Is there something to do in OMV LX 3.03 about Meltdown and Spectre?

Hi,

Is there something to do in OMV LX 3.03 about Meltdown and Spectre?

Thanks


Yes. First, this issue pertains only to those with certain Intel CPUs (as I understand).

Intel provides a utility to check from Konsole or another terminal to see if your system has this vulnerability. That download is here.

To install:

[ben79@ben79-pc Downloads]$ tar -xzvf SA00086_Linux.tar.gz

To run:

[ben79@ben79-pc Downloads]$ sudo python2 ./intel_sa00086.py
[sudo] password for ben79: 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.152
Scan date: 2018-01-11 16:43:54 GMT

*** Host Computer Information ***
Name: ben79-pc
Manufacturer: ASUS
Model: All Series
Processor Name: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
OS Version: OpenMandriva Lx 3.0 Einsteinium (4.14.2-desktop-1omv)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.1.25.1005
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

Two computers: one is not vulnerable but the other is. This application suggests there is something I could do to remedy this.

Processor Name: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
OS Version: OpenMandriva Lx 3.0 Einsteinium (4.13.12-desktop-2omv)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.1.41.3024
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware
  is considered vulnerable for INTEL-SA-00086.
  Contact your system manufacturer for support and remediation of this system.

However, on the Intel support page mine is the last version of Intel® Management Engine (???)


Edit: As I understand it.

It is the most recent ones that have the problem.

As far as what to do about it, I’m not sure, but I believe that is up to OpenMandriva developers like @TPG, @bero, and @Colin to apply patches to some packages.

Again that is “as I understand it” and I only started reading about this today.

I’d like to know more myself.

Edit: I think one thing is to get the kernel-4.15.rc6 kernel available in OMV. Read this and that.

Further proof that reading can be a good thing. Read this. Which contains:

"So, where are we with fixing the problems? Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days. "

Edit: @Colin is pushing kernel-4.14-2 to main-updates so should be available to all as soon as mirrors sync. You all should update to this kernel ASAP unless you have problems with it. QA has been testing it for days with no known issues.

Also kernel-4.15 will be made available as soon as it is released and sufficiently tested.

Edit: Regarding my earlier comment about OMV developers it looks more like most of the work is applied to the Linux kernel so keeping the most up to date kernel should help.

More:

https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/

Edit: And now it looks like I’m up the proverbial creek without a paddle:

$ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.14.2-desktop-1omv #1 SMP PREEMPT Fri Jan 5 09:07:31 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 24 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

Another one:

The original work:

https://spectreattack.com/

https://meltdownattack.com/
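The checker output above counts LFENCE opcodes and looks for IBRS/retpoline markers because, at the time, the kernel had no official status interface. Since 4.15 (and the 4.14/4.9 stable backports that followed) the kernel reports its own verdict in /sys/devices/system/cpu/vulnerabilities/, one file per CVE, and /proc/cpuinfo carries a `pti` flag once page table isolation is active plus a `microcode` field with the loaded revision. The script below is an added example, not part of this thread or of OpenMandriva; it reads those files, classifies each status line, and, when the interface is absent, falls back to a constructed fixture (a 4.14-era kernel with PTI but neither retpoline nor IBRS) so it runs offline. The cpuinfo flag names for the Spectre v2 microcode features (`spec_ctrl`, `stibp`, `ibpb`, or `ibrs` on some vendor kernels) differ between kernel versions, so the flag lookup takes the name as a parameter.

```shell
#!/usr/bin/env bash
# Added example (not from the OpenMandriva thread): read the kernel's own
# Spectre/Meltdown status instead of relying on the opcode-counting heuristic.

# Map the text of one sysfs vulnerability file to a one-word verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;   # CPU does not have the flaw
        "Mitigation:"*)  echo "mitigated" ;;      # kernel workaround active
        "Vulnerable"*)   echo "vulnerable" ;;     # flaw present, nothing active
        *)               echo "unknown" ;;
    esac
}

# Print "<issue> <verdict> <raw text>" for every file in a vulnerabilities dir.
report_vulnerabilities() {
    local dir="$1" f status
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the sysfs interface (4.15 / stable backports)" >&2
        return 0
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Echo how many issues in the directory are still marked Vulnerable.
count_vulnerable() {
    local n=0 f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = vulnerable ] && n=$((n + 1))
    done
    echo "$n"
}

# Succeed if <flag> is present in the first "flags" line of a cpuinfo file
# ("pti" => PTI active; "spec_ctrl"/"stibp"/"ibpb" => spec-ctrl microcode seen).
cpuinfo_flag() {
    local file="$1" flag="$2" line
    line=$(grep -m1 '^flags' "$file" || true)
    case " ${line#*:} " in
        *" $flag "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the distinct microcode revisions across all CPUs; more than one line
# means some cores missed the update (e.g. late-loaded on a subset only).
microcode_revisions() {
    awk -F': *' '/^microcode/ {print $2}' "$1" | sort -u
}

# Constructed fixture (not captured from a real machine): a 4.14-era kernel
# with PTI active and no retpoline/IBRS support. Prints the fixture directory.
make_fixture() {
    local d cpu
    d=$(mktemp -d)
    mkdir -p "$d/vulnerabilities"
    printf 'Mitigation: PTI\n' > "$d/vulnerabilities/meltdown"
    printf 'Vulnerable\n'      > "$d/vulnerabilities/spectre_v1"
    printf 'Vulnerable\n'      > "$d/vulnerabilities/spectre_v2"
    for cpu in 0 1; do
        cat >> "$d/cpuinfo" <<EOF
processor	: $cpu
model name	: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
microcode	: 0x24
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc pti

EOF
    done
    echo "$d"
}

# Stand-alone run: use the live kernel when it exposes the interface,
# otherwise the constructed fixture so the script demonstrates itself offline.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    root=/sys/devices/system/cpu/vulnerabilities; cpuinfo=/proc/cpuinfo
else
    fx=$(make_fixture); root="$fx/vulnerabilities"; cpuinfo="$fx/cpuinfo"
fi
report_vulnerabilities "$root"
echo "still vulnerable: $(count_vulnerable "$root")"
cpuinfo_flag "$cpuinfo" pti && echo "pti flag present" || echo "pti flag absent"
echo "microcode revision(s): $(microcode_revisions "$cpuinfo" | tr '\n' ' ')"
```

Read "Not affected" and "Mitigation:" differently: the first means the CPU does not have the flaw, the second means a kernel workaround is active, costs performance, and can be switched off (for example with `nopti` on the kernel command line). A "not-affected" verdict for Meltdown on Haswell parts like the ones in this thread would therefore be a reason to distrust the kernel, not to celebrate.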

Hi,

New microcode-intel package is available for 3.03 which provides fixed microcodes for processors.

I’m planning to adapt 3.03 and cooker over the weekend so hopefully we will be safe.

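A microcode-intel package only helps if it contains a blob for the exact CPU signature and that blob is actually loaded (early from the initrd, or late through the microcode driver); the package installing cleanly proves neither. Intel names each file in /lib/firmware/intel-ucode/ after the CPUID signature as family-model-stepping in hex (the i7-6700HQ in this thread is 06-5e-03, the i5-4590 is 06-3c-03), and each update header stores its revision in bytes 4-7 (Intel SDM vol. 3, microcode update header). The script below is an added example, not from this thread or from OpenMandriva's packaging; it derives the file name from /proc/cpuinfo, reads the revision from the installed blob, and compares it with the `microcode` field the kernel reports. The offline fixture it builds (a constructed cpuinfo excerpt and a 48-byte header with made-up revisions) and the /lib/firmware/intel-ucode path are assumptions; on a real box point it at /proc/cpuinfo and the real directory.

```shell
#!/usr/bin/env bash
# Added example (not from the OpenMandriva thread): verify that an installed
# intel-ucode blob matches this CPU and that the kernel is actually running it.

# Print the intel-ucode file name (e.g. 06-3c-03) for the first CPU listed
# in a cpuinfo file: family, model, stepping as two-digit hex.
ucode_blob_name() {
    awk -F': *' '
        /^cpu family/    && !f { f = $2 }
        /^model[ \t]*:/  && !m { m = $2 }
        /^stepping/      && !s { s = $2 }
        END { printf "%02x-%02x-%02x\n", f, m, s }
    ' "$1"
}

# Update revision from the first header of an intel-ucode blob (bytes 4-7,
# little-endian). Blobs may concatenate several updates; only the first
# entry is inspected here, which is enough to spot "installed but not loaded".
ucode_blob_revision() {
    local b hex=""
    for b in $(od -An -tx1 -j4 -N4 "$1"); do hex="$b$hex"; done
    printf '0x%x\n' "$((0x$hex))"
}

# Print "<verdict> <blob> running=<rev> [installed=<rev>]" where verdict is
# missing (no blob for this signature), pending (blob newer than what the
# kernel loaded: rebuild initrd / reboot / late-load) or up-to-date.
ucode_check() {
    local cpuinfo="$1" fwdir="$2" name running blob
    name=$(ucode_blob_name "$cpuinfo")
    running=$(awk -F': *' '/^microcode/ {print $2; exit}' "$cpuinfo")
    if [ ! -f "$fwdir/$name" ]; then
        echo "missing $name running=$running"
        return 0
    fi
    blob=$(ucode_blob_revision "$fwdir/$name")
    if [ "$(( $blob ))" -gt "$(( $running ))" ]; then
        echo "pending $name running=$running installed=$blob"
    else
        echo "up-to-date $name running=$running installed=$blob"
    fi
}

# Constructed fixture (not captured from a real machine). Prints its directory.
make_ucode_fixture() {
    local d blob
    d=$(mktemp -d)
    mkdir -p "$d/intel-ucode"
    # Skylake i7-6700HQ is family 6, model 94 (0x5e), stepping 3; the running
    # revision 0x24 below is a made-up value.
    cat > "$d/cpuinfo" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
stepping	: 3
microcode	: 0x24
EOF
    # Made-up 48-byte header: version 1, revision 0x2c, BCD date 01082018,
    # processor signature 0x000506e3, remaining fields zero.
    blob="$d/intel-ucode/06-5e-03"
    printf '\001\000\000\000\054\000\000\000\030\040\010\001\343\006\005\000' > "$blob"
    dd if=/dev/zero bs=32 count=1 2>/dev/null >> "$blob"
    echo "$d"
}

# Stand-alone run: live system when it is an Intel box with the firmware
# directory present, otherwise the constructed fixture.
if [ -r /proc/cpuinfo ] && [ -d /lib/firmware/intel-ucode ] && grep -q GenuineIntel /proc/cpuinfo; then
    ucode_check /proc/cpuinfo /lib/firmware/intel-ucode
else
    fx=$(make_ucode_fixture)
    ucode_check "$fx/cpuinfo" "$fx/intel-ucode"
fi
```

A "pending" verdict right after installing the package usually means the initrd was not regenerated or the machine has not been rebooted; late loading with `echo 1 > /sys/devices/system/cpu/microcode/reload` applies it immediately but is not what the package relies on at boot. A "missing" verdict means no update for that stepping is shipped in the package, and then only a BIOS update from the board vendor can change the running revision.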

Excellent, thanks @TPG.

This is the most important post in this thread. @TPG is the Lx3.03 release manager and developer extraordinaire.

New kernel-release 4.14.13 is available in main/testing

Feel free to give it a test and check for spectre/meltdown.


Many thanks @TPG

First test in VBox with the tool given by OStechNix:

# . ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.14.13-desktop-1omv #1 SMP PREEMPT Fri Jan 12 15:47:49 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 24 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Only the last test seems OK.

I also tried the tool given by Intel:

# python2 ./intel_sa00086.py 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.152
Scan date: 2018-01-14 11:43:55 GMT

*** Host Computer Information ***
Name: jcl-B1482
Manufacturer: innotek GmbH
Model: VirtualBox
Processor Name: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
OS Version: OpenMandriva Lx 3.0 Einsteinium (4.14.13-desktop-1omv)

*** Risk Assessment ***
Detection Error: This system may be vulnerable,
  either the Intel(R) MEI/TXEI driver is not installed
  (available from your system manufacturer)
  or the system manufacturer does not permit access
  to the ME/TXE from the host driver.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

As I understand it, that is because so far all the work has been done on Meltdown Variant 3. This was thought to be the most immediate and biggest threat. Work on Spectre will be ongoing over a long period of time.

https://meltdownattack.com/#faq-fix

As I understand it if users have the latest microcode-intel-20180108-1 and kernel-release-desktop-4.14.13-1 you have done as much as can be done for now. The next step will be kernel-4.15.

Just for more fun there are reports that kernel versions with Meltdown patches have caused a few users problems with booting. Hopefully these issues will be addressed in time.


Yes ‘Meltdown’ aka ‘Variant 3’ is secure.

‘Spectre Variant 1’ should be fine on bare metal when you have an updated microcode package.

‘Spectre Variant 2’ is quite hard as it needs patches for compilers, and I’d suggest waiting until upstream releases a patched gcc or LLVM/clang.


Btw, I have the same results on a real laptop (ASUS GL752VW) and I have to say that the last kernel is working fine on it :)

The microcode installed is microcode-intel-20180108-1-omv2015.0.noarch

As I understand things, the real solution is to update the BIOS and the processor’s firmware. I can do it but I’m waiting in order to test the kernel workarounds.

Another thing: the version of Firefox in our repos is 57.0.3. The latest version, 57.0.4, helps to circumvent the flaw, as some JavaScript can exploit it.

Yes, I’m trying to build ff-57.0.4 but I’m blocked with:

Firefox 57.0.4 is available in main/testing but without stylo enabled.