Meltdown and Spectre

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Meltdown and Spectre

Post by avij » 2018/01/09 16:43:37

invis1988 wrote: I am running a custom patch server which syncs to uwaterloo mirror. The update package was downloaded and is contained in the repo. Just in case my script failed I manually ran createrepo --update to make sure it is recognized. When using uname -r I still have 5.2, and when I run yum update it states "no packages marked for update". Just wondering if there is another way I am supposed to update the kernel in this case, if not I will continue to troubleshoot my repo.
Did you reboot after you installed the new kernel? When you run rpm -q kernel, does it show kernel-3.10.0-693.11.6.el7.x86_64 among the installed kernels? If the new kernel is installed and you did not reboot, consider rebooting.
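As an added example (not avij's code, nor the thread's checker script), this POSIX shell function automates the check avij describes: it compares the running kernel (uname -r) against a required fixed version passed by the caller, and when the running kernel is older it scans rpm -q kernel output to tell "installed but not rebooted" from "not installed". The required version and the sample package lists are assumed inputs; the EL version layout X.Y.Z-A.B.C.elN.arch is assumed throughout.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares EL kernel version strings
# such as "3.10.0-693.11.6.el7.x86_64" numerically, field by field, so a script
# can tell whether the fixed kernel is running, only installed, or absent.

# Print the numeric fields of an EL kernel version: "3.10.0-693.11.6.el7.x86_64"
# becomes "3 10 0 693 11 6" (the ".elN.arch" suffix is dropped first).
el_kernel_fields() {
    printf '%s\n' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/[-.]/ /g'
}

# Return 0 if version $1 is >= version $2, 1 otherwise. Missing trailing
# fields count as 0, so "3.10.0-693" compares below "3.10.0-693.11.6".
el_kernel_at_least() {
    awk -v a="$(el_kernel_fields "$1")" -v b="$(el_kernel_fields "$2")" 'BEGIN {
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# $1: output of `uname -r`; $2: output of `rpm -q kernel` (one package per line);
# $3: first fixed kernel version, supplied by the caller (assumed, e.g. 3.10.0-693.11.6.el7).
# Prints patched / installed-not-rebooted / not-installed and returns 0 / 2 / 1.
el_kernel_status() {
    running=$1 installed=$2 required=$3
    if el_kernel_at_least "$running" "$required"; then
        echo patched
        return 0
    fi
    for pkg in $installed; do
        # rpm prints "kernel-<version>"; strip the package name prefix.
        if el_kernel_at_least "${pkg#kernel-}" "$required"; then
            echo installed-not-rebooted
            return 2
        fi
    done
    echo not-installed
    return 1
}

# Usage on a live host (not run here):
#   el_kernel_status "$(uname -r)" "$(rpm -q kernel)" 3.10.0-693.11.6.el7
```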

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Meltdown and Spectre

Post by avij » 2018/01/09 16:46:50

rafaelweingartner wrote: I just applied the update. My kernel version is 3.10.0-693.11.6.el7.x86_64 now.
To be sure, is this what you get when you run uname -r?

rafaelweingartner
Posts: 2
Joined: 2018/01/09 15:48:23

Re: Meltdown and Spectre

Post by rafaelweingartner » 2018/01/09 16:52:51

avij wrote:
rafaelweingartner wrote: I just applied the update. My kernel version is 3.10.0-693.11.6.el7.x86_64 now.
To be sure, is this what you get when you run uname -r?
[root@vm~]# uname -r
3.10.0-693.11.6.el7.x86_64

KalmanReti
Posts: 1
Joined: 2018/01/10 14:00:36

Re: Meltdown and Spectre

Post by KalmanReti » 2018/01/10 14:05:31

Are there going to be new livedvd isos? (I run some diskless machines with iso contents copied to ram.) If so, any guess when?

iseelinuxpeople
Posts: 1
Joined: 2018/01/11 18:09:50

Re: Meltdown and Spectre

Post by iseelinuxpeople » 2018/01/11 18:19:36

Is there a way to patch for 2.6.32-573.1.1.el6.x86_64 or do I have to upgrade the kernel to CentOS 6.9 or 7 at least?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Post by TrevorH » 2018/01/11 18:33:08

No, you need to update. There are many more vulnerabilities fixed in both the kernel and the rest of the system between 6.7 (which appears to be what you're running based on the kernel version) and 6.9. Only 6.9 gets updates.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

cybervedaa
Posts: 1
Joined: 2018/01/15 19:02:22

Re: Meltdown and Spectre

Post by cybervedaa » 2018/01/15 20:05:42

I am running CentOS 6.9. Applied the kernel patches and verified that the kernel version is 2.6.32-696.18.7.el6.x86_64

[root@vm~]# uname -r
2.6.32-696.18.7.el6.x86_64
Then ran the script to check for the vulnerability by downloading it from here https://raw.githubusercontent.com/speed ... checker.sh

Output shows the following:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES  (84 opcodes found, which is >= 70)
> STATUS:  NOT VULNERABLE  (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES 
*   Kernel support for IBRS:  YES 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
Spectre Variant 2 is the only remaining vulnerability. I tried turning IBRS and IBPB on by following the instructions listed here https://access.redhat.com/articles/3311 ... ion-ibrs-7. I mounted debugfs

mount -t debugfs nodev /sys/kernel/debug
then tried running

[root@vm~]# echo 2 > /sys/kernel/debug/x86/ibrs_enabled 
but I get the error

-bash: echo: write error: No such device 
Same error for

echo 1 > /sys/kernel/debug/x86/ibpb_enabled

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Post by TrevorH » 2018/01/15 21:23:46

Pretty sure that both IBRS and IBPB need microcode support and it's unlikely that a VM will have that and only Intel processors that have had a microcode update will do so.

Stoomy
Posts: 1
Joined: 2018/01/16 18:15:41

Re: Meltdown and Spectre

Post by Stoomy » 2018/01/16 18:21:18

Hi All,
If I'm running an EC2 in AWS and still have the Variant 2 vulnerabilities... am I "safe"?

bshoe24
Posts: 22
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Post by bshoe24 » 2018/01/17 15:57:07

I have been trying to update the Intel-downloaded microcode also for Spectre variant #2 on CentOS 6. I need to do it without rebooting as I have some VPS hosts that are hard to reboot. I'll reboot if I have to but I'm trying to figure out how to do it without rebooting.

I've seen a few different instructions.

#1 this one fails
dd if=microcode.dat of=/dev/cpu/microcode bs=1M

output shows error
dd: writing `/dev/cpu/microcode': Invalid argument

#2 this one works but shows an error in dmesg
microcode_ctl -u /lib/firmware/microcode.dat

dmesg shows error
microcode: error!Bad data in microcode data file

#3 Finally I found a ticket in bugzilla that shows you can just copy the Intel folder like this:
cp -v intel-ucode/* /lib/firmware/intel-ucode/

However, I also have this problem. I see plenty of articles mentioning doing this when complete to reload dynamically, but this path does not even exist on my CentOS 6

echo 1 > /sys/devices/system/cpu/microcode/reload

And then finally do this to make it permanent.

dracut -vf
reboot

So the question is, what are the proper procedures for CentOS 6 actually? I have even had my friend who has Red Hat support open a ticket and they have been unhelpful in their first response. They just said contact Intel.