Hi,
Are there something to do in OMV LX 3.03 about Meltdown and Spectre?
Thanks
Yes. First, this issue pertains only to those with certain Intel CPU's (as I understand).
Intel provides a utility to check from Konsole or other terminal to see if your system has this vulnerability. That download is here.
To install:
[ben79@ben79-pc Downloads]$ tar -xzvf SA00086_Linux.tar.gz
To run:
[ben79@ben79-pc Downloads]$ sudo python2 ./intel_sa00086.py
[sudo] password for ben79:
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.152
Scan date: 2018-01-11 16:43:54 GMT
*** Host Computer Information ***
Name: ben79-pc
Manufacturer: ASUS
Model: All Series
Processor Name: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
OS Version: OpenMandriva Lx 3.0 Einsteinium (4.14.2-desktop-1omv)
*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.1.25.1005
SVN: 0
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.
For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
Intel Security Advisory Intel-SA-00086 at the following link:
https://www.intel.com/sa-00086-support
Two computers: one is not vulnerable but the other is. This application suggests there is something I could do to remedy this.
Processor Name: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
OS Version: OpenMandriva Lx 3.0 Einsteinium (4.13.12-desktop-2omv)
*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.1.41.3024
SVN: 0
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware
is considered vulnerable for INTEL-SA-00086.
Contact your system manufacturer for support and remediation of this system.
However, in the Intel support page mine is the last version of Intel® Management Engine (???)
Edit: As I understand it.
It is the most recent ones that have the problem.
As far as what to do about it I'm not sure but I believe that is up to OpenMandriva developers like @TPG, @bero, and @Colin to apply patches to some packages.
Again that is "as I understand it" and I only started reading about this today.
I'd like to know more myself.
Edit: I think one thing is to get the kernel-4.15.rc6 kernel available in OMV. Read this and that.
Further proof that reading can be a good thing. Read this, which contains:
"So, where are we with fixing the problems? Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days. "
Edit: @Colin is pushing kernel-4.14-2 to main-updates so should be available to all as soon as mirrors sync. You all should update to this kernel ASAP unless you have problems with it. QA has been testing it for days with no known issues.
Also kernel-4.15 will be made available as soon as it is released and sufficiently tested.
Edit: Regarding my earlier comment about OMV developers it looks more like most of the work is applied to the Linux kernel so keeping the most up to date kernel should help.
More:
https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/
Edit: And now it looks like I'm up the proverbial creek without a paddle:
$ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.14.2-desktop-1omv #1 SMP PREEMPT Fri Jan 5 09:07:31 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 24 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Another one:
Hi,
new microcode-intel package is available for 3.03 which provides fixed microcodes for processors.
I'm planning to adapt 3.03 and cooker over weekend so hopefully we will be safe.
Excellent, thanks @TPG.
This is the most important post in this thread. @TPG is the Lx3.03 release manager and developer extraordinaire.
New kernel-release 4.14.13 is available in main/testing
Feel free to give it a test and check for spectre/meltdown.
Many thanks @TPG
First test in VBox with the tool given by OStechNix:
# . ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.14.13-desktop-1omv #1 SMP PREEMPT Fri Jan 12 15:47:49 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 24 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Only the last test seems ok.
I also tried the tool given by Intel:
# python2 ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.152
Scan date: 2018-01-14 11:43:55 GMT
*** Host Computer Information ***
Name: jcl-B1482
Manufacturer: innotek GmbH
Model: VirtualBox
Processor Name: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
OS Version: OpenMandriva Lx 3.0 Einsteinium (4.14.13-desktop-1omv)
*** Risk Assessment ***
Detection Error: This system may be vulnerable,
either the Intel(R) MEI/TXEI driver is not installed
(available from your system manufacturer)
or the system manufacturer does not permit access
to the ME/TXE from the host driver.
For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
Intel Security Advisory Intel-SA-00086 at the following link:
https://www.intel.com/sa-00086-support
As I understand it that is because so far all the work has been done on Meltdown Variant 3. This was thought to be the most immediate and biggest threat. Work on Spectre will be ongoing over a long period of time.
https://meltdownattack.com/#faq-fix
As I understand it if users have the latest microcode-intel-20180108-1 and kernel-release-desktop-4.14.13-1 you have done as much as can be done for now. The next step will be kernel-4.15.
Just for more fun there are reports that kernel versions with Meltdown patches have caused a few users problems with booting. Hopefully these issues will be addressed in time.
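An added example, not posted by anyone in this thread: the spectre-meltdown-checker.sh runs above infer the mitigation state from heuristics (LFENCE counts, IBRS, PTI), but newer kernels also report their own view directly, one file per issue under /sys/devices/system/cpu/vulnerabilities/ (the interface was added during the 4.15 cycle and backported to the 4.14 stable series; its presence on your kernel is an assumption, and the script says so if the directory is missing). Each file contains "Not affected", "Mitigation: ...", or "Vulnerable", so the kernel-side half of "updated microcode + updated kernel" can be checked without the external tool. The script also prints the microcode revision from /proc/cpuinfo, which is what changes when the microcode-intel package is applied. The directory and cpuinfo paths are overridable so it can be pointed at copies taken from another machine.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre mitigation status.
# Assumes a kernel that exports /sys/devices/system/cpu/vulnerabilities/; on an
# older kernel the report says so and returns 2, and spectre-meltdown-checker.sh
# remains the tool to use.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_status LINE -> prints "ok", "vulnerable" or "unknown".
# "Not affected" and "Mitigation: ..." are the kernel's documented "safe" forms.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report_vulns DIR -> one line per issue file; returns 1 if any is vulnerable,
# 2 if the directory does not exist (kernel too old), 0 otherwise.
report_vulns() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not export mitigation status, use spectre-meltdown-checker.sh"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        line=$(cat "$f")
        status=$(classify_status "$line")
        printf '%-14s %-10s %s\n' "$name" "$status" "$line"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# microcode_revision [CPUINFO] -> microcode field of the first CPU entry.
# The revision should change after installing a newer microcode-intel package
# and rebooting (or after early microcode load from the initrd).
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Stand-alone use: ./mitigation-status.sh [DIR]. The "|| :" keeps a
# "vulnerable" exit status from aborting a caller that runs with set -e.
main() {
    report_vulns "${1:-$VULN_DIR}" || :
    echo "microcode revision: $(microcode_revision)"
}

main "$@"
```

A "vulnerable" line for spectre_v2 next to "ok" for meltdown is exactly the situation the 4.14.13 checker output above shows (PTI active, no IBRS or retpoline yet), so the two tools should agree once the kernel exposes the files.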
Yes, 'Meltdown' aka 'Variant 3' is secure.
'Spectre Variant 1' should be fine on bare metal when you have updated microcode package.
'Spectre Variant 2' is quite hard as it needs patches for compilers, and I'd suggest to wait until upstream release patched gcc or LLVM/clang.
Btw, I have the same results on a real laptop (asus GL752VW) and I have to say that the last kernel is working fine on it
The microcode installed is microcode-intel-20180108-1-omv2015.0.noarch
As I understand the things, the real solution is to update the BIOS and the processor's firmware. I can do it but I'm waiting in order to let me test the kernel workarounds.
Another thing: the version of Firefox is 57.0.3 in our repos. The last version, 57.0.4 helps to circumvent the failure as some javascripts can exploit them.
Yes I'm trying to build ff-57.0.4 but I'm blocked with:
Firefox 57.0.4 is available in main/testing but without stylo enabled.