Upgraded kernel and microcode but no effect on Spectre Vulnerability
Hi, I am not an expert and am rather confused about what to do about Spectre.
Be that as it may, I installed Kernel 4.13.0-26 and the Intel microcode, which does include my CPU. However, when I ran a script "sh spectre-meltdown-checker.sh", having downloaded it, it tells me that I am still vulnerable to both variants of Spectre despite the microcode update. I then ran "dmesg|grep microcode", which I think (?) tells me what microcode I have, and it tells me I have the following -
~ $ dmesg|grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[ 0.929217] microcode: sig=0x306a9, pf=0x2, revision=0x1c
[ 0.929307] microcode: Microcode Update Driver: v2.2.
This appears to tell me I have microcode dated from 26/02/15 which is not what I thought I had updated to.
If anyone can suggest any advice as to what I need to do I'd appreciate it. I don't know what the problem now is or what a solution might look like.
Regards Steve
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
Oops I should have said I'm running Linux Mint 18.2
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
steveis2 wrote: However when I ran a script "sh spectre-meltdown-checker.sh" having downloaded it. It tells me that I am still vulnerable to both variants of spectre despite...
If you want, I can write a script that says you're not vulnerable. (That's a sarcastic way of saying "where'd you get it?")
steveis2 wrote:
[ 0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[ 0.929217] microcode: sig=0x306a9, pf=0x2, revision=0x1c
[ 0.929307] microcode: Microcode Update Driver: v2.2.

FWIW, I have
Code:
$ uname -a
Linux .... 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$
$ dmesg|grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xa0b, date = 2010-09-28
[ 1.170499] microcode: sig=0x1067a, pf=0x1, revision=0xa0b
[ 1.170600] microcode: Microcode Update Driver: v2.2.
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
Hi
I got the script off wget https://raw.githubusercontent.com/speed ... checker.sh. I found this on https://www.ghacks.net/2018/01/11/check ... erability/.
With a bit of luck maybe the script is no good and the result is wrong.
However the result it came up with was as follows:-
Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Regards Steve
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
I'm assuming everyone running this script will get the same values: 2 vulnerable and 1 not vulnerable. I get the same thing in Arch Linux with kernel 4.14.12, which is higher than the kernels in the Mint repos.
And the thing with
dmesg | grep microcode
is that it will only be as recent as the last time your processor was updated into the Intel processor list. Everyone's date will be somewhere around 2010 if you have an older CPU.
If you wonder why the date is 2010, you need to ask Intel, not the kernel developers, because the kernel devs get the updates from Intel.
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
trytip wrote:
I'm assuming everyone running this script will get the same values: 2 vulnerable and 1 not vulnerable. I get the same thing in Arch Linux with kernel 4.14.12, which is higher than the kernels in the Mint repos.
And the thing with
dmesg | grep microcode
is that it will only be as recent as the last time your processor was updated into the Intel processor list. Everyone's date will be somewhere around 2010 if you have an older CPU.
If you wonder why the date is 2010, you need to ask Intel, not the kernel developers, because the kernel devs get the updates from Intel.

Thank you for your insight. Looking inside the script, its creator does say it might not work, so perhaps the microcode is working as it should. Given that the processor came out in 2012, it could be it was added to the list in 2015, I suppose.
Regards Steve
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
If your CPU is less than 10 years old, you can probably expect a future update for the intel-microcode package, which does contain fixed microcode for Meltdown/Spectre.
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
@ steveis2, .......
steveis2 wrote: ...
Your CPU is Intel 3rd-gen Ivy Bridge (= sig=0x306a9) which is not covered by the Intel microcode 20180108 update. Only Intel 3rd-gen Ivy Town (= Xeon) and 4th-gen Haswell or newer are covered.
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
michael louwe wrote: @ steveis2, ....... Your CPU is Intel 3rd-gen Ivy Bridge (= sig=0x306a9) which is not covered by the Intel microcode 20180108 update. Only Intel 3rd-gen Ivy Town (= Xeon) and 4th-gen Haswell or newer are covered.

Hi,
I think it is in there because on their Linux microcode page for 20180108 it does make reference to the I5 3470 in the list of included CPUs. Having said that, even if it is included there could still be something wrong somewhere.
Regards Steve
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
If you compare Meltdown/Spectre to building a safe house, Meltdown is equivalent to forgetting to install the front door and Spectre is equivalent to forgetting to install the walls. Spectre protection includes updating all your applications including your Web browser and javascript interpreters to stop advertisers using Spectre to improve their breaches of your privacy.
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
@ steveis2, .......
steveis2 wrote: sig=0x306a9, pf=0x2, revision=0x1c...
* Sync package to xenial's latest update
* New upstream microcode datafile 20180108
+ New Microcodes:
sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+ Updated Microcodes:
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
* source: remove unneeded intel-ucode/ directory
* source: remove superseded upstream data file: 20170707
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 09 Jan 2018 13:28:52 -0500
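The lookup done by hand in the post above (find the CPU signature from dmesg in the package changelog, then compare revisions) can be scripted. This is an added example, not part of any post in this thread: the function names `field` and `ucode_status` are made up for illustration, the changelog entries are a subset of those quoted above, and the second dmesg line is the one posted later in the thread. An entry applies to a CPU when the signature matches and the CPU's platform flag (pf) overlaps the entry's pf_mask.

```shell
#!/bin/sh
# Added example (not from the thread): is the running microcode listed in an
# intel-microcode changelog, and is the listed revision newer than the one loaded?

# Entries copied from the 20180108 changelog quoted above (subset).
CHANGELOG='  + Updated Microcodes:
    sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
    sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
    sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304'

# field NAME LINE: print the hex value of NAME=0x... in a dmesg microcode line
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\(0x[0-9a-fA-F]*\).*/\1/p"
}

# ucode_status DMESG_LINE CHANGELOG_TEXT
# prints one of: not-listed | up-to-date | pending <rev> <date> | parse-error
ucode_status() {
    sig=$(field sig "$1"); pf=$(field pf "$1"); rev=$(field revision "$1")
    if [ -z "$sig" ] || [ -z "$pf" ] || [ -z "$rev" ]; then
        echo "parse-error"; return 2
    fi
    result="not-listed"
    while IFS=', ' read -r key csig k2 cmask cdate k3 crev rest; do
        [ "$key" = "sig" ] || continue            # skip headings and notes
        [ $(($csig)) -eq $(($sig)) ] || continue  # CPU signature must match
        [ $(($cmask & $pf)) -ne 0 ] || continue   # platform flag must be in pf_mask
        if [ $(($crev)) -gt $(($rev)) ]; then
            result="pending $crev $cdate"         # changelog lists a newer revision
        else
            result="up-to-date"
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

# The two "microcode: sig=" lines posted in this thread.
ucode_status 'microcode: sig=0x306a9, pf=0x2, revision=0x1c' "$CHANGELOG"
ucode_status 'microcode: sig=0x306c3, pf=0x20, revision=0x1c' "$CHANGELOG"
```

On a live system, pass the `microcode: sig=` line from `dmesg` and the text of the installed package's changelog instead of the embedded samples.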
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
steveis2 wrote: If anyone can suggest any advice as to what I need to do I'd appreciate it. I don't know what the problem now is or what a solution might look like.
Sit tight and wait for further kernel updates and microcode updates. Enjoy your patched web browser.
The current 4.4.0-109 and 4.13.0-26 kernels are only patched against Meltdown. Ubuntu are working on the next updates which will include the Spectre patches. They are currently in testing.
https://insights.ubuntu.com/2018/01/12/ ... us-update/
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown
Re the Microcode package - it contains microcodes for all Intel CPUs that have ever had Microcode updates as listed on the Intel page here - https://downloadcenter.intel.com/downlo ... -Data-File
But not all of those microcodes (including the one for your processor) have been patched for Spectre yet as has been mentioned. The most recent update included 16 updated Microcodes and 4 new ones. There are a lot more that presumably, Intel are working on.
https://launchpad.net/ubuntu/+source/in ... ntu16.04.2
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
smurphos wrote: Sit tight and wait for further kernel updates and microcode updates. Enjoy your patched web browser....
There are a lot more that presumably, Intel are working on.
https://launchpad.net/ubuntu/+source/in ... ntu16.04.2

Hi,
I think I will do as you say and wait to see what happens. Hopefully things will work out. I can't see a BIOS update coming from the motherboard manufacturer for some of my older computers, so the microcode is the only hope.
Regards Steve
Re: Upgraded kernel and microcode but no effect on Spectre Vulnerability
interesting,
both of us have identical microcode revision 0x1c
Code:
lynx@lynx-lappy ~ $ grep microcode /proc/cpuinfo
microcode : 0x1c
microcode : 0x1c
microcode : 0x1c
microcode : 0x1c
microcode : 0x1c
microcode : 0x1c
microcode : 0x1c
microcode : 0x1c
it's supposed to be safe
Code:
lynx@lynx-lappy ~ $ grep isolation /var/log/syslog
Feb 21 16:03:58 lynx-lappy kernel: [ 0.000000] Kernel/User page tables isolation: enabled
but according to
Code:
lynx@lynx-lappy ~ $ grep microcode /var/log/kern.log
Feb 18 20:23:33 lynx-lappy kernel: [ 0.000000] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0x22 (or later)
Feb 18 20:23:33 lynx-lappy kernel: [ 2.909978] microcode: sig=0x306c3, pf=0x20, revision=0x1c
Feb 18 20:23:33 lynx-lappy kernel: [ 2.910129] microcode: Microcode Update Driver: v2.2.
it has bugs related to TSC ing, but I don't really know what it means though
confusing