Meltdown and Spectre

bshoe24
Posts: 22
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Post by bshoe24 » 2018/01/19 22:41:22

Thanks for the update Trevor.

aceprabhu
Posts: 4
Joined: 2018/01/19 12:39:25

Re: Meltdown and Spectre

Post by aceprabhu » 2018/01/20 20:46:47

@bshoe24, I didn't install the microcode - microcode_ctl-1.17-25.2 - as it was said to be problematic and a new one was released to undo its installation.

Any thoughts on why spectre-meltdown-checker.sh yields negative results even though I have patched my OS?

-Prabhu

bshoe24
Posts: 22
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Post by bshoe24 » 2018/01/21 18:45:01

@aceprabhu I'm not sure sorry.

My CentOS 6 E3-1230 V2 system, fully updated, reports mitigated except for Spectre #2 when testing with both the GitHub (spectre-meltdown-checker.sh) and Red Hat (spectre_meltdown.sh) test scripts.

2.6.32-696.18.7.el6.x86_64 installed
microcode_ctl-1.17-25.4.el6_9.x86_64 installed

Variant #1 (Spectre): Mitigated
Variant #2 (Spectre): Vulnerable
Variant #3 (Meltdown): Mitigated

By comparison, on the CentOS 6 E3-1231 V3 system I am testing, it reports all 3 mitigated including Spectre #2 if I load the newer Intel microcode (Version: 20180108), but that microcode does not seem stable yet. It has not crashed on me yet but is generating mcelog errors.

aceprabhu
Posts: 4
Joined: 2018/01/19 12:39:25

Re: Meltdown and Spectre

Post by aceprabhu » 2018/01/23 12:32:12

Is KPTI only for 64-bit systems? Sorry for persisting with the question of mitigating the vulnerabilities in CentOS 6.9 i386. I am not finding any reference to why the following files would be missing (I had mounted debugfs):

/sys/kernel/debug/x86/pti_enabled
/sys/kernel/debug/x86/ibpb_enabled
/sys/kernel/debug/x86/ibrs_enabled

In my CentOS 7 system, the patch update worked just fine. Updated kernel and kernel-firmware. Variant 1 and Variant 2 are mitigated.
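The three debugfs files listed above are the per-mitigation switches the CentOS 6 kernel exposes, and the variant names match the checker output bshoe24 posted earlier. The following is an added example for this thread (not the Red Hat or GitHub checker scripts) that reads those knobs and reports which variant each one covers, treating a missing file as its own state, since that is the symptom described here. It assumes debugfs is mounted at /sys/kernel/debug and that it is run as root.

```shell
#!/bin/sh
# Added example, not from the Red Hat or GitHub checker scripts.
# Assumes: mount -t debugfs none /sys/kernel/debug  (and root access)

# knob_state FILE: print the knob's state and return
#   0 = enabled (non-zero value)
#   1 = present but disabled (value 0)
#   2 = file missing: the running kernel has no such knob at all
#   3 = present but unreadable (debugfs normally needs root)
knob_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing"
        return 2
    fi
    if [ ! -r "$f" ]; then
        echo "unreadable"
        return 3
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0|"") echo "disabled"; return 1 ;;
        *)    echo "enabled($v)"; return 0 ;;
    esac
}

# check_mitigations [DIR]: report each knob under DIR (default
# /sys/kernel/debug/x86) together with the variant it mitigates.
# Returns the number of knobs that are NOT enabled, so 0 means all
# three are active and "missing" for all three means the kernel
# carries none of these mitigations.
check_mitigations() {
    dir="${1:-/sys/kernel/debug/x86}"
    bad=0
    for entry in \
        "pti_enabled:Variant 3 (Meltdown), kernel page-table isolation" \
        "ibrs_enabled:Variant 2 (Spectre), needs updated microcode" \
        "ibpb_enabled:Variant 2 (Spectre), needs updated microcode"; do
        name=${entry%%:*}
        desc=${entry#*:}
        # the assignment takes the exit status of knob_state
        state=$(knob_state "$dir/$name") || bad=$((bad + 1))
        printf '%-12s %-12s %s\n' "$name" "$state" "$desc"
    done
    return "$bad"
}
```

Source the file and call check_mitigations with no argument on the host itself, or pass a directory to inspect a copy of the knobs taken from another machine.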

bshoe24
Posts: 22
Joined: 2015/03/11 15:38:54

Re: Meltdown and Spectre

Post by bshoe24 » 2018/01/24 02:38:41

32-bit news :)
https://duckduckgo.com/?q=kpti+32+bit

I asked in an earlier post about the reason the Microsoft Spectre checker script doesn't find support even with the buggy microcode, and it is because there is none passed to the guest yet, apparently, from this post:

"Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines"

https://www.qemu.org/2018/01/04/spectre/

rajrana0720
Posts: 1
Joined: 2017/12/15 05:20:05

Re: Meltdown and Spectre

Post by rajrana0720 » 2018/01/25 09:52:31

rickyng wrote: After running "yum update" and rebooting, how do we verify if the patch was applied?

By running the uname -r command, you can check the kernel version.

theninjaboy123
Posts: 2
Joined: 2018/01/30 01:25:49

Re: Meltdown and Spectre

Post by theninjaboy123 » 2018/01/30 02:22:45

Is it possible to apply these patches manually (offline servers) for CentOS releases 6.3 and 6.8, or do I definitely need to update to CentOS 6.9 first?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Meltdown and Spectre

Post by TrevorH » 2018/01/30 03:25:40

Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

theninjaboy123
Posts: 2
Joined: 2018/01/30 01:25:49

Re: Meltdown and Spectre

Post by theninjaboy123 » 2018/01/30 03:53:04

TrevorH wrote: Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.

Thanks for the response Trevor.

I have upgraded 6.3 to 6.9 (offline server) via DVD1 & DVD2 iso of CentOS 6.9.

Subsequently, I had also manually installed all the packages for Meltdown and Spectre (kernel, libvirt, qemu) [https://lists.centos.org/pipermail/cent ... 22701.html].

The meltdown and spectre checker script has shown that I mitigated both #1 and #3 (not #2, as I did not apply the microcode update).

Is this a sufficient attempt to patch the general security as well as meltdown and spectre?

aceprabhu
Posts: 4
Joined: 2018/01/19 12:39:25

Re: Meltdown and Spectre

Post by aceprabhu » 2018/01/30 04:45:45

Any idea on the timeline for making mitigation fixes available for i386? Or will it not be available at all?
