Linux Lite Forums
General => Security & Bug Fixes => Topic started by: Ottawagrant on January 03, 2018, 11:36:05 AM
-
Happy New Year Everyone:
What better way to ring in 2018 than to scramble and fix a ten-year-old security flaw in the processor.
There is a kernel memory leak in Intel processors' design that now puts Windows and Linux users in harm's way as programmers rush to apply patches as quickly as possible.
https://www.onmsft.com/news/intels-kernel-memory-leak-flaw-forces-microsoft-others-to-apply-performance-slowing-patch (https://www.onmsft.com/news/intels-kernel-memory-leak-flaw-forces-microsoft-others-to-apply-performance-slowing-patch)
But wait!
As for Linux users, there are patches for the Linux kernel available now.
-
Which means?
Just keep loading LL updates and all will be solved??
-
A good, simple breakdown:
https://www.youtube.com/watch?v=lsQAGqMaXi0
-
(https://img.memecdn.com/saw-a-video-benchmarking-an-amd-and-intel-cpu-s-where-the-later-obtained-a-higher-score_o_4444517.jpg)
-
@Jerry, watched video but it was beyond my understanding. :-[ Glad my main computer is AMD based on the recommendations of the ghost formerly known as Spatry. ;)
-
The video lost me about 10 seconds after it started. I have no idea what he is talking about.
-
Thanks for this. Though I'm not sure how well I understand some parts.
In essence, and from technical news posts, my understanding is that (anyone has better knowledge may correct me):-
- Intel processors since the 1990s are vulnerable to this because of using the "speculative" approach. But cancelling this approach can greatly slow processing in processor-intensive tasks.
- AMD processors are technically unknown according to some reports, and unaffected by others; and possibly affected in their own right by others (I don't have the sources to hand). My take is that it is unknown/thought unlikely to affect AMD processors.
- My take is also that it requires local access to exploit (as known at the moment), but whether that will continue the case isn't reported on in the items I've read.
- This has been known about for some time.
- The problem requires fixing at the OS level.
I'm presuming that using Intel processors with the current kernel 4.4.x series in Linux Lite leaves it theoretically vulnerable; though I understand that at present there is no malware exploiting the problem?
-
This may or may not help explain things......https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html
-
OK.
I've had a few minutes to research this further, since coming to it myself for the first time this morning.
There are two bugs reported: MELTDOWN and SPECTRE. According to Wikipedia:-
"The Meltdown vulnerability can be thought of as a particularly easy and efficient-to-implement special case of Spectre." Note that there is no citation and it is reported as needing one; indeed citation is lacking in the Spectre entry at this time.
"Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."
Spectre affects Intel, AMD and ARM processors.
"[Meltdown] was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754."
Meltdown affects Intel processors and "does not seem to affect AMD microprocessors".
The Wikipedia entries are at:-
https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
There is a website for Meltdown and Spectre (which both Wikipedia articles label as the "official website") at:
https://meltdownattack.com/
Hope this helps, though I'm still reading up on it at the moment.
-
I have two Windows 10 machines that have been already patched (both originally developer/insider mode) and have had no problems so far, and no noticeable performance issues though there are reports of some VM complications elsewhere. In the case of Linux this is another OEM hardware nuisance which like all such nuisances diffuses down to ordinary users with some over-reaction. Spectre is a threat to ordinary users but only on multi-user boxes, i.e. do you trust your wife? I played around with this issue some years back on a Suse Linux system I administered. It has been known in some form or another for quite a while, but developers never looked at it as particularly threatening. It's the nature of CPUs themselves to not be secure, and again this problem lies within the whole idea of low level proprietary code. It should be a legal issue with tart recourse to the courts, but who's big enough to sue, maybe Google, or Amazon. Big business is a strangely esoteric political beast here in the US - The government bails out GM but upholds a billion dollar penalty against Ford for bad tires. I can't think of a company in recent history that deserved a class action suit against them more than Intel. As far as civil disobedience perhaps a well organized boycott of Google and Amazon would do the trick but in a lot of ways consumerism is an addiction so that would be awfully hard to organize. Buying a computer for your kids to use is a lot like taking your kids to the doctor. The difference is that most doctors live by a code of ethics, while OEM hardware is produced with an eye to insulating the developers from any liability. Intel developers don't need malpractice insurance. Intel is so big and internationalized that the US government must cast a wary eye on their hardware to protect itself. I have often thought that the first line of recourse for the government is to use the SEC to suspend trading of Intel, and then go from there.
TC
Additionally: "News" of this is hardly new. Only the exploit news part of it, which was held back by Google in agreement with Intel. I highly doubt that AMD is not vulnerable with a modified version. Any 64bit multi-core cached CPU is vulnerable. This has always been known of speculative processes. The bigger the processor the greater the possibility of stealing information. That is the only reason this has suddenly become important. CPUs are finally big enough to cough up and spew considerable information via the hack. Hilariously the hack will still work even with the patch by simply falling back to the old kernel address system. It is not a permanent solution. The permanent solution is full and complete free access to CPU microcode.
-
Meh,
~$ inxi -f
CPU: Single core AMD Athlon 64 3800+ (-UP-) cache: 512 KB
speed/max: 1000/2400 MHz
CPU Flags: 3dnow 3dnowext 3dnowprefetch apic clflush cmov
cr8_legacy cx16 cx8 de extapic extd_apicid fpu fxsr fxsr_opt
lahf_lm lm mca mce mmx mmxext msr mtrr nopl nx pae pat pge pni pse
pse36 rdtscp rep_good sep sse sse2 svm syscall tsc vme vmmcall
$ inxi -S
System: Host: biker Kernel: 4.4.0-104-generic x86_64 (64 bit)
Desktop: Xfce 4.12.3 Distro: Ubuntu 16.04 xenial
$ cat /etc/llver
Linux Lite 3.6
Edit: Just to explain myself. In my area, I am more likely to have my car stereo stolen than this exploit to take hold on my computers.
I care more about the stereo.
-
Just to explain myself. In my area, I am more likely to have my car stereo stolen than this exploit to take hold on my computers.
I care more about the stereo.
Indeed. Are hackers going to target Joe Nothing living at 123 Who Cares Street or do they have juicier targets?
Sent from my Mobile phone using Tapatalk
-
Ubuntu plan to release Kernel updates early next week, in or around the 9th.
Sent from my Mobile phone using Tapatalk
-
An update on (hopefully) reputable and authoritative information sources this morning regarding Meltdown and Spectre.
Personally I agree with Jerry: Don't panic - there is no known malware exploiting these yet. Meltdown looks specific to Intel, and is the "easier" both to exploit and to patch; Spectre affects many more processors (including ARM and AMD as well as Intel), and is both harder to exploit and patch. At least according to these websites.
BBC News has two articles which may be of interest (the second if you are also an Apple user):
http://www.bbc.co.uk/news/technology-42562303
http://www.bbc.co.uk/news/technology-42575033
Leading cryptography expert Bruce Schneier says he plans to write more soon on his blog, and has a brief summary of the technical issue that is easy to read:
https://www.schneier.com/
4.4.x series updated in Kernel 4.4.109 (among other versions):
https://fullcirclemagazine.org/2018/01/04/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw/
The Department of Homeland Security (USA) website contains additional information on the general problem, as well as links to vendor-specific information:
https://www.us-cert.gov/ncas/alerts/TA18-004A
Threatpost has details on ARM and AMD chips not affected by Spectre (according to the manufacturers) among other things:
https://threatpost.com/vendors-share-patch-updates-on-spectre-and-meltdown-mitigation-efforts/129307/
Happy Computing! :)
-
If you wanna do a quick check on your own. Just for peace of mind I guess.
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
<use sudo in Linux Lite>
Linus Torvalds thoughts on all of this hoopla.
https://lkml.org/lkml/2018/1/3/797 (https://lkml.org/lkml/2018/1/3/797)
-
To sum up myself: a nuisance with a price tag in manhours and compute time, and a bad business practice from a company (Intel) that continues to operate above the law, and a community wide bandwagon of denial that everyone has been riding on for at least 10 years that I know of in the name of progress. Ethically speaking it is akin to testing drugs on people without having to pay them for the use of their body, claimed to be for the greater good of humanity. Driving at high speed is fun as long as your brakes work properly. Ethics are the brakes.
TC
https://www.intel.com/content/www/us/en/policy/policy-code-conduct-corporate-information.html
Read the section on privacy.
-
So... if I am reading this right, we are going to get a software fix for a faulty hardware problem? ::)
-
The Linus Torvalds email message is well worth reading; quote:
"I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed."
Designed. Yes, in this instance the company is telling the truth.
-
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.
Exactly who is the "entire industry" that so agreeably decided not to publish? Why is it "improper" to publish concerning a vulnerability, especially one that has been speculated about for years? Why would the US government drag its feet all this time? In fact Amazon (the only one that admits it "officially") was aware nearly two years ago. Suse Enterprise and RHEL well before that (which could arguably mean the whole Linux community). Why not publish? Proof of concept was obvious long ago. A working exploit was unnecessary. Why would the whole "white hat" community be coerced and/or intimidated by Intel not to publish? Intel's system of partnerships and non-disclosure agreements violates so many laws in the US that it is literally an issue for the ACLU, yet no one ever attempts to call them out. They are in general a national security issue for the US. Enough is enough. Funny how the announcement didn't leak until after the Christmas buying season, a shame too. A good deep public panic would have given the WWW a much needed enema.
http://www.techradar.com/news/computing-components/processors/need-for-speed-a-history-of-overclocking-540671/2 (http://www.techradar.com/news/computing-components/processors/need-for-speed-a-history-of-overclocking-540671/2)
I honestly remember being aware of this issue sometime around 2001 and having a discussion about it with some other hobbyists from that era. We considered it trivial at the time, but I reported it via e-mail to Suse. I can't remember what ISP I had at the time (the one from Ohio, not AOL and not Prodigy). I wish I could, because other hobbyist over-clockers at the time were aware of it as well. There is a history of awareness of this flaw that goes back at least 15 years and eventually it's going to appear, taking away Intel's hope of any plausible denial.
TC
-
As interesting as all this is, and no doubt will become more interesting now as it all unfolds in the future, I can't say I'm surprised.
Big business usually doesn't give a sh*t about anything but big business.
I'd near bet if they weren't caught with their pants down it wouldn't have been published at all.
-
(Intel CEO) Krzanich said the entire industry was planning to publish the data security issue once the fix was in place — but the problem leaked early.
"Why did it leak ahead of time? Somebody was doing some updates on a Linux kernel and they improperly posted that this was due to this flaw," Krzanich said.
TC
I like the quote, it'll be good for paraphrasing - "(Intel CEO) Krzanich said, everything was fine until those rebellious Linux geeks moved their fingers"
-
Ultimately the issue of computer security, in any sense whatsoever, is open source code. Speculative execution would not be a security issue at all if the processor code was open source. You cannot compare for bit parity for binaries you cannot access. We banged this around years ago and recommended dual CPU's and one bank of protected memory for low level binary comparisons. As long as OEM vendors refuse access to binary setups there is no solution that will ever be secure. The amount of patching in Debian is probably headed for fifty different specific application instances. At the high end, giant service providers are going to absorb a big hit and be forced to purchase more rack space to deal with the performance issues this ridiculous proprietary policy has caused. Intel's partnerships are just extortion in this sense and always have been.
TC
-
8) I am not too freaked out by all this. A flaw since what, 1995? Wow, ok. I suffered viruses through the years since Windows 98SE, so again, not too freaked out by this.
??? Anyway, has Linux Lite released some updates on this issue for Linux Lite 3.6?
My Windows 10 machine has been fixed by me, ha ha, it was an outdated driver issue. Now ready to bring back down my Linux machine from upstairs and plug it back in... I miss my Linux.
Windows is for my husband; he so far has no problems with my machine, but he is a cave man and needs more how-to attention...
-
Class Action investigation against Intel, the first taker.
https://www.bgandg.com/intc (https://www.bgandg.com/intc)
A pdf copy of the action is available on the page.
From 2005 MIT:
https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-823-computer-system-architecture-fall-2005/lecture-notes/l13_brnchpred.pdf
TC
-
Interesting catch! Thanks, Trinidad, for both of these.
-
Krzanich talks his book, but will he walk the (perp) walk?
https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw (https://www.zerohedge.com/news/2018-01-08/it-doesnt-look-good-intel-ceo-jeopardy-selling-stock-after-learning-staggering-flaw)
Bring Comey back - why, he wiped the floor with Martha Stewart!
-
Ubuntu plan to release Kernel updates early next week, in or around the 9th.
Do we have any news on the status of Ubuntu kernel updates to fix this issue?
-
Kernel 4.4.0-109.132 is out for LTS. Fix for Meltdown began at .131 I believe. This is not a complete fix-all for Ubuntu OS. Older hardware will not respond to the update in many cases because of incomplete firmware. This whole thing is an ugly ugly mess for Debian. The main issue will be for people who run older hardware without firmware updates, and connect to virtual server instances that have firmware updates. They may find they cannot connect to their server. Exploit 1 of Spectre is already mitigated in Firefox but exploit 2 will not be fully mitigated for quite some time and people with older hardware may find themselves out of luck. If you are running anti-virus your provider will have had to issue a flag to your system to install the changes. I have some reticence about installing the Meltdown mitigations at all, given other issues with Intel. I am slowly working my way through all the documentation on the exploits, but a cursory examination makes me a little itchy, given the impact on some common server administration tools, and given Intel's other issues I am not so sure that the mitigation for Meltdown will not open a wider door for Spectre exploit 2 due to a lack of pointer obfuscation. I don't think there's any need for home users to rush into this at this point other than the virtual server connection issues. Let the industry giants worry about it, and let Debian run its course through the mess the Debian way -- slowly via the community. There may be a worst case scenario for all of this akin to emission testing for automobiles.
TC
-
Thanks TC :)
-
Thanks Trinidad. For the uninitiated, such as myself:
Does this Virtual Server vulnerability mean:
a) Contacting/using cloud storage is a possible vulnerability.
b) Connection to online banking could be vulnerable.
c) Ditto online payment transaction such as Amazon, Paypal etc even though they are supposedly "locked" = https://
d) The connection process to "home" wifi is vulnerable even with proper WPA/WPA2 activated?
Is this another case of Year 2000 "panic" or a realistic potential threat?
Thanks
-
I read one article referred to me about the whole issue but it only mentions Intel/AMD "Server" CPUs and ARM CPUs. Atoms are not affected(?).
@trinidad, from your readings, are standard desktop/laptop CPUs affected or not?
This whole issue went kaboom all over the place... hard to find clear info.
Nothing better for something to get popular than big companies trying to keep it quiet. ;)
Cheers!
-
Certainly not a panic issue for home users of any OS, at least in the present definition of what security is. There is no doubt that it could prove to be a real pain down the road (depending on the provider) for small businesses using older Intel hardware who have purchased virtual space on a server, in that there is a real possibility that their hardware will no longer be able to log onto their server space which is likely to have the Intel firmware updates, kind of like the changes made to Firefox last summer involving secure connections. If there is no Intel firmware update available for your hardware you may find yourself not able to log onto virtual server space you have paid for that has the Intel firmware updates. That is just the first problem users of Ubuntu, Windows 7, 8.1, Debian, Mac OS, and others running on older Intel hardware will run up against. It is a security issue for industry leaders using Intel hardware to run big server arrays. People like RHEL, Suse Enterprise, Microsoft, and Ubuntu and Debian as well. However, and it's a big however, I would argue at this point that this is a rush toward an appearance of better security, but not as grave as it seems in the news. Furthermore given the security measures available to most good administrators, it is a highly unlikely hack unless of course you operate with seriously unvetted administrators. The winners here are likely to turn out to be Intel and Microsoft in the end, given the planned obsolescence model of business they use. Want to use our Intel servers? Upgrade your firmware. It seems too brilliant of a business ploy to be anything other than a business ploy. That aside I am not satisfied at all with the mitigations in Linux for Meltdown as I and a lot of other people think the action is too extreme, given the necessity of then having to deal with proprietary firmware updates. We all need to take a deep breath here and take the time to study the mitigations thoroughly.
It has been proved time and time again that computing security is best enabled via the open source community, period.
TC
-
Few new things:
Have not tested this but the script should work on normal Linux OS. Those of you who want to check kernels may want to try it.
https://github.com/speed47/spectre-meltdown-checker
So far it seems that the version of the LTS 4.4 kernel 109.132 does not brick some older boards the way .108 does. I am running it on a six year old Intel Dell. Will be looking at Qemu this afternoon to see how broken it is. MS patches have been bricking things all over the place and literally locking Windows 7 and 10 on older hardware to junk. If you are on Windows 7 do NOT install the patch. The patching for this mess in general is running below 50% success rate on older hardware. Best to be patient. These whiz kids who published this worked from a 2005 research paper to begin with. The generation gap is obvious concerning this. If you are just a home user, and do not maintain a server presence, I wouldn't bother with a patch just yet. This vulnerability affects the core infrastructure of the web and there is little you can do about that. IMHO I think it may turn out to be the biggest tech bloodbath in history by the end of the year with a myriad of on again off again failed fixes. If you are just a home user take heart, you are a consumer, and that is what built it all.
TC
-
IMHO I think it may turn out to be the biggest tech bloodbath in history by the end of the year...
TC
It already is.
-
Any idea which Intel chips are considered to be vulnerable to updates?
-
No comprehensive info on that yet. MS patches have cooked a bunch of different boards already, and withdrew some patches. Early losses will be unpredictable, about like a blind machine gunner firing into a crowd.
TC
-
So are we safe in continuing to update LL; i.e no chance of "junking" our older hardware??
-
If you wanna do a quick check on your own. Just for peace of mind I guess.
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
<use sudo in Linux Lite>
RESULT
-Ultra-slim-Desktop:~$ sudo dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
[sudo] password for linuxlite:
5000000+0 records in
5000000+0 records out
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 21.1723 s, 121 MB/s
-Ultra-slim-Desktop:~$
So what does this mean in the scheme of things please?
-
If you wanna do a quick check on your own. Just for peace of mind I guess.
dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
<use sudo in Linux Lite>
RESULT
-Ultra-slim-Desktop:~$ sudo dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
[sudo] password for linuxlite:
5000000+0 records in
5000000+0 records out
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 21.1723 s, 121 MB/s
-Ultra-slim-Desktop:~$
So what does this mean in the scheme of things please?
For starters. Simple answer. 121 MB/s is OK and means no memory leak.
I have been busy changing kernels in my gear and using patched kernels from Debian and AntiX to make the point of this thread moot in my case usage.
Like on this IBM T23 Laptop that Linux Lite won't run on. Due to age of gear and hardware limitations. Posting this reply in Netsurf browser. No Java or Flashplayer Plugin touches this laptop.
harry@biker:~
$ inxi -M
Machine: Device: laptop System: IBM product: 26474MU serial: N/A
Mobo: IBM model: 26474MU serial: N/A
BIOS: IBM v: 1AET64WW (1.20 ) date: 10/18/2006
harry@biker:~
$ inxi -f
CPU: Single core Mobile Intel Pentium III - M (-UP-) cache: 512 KB
CPU Flags: cmov cx8 de eagerfpu fpu fxsr mca mce mmx msr mtrr pae pge pse
pse36 sep sse tsc vme
harry@biker:~
$ uname -a
Linux biker 4.9.75-antix.2-486-smp #2 SMP Tue Jan 9 15:22:47 EST 2018 i686 GNU/Linux
harry@biker:~
$
Ubuntu will make this thread moot also when their patched kernels are available also.
Your gear is untouched from what I can tell from your readout. I'll run that command on my IBM T23 Laptop. Which is way way slower and weaker than your gear. It uses a intel cpu also though.
# dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000
5000000+0 records in
5000000+0 records out
2560000000 bytes (2.6 GB, 2.4 GiB) copied, 68.3041 s, 37.5 MB/s
As you can tell from the readout I gave as a comparison, mine is fine also for the age of this gear. If I got something like 5 MB/s, then I'd worry. If it took like 10 minutes to copy, that would concern me also.
-
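The dd figures above measure how fast the disk accepts a 2.6 GB write; they do not show whether the running kernel has the Meltdown (KPTI) or Spectre mitigations active. The kernel reports that itself in /sys/devices/system/cpu/vulnerabilities (files meltdown, spectre_v1, spectre_v2, added in Linux 4.15 and backported to the stable series; a kernel without the directory simply cannot answer, and the spectre-meltdown-checker script is the fallback there). The following is an added example written for this thread, not a tool from Linux Lite, Ubuntu or anyone quoted here; the sysfs path and the three file names are the kernel's, the classification strings ("Not affected", "Mitigation: ...", "Vulnerable") are the kernel's wording, and the exit-code convention is my own choice:

```c
/* Added example (not from the thread): read the kernel's own Meltdown/Spectre
 * status from /sys/devices/system/cpu/vulnerabilities. Present since Linux
 * 4.15 and in stable backports; older kernels simply lack the directory. */
#include <stdio.h>
#include <string.h>

enum vuln_status { VULN_UNKNOWN, VULN_NOT_AFFECTED, VULN_MITIGATED, VULN_VULNERABLE };

/* Kernel's location; check_file() takes the directory as a parameter so the
 * parser can also be run against a saved copy of the files. */
#define SYSFS_VULN_DIR "/sys/devices/system/cpu/vulnerabilities"

/* Classify one line of sysfs output. The kernel prints "Not affected",
 * "Mitigation: <name>" or "Vulnerable" (optionally followed by details). */
enum vuln_status classify(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0)
        return VULN_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)
        return VULN_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)
        return VULN_VULNERABLE;
    return VULN_UNKNOWN;
}

/* Read dir/name into buf (newline stripped) and classify it. A missing file
 * (kernel too old, or variant not reported) yields VULN_UNKNOWN, which is
 * deliberately not treated as "safe". */
enum vuln_status check_file(const char *dir, const char *name, char *buf, size_t buflen)
{
    char path[512];
    FILE *f;

    buf[0] = '\0';
    snprintf(path, sizeof path, "%s/%s", dir, name);
    f = fopen(path, "r");
    if (!f)
        return VULN_UNKNOWN;
    if (!fgets(buf, (int)buflen, f)) {
        fclose(f);
        return VULN_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify(buf);
}

static const char *status_name(enum vuln_status s)
{
    switch (s) {
    case VULN_NOT_AFFECTED: return "not affected";
    case VULN_MITIGATED:    return "mitigated";
    case VULN_VULNERABLE:   return "VULNERABLE";
    default:                return "unknown (no sysfs report on this kernel)";
    }
}

int main(void)
{
    /* Variant 1 = spectre_v1 (CVE-2017-5753), variant 2 = spectre_v2
     * (CVE-2017-5715), variant 3 = meltdown (CVE-2017-5754). */
    static const char *const names[] = { "spectre_v1", "spectre_v2", "meltdown" };
    char buf[256];
    int bad = 0;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum vuln_status s = check_file(SYSFS_VULN_DIR, names[i], buf, sizeof buf);
        printf("%-10s %-12s %s\n", names[i], status_name(s), buf);
        if (s == VULN_VULNERABLE || s == VULN_UNKNOWN)
            bad = 1;
    }
    return bad; /* non-zero exit if anything is vulnerable or unreported */
}
```

Compile with `gcc -Wall -o vulncheck vulncheck.c` and run as an ordinary user; the files are world-readable. On a patched 4.4 LTS kernel the meltdown line reads "Mitigation: PTI", which is what the checker screenshots in this thread report as "not vulnerable" for variant 3.
-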
I heard you on the wireless back in fifty two
Lying awake intent at tuning in on you
If I was young it didn't stop you coming through
They took the credit for your second symphony
Rewritten by machine and new technology
And now I understand the problems you can see
Oh-a oh
I met your children
Oh-a oh
What did you tell them?
Video killed the radio star
Video killed the radio star
Pictures came and broke your heart
Oh-a-a-a oh
And now we meet in an abandoned studio
We hear the playback and it seems so long ago
And you remember the jingles used to go
Oh-a oh
You were the first one
Oh-a oh
You were the last one
Video killed the radio star
Video killed the radio star
In my mind and in my car
We can't rewind we've gone too far
Oh-a-aho oh
Oh-a-aho oh
Video killed the radio star
Video killed the radio star
In my mind and in my car
We can't rewind we've gone too far
Pictures came and broke your heart
Put the blame on VTR
https://www.youtube.com/watch?v=Iwuy4hHO3YQ
Don't look back. You're not going that way.
TC
-
Hey T what are you on :) All this blown your circuits?? :)
-
Hey T what are you on :) All this blown your circuits?? :)
My take and sense of humor is his clever way of describing how video killed the function of my IBM T23 laptop.
Only way I can watch YouTube on a Pentium 3 is with livestreamer tied into streamlight-antix.
Livestreamer is a Command Line Interface that extracts video
streams from various services and hands them to a video player,
such as VLC. The main purpose of Livestreamer is to allow the
user to avoid buggy and CPU heavy flash plugins but still
be able to enjoy various streamed content.
Currently most of the big streaming services are supported
(e.g. Dailymotion, Livestream, Justin.tv, Twitch, YouTube Live
and UStream) and more specialized content providers can be
added easily using Livestreamer’s plugin system.
streamlight-antix
An easy way to play or download antiX help videos from Youtube without using a modern, heavyweight, web browser.
Hope I guessed right. Kinda off topic. But I don't care. :P
-
Actually if we consider the fundamental ethical business model of the proprietary computer industry we can derive the credo: "Don't look back. You're not going that way." though Rok's take is perfectly funny too. Rush to development is what this mess is all about. I believe a cautionary approach is better, given that this flaw involves proprietary code that has such a cross platform impact and scope. The best approach would be for Intel to release open source CPU code, not expect software modification. Some say Linux in general would be better off to drag its feet a little with this issue and consider a little more in depth what the suggested mitigations might open a door to. Could be a bad moon rising.
TC
-
FYI - Ubuntu making some head way here:
(https://i.imgur.com/d3bd6Ik.png)
-
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html?sf178994854=1
-
Nasty little side effects. With the Meltdown mitigations on both kernels, .109 in the Ubuntu LTS base system and .110 in LL running in Qemu, I'm running right around a 38% increase in RAM usage with heavy IO (noted while updating from .109 to .110 in LL running in Qemu), CPU bouncing between 70% and 90%. RAM usage never exceeded 50% before.
Settled back a bit after rebooting both. Only about 15% higher than before, running Firefox in both systems simultaneously.
TC
-
View from DW - https://distrowatch.com/weekly.php?issue=20180115#qa
-
I've read them both before Jerry. Glad Distrowatch has made the info easy to access. Spectre is a threat to high end proprietary security measures like AV and anti-malware deployments that use CPU sandboxing, and is also able to produce DoS exploits via bit flipping exploits akin to the rowhammer concept. Every existing CPU protection/monitoring gadget is open to exploit this way. It is the ultimate back door. I am avoiding being technical until I'm ready with my own conclusions.
TC
-
https://community.sophos.com/kb/en-us/128053 - Its relevance to LL or Debian distros is beyond me I am afraid. May be of help to our "knowledgeable ones" though
-
I've tested the Meltdown Spectre checker from github and the Ubuntu commands on this page and they work.
https://www.ostechnix.com/check-meltdown-spectre-vulnerabilities-patch-linux/
TC
-
This whole post was wrong. I've worked on 38 different machines in the last four days and my head is tired and my laptop notes completely jumbled. So far I can say that the Meltdown mitigation (KPTI) has yet to roll out for LTS 32bit, and the Spectre v1 mitigation has yet to roll out for Ubuntu LTS 64bit though it is in place in LL 32bit. Some 32bit machines I have tested have 800 code ops in place for Spectre v1. I expect this number is excessive for big 64bit systems thus the delay. So generally: 32bit is safe from Spectre v1 so far, and 64bit has KPTI mitigation. Sorry for the previous error. I'm stopping for today now.
TC
-
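The "code ops" mentioned above for Spectre v1 are the per-site fixes the kernel reports in sysfs as "Mitigation: __user pointer sanitization": wherever an untrusted index passes a bounds check and then feeds a memory load, the index is masked with array_index_nospec() (include/linux/nospec.h) so that a mispredicted branch still cannot use an out-of-range value. The block below is an added example for this thread, not code from Linux Lite, Ubuntu or any poster; the mask formula is the kernel's generic C fallback, the victim_unsafe() shape follows the published Spectre paper's victim function, and the two arrays are constructed sample data. It shows the architectural behaviour of the mask; it does not perform the cache-timing measurement that an actual attack needs.

```c
/* Added example (not from the thread): the shape of a Spectre variant 1
 * (CVE-2017-5753) gadget and the index-masking fix the kernel uses
 * (array_index_nospec in include/linux/nospec.h). Arrays are sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * 8)

/* Generic mask from the kernel: all ones when index < size, zero otherwise.
 * Pure arithmetic, no branch, so it holds on a mispredicted path too.
 * Requires size <= LONG_MAX. */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

static inline unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed sample data: a small attacker-indexable array and a large
 * array whose cache-line footprint would carry the leaked byte. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * 64];

/* Vulnerable pattern: the bounds check is correct architecturally, but a
 * trained predictor can execute the two dependent loads speculatively with an
 * out-of-range idx, pulling array2[secret * 64] into cache before the branch
 * resolves and leaving a timing trace an attacker can read back. */
uint8_t victim_unsafe(size_t idx)
{
    if (idx < ARRAY1_SIZE)
        return array2[array1[idx] * 64];
    return 0;
}

/* Hardened: clamp idx to 0 on the out-of-range path before it feeds a load,
 * so even a mispredicted branch reads array1[0], not attacker-chosen memory. */
uint8_t victim_safe(size_t idx)
{
    if (idx < ARRAY1_SIZE) {
        idx = array_index_nospec(idx, ARRAY1_SIZE);
        return array2[array1[idx] * 64];
    }
    return 0;
}

/* The index the load would actually use after masking, for any idx. */
unsigned long effective_index(size_t idx)
{
    return array_index_nospec(idx, ARRAY1_SIZE);
}

int main(void)
{
    printf("mask(3,16)=%lx mask(16,16)=%lx mask(~0,16)=%lx\n",
           array_index_mask_nospec(3, 16), array_index_mask_nospec(16, 16),
           array_index_mask_nospec(~0UL, 16));
    printf("effective index for 7: %lu, for 1000: %lu\n",
           effective_index(7), effective_index(1000));
    return 0;
}
```

On x86 the kernel replaces the generic formula with a cmp/sbb sequence of the same meaning; the C version is enough to see why the masked index can never exceed the array on any execution path, which is the property a conditional branch alone does not give.
-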
@trinidad - I also concur that the Distrowatch article is one of the easiest on the brain! ;)
Also, I must say trinidad that you are quite the "machine" on this technical subject! ;) again.
Cheers!
-
Even easier script. Download - https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated (https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated)
Extract and double click on sm-start to run the checker. Let me know how this goes.
(https://i.imgur.com/iByFcgd.gif)
-
I have this with kernel 4.10 (Lite)
Should I go back to Kernel 4.4.0?
(http://i253.photobucket.com/albums/hh80/bfb_album/Screenshot_2018-01-17_14-19-28_zpsacu6tfpv.png) (http://s253.photobucket.com/user/bfb_album/media/Screenshot_2018-01-17_14-19-28_zpsacu6tfpv.png.html)
-
4.4 LTS has KPTI rev -109 and above. LL is on rev -111 now.
TC
-
News: Write to the congressman.
https://imgur.com/a/4IoTC (https://imgur.com/a/4IoTC)
TC
-
If you want to know how technically bad this is going to get follow this guy.
https://twitter.com/aionescu
TC
-
This is where the fun begins.
https://arstechnica.com/gadgets/2018/01/spectre-and-meltdown-patches-causing-trouble-as-realistic-attacks-get-closer/ (https://arstechnica.com/gadgets/2018/01/spectre-and-meltdown-patches-causing-trouble-as-realistic-attacks-get-closer/)
For MS ... " If you are using VMware ESXi to update your microcode, VMware says you should revert to an earlier version."
TC
-
(http://imgur.com/lb2KLZ9l.png)
(http://i.imgur.com/lb2KLZ9.png)
Just after latest update. Beforehand vulnerable throughout. So some improvement.
Great tool Jerry !!
-
Linux lite 3.8 beta updated.
(https://i.imgur.com/Dh1lrRr.png)
-
Doesn't look too good for me :-\ but I'm still on -109
How do I get -111
I already ran updates
(https://i.imgur.com/9qa0wMV.png)
-
Similar results as others Variant #1- Not vulnerable, Variant #2-vulnerable, Variant #3-not vulnerable. This is on a new (for me) computer. Only computer that I have with an AMD processor. Good & simple way to check. Will check again after next kernel update.
-
How do I get -111
Just have to wait for your local repo to push updates. Or you could try another repo.
-
:o
http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml
-
:o
http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml
Wow, grats Jerry! Alexa says Softpedia is bigger than MajorGeek and TechSpot. Check that web hit-counter fly! ;)
Cheers!
-
Hi everyone,
I've been trying to follow this thread, with gratitude for the knowledgeable work being done by you all. Thanks.
What I have done is to Install Updates at least once a day, and keep my LL system as up-to-date as possible. Here is a copy of (some of) my system info
-Version-
Kernel : Linux 4.4.0-111-generic (x86_64)
Compiled : #134-Ubuntu SMP Mon Jan 15 14:53:09 UTC 2018
C Library : Unknown
Default C Compiler : GNU C Compiler version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
Distribution : Linux Lite 3.6
I am hoping (aren't we all!) that LL will be patched enough to continue safe browsing - subject of course to staying off sites of unknown security as usual.
I run a Win 7 laptop also, very similar i5 specs, for work, cad programmes. I don't go online much with that Win 7 laptop, (and haven't at all in the past week I think) using my LL for almost all my browsing, email etc. So my plan is to stay off-line completely on the Windows 7 laptop until it's known to be "safe" out there! Or should I chance "Windows updates"?
I do have a netbook with an Atom processor - did someone say the Atom is not affected?
-
A simple spectre-meltdown-checker for Windows systems that deals with the registry key permissions. You must have up to date AV that allows the regkey flag.
https://www.grc.com/inspectre.htm
TC
-
Similar results as others Variant #1- Not vulnerable, Variant #2-vulnerable, Variant #3-not vulnerable.
Exactly the results that I got too on my laptop when I checked it this morning. I haven't looked at my main machine yet.
A huge Thank You to @Jerry for making this user-friendly script to get and run the checker. I honestly don't think I would have bothered checking for vulnerabilities if it wasn't for Jerry's script. This was so easy to install and use. I just downloaded from GitHub, then right click on package and go "extract here", then go in folder and mark both scripts as executable and double-click on the "start" script. Then it opens up a window and runs and gives the results. It was so fast and uncomplicated.
-
@Vera great to hear :)
-
To Searchernow: I have 2 Acer netbooks. Both have the Intel Atom processor, version N455, made in 02/2011. According to an article I read the Intel Atom (made before 2013) is one of only 2 processors unaffected. That's what I read. (humor intentional). I will install LL 3.6 32-bit on it today & run Jerry's test. I'll post the results here as well as the netbook's spec's. Both netbooks have Windows 7 starter on them now, so no loss there.
-
Thanks Trinidad - I'll update my Win7 laptop AVG free then try the Win check you posted.
Thanks too Ottawa - I since looked at my netbook (Samsung) - it has Atom N450, pretty sure it's pre-2013, and presumably pre - N455.
Its spec is 1.67GHz and 2GB RAM - so comfortably within LL recommended.
-
Sorry, I meant to add:
tweaktown's list, reportedly an official Intel list, is shown below.
My netbook (32 bit, Win7 Home Prem) doesn't give "series" - just Atom N450, but looking at the Atom wikipedia entry, my date of purchase Feb. 2011, logo sticker etc. then the series is N (obvious now) so appears not to be on the vulnerable list, as you suggest!
from https://www.tweaktown.com/news/60411/heres-list-intel-cpus-affected-spectre-meltdown/index.html "12 days ago"
"Intel has finally released a full list of all of their processors that are open to the Spectre and Meltdown security flaws, with virtually all Intel CPUs at risk.
The chipmaker has worked closely with AMD, ARM Holdings, and multiple operating system makers in order to push an industry-wide approach to fixing this problem.
Intel will soon have an update for 90% of their processors, something that should drop in the next few days.
Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm) 2nd generation
Intel® Core™ processors 3rd generation
Intel® Core™ processors 4th generation
Intel® Core™ processors 5th generation
Intel® Core™ processors 6th generation
Intel® Core™ processors 7th generation
Intel® Core™ processors 8th generation
Intel® Core™ processors Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
Intel® Atom™ Processor C Series
Intel® Atom™ Processor E Series
Intel® Atom™ Processor A Series
Intel® Atom™ Processor x3 Series
Intel® Atom™ Processor Z Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
Intel® Pentium® Processor J Series
Intel® Pentium® Processor N Series
Read more: https://www.tweaktown.com/news/60411/heres-list-intel-cpus-affected-spectre-meltdown/index.html "
-
I reverted to the 4.4.0 available in the Lite Kernels list in Lite Tweaks, as 4.10 is vulnerable, but still get this.
How can I get to the 111 version of Lite 4.4.0 ?
(http://i253.photobucket.com/albums/hh80/bfb_album/Screenshot_2018-01-18_17-02-28_zpszgfjbud4.png) (http://s253.photobucket.com/user/bfb_album/media/Screenshot_2018-01-18_17-02-28_zpszgfjbud4.png.html)
-
Remove kernel 4.10 and then update kernel 4.4. You must be running on 4.4 to delete 4.10. If you are running 4.4 now try updating. I think LL will only update the running kernel, though not sure. In any case 4.4 in LL will update to -111.
TC
-
Acer Aspire One netbook D255E
Intel Atom n455 1.66GHz processor
Manufactured 02/2011
Linux Lite 3.6 32-bit
Fresh install on kernel 4.4.0-93 #116
Variant #1 - no
#2 - yes
#3 - yes
updated kernel to 4.4.0-111 #134
Variant #1 - no
#2 - yes
#3 - yes
A different article that I read seems to suggest that it is the Intel Atom 32-bit only that is OK. It's suggested that any chip that is x86_64 is vulnerable. I installed LL on the netbook with Windows 7 starter, so no loss there. But if anyone wants to try it on a netbook/laptop/desktop without installing LL, just boot into a live environment via USB, download Jerry's zip file, extract, & then double-click the 'sm-start'. No password required. It'll be an older kernel, but it'll give you an idea for your device.
-
https://mobile.twitter.com/verge/status/954025667137540096/video/1
-
v1 Spectre is partially mitigated against timing attacks, by Firefox 57 and ESR
https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
TC
-
Hello, I'm new to the party.
I have downloaded and installed the latest microcode from the Lite repo. Is this enough to mitigate?
My browser is Google Chrome.
Thank you.
-
Thanks Jerry for the Automated Spectre/Meltdown Checker.
http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml (http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml)
Ran the script and my results were the same.
"Spectre Variant 1" Status: Not Vulnerable
"Spectre Variant 2" Status: Vulnerable
"Meltdown aka Variant 3" Status: Not Vulnerable
(Results with latest Intel microcode update and updated Linux kernel 4.4.0-111)
In respect to "Spectre Variant 2" the following article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation - may be reassuring.
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Preps-Spectre-Kernels (https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Preps-Spectre-Kernels)
-
Thanks Jerry for the Automated Spectre/Meltdown Checker.
http://news.softpedia.com/news/linux-lite-developer-creates-automated-spectre-meltdown-checker-for-linux-oses-519431.shtml
Ran the script and my results were the same.
"Spectre Variant 1" Status: Not Vulnerable
"Spectre Variant 2" Status: Vulnerable
"Meltdown aka Variant 3" Status: Not Vulnerable
(Results with latest Intel microcode update and updated Linux kernel 4.4.0-111)
In respect to "Spectre Variant 2" the following article - Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation - may be reassuring.
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Preps-Spectre-Kernels
-
Remove kernel 4.10 and then update kernel 4.4. You must be running on 4.4 to delete 4.10. If you are running 4.4 now try updating. I think LL will only update the running kernel, though not sure. In any case 4.4 in LL will update to -111.
TC
I took your advice, for which I am grateful, but the 4.4 from the Lite Tweaks doesn't update to -111 for some reason.
1)Does this mean that all the kernels from there are vulnerable? Remember I had 4.10 running before and that was vulnerable 2)how can I install the -111 version if 4.4 doesn't update to it automatically?
-
Does anyone read this article the same way I do. (and it doesn't surprise me if I'm wrong) That the kernel update coming on Monday the 22nd is for computers with Intel processors only. Nothing done with AMD at this time.
-
@bfb Run - sudo apt-get update first in the terminal, then exit and update normally via lite updates.
TC
-
Thank you. I have done all that, but I still get this.
I wonder if there is a problem with kernels from the Lite Tweaks 'Install kernel' option?
(http://i253.photobucket.com/albums/hh80/bfb_album/Screenshot_2018-01-20_05-51-59_zpsbn5ald4b.png) (http://s253.photobucket.com/user/bfb_album/media/Screenshot_2018-01-20_05-51-59_zpsbn5ald4b.png.html)
-
During this past week I have had two Sandy Bridge firmware updates go completely haywire, one massive slowdown, the other blue screen, then cook the board. (Intel has adjusted the firmware but with disclaimers) If you are on Windows 10 do not update the firmware on your Sandy Bridge CPU, and do not use the recommended MS patches for Meltdown if on Windows 7 or 8. There are characteristics of this CPU that make the Intel update and MS patch together basically crippling in some cases. Several OEMs including DELL are highly unlikely to ever patch this CPU for the MS kernel. However, if you dual boot Ubuntu with Windows 10, the KPTI adjustments in Ubuntu work fine, with little impact on performance, but there are several differences in the MS kernel functions in CPU space and some ugly MS and Intel tweaks to this CPU running Windows.
The official MS response: "If you are using a pre-2016 Intel CPU with Windows 10, there is nothing much you can do except consider upgrading to a newer processor or, you could possibly just live with the performance impact of the Meltdown and Spectre patches."
Probably the ultimate cause of the slowdowns: "With Sandy Bridge, Intel has tied the speed of every bus (USB, SATA, PCI, PCI-E, CPU cores, Uncore, memory etc.) to a single internal clock generator issuing the basic 100 MHz Base Clock (BClk). With CPUs being multiplier locked, the only way to overclock is to increase the BClk, which can be raised by only 5–7% without other hardware components failing."
Another issue that is certain to become a security issue: "Sandy and Ivy Bridge processors with vPro capability have security features that can remotely disable a PC or erase information from hard drives. This can be useful in the case of a lost or stolen PC. The commands can be received through 3G signals, Ethernet, or Internet connections. AES encryption acceleration will be available, which can be useful for video conferencing and VoIP applications."
Leave your Windows 10 unpatched on Sandy Bridge, but go ahead and update your Ubuntu if you dual boot.
TC
-
The other day I had a couple of vulnerability updates and for kicks tried again this morning... All Good :)
4.4.0-111 on the 32bit mini..
(http://imgur.com/lcq5i2xl.png)
(http://i.imgur.com/lcq5i2x.png)
(http://imgur.com/ci3tX8Dl.png)
(http://i.imgur.com/ci3tX8D.png)
-
Read last Friday that Ubuntu was releasing a new kernel today. They did. 4.4.0-112 #135. I wanted to test it on an Intel computer. So I used my HP compaq 7900 SFF. I'll test a few other computers but for the HP it still shows Variant #2 as vulnerable. Variant #1 & 3, not. Time to boot up another computer.
-
I updated my Toshiba laptop just now, rebooted and ran the checker. Got the same results as @Ottawagrant , so the #2 is not mitigated for me yet either. Haven't checked my main machine yet, just the Toshiba laptop.
-
v2 Spectre vulnerabilities may never be fully identified or patched. These creatures evolve into thousand-armed spiders.
Ubuntu has made a lot of progress no thanks to Intel or AMD though. Stick with your LL. The waters are much dirtier elsewhere.
https://usn.ubuntu.com/usn/xenial/
TC
-
I'm checking for updates twice a day. Just now 4.4.0-112 #135.
I ran tool v.0.32 with same result as others above - variant 2 vulnerable.
on another mitigation -
My main browser is FF 57, and I have it blocking insecure sites (this setup from before the Intel catastrophe!) - but some of these sites I want to view (articles etc., but I don't send any login or other info - not intentionally!) and these I view on Chromium, also customized to be reasonably secure, but a bit more permissive.
Anyway, for those who don't already know there is a trial mitigation tool from the Chromium project which seeks to isolate sites you are accessing from each other. This will hopefully close a route for a rogue page to infect other open pages.
details here https://www.chromium.org/Home/chromium-security/site-isolation#TOC-1-Isolating-All-Sites
go to the tool here chrome://flags/#enable-site-per-process and scroll down to Strict Site Isolation and enable. (do this in Chromium!).
-
I'm sure like me, a few on the LL forum are stuck as to how to run the Spectre/Meltdown checker.
I went to https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated
then downloaded the script:
wget https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated.git
What do I do next ... ?
-
Extract the folder -> open it -> double click on sm-start.
-
Extract the folder -> open it -> double click on sm-start.
I don't have a folder to extract from :o
When I used the wget command in post #2, an HTML file is downloaded, named Spectre-Meltdown-Checker-Automated.git ...
:(
-
I'm sure like me, a few on the LL forum are stuck as to how to run the Spectre/Meltdown checker.
I went to https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated (https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated)
then downloaded the script:
wget https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated.git
What do I do next ... ?
I don't know why you are using the wget command, that instruction isn't there. https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated (https://github.com/linuxlite/Spectre-Meltdown-Checker-Automated) shows the exact instructions under Instructions. Click on the green 'Clone or download' button, Download zip.
-
@Jerry
Many thanks - got it sorted, worked fine in LL3.6
I guess though, that the spectre-meltdown checker won't work in some other distros, where sudo is not a recognised command, e.g. PCLinuxOS.
-
@m654321 Below is the list of updated kernels for PClinuxOS and even though this is a LL forum and I don't use PClinuxOS maybe just create a directory in your home directory to hold the shell script and run the commands in a root terminal without the sudo added in to the last.
http://www.pclinuxos.com/forum/index.php/topic,144844.msg1237197.html#msg1237197
We also need to ask these things all in the same thread and not spread this out all over the place.
TC
-
Topics merged and title of this thread renamed.
Please keep all posts on this topic in this thread. Cheers :)
-
Here's a nice article I just found while surfing the web https://insights.ubuntu.com/2018/01/17/spectre-mitigation-updates-available-for-testing-in-ubuntu-proposed
It says: You are invited to test and provide feedback for the following updated Linux kernels. We have also rebased all derivative kernels such as the public cloud kernels (Amazon, Google, Microsoft, etc) and the Hardware Enablement (HWE) kernels.
It provides links for the proposed kernels for Ubuntu 14.04, 16.04, 17.04, 17.10.
-
For advanced users. Do not try this on your actual machine unless you have god powers - https://www.sentinelone.com/blog/sentinelone-releases-free-linux-tool-detect-meltdown-vulnerability-exploitations/ (https://www.sentinelone.com/blog/sentinelone-releases-free-linux-tool-detect-meltdown-vulnerability-exploitations/) Play with it in an up-to-date LL VM.
-
I will try this out sometime this week Jerry. Thanks.
TC
-
Here's another nice article I just found on the web, it describes another way to check on meltdown-spectre http://kroah.com/log/blog/2018/01/19/meltdown-status-2/
:)
-
Bad news is that now more than 200 different forms of malware have turned up in the "wild" modified to attempt to exploit the Spectre vulnerability, which indicates the probability that some sophisticated sleeper applications may evolve to pose a huge threat to Microsoft Windows.
Good news is that this week I will be posting several different alternative ways to monitor for the vulnerabilities besides the already available spectre-meltdown-checker. Debian has now backported the spectre-meltdown-checker for stretch.
TC
-
"Once it's weaponized to run evil things, we're doomed, DOOMED! Dooooooomed!" ;) - Tim the Enchanter!
We'll need Coconut computers!
-
Hmmm... off to live in a cave in the middle of a forest (next to a river with plenty of fish)... ;)
Will launch my secret nuclear weapons at Intel first...
-
It seems the new kernel 4.13.33 fixes the variant 2 version on an older amd at least.
(https://imgur.com/a/uE0lx)
-
It seems the new kernel 4.13.33 fixes the variant 2 version on an older amd at least.
(https://imgur.com/a/uE0lx)
I'm using latest kernel 4.15 on an AMD CPU too and I see this message on boot I can't just now remember. However, running $ grep . /sys/devices/system/cpu/vulnerabilities/*
shows this:
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
I believe the message on boot has something to do with the last line of that output: full generic retpoline.
-
I used the script to check. Here is the report from your command:
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline
-
8)
-
I'm running a highly modified version of Linux Lite and some modified Xubuntu stuff. I am assuming the kernel updates will be pushed out by Ubuntu as that is how I got them as I am running a HWE kernel.
System: Host: supergamer Kernel: 4.13.0-33-generic x86_64 (64 bit gcc: 5.4.0)
Desktop: Xfce 4.12.3 (Gtk 2.24.28) Distro: Ubuntu 16.04 xenial
Machine: System: TOSHIBA (portable) product: Satellite L505D v: PSLV6U-00K001
Mobo: TOSHIBA model: Portable PC
Bios: Insyde v: 1.00 date: 09/07/2009
CPU: Dual core AMD Athlon II M300 (-MCP-) cache: 1024 KB
flags: (lm nx sse sse2 sse3 sse4a svm) bmips: 7979
clock speeds: max: 2000 MHz 1: 1400 MHz 2: 800 MHz
Graphics: Card: Advanced Micro Devices [AMD/ATI] RS880M [Mobility Radeon HD 4100]
bus-ID: 01:05.0
Display Server: X.Org 1.18.4 drivers: ati,radeon (unloaded: fbdev,vesa)
Resolution: [email protected]
GLX Renderer: AMD RS880 (DRM 2.50.0 / 4.13.0-33-generic, LLVM 5.0.0)
GLX Version: 3.0 Mesa 17.2.8 Direct Rendering: Yes
Audio: Card Advanced Micro Devices [AMD/ATI] SBx00 Azalia (Intel HDA)
driver: snd_hda_intel bus-ID: 00:14.2
Sound: Advanced Linux Sound Architecture v: k4.13.0-33-generic
Network: Card-1: Realtek RTL8187SE Wireless LAN Controller
driver: rtl818x_pci port: 7000 bus-ID: 02:00.0
IF: wlp2s0 state: up mac: <filter>
Card-2: Realtek RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller
driver: r8169 v: 2.3LK-NAPI port: 6000 bus-ID: 03:00.0
IF: p5p1 state: down mac: <filter>
Drives: HDD Total Size: 250.1GB (36.2% used)
ID-1: /dev/sda model: TOSHIBA_MK2555GS size: 250.1GB
Partition: ID-1: / size: 227G used: 82G (38%) fs: ext4 dev: /dev/sda1
ID-2: swap-1 size: 2.95GB used: 0.00GB (0%) fs: swap dev: /dev/sda5
RAID: No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors: System Temperatures: cpu: 67.0C mobo: N/A
Fan Speeds (in rpm): cpu: N/A
Info: Processes: 165 Uptime: 13 min Memory: 875.9/2746.7MB
Init: systemd runlevel: 5 Gcc sys: 5.4.0
Client: Shell (bash 4.3.481) inxi: 2.2.35
-
Do the new meltdown / spectre kernels update automatically or is this something I have to manually do using Synaptic Package Manager
For kernel updates follow this link and read through the thread.
https://www.linuxliteos.com/forums/linux-lite-software-development/linux-lite-kernel/msg38277/#msg38277
Is the kernel posted above secure enough or is there a new more secure kernel which I should update to
run this command to find out
$ grep . /sys/devices/system/cpu/vulnerabilities/*
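The two checks this thread does by hand, looking at the kernel ABI revision in the version string (the -109 / -111 discussion above) and reading the kernel's own status files with the grep command just given, combined into one script. This is an added example, not the Spectre-Meltdown-Checker-Automated script or any other project's code. It assumes Ubuntu-style kernel version strings such as 4.4.0-111-generic, takes -109 as the minimum patched revision only because that is the number given earlier in this thread (not from Ubuntu documentation), and builds a constructed copy of the sysfs files mirroring the AMD output quoted above so the parsing can be exercised offline:

```shell
#!/bin/sh
# Added example, not the thread's checker or any project's code. Two checks the
# thread does by hand: (1) is the running kernel's Ubuntu ABI revision at or
# above the one the thread names as carrying KPTI (-109)? (2) what do the
# kernel's own per-variant status files under
# /sys/devices/system/cpu/vulnerabilities say, summarised as ok/vulnerable/unknown?

KPTI_MIN_ABI=109   # assumption taken from this thread, not from Ubuntu docs

# kernel_abi VERSION -> prints the ABI revision, e.g. "4.4.0-111-generic" -> 111
# Prints nothing for a version string without an Ubuntu-style "-NNN" part.
kernel_abi() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9.]*-\([0-9][0-9]*\).*/\1/p'
}

# kernel_abi_ok VERSION -> exit status 0 when ABI >= KPTI_MIN_ABI, else 1
kernel_abi_ok() {
    abi=$(kernel_abi "$1")
    [ -n "$abi" ] && [ "$abi" -ge "$KPTI_MIN_ABI" ]
}

# classify_status LINE -> ok | vulnerable | unknown
# "Not affected" and "Mitigation: ..." both count as ok; anything that is not
# literally "Vulnerable..." is reported as unknown rather than guessed at.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report_dir DIR -> one "name<TAB>class<TAB>raw line" per status file;
# exit status 1 if any file classifies as vulnerable, 0 otherwise
report_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        line=$(head -n 1 "$f")
        class=$(classify_status "$line")
        [ "$class" = vulnerable ] && rc=1
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$class" "$line"
    done
    return $rc
}

# count_vulnerable DIR -> prints how many status files classify as vulnerable
count_vulnerable() {
    report_dir "$1" | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# make_sample DIR -> constructed sysfs look-alike mirroring the AMD output
# quoted in the thread (spectre_v1 still Vulnerable, spectre_v2 retpoline)
make_sample() {
    mkdir -p "$1"
    printf 'Not affected\n'                       > "$1/meltdown"
    printf 'Vulnerable\n'                         > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$1/spectre_v2"
}

# Stand-alone run: report on the running kernel and, where this kernel exposes
# them (older kernels do not have the directory at all), the live status files.
if kernel_abi_ok "$(uname -r)"; then
    echo "kernel $(uname -r): ABI revision >= $KPTI_MIN_ABI"
else
    echo "kernel $(uname -r): ABI revision < $KPTI_MIN_ABI, or not an Ubuntu-style version"
fi
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_dir /sys/devices/system/cpu/vulnerabilities \
        || echo "at least one variant still reports Vulnerable"
else
    echo "no /sys/devices/system/cpu/vulnerabilities: kernel predates these status files"
fi
```

Save it as, say, sm-status.sh and run it with `sh sm-status.sh`; no sudo is needed because the sysfs files are world-readable. The ABI-revision check only tells you which build you booted, which is why the second check reads what the kernel itself reports: a -111 kernel that still prints Vulnerable for spectre_v2 (as several posts above show) is the expected state until the retpoline kernels land, and the script keeps those two facts separate instead of collapsing them into one verdict.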
-
I run this kernel in Ubuntu 16.04 and it is mitigated against Meltdown with KPTI and mitigated against Spectre variant 1, and Firefox 58 is in the LTS version. You're good enough.
TC
-
8)
-
Here are my results on Ubuntu 16.04 LTS with your listed kernel. The long command is correct for Ubuntu and/or LL. The unpatched frowny face is for no existing Intel microcode updates as yet.
https://imgur.com/a/wX54Z (https://imgur.com/a/wX54Z)
TC
-
8)
-
8)
-
The 4.4.0-116 kernel now fixes everything. I ran the checker after install and boot of the new kernel and now all three variants say 'NOT VULNERABLE'.
-
8)
-
(https://i.imgur.com/b5oEKhZ.png)
-
Sooo, if I’m on 4.10, I have to revert to 4.4.0-116 to get the fix?
-
8)
-
Sooo, if I’m on 4.10, I have to revert to 4.4.0-116 to get the fix?
I would think that you would be able to use the 4.15 kernel which you can download and install from the Synaptic Package Manager aka Install/Remove Software.
Go into Synaptic Package Manager / Install/Remove Software center and install linux-headers 4.15 first and then install linux-image 4.15 second.
Do a reboot and you should boot into the new 4.15 kernel.
Do not remove existing kernel in case the new kernel fails to boot.
--------------------------------------------------------------------------------------------------------------------------------
Update
It appears that Lite Tweaks in the Menu under System has a kernel installer so you might want to give that a look at also.
Don't hold me to this as I'm only a Linux Lite user and not a Linux Guru.
Thanks and yep, I'm gonna keep older kernels because last time I tried 4.13, got a kernel panic on boot. ;)
If 4.15 breaks, I'll go the 4.4.0-116 route.
Now time to read if those fixes slow CPUs down or not, which was the big worry in the beginning. :-O
Cheers!
-
8)
-
Vulnerabilities resolved :)
Speed?? has it been reduced. Tests below.
-Computer-
Processor : 2x Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz
Memory : 4037MB (2138MB used)
-Version-
Kernel : Linux 4.4.0-116-generic (x86_64)
Distribution : Linux Lite 3.6
-Current Session-
Computer Name : linuxlite-HP-Compaq-dc7700p-Ultra-slim-Desktop
Desktop Environment : XFCE 4
-Misc-
Uptime : 6 hours, 10 minutes
Load Average : 0.42, 0.56, 0.38
-CPU Blowfish-
This Machine 1867 MHz 9.806
Intel(R) Celeron(R) M processor 1.50GHz (null) 26.1876862
PowerPC 740/750 (280.00MHz) (null) 172.816713
-CPU CryptoHash-
This Machine 1867 MHz 137.318
-CPU Fibonacci-
This Machine 1867 MHz 5.082
Intel(R) Celeron(R) M processor 1.50GHz (null) 8.1375674
PowerPC 740/750 (280.00MHz) (null) 58.07682
-CPU N-Queens-
This Machine 1867 MHz 17.196
-FPU FFT-
This Machine 1867 MHz 4.524
-FPU Raytracing-
This Machine 1867 MHz 11.347
Intel(R) Celeron(R) M processor 1.50GHz (null) 40.8816714
PowerPC 740/750 (280.00MHz) (null) 161.312647
No idea what the above means. Perhaps those more knowledgeable can comment??
-
Thanks @newtusmaximus but I have no clue what the benchmark numbers mean either. ;)
Guess I'll have to bench the machine before and after all the patches.
Cheers!
-
My HP compaq is 9 years old, 3.33MHz, duo core w/8gb RAM. Absolutely no slowdown with the patch installed. My Windows 10 computers, with whatever patch Microsoft has issued, all show slowdown. I only have one computer with an AMD processor, so I use that if I have to use Windows. Next month is Microsoft's Spring update to Windows 10. Better check the drug store flyers for antacid.
-
Re speed / performance tests. As per my previous post, is there a simple "idiots" guide as to what the results mean in real life for the average computer user? Thanks
-
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ
I doubt microcode updation will ever appear for anything older than Skylake, and though Intel is already facing over 30 litigations I expect class actions to branch out to include OEMs Dell, HP, Lenovo, and Asus. We've only just begun in Linux with retpoline and it's going to be an application by application case instance without microcode updation for older CPUs. Worse off MS is riddled with potential sleeper applications and the Spring update is probably going to kill off hordes of current Windows 10 users on machines older than Skylake who will find themselves unable to connect to their financial institutions.
TC
-
The spectre-meltdown-checker received an update today on my Debian machines. I'm going to look now if LL or Ubuntu versions were updated.
Okay checked LL and Ubuntu. LL/Ubuntu version is v0.33 Debian version is v0.35. The only differences in the script I could find is how variant 1 mitigation detection is handled in Debian. Ubuntu uses the original Red Hat patch and Debian does not. v0.33 is okay for LL/Ubuntu even though v0.35 is newer.
TC
-
Debian have their own fork based on their own kernels. Not applicable to LL here which uses Ubuntu kernels. I'd like to keep this LL focused so newbies don't start posting questions about how they are confused. Cheers :)
-
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ
I doubt microcode updation will ever appear for anything older than Skylake, and though Intel is already facing over 30 litigations I expect class actions to branch out to include OEMs Dell, HP, Lenovo, and Asus. We've only just begun in Linux with retpoline and it's going to be an application by application case instance without microcode updation for older CPUs. Worse off MS is riddled with potential sleeper applications and the Spring update is probably going to kill off hordes of current Windows 10 users on machines older than Skylake who will find themselves unable to connect to their financial institutions.
TC
Thanks for all this info, some of which I think (!) I understand, a bit.
I'm using 2 laptops. My i5 CPUs are pre-Skylake ... not sure about the meaning of microcode issues, but I think you're saying it may become a serious problem for those on pre-Skylake cpu computers. Soon?
I use an i5 laptop (1) (single partition) windows 7 ( to run windows-based cad) and so far this year I've not had to go online with it and I don't intend to.
But it does get some files transferred to it (on SD cards or USB) from my i5 Linux Lite laptop (2) (dual-boot) which I use online - Firefox & Chromium. I'm not sure if a Windows bug can get onto LL (2) then over to the other laptop (1) running Win7?
Longer term - should I be putting money in a piggy-bank for a new computer? Or could I fit new CPU?
-
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ
I doubt microcode updation will ever appear for anything older than Skylake, and though Intel is already facing over 30 litigations I expect class actions to branch out to include OEMs Dell, HP, Lenovo, and Asus. We've only just begun in Linux with retpoline and it's going to be an application by application case instance without microcode updation for older CPUs. Worse off MS is riddled with potential sleeper applications and the Spring update is probably going to kill off hordes of current Windows 10 users on machines older than Skylake who will find themselves unable to connect to their financial institutions.
TC
So what are we saying here please? Are we saying, even with the patches from the recent kernel update for LL, because of the pre-Skylake CPUs, our older machines are still vulnerable even when J's test reports no vulnerability?
I.e. ALL older hardware is now "junk" if used "online".
Can not the anti-virus / malware boys evolve their products to screen for "code" that would exploit these vulnerabilities?
Very confused as to what all this will mean for the average user. Does it mean online shopping / banking etc. is potentially now a no-no!! ??
-
The link below is one of the better explanations of the retpoline mitigation.
https://support.google.com/faqs/answer/7625886
This link is the "claimed" status of Intel's microcode updation which should be taken sceptically not optimistically.
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf
This is from my 5year old AMD A8 HP.
https://imgur.com/a/bWhLr
TC
-
News
1) Well Intel has made stable microcode available now as far back as Sandy Bridge, however OEMs Dell and HP are still lagging behind in the implementations. Microsoft continues to be ahead of the curve on the whole issue though the latest updations have install issues as well due to the lagging OEM implementations. I have succeeded with a couple of W10 Dell Sandy Bridge boxes but it cannot be done without resorting to the CLI so everyday users are unlikely to install the mc mitigations.
2) New security studies from AMD are dismal for some of their CPUs. See the link below.
https://www.amdflaws.com/
3) Being a regular Debian user I am a bit spoiled when it comes to updates. Debian stable is slow and methodical about such things. But I also use both Ubuntu and LL where update schedules are far denser and hectic. I have to remind myself that so many of the current issues are linked to S/M and Intel. Ubuntu has been on top of the issues since they began and the devs have worked very hard to deal with the changes for their users. Updation was not always so intense with Linux in general, but it is good to remember that Linux is a community and as such more in touch with its own reality in more diverse ways than any corporate entity could ever hope to be. It is discouraging what corporate OEMs have done to everyday people, but it is wonderful to watch the Linux community respond.
TC
-
Trinidad - thanks for keeping us up-to-date!! Much appreciated.
-
(https://i.imgur.com/O4EHqi3.png)
-
Hi Jerry,
For me your post is blank. Maybe my Firefox settings are detecting something considered insecure and blocking it.
-
Hi Jerry,
For me your post is blank. Maybe my Firefox settings are detecting something considered insecure and blocking it.
It's an image, I can see... maybe slow loading or FF??
(https://i.imgur.com/O4EHqi3.png)
-
Loading ok on Chrome
-
Loading quickly for me on Firefox and Opera browsers.
-
Hi all,
thanks for your responses. I use FF (more strict blocking of tracking content etc.) and that's where I interact with this forum; and for others, e.g. non-https sites where I will not be logging in, I use Chromium (less strict blocking, though still blocks javascript by default).
I re-opened this page on Chromium, it said javascript was blocked, so I un-blocked for this page, but still no image. I allowed protected content, still no image.
All I can suggest is:
a) I have more secure browser environments which see reasons to block the content
or
b) I am missing something in the way I have things set up. Though I do normally use FF to read e.g. The Guardian and I'm used to blank spaces/content or ads blocked. That's the way I like it.
Another factor may be my use of plug-ins Privacy Badger, HTTPS Everywhere, and Disconnect.
Anyway, I am assuming Jerry's posted image is not vital for me, I can live without it. I'm curious of course!
-
Hello Searchernow,
In your browsers do -
other images hosted on imgur display?
other png file type images?
-
Hello Searchernow,
In your browsers do -
other images hosted on imgur display?
other png file type images?
I'm not aware of what images might be hosted by imgur, either shown or blocked! What I did do just now was to try to open the imgur site, and both browsers block it, it is unsafe! Maybe there's the answer.
Not sure about other png images, how would I know?
-
Hello Searchernow,
I thought it could be the case. I had looked at imgur before, it looked a bit snoopy to me, so I use a different image host. https://imgbb.com/
You could check this post
https://www.linuxliteos.com/forums/other/is-there-a-way-to-make-the-desktop-taskbar-always-on-top/msg39982/#msg39982
and see if the png images I added display in your browsers, to determine if your browsers are blocking png image file type at other hosts, or whether it is only blocking imgur.
-
Hello Searchernow,
I thought it could be the case. I had looked at imgur before, it looked a bit snoopy to me, so I use a different image host. https://imgbb.com/
You could check this post
https://www.linuxliteos.com/forums/other/is-there-a-way-to-make-the-desktop-taskbar-always-on-top/msg39982/#msg39982
and see if the png images I added display in your browsers, to determine if your browsers are blocking png image file type at other hosts, or whether it is only blocking imgur.
Thanks,
I opened that page and I do see your pic of a bee on flowers and a screenshot of "Panel window".
More generally, the Wikipedia page for imgur reported a serious potential user data breach, though unlike Yahoo they did notify users straight away.
-
Re-reading my posts - I mentioned blank spaces in the Guardian, I should add that these are the exception, most images in the Guardian I can see ok.
-
Do you have a link for the imgur Wikipedia page please, so I can read the detail of it?
The blank spaces in the Guardian may be blocked adverts?
-
Yes, at least some blanks are ads, I try to live an ad-less life.
https://en.wikipedia.org/wiki/Imgur (https://en.wikipedia.org/wiki/Imgur)
-
Thank you :), I'll have a read of it
-
I had looked at imgur before, it looked a bit snoopy to me, so I use a different image host. https://imgbb.com/ (https://imgbb.com/)
Very many thanks for this useful tip 8)
-
I had looked at imgur before, it looked a bit snoopy to me, so I use a different image host. https://imgbb.com/ (https://imgbb.com/)
Very many thanks for this useful tip 8)
Glad it was useful :)
-
News
1) Well Intel has made stable microcode available now as far back as Sandy Bridge, however OEMs Dell and HP are still lagging behind in the implementations. Microsoft continues to be ahead of the curve on the whole issue though the latest updations have install issues as well due to the lagging OEM implementations. I have succeeded with a couple of W10 Dell Sandy Bridge boxes but it cannot be done without resorting to the CLI so everyday users are unlikely to install the mc mitigations.
2) New security studies from AMD are dismal for some of their CPUs. See the link below.
https://www.amdflaws.com/
3) Being a regular Debian user I am a bit spoiled when it comes to updates. Debian stable is slow and methodical about such things. But I also use both Ubuntu and LL where update schedules are far denser and hectic. I have to remind myself that so many of the current issues are linked to S/M and Intel. Ubuntu has been on top of the issues since they began and the devs have worked very hard to deal with the changes for their users. Updation was not always so intense with Linux in general, but it is good to remember that Linux is a community and as such more in touch with its own reality in more diverse ways than any corporate entity could ever hope to be. It is discouraging what corporate OEMs have done to everyday people, but it is wonderful to watch the Linux community respond.
TC
I'd been wondering about your comment re OEMs lagging ... in implementations - and would I need to do anything myself.
But today I did Install Updates and it includes "intel-microcode: microcode will be updated at next boot" - I presume this will apply to my i5 cpu.
-
LL meltdown Checker on Linux Lite 4.0 (latest kernel)
(https://i.imgur.com/NQoDU0n.gif)
-
Yo!
I didn't use the Checker tool... yet, since using other computer for banking stuff, etc.
But is it / will it be available in Lite Tweaks or Lite Software in LiLi 4.0?
Planning to ditch those 'dows when 4 is out.
Cheers and keep it up! ;)
-
It's been a long time since I looked at this issue, I had frankly forgotten it!
I keep my Updates up-to-date each week, so am I safe to assume the vulnerabilities are no longer a threat?
LL 4.4, 64bit, i5 processor.
-
Security is a fallacy, there is no such thing in computing.
As long as you own the architecture, you will always be at risk. The attack vector for Meltdown is extremely unlikely. If you trust everyone that uses your pc locally, then you have nothing to worry about, do you...
(https://i.ytimg.com/vi/RhlXqYiTz2Q/hqdefault.jpg)
-
Agreed.
-
If you trust everyone that uses your pc locally, then you have nothing to worry about, do you...
But, can you REALLY trust anyone? Your family could have been infiltrated years ago and your life a lie.
(reference to a 2001 movie called "Antitrust", was pretty cool ;) )
Trust no one! (insert X-Files music)
(http://cdn.shopify.com/s/files/1/0770/1289/products/unisex_tno2_grande.jpg?v=1509566855)