Some clues about CPU vulnerabilities? Spectre and meltdown

[eselma]

Today there was a new kernel to update (4.9.65-3+deb9u2). Do not know if it is related to a new patch trying to fix the recent vulnerability in some recent x86 CPUs (not only intel ones).

After downloading the intel tool to detect this flaw (intel_sa00086.py), either 4.9.0-4 or 4.9.0-5 appears to be vulnerable, according this tool. Anybody knows the state of this patch with Debian/Solydxk kernels?

Thanks in advance for your comments.

[bas_otten]

This latest kernel you are referring to is related to the Intel-only Meltdown vulnerability.
For the general processor Spectre vulnerability there is not a fix available at this time.
See https://www.debian.org/security/2018/dsa-4078.

[smitty1]

The update today installed linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) which is the fixed version for stretch, according to https://security-tracker.debian.org/tracker/DSA-4078-1.
See also https://security-tracker.debian.org/tra ... -2017-5754.

[eselma]

Many thanks for your answers, Bas_oten and smitty. This was what I presumed.
Anyway, the output of the test utility says:

Code: Select all

*** Host Computer Information ***
Name: orion
Manufacturer: MSI
Model: MS-7793
Processor Name: AMD A10-6800K APU with Radeon(tm) HD Graphics
OS Version: SolydXK 9 solydxk-9 (4.9.0-5-amd64)
*** Risk Assessment ***
Detection Error: This system may be vulnerable,
  either the Intel(R) MEI/TXEI driver is not installed
  (available from your system manufacturer)
  or the system manufacturer does not permit access
  to the ME/TXE from the host driver.

As you can see, my CPU is AMD, but is said that any x86 CPU (including Atom) and even some ARM) are vulnerable to this flaw.
Do you know any utility suitable for this CPU?

Thanks again.

[ilu]

@eselma: The tool is not working on your AMD cpu, that's all the message says.

If I understand correctly spectre is still completely unfixed for either Intel, AMD or ARM. Page table isolation (PTI) is only against meltdown and thus solely relevant for Intel cpus. But I might be wrong.

This is the debian CVE for meltdown - Intel only: https://security-tracker.debian.org/tra ... -2017-5754
This is the debian CVE for spectre - all cpu https://security-tracker.debian.org/tra ... -2017-5715

Can somebody clarify which bug is mitigated by PTI and whether this fix is applied to the kernel in general or only on the kernel modules for Intel CPUs? Should AMD and ARM users set the nopti boot parameter to avoid unnecessary slowdown?

[ScottQuier]

After downloading the intel tool to detect this flaw (intel_sa00086.py), either 4.9.0-4 or 4.9.0-5 appears to be vulnerable, according this tool. Anybody knows the state of this patch with Debian/Solydxk kernels?

Thanks in advance for your comments.

I, also, downloaded the script and ran it against both 4.9.65-3+deb9u1 and 4.9.65-3+deb9u2 and got similar results:

Code: Select all

INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.152
Scan date: 2018-01-05 19:17:08 GMT

*** Host Computer Information ***
Name: sagerk
Manufacturer: Notebook
Model: W65_67SZ
Processor Name: Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
OS Version: SolydXK 9 solydxk-9 (4.9.0-4-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.0.20.1447
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

Both kernels were/are noted as being "not vulnerable".

I'm confused.....

[kurotsugi]

AFAIK PTI only fix meltdown. OTOH we didn't have any solution for spectre yet. as long as we exclusively only use softwares from the official repo, we'll be relatively safe. though, I don't know much about the possibility of attack from websites. theorically our browser has it's own sandboxing mechanism but since we're dealing with hardware issue, there's a possibility that the sandboxing mechanism didn't work.

[bas_otten]

Can somebody clarify which bug is mitigated by PTI and whether this fix is applied to the kernel in general or only on the kernel modules for Intel CPUs? Should AMD and ARM users set the nopti boot parameter to avoid unnecessary slowdown?

It is just the nature of these vulnerabilities that PTI only eliminates the Meltdown vulnerability. For Spectre there is no patch yet, and there does not seem to be information so far in what area of the kernel this patch needs to be implemented. Both patches, however, are only software-workarounds for what basically is a hardware/firmware issue. The PTI patch, for instance, only prevents the Meltdown vulnerability from being exploitable.
As far as I can see from the kernel-configuration and what I have been reading in https://en.wikipedia.org/wiki/Kernel_pa ... _isolation, the PTI-patch is applied into the kernel generically. Using the boot-parameter nopti on non-Intel systems will not make you vulnerable to the same degree as on Intel systems, but it is still recommended to leave PTI on, citing the wikipedia link: "However, AMD processors are still susceptible to KASLR bypass when KPTI is disabled".

Both kernels were/are noted as being "not vulnerable".
I'm confused...

I am pretty sure that the Intel Detection Tool only assesses your system hardware/firmware-wise. The root-cause vulnerability essentially is and remains present (or not, as I find surprising in your case!). Whether you have a kernel running that has a software-workaround-patch on it that prevents the vulnerability from being exploitable is a wholly different view on the subject. In my case, both with the previous and the latest kernel, the Intel Tool indicates my system is vulnerable.

In any case you can check whether you are safe from Meltdown exploitation by issuing the following command to see if PTI is enabled:

Code: Select all

root@bashost:/ #>>> dmesg | grep 'page tables isolation'
[    0.000000] Kernel/User page tables isolation: enabled

The output will only be exactly like this when you are on the latest kernel that has the PTI patch and do not have the nopti boot-parameter active.
EDIT: this is true when on Intel, on AMD this is intentionally disabled by default.

[grizzler]

The SA-00086 tool has absolutely nothing to do with Meltdown/Spectre. It's about the Intel Management Engine issue that came up earlier.

https://www.wired.com/story/intel-manag ... rvers-iot/
https://hackaday.com/2017/12/11/what-yo ... nt-engine/
https://www.intel.com/content/www/us/en ... tware.html

[eselma]

The SA-00086 tool has absolutely nothing to do with Meltdown/Spectre. It's about the Intel Management Engine issue that came up earlier.

Ooops! That explains a lot of things, specially the references to 'ME/TXE' in the output.

Sorry for having misguided someone. I got the reference of this test from another forum. Thanks for clarifying this, Grizzler.

[bas_otten]

You are right, @grizzler, thanx !
To avoid confusion, I edited my post above, indicating which paragraph is [wrong].
I was actually looking for strikethrough, but not all BBCode parses this;-)

[Arjen Balfoort]

You are right, @grizzler, thanx !
To avoid confusion, I edited my post above, indicating which paragraph is [wrong].
I was actually looking for strikethrough, but not all BBCode parses this;-)

I never realised there was no strike through in our forum. Well now there is!

[bas_otten]

I never realised there was no strike through in our forum. Well now there is!

Fancy that, so quickly! Nice
Re-edited my post above to use it.

[eselma]

All right. So, I tried your suggestion (with newer kernel):

Code: Select all

[root@orion eselma]# dmesg | grep 'page tables isolation'
[    0.000000] Kernel/User page tables isolation: disabled

Well, disabled should mean safe. I did not put the argument 'nopti' in grub.cfg

[bas_otten]

I was going to say: you are not safe because PTI should be enabled. But, I checked on my old AMD-desktop and it shows that, apparently, the kernel has a routine that checks the CPU-brand and only enables PTI by default when on Intel. As you, @eselma, are on AMD, this will be the intended behaviour, and you are safe. This also answers @ilu's earlier question more specifically: AMD users need not explicitely specify nopti and will not suffer unnecessary performance impact. I'll go strikeout one more paragraph of my post today

[ilu]

Thank you very much for your research basotten.

[eselma]

Thank you very much for your research bas_otten.

+1

[bas_otten]

You're welcome!

[Arjen Balfoort]

Just thought to share this with you.

I tweeted Asus to ask whether or not there's going to be a BIOS update to address the Meltdown and Spectre vulnerabilities. This was the first reply:

I think no BIOS update can mitigate this issues. Linux kernels have been updated with KPTI and Retpoline which is the only way to protect your computer at the moment.

I then told them that I hoped it could have been solved by a BIOS update because of the performance impact a software solution would have. This was their last response:

The problem is the BIOS is not responsible of managing memory access, nor the CPU, as it is mostly a software concept, and therefore OS dependent, even application dependent as Firefox or Chrome had to fix it too. As for performance lose, it is not as dramatic.

[Arjen Balfoort]

I've also run this script: https://www.cyberciti.biz/faq/check-lin ... erability/

My current output:

Code: Select all

Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64                                                                                             
CPU is Intel(R) Core(TM) i7-4785T CPU @ 2.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)