Page 5 of 6

Re: Meltdown and Spectre

Posted: 2018/01/19 22:41:22
by bshoe24
Thanks for the update Trevor.

Re: Meltdown and Spectre

Posted: 2018/01/20 20:46:47
by aceprabhu
@bshoe24, I didn't install the microcode - microcode_ctl-1.17-25.2 - as it was said to be problematic and a new one was released to undo its installation.

Any thoughts on why spectre-meltdown-checker.sh yields negative results even though I have patched my OS?

-Prabhu

Re: Meltdown and Spectre

Posted: 2018/01/21 18:45:01
by bshoe24
@aceprabhu I'm not sure sorry.

My CentOS 6 E3-1230 V2 system, fully updated, reports mitigated except for Spectre #2, testing with both the GitHub (spectre-meltdown-checker.sh) and Red Hat's (spectre_meltdown.sh) test scripts.

2.6.32-696.18.7.el6.x86_64 installed
microcode_ctl-1.17-25.4.el6_9.x86_64 installed

Variant #1 (Spectre): Mitigated
Variant #2 (Spectre): Vulnerable
Variant #3 (Meltdown): Mitigated

By comparison, the CentOS 6 E3-1231 V3 system I am testing reports all 3 mitigated, including Spectre #2, if I load the newer Intel microcode (Version: 20180108), but that microcode does not seem stable yet. It has not crashed on me yet but is generating mcelog errors.

Re: Meltdown and Spectre

Posted: 2018/01/23 12:32:12
by aceprabhu
Is KPTI only for 64-bit systems? Sorry for persisting with the question of mitigating the vulnerabilities in CentOS 6.9 i386. I am not finding any reference to why the following files would be missing (I had mounted debugfs):

/sys/kernel/debug/x86/pti_enabled
/sys/kernel/debug/x86/ibpb_enabled
/sys/kernel/debug/x86/ibrs_enabled

In my CentOS 7 system, the patch update worked just fine. Updated kernel and kernel-firmware. Variant 1 and Variant 2 are mitigated.

Re: Meltdown and Spectre

Posted: 2018/01/24 02:38:41
by bshoe24
32-bit news :)
https://duckduckgo.com/?q=kpti+32+bit

I asked in an earlier post about the reason that the Microsoft Spectre checker script doesn't find support even with the buggy microcode, and apparently, from this post, it is because there is none yet passed to the guest.

"Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines"

https://www.qemu.org/2018/01/04/spectre/

Re: Meltdown and Spectre

Posted: 2018/01/25 09:52:31
by rajrana0720
rickyng wrote: After running "yum update" and rebooting, how do we verify if the patch was applied?
By running the uname -r command, you can check the kernel version.
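The two checks discussed above, the running kernel release from uname -r and the three debugfs toggles aceprabhu found missing on i386, combined into one small status script. This is an added example, not a script from the thread or from CentOS/Red Hat. It assumes the toggle files live under /sys/kernel/debug/x86 once debugfs is mounted, that a value of 0 means the mitigation is switched off, and it uses 2.6.32-696.18.7 as the reference kernel because that is the release bshoe24 reports as mitigated above.

```shell
#!/bin/sh
# Added example (not from the thread): CentOS 6 Meltdown/Spectre status check.
# Assumptions: toggle files under /sys/kernel/debug/x86 (debugfs mounted),
# "0" means a mitigation is off, reference kernel taken from bshoe24's post.

TOGGLE_DIR="${TOGGLE_DIR:-/sys/kernel/debug/x86}"
FIXED_KERNEL="2.6.32-696.18.7"

# kver_ge CURRENT REQUIRED: exit 0 when CURRENT is at least REQUIRED.
# Release strings are split on "." and "-" and compared field by field
# numerically, stopping at the first non-numeric field (el6, x86_64, ...).
kver_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk '
    {
        n = split($0, f, /[.-]/)
        for (i = 1; i <= n; i++)
            v[NR, i] = (f[i] ~ /^[0-9]+$/) ? f[i] + 0 : -1
        c[NR] = n
    }
    END {
        m = (c[1] > c[2]) ? c[1] : c[2]
        for (i = 1; i <= m; i++) {
            a = ((1, i) in v) ? v[1, i] : 0
            b = ((2, i) in v) ? v[2, i] : 0
            if (a < 0 || b < 0) break      # non-numeric tail: stop comparing
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# toggle_value DIR NAME: print the toggle file content, or "missing".
toggle_value() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# all_toggles_on DIR: exit 0 only when pti/ibpb/ibrs are all present and non-zero.
all_toggles_on() {
    for name in pti_enabled ibpb_enabled ibrs_enabled; do
        val=$(toggle_value "$1" "$name")
        case "$val" in
            missing|0) return 1 ;;
        esac
    done
    return 0
}

# Human-readable summary of both checks.
main() {
    rel=$(uname -r)
    arch=$(uname -m)
    echo "kernel: $rel ($arch)"
    if kver_ge "$rel" "$FIXED_KERNEL"; then
        echo "kernel release is at or above $FIXED_KERNEL"
    else
        echo "kernel release is below $FIXED_KERNEL: update and reboot"
    fi
    if [ ! -d "$TOGGLE_DIR" ]; then
        echo "no $TOGGLE_DIR: debugfs not mounted, or this kernel exposes no toggles"
    fi
    for name in pti_enabled ibpb_enabled ibrs_enabled; do
        echo "$name=$(toggle_value "$TOGGLE_DIR" "$name")"
    done
    if all_toggles_on "$TOGGLE_DIR"; then
        echo "all three toggles enabled"
    else
        echo "at least one toggle missing or disabled (ibrs needs the microcode update)"
    fi
}

main
```

A "missing" toggle is reported separately from a "0" toggle on purpose: the first means the running kernel does not expose the interface at all (the i386 case in this thread, or debugfs not mounted), while the second means the kernel has it but it is switched off, which for ibrs_enabled is what you see without the matching microcode.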

Re: Meltdown and Spectre

Posted: 2018/01/30 02:22:45
by theninjaboy123
Is it possible to apply these patches manually (offline servers) for CentOS release 6.3 and 6.8, or do I definitely need to update to CentOS 6.9 first?

Re: Meltdown and Spectre

Posted: 2018/01/30 03:25:40
by TrevorH
Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.

Re: Meltdown and Spectre

Posted: 2018/01/30 03:53:04
by theninjaboy123
TrevorH wrote: Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.
Thanks for the response Trevor.

I have upgraded 6.3 to 6.9 (offline server) via DVD1 & DVD2 iso of CentOS 6.9.

Subsequently, I had also manually installed all the packages for Meltdown and Spectre (kernel, libvirt, qemu) [https://lists.centos.org/pipermail/cent ... 22701.html].

The Meltdown and Spectre checker script has shown that I mitigated both #1 and #3 (not #2, as I did not apply the microcode update).

Is this a sufficient attempt to patch the general security as well as Meltdown and Spectre?

Re: Meltdown and Spectre

Posted: 2018/01/30 04:45:45
by aceprabhu
Any idea on the timeline for making mitigation fixes available for i386? Or will it not be available at all?