to say: you are not safe because PTI should be enabled. But, I checked on my old AMD-desktop and it shows that, apparently, the kernel has a routine that checks the CPU-brand and only enables PTI by default when on Intel. As you, @eselma, are on AMD, this will be the intended behaviour, and you are safe. This also answers @ilu's earlier question more specifically: AMD users need not explicitly specify nopti and will not suffer unnecessary performance impact. I'll go strikeout one more paragraph of my post today
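The check discussed in the posts above, as an added example that is not part of the original thread: a shell function that reads the `dmesg` PTI line together with the CPU vendor and the kernel command line, so that "disabled" is interpreted differently on Intel and on AMD. The function names, verdict words and the sample cpuinfo and command-line strings are assumptions made for this example; the two dmesg lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: combine the dmesg PTI line with the CPU vendor and kernel
# command line to decide what "enabled"/"disabled" means on this machine.
# Usage: pti_verdict CPUINFO_TEXT DMESG_TEXT CMDLINE_TEXT  (prints one word)
pti_verdict() {
    cpuinfo=$1; dmesg_out=$2; cmdline=$3

    # x86 reports "GenuineIntel" or "AuthenticAMD" in the vendor_id field.
    vendor=$(printf '%s\n' "$cpuinfo" |
        awk -F': *' '/^vendor_id/ { print $2; exit }')

    # Take the last PTI status line in case the message appears more than once.
    state=$(printf '%s\n' "$dmesg_out" |
        sed -n 's|.*Kernel/User page tables isolation: \([a-z]*\).*|\1|p' |
        tail -n 1)

    case "$state" in
        enabled)  echo "mitigated"; return 0 ;;
        disabled) ;;
        # No line at all: kernel predates the patch or the ring buffer rotated.
        *)        echo "unknown"; return 0 ;;
    esac

    case "$vendor" in
        GenuineIntel) echo "exposed" ;;   # PTI off on an Intel CPU
        AuthenticAMD)
            case " $cmdline " in
                *" nopti "*) echo "off-by-nopti" ;;
                *)           echo "amd-default-off" ;;  # kernel default on AMD
            esac ;;
        *) echo "unknown" ;;
    esac
}

# Live use (assumes dmesg is readable by the caller, typically root).
pti_verdict_live() {
    pti_verdict "$(cat /proc/cpuinfo)" "$(dmesg 2>/dev/null)" "$(cat /proc/cmdline)"
}

# Constructed sample inputs for an offline run.
CPU_INTEL='vendor_id : GenuineIntel'
CPU_AMD='vendor_id : AuthenticAMD'
DMESG_ON='[ 0.000000] Kernel/User page tables isolation: enabled'
DMESG_OFF='[ 0.000000] Kernel/User page tables isolation: disabled'
CMDLINE='BOOT_IMAGE=/vmlinuz-4.9.0-5-amd64 root=/dev/sda1 ro quiet'

pti_verdict "$CPU_INTEL" "$DMESG_ON"  "$CMDLINE"   # mitigated
pti_verdict "$CPU_AMD"   "$DMESG_OFF" "$CMDLINE"   # amd-default-off
```

On a real machine, call `pti_verdict_live`; an "unknown" result means the status line was not found in the ring buffer and says nothing about whether the kernel is patched.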

Re: Some clues about CPU vulnerabilities? Spectre and meltdown
Thank you very much for your research bas_otten.
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
ilu wrote:
> Thank you very much for your research bas_otten.
+1

Re: Some clues about CPU vulnerabilities? Spectre and meltdown
You're welcome!
- Arjen Balfoort
- Site Admin
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
Just thought to share this with you.
I tweeted Asus to ask whether or not there's going to be a BIOS update to address the Meltdown and Spectre vulnerabilities. This was the first reply:
> I think no BIOS update can mitigate these issues. Linux kernels have been updated with KPTI and Retpoline which is the only way to protect your computer at the moment.
I then told them that I hoped it could have been solved by a BIOS update because of the performance impact a software solution would have. This was their last response:
> The problem is the BIOS is not responsible for managing memory access, nor the CPU, as it is mostly a software concept, and therefore OS dependent, even application dependent as Firefox or Chrome had to fix it too. As for performance loss, it is not as dramatic.
- Arjen Balfoort
- Site Admin
Re: Some clues about CPU vulnerabilities? Spectre and meltdown
I've also run this script: https://www.cyberciti.biz/faq/check-lin ... erability/
My current output:
Code:
Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
CPU is Intel(R) Core(TM) i7-4785T CPU @ 2.20GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)