Meltdown and Spectre

Support for security such as Firewalls and securing linux
bshoe24
Posts: 19
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Postby bshoe24 » 2018/01/19 22:41:22

Thanks for the update Trevor.

aceprabhu
Posts: 4
Joined: 2018/01/19 12:39:25

Re: Meltdown and Spectre

Postby aceprabhu » 2018/01/20 20:46:47

@bshoe24, I didn't install the microcode - microcode_ctl-1.17-25.2 - as it was said to be problematic and a new one was released to undo its installation.

Any thoughts on why spectre-meltdown-checker.sh yields negative results even though I have patched my OS?

-Prabhu

bshoe24
Posts: 19
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Postby bshoe24 » 2018/01/21 18:45:01

@aceprabhu I'm not sure sorry.

My CentOS 6 E3-1230 V2 system, fully updated, reports mitigated except for Spectre #2, testing with both the GitHub (spectre-meltdown-checker.sh) and Red Hat's (spectre_meltdown.sh) test scripts.

2.6.32-696.18.7.el6.x86_64 installed
microcode_ctl-1.17-25.4.el6_9.x86_64 installed

Variant #1 (Spectre): Mitigated
Variant #2 (Spectre): Vulnerable
Variant #3 (Meltdown): Mitigated

By comparison, on the CentOS 6 E3-1231 V3 system I am testing it reports all 3 mitigated, including Spectre #2, if I load the newer Intel microcode (Version: 20180108), but that microcode does not seem stable yet. It has not crashed on me yet but is generating mcelog errors.

aceprabhu
Posts: 4
Joined: 2018/01/19 12:39:25

Re: Meltdown and Spectre

Postby aceprabhu » 2018/01/23 12:32:12

Is KPTI only for 64-bit systems? Sorry for persisting with the question of mitigating the vulnerabilities in CentOS 6.9 i386. I am not finding any reference to why the following files would be missing (I had mounted debugfs):

    /sys/kernel/debug/x86/pti_enabled
    /sys/kernel/debug/x86/ibpb_enabled
    /sys/kernel/debug/x86/ibrs_enabled


In my CentOS 7 system, the patch update worked just fine. Updated kernel and kernel-firmware. Variant 1 and Variant 2 are mitigated.

bshoe24
Posts: 19
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Postby bshoe24 » 2018/01/24 02:38:41

32-bit news :)
https://duckduckgo.com/?q=kpti+32+bit

I asked in an earlier post about the reason that the Microsoft Spectre checker script doesn't find support even with the buggy microcode, and it is because there is none yet passed to the guest, apparently, from this post:

"Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines"

https://www.qemu.org/2018/01/04/spectre/

rajrana0720
Posts: 1
Joined: 2017/12/15 05:20:05

Re: Meltdown and Spectre

Postby rajrana0720 » 2018/01/25 09:52:31

rickyng wrote:
After running "yum update" and rebooting, how do we verify if the patch was applied?

By running the uname -r command, you can check the kernel version.
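The debugfs toggles named a few posts up (pti_enabled, ibpb_enabled, ibrs_enabled) give a more direct answer than uname -r, because a new kernel version alone does not show whether the mitigations are actually on. The script below is an added example, not code from this thread or from the checker scripts discussed in it; it takes the directory as a parameter (assumed /sys/kernel/debug/x86 on a live RHEL/CentOS host with debugfs mounted) so it can also be run against a constructed directory, and it treats a wholly absent set of files as the "kernel has no mitigation support" case the i386 post describes.

```shell
#!/bin/sh
# Added example: report the RHEL/CentOS debugfs mitigation flags.
# The three file names come from the thread above; the directory is a
# parameter (assumed /sys/kernel/debug/x86 on a real host).

# flag_state DIR NAME -> prints "enabled", "disabled" or "missing"
flag_state() {
    f="$1/$2"
    if [ ! -r "$f" ]; then
        printf 'missing\n'
        return 0
    fi
    # the files hold a small integer: 0 means off, anything else means on
    v=$(cat "$f" 2>/dev/null | tr -d ' \n')
    case "$v" in
        0|'') printf 'disabled\n' ;;
        *)    printf 'enabled\n'  ;;
    esac
}

# report DIR -> one line per flag, e.g. "pti_enabled: enabled"
report() {
    for name in pti_enabled ibpb_enabled ibrs_enabled; do
        printf '%s: %s\n' "$name" "$(flag_state "$1" "$name")"
    done
}

# count_missing DIR -> number of absent flag files. All three missing is
# the symptom from the CentOS 6.9 i386 post: the running kernel exposes no
# mitigation controls at all, which is different from a flag set to 0.
count_missing() {
    n=0
    for name in pti_enabled ibpb_enabled ibrs_enabled; do
        if [ "$(flag_state "$1" "$name")" = missing ]; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Stand-alone use: ./check-flags.sh --live   (hypothetical file name)
if [ "${1:-}" = "--live" ]; then
    report /sys/kernel/debug/x86
    if [ "$(count_missing /sys/kernel/debug/x86)" = 3 ]; then
        echo "no mitigation flags exposed: kernel lacks KPTI/IBRS support or debugfs is not mounted"
    fi
fi
```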

theninjaboy123
Posts: 2
Joined: 2018/01/30 01:25:49

Re: Meltdown and Spectre

Postby theninjaboy123 » 2018/01/30 02:22:45

Is it possible to apply these patches manually (offline servers) for CentOS release 6.3 and 6.8, or do I definitely need to update to CentOS 6.9 first?

TrevorH
Forum Moderator
Posts: 21744
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Postby TrevorH » 2018/01/30 03:25:40

Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

theninjaboy123
Posts: 2
Joined: 2018/01/30 01:25:49

Re: Meltdown and Spectre

Postby theninjaboy123 » 2018/01/30 03:53:04

TrevorH wrote:
Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.

Thanks for the response Trevor.

I have upgraded 6.3 to 6.9 (offline server) via DVD1 & DVD2 iso of CentOS 6.9.

Subsequently, I had also manually installed all the packages for Meltdown and Spectre (kernel, libvirt, qemu) [https://lists.centos.org/pipermail/centos-announce/2018-January/022701.html].

The Meltdown and Spectre checker script has shown that I mitigated both #1 and #3 (not #2, as I did not apply the microcode update).

Is this a sufficient attempt to patch the general security as well as Meltdown and Spectre?

aceprabhu
Posts: 4
Joined: 2018/01/19 12:39:25

Re: Meltdown and Spectre

Postby aceprabhu » 2018/01/30 04:45:45

Any idea on the timeline for making mitigation fixes available for i386? Or will they not be available at all?