How to ensure Mint is secure from Spectre & Meltdown?

Questions about hardware,drivers and peripherals
Forum rules
Before you post please read how to get help
Post Reply
User avatar
jameskga
Level 3
Level 3
Posts: 192
Joined: Sat Jun 04, 2016 8:23 pm

How to ensure Mint is secure from Spectre & Meltdown?

Post by jameskga » Fri Jan 19, 2018 2:37 am

From my reading I understand Spectre & Meltdown require at least a two-fold response: Hardware (firmware update) and software (OS)

While I wait for my motherboard manufacturer to release their update (skeleton.jpg), I know Windows automagically applied their mystical patches behind my back, and I understand the linux kernel addresses the issue in its own regard, where I could at least see the item being downloaded and installed as I gave permission.

But someone on the EVE Online forums told me Intel maintains the microcode for Linux as though they're some kind of benevolent force of open source altruism. Maybe they are. They were referring, of course, to what we see in the Driver Manager window on Mint. They said Intel maintains that like champions.

Image

So I searched, and this is what I found:

According to the following site, intel-microcode (open-source) was updated to Version 3.20180108.0-ubuntu16.04.2 to address Spectre.
https://usn.ubuntu.com/usn/usn-3531-1/

Cool, right? That means they at least addressed Spectre and patched the open source intel-microcode included in many Mint installations on Intel chips.

Only thing is, several people on this board have strongly suggested users do NOT enable this processor microcode if they don't need to. That is to say, they make it sound like you're either wasting your time doing so, or could potentially brick your system. It's been made on these forums to sound like if you switch over to this driver, you are making a potentially fatal error in judgment and you're a complete n00b for trying it without a computer science degree. But to me, it seems absolutely imperative that I switch to this driver because it was released specifically in response to Spectre. I will switch to it after writing this post. And then if what the old guard around here warns me is true, I'll be purchasing a new system (lol).

So now I wonder, will consensus change? Shouldn't EVERYONE now be instructed to open Driver Manager and switch to this intel-microcode driver? Or was the change to the Linux kernel that was included in Software Manager enough to remedy this security hole? Or do we need some combination of the two? Is Meltdown still a threat, since only Spectre was mentioned? Or did the kernel update mitigate both threats?

I'd love to hear your thoughts.
LMDE 2 Cinnamon (64-bit)
I am out there

User avatar
thx-1138
Level 6
Level 6
Posts: 1255
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: How to ensure Mint is secure from Spectre & Meltdown?

Post by thx-1138 » Fri Jan 19, 2018 3:37 am

Quite a few misconceptions - but you are correct in that it takes a multi-layered approach. In a simple diagram:
-> BIOS -> (Microcode) -> Kernel -> Recompiled and/or 'corrected' packages (aka. userland)

Intel 'maintains' the microcode in general, regardless of OS, because it's meant for their own products / processors. Yes, in a sense, you could say that they are 'kind enough' to supply us with such. On another context, you could equally also claim that they are required to supply such, since they're selling us their products in the first place (and even more since security updates are needed from time to time as it happens in the current situation).
To keep it short, 'benevolent force of open source altruism' i certainly wouldn't call them to speak off (although they do contribute in the kernel lots of code for their own reasons). The microcode itself is not open source & will most likely never be. It doesn't even come with a proper changelog: no one knows exactly what goes inside them.

Intel's microcode is already contained in your BIOS (...UEFI nowadays). The suggested & recommended method even by microcode's packagers themselves is to update the BIOS. However, a newer BIOS update might not be available for your system from your vendor, hence comes microcode as a simpler solution: it gets loaded from the kernel each time the machine boots & corrects / enhances the processors' behavior.

The reason some people say to be cautious about it is exactly because it alters the execution of instructions. There's always a good chance it won't behave correctly / as expected, and people not being very technically inclined might not notice it or know what to do. If i was to make an over-simplistic comparison, maybe kinda think of it like installing an extra proprietary driver: theoritically, the company responsible made the tests required in the lab, but in real life '...you never know...'
For the record, in my Mint 18.3 installation, the latest microcode was offered as a Level 2 update.

In regards to the title now, "how to ensure"...to keep it as short as possible:
1) Keep an eye for an updated BIOS from your vendor.
2) If such isn't available / an option, install the latest microcode, chances are it will still mitigate the dangers. Run dmesg | grep microcode after installing it: if it reports a date at least newer than 2017-06-01, it means that the package included patches for your processor. If it reports an older date, a newer microcode update at some later point might still provide support & fixes for it.
3) Keep your kernel updated per instructions here. If / when newer required kernels get released, it's 110% certain that some notice & instructions will be provided around here. Spectre hasn't been patched yet on Canonical's kernels, only Meltdown.
4) Last but certainly not least, make sure to have installed the latest versions of the browsers you're using, and (obviously) that they are regularly updated via Update Manager...

User avatar
Moem
Level 17
Level 17
Posts: 7039
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: How to ensure Mint is secure from Spectre & Meltdown?

Post by Moem » Fri Jan 19, 2018 4:29 am

thx-1138 wrote: 4) Last but certainly not least, make sure to have installed the latest versions of the browsers you're using, and (obviously) that they are regularly updated via Update Manager...
... or in a different way, as long as they're regularly updated.
For example, Pale Moon and Waterfox have their own updating systems. They are both invulnerable against Spectre.

Apart from this addition, thank you for this clear and thorough explanation!
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Deadtroopers
Level 1
Level 1
Posts: 9
Joined: Mon Apr 30, 2012 3:16 pm
Location: Stockport, England

Re: How to ensure Mint is secure from Spectre & Meltdown?

Post by Deadtroopers » Fri Jan 19, 2018 4:03 pm

Driver Manager reports Version 3.20180108.0-ubuntu16.04.2 in use. Running dmesg | grep microcode returns 'date = 2013-06-017'. I don't think that is terribly useful.

User avatar
jameskga
Level 3
Level 3
Posts: 192
Joined: Sat Jun 04, 2016 8:23 pm

Re: How to ensure Mint is secure from Spectre & Meltdown?

Post by jameskga » Fri Jan 19, 2018 5:07 pm

Dude, excellent responses. Thank you guys so much. I have just two more questions.
thx-1138 wrote:The microcode itself is not open source & will most likely never be. It doesn't even come with a proper changelog: no one knows exactly what goes inside them.
1) Do you think the driver is mislabeled 'open-source' in Driver Manager?

Image

Could it be I am thinking of the wrong microcode, or maybe the wrong instance of this term, or something like that?

2) In his latest response, Deadtroopers suggests the microcode listed in Driver Manager is out-of-date or useless. I don't know whether that's true, but let's say hypothetically it is true (and add to our hypothetical Canonical patched the kernel to beat both Spectre and Meltdown): Does running deprecated microcode break threat protections provided in the kernel? Or to phrase the question another way, would running bunk microcode override or contradict those protections, reopening security risks?
LMDE 2 Cinnamon (64-bit)
I am out there

User avatar
thx-1138
Level 6
Level 6
Posts: 1255
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: How to ensure Mint is secure from Spectre & Meltdown?

Post by thx-1138 » Fri Jan 19, 2018 11:13 pm

The Driver Manager indeed has a small glitch & mislabels intel-microcode as open source.

It is always the newest microcode that gets loaded: if the BIOS has a newer version included / 'embedded' within it, the kernel will simply ignore an older dated manually installed intel-microcode package. Ie. to simplify this: the system will always use the newest one available, regardless of where it finds it.

Now, say for example in the above case, where the date returned is 2013-06-17:
it is useless in that in won't protect from Spectre - being that old, it obviously doesn't contain fixes for it.
There is no guarantee whatsoever that Intel will release updated microcode for all older processors.
Yet, it is not useless however in at least the following 2 cases:
1) what was the actual version / date of the microcode that came by default with the BIOS before installing the microcode package? if it was earlier than that, then, it still fixes other past errata. if it is from the same date, so be it, no harm done whatsoever (it merely 'wastes' 2mb of disk size being installed)...
2) having it installed, even if it doesn't get loaded due to it's older date, still ensures that you automatically receive future updates (which as described above, they might or might not provide fixes for your processor...it all comes down to what Intel will decide to fix).

jglen490
Level 4
Level 4
Posts: 239
Joined: Sat Jul 15, 2017 9:57 pm

Re: How to ensure Mint is secure from Spectre & Meltdown?

Post by jglen490 » Sat Jan 20, 2018 12:32 am

I'm not sure one can "ensure" that Meltdown and Spectre won't hurt. Mitigate, yes. Diligence, yes. Ensure, not today.

It's a vulnerability, not an exploit - at least today.

This, like everything else pertaining to security, is mitigated by diligently applying patches to the OS and applications as they are made available. Keep yourself educated not only about the vulnerability, but also any exploits should they appear some day. Avoid panic, knee-jerk reactions, and fad approaches to "fixes".
I feel more like I do than I did when I got here.
Toshiba A135-S2386, Intel T2080, ATI Radeon® Xpress 200M Chipset, 2GB RAM, 500GB

Post Reply

Return to “Hardware Support”