ATTN!...Intel CPU owners (Spectre,Meltdown,Foreshadow, flaws)

Chat about just about anything else
User avatar
smurphos
Level 14
Level 14
Posts: 5160
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos »

michael louwe wrote:@ smurphos, .......
smurphos wrote:...
.
OK, Linux-Ubuntu was justifiably slow. How come Intel and M$ were so slow and seemed to lack patch testing.?
Don't know..

As an aside the changelog for the spectre patched kernel for 17.10 currently in testing is another huge one.....expect breakages. :mrgreen:

https://launchpad.net/ubuntu/+source/linux/4.13.0-29.32
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
Pjotr
Level 21
Level 21
Posts: 14121
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pjotr »

A couple of remarks because of some misunderstandings I've read in this thread:

1. The current security flaws under discussion in this thread, need fixing/mitigation on various levels. So it's not enough to install a patched kernel; you also need to install patched microcode (when available) and apply other fixes, up to and including the application level.

2. If you have an Intel CPU which isn't fixed in the current intel-microcode package, you should still install it. Because Intel is still busy with creating new fixed microcodes: apparently they've promised to extend their effort to CPU's up to 10 years old.

These new fixed microcodes will be put into future updates of the intel-microcode package. If you have installed it, you'll be notified immediately by Update Manager when these updates have arrived.

3. If Driver Manager doesn't mention a manually installed microcode package, but Synaptic does: trust Synaptic.
Tip: 10 things to do after installing Linux Mint 19.3 Tricia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

phil995511
Level 4
Level 4
Posts: 338
Joined: Sat Feb 01, 2014 4:06 am
Location: Geneva (Switzerland)

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by phil995511 »

Pat D wrote:Oh boy. Another issue for Intel.

https://arstechnica.com/information-tec ... -firmware/
Intel said :

PCs for individuals large public audience and servers for data centers using Intel® Server Platform Services are not affected by this vulnerability.

https://www.intel.fr/content/www/fr/fr/ ... ement.html
Linux Mint 19.2 Cinnamon 64 Bits on Dell XPS 9570 (i7-8750H) laptop / Debian 10 Buster Cinnamon 64 Bits on customized workstation (i7-5960X @ 3.8 Ghz) / Raspbian 10 Buster on Raspberry Pi 4


User avatar
buffest_overflow
Level 2
Level 2
Posts: 54
Joined: Sun May 07, 2017 8:35 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by buffest_overflow »

Yeah, so I was one of the idiots that went straight to intel to download the microcode, the first stuff.
I believe this put my microcode to the 0x22. Then Linux pushed the minty microcode on, which I installed, and that turned the 0x22 into a 0x23. Both before I installed any microcode and the two microcodes after, there was one thing that persisted that I have no idea about and I'm hoping it's just something I don't understand.

Here is /proc/cpuinfo:

Code: Select all

  ~ $ cat /proc/cpuinfo 
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 60
model name	: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
stepping	: 3
microcode	: 0x23
cpu MHz		: 3392.083
cache size	: 8192 KB
physical id	: 0
siblings	: 8
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm cpuid_fault epb invpcid_single pti tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt dtherm ida arat pln pts
bugs		: cpu_insecure
bogomips	: 6784.16
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:
Can you spot the part I'm scared of? Does anyone happen to know what this means? if this is the wrong place for this, I'll go wandering off into the distance.

User avatar
Terryphi
Level 3
Level 3
Posts: 179
Joined: Mon Jun 06, 2011 6:30 am
Location: West Wales. UK

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Terryphi »

[quote="buffest_overflow"]...
Are you sure you have updated the kernel as well as the intel-microcode?
Version: LM 19.3 64bit Mate "If something is worth doing, it is worth doing for free."

User avatar
thx-1138
Level 7
Level 7
Posts: 1926
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by thx-1138 »

buffest_overflow wrote:Can you spot the part I'm scared of? Does anyone happen to know what this means? if this is the wrong place for this, I'll go wandering off into the distance.
...i assume you mean the cpu_insecure part? That's exactly what it should report...
https://askubuntu.com/questions/992137/ ... -my-ubuntu

User avatar
smurphos
Level 14
Level 14
Posts: 5160
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by smurphos »

bugs : cpu_insecure perchance? :)

I'm pretty sure that's a flag added by the patched kernel's which indicates that the kernel is implementing PTI to mitigate the CPUs vulnerability to Meltdown.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

User avatar
michael louwe
Level 10
Level 10
Posts: 3298
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

@ buffest_overflow, .......
buffest_overflow wrote:...
.
Seems, the newer Linux kernels now flag all Intel CPUs as cpu_insecure = already patched for the Meltdown bug.

I have a LM 17.3 box running kernel 3.13.107(not yet patched for Meltdown) and Intel Core2Duo CPU which is not flagged as 'bug: cpu_insecure'.

User avatar
Spearmint2
Level 16
Level 16
Posts: 6883
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Spearmint2 »

Those running Linux AMD-based computers should not need to install the recent kernel patch for Meltdown(= KPTI feature), eg no need to install kernel 3.13.139. Installing it has no effect on AMD processors, wrt installing the KPTI feature, which can hurt CPU performance.
I didn't do it for any "need", just to test it and see if it would adversely affect AMD computers if installed. I knew I could boot instead to my old kernel if so. I was just curious to check it out, since I thought some others on AMD might install it and if it was a problem, they needed to be warned off.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

User avatar
Spearmint2
Level 16
Level 16
Posts: 6883
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Spearmint2 »

michael louwe wrote:About microcode updates for Linux ... https://wiki.debian.org/Microcode , http://metadata.ftp-master.debian.org/c ... DME.Debian
My question is this: Is some AMD64 microcode from 2013 still relevant to today's distros, since I'd assume it was already built into newer versions.

This is what I show currently

Code: Select all

~ $ lsmod | grep amd
kvm_amd                54724  0 
kvm                   388316  1 kvm_amd

 ~ $ dmesg | grep microcode
[    1.164602] microcode: CPU0: patch_level=0x01000098
[    1.164639] microcode: Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
Here's what's shown for the older AMD64-microcode in Package Manager. Mostly seemed concerned at that time with AMD interaction with initramfs. I've had no problems without it, now 5 years later. I've assumed whatever problem existed then has already been ameliorated in later distro versions.
Processor microcode firmware for AMD CPUs

This package contains microcode patches for all AMD AMD64
processors. AMD releases microcode patches to correct
processor behavior as documented in the respective processor
revision guides.

CHANGELOG; (just some of the last entries for it)

amd64-microcode (2.20131007.1+really20130710.1) unstable; urgency=low

* Fix M-D-Y issue that leaked to the package version number
* The real upstream release date is 2013-07-10

-- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 07 Sep 2013 22:22:00 -0300

amd64-microcode (2.20131007.1) unstable; urgency=low

* New upstream release, received through linux-firmware and LKML
+ updated microcode:
sig 0x00500F10, id 0x05000029: erratum (+) 784;
sig 0x00500F20, id 0x05000119: erratum (+) 784;
sig 0x00600F12, id 0x0600063D: errata (-) 668, (+) 759, 778;
+ new microcode:
sig 0x00200F31, id 0x02000032: errata 311, 316;
sig 0x00600F20, id 0x06000822: errata 691, 699, 704, 708, 709, 734,
740, 778;
+ This update fixes important processor bugs that cause data corruption
or unpredictable system behaviour. It also fixes a performance issue
and several issues that cause system lockup.
* Switch to native package, since there is no upstream tarball

-- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 07 Sep 2013 15:22:09 -0300
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

User avatar
Pjotr
Level 21
Level 21
Posts: 14121
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pjotr »

Spearmint2 wrote:My question is this: Is some AMD64 microcode from 2013 still relevant to today's distros,
Yes, because it might improve the microcode contained in your BIOS. Or it might wreak havoc, of course. :mrgreen:
since I'd assume it was already built into newer versions.
It's not. It's in your BIOS.
Tip: 10 things to do after installing Linux Mint 19.3 Tricia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Capella
Level 1
Level 1
Posts: 17
Joined: Tue Nov 01, 2016 11:48 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Capella »

Pjotr wrote:A couple of remarks because of some misunderstandings I've read in this thread:

1. The current security flaws under discussion in this thread, need fixing/mitigation on various levels. So it's not enough to install a patched kernel; you also need to install patched microcode (when available) and apply other fixes, up to and including the application level.

2. If you have an Intel CPU which isn't fixed in the current intel-microcode package, you should still install it. Because Intel is still busy with creating new fixed microcodes: apparently they've promised to extend their effort to CPU's up to 10 years old.

These new fixed microcodes will be put into future updates of the intel-microcode package.
3. If Driver Manager doesn't mention a manually installed microcode package, but Synaptic does: trust Synaptic.

I just want to make sure I understand the intel-microcode package that was recently installed..Driver manager(and Synaptic) both show that I have version 3.20180108 ubuntu 16.04.02 installed on my Intel i7 3630-QM CPU. If I understand correctly--when I look at the output from "journalctl" I see the line "Inspiron-7720 kernel: microcode: microcode updated early to revision 0x1c, date = 2015-02-26"
This means that the intel-microcode package has not been updated by intel for this CPU--correct? Then each time a new intel-microcode package shows up in update manager--after installing-- I have to look in the journalctl to see if it has been updated for my CPU?
When I check my bios I have A16(15 Oct 2013) installed and dell download and drivers site shows the latest version to be A17(01 Jun 2015)--Not sure if this CPU will be ever be updated --but I was naive enough to think that the intel-microcode package from update manager did the job....Thanks

phil995511
Level 4
Level 4
Posts: 338
Joined: Sat Feb 01, 2014 4:06 am
Location: Geneva (Switzerland)

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by phil995511 »

Capella wrote:A couple of remarks because of some misunderstandings I've read in this thread:


I just want to make sure I understand the intel-microcode package that was recently installed..Driver manager(and Synaptic) both show that I have version 3.20180108 ubuntu 16.04.02 installed on my Intel i7 3630-QM CPU. If I understand correctly--when I look at the output from "journalctl" I see the line "Inspiron-7720 kernel: microcode: microcode updated early to revision 0x1c, date = 2015-02-26"
This means that the intel-microcode package has not been updated by intel for this CPU--correct? Then each time a new intel-microcode package shows up in update manager--after installing-- I have to look in the journalctl to see if it has been updated for my CPU?
When I check my bios I have A16(15 Oct 2013) installed and dell download and drivers site shows the latest version to be A17(01 Jun 2015)--Not sure if this CPU will be ever be updated --but I was naive enough to think that the intel-microcode package from update manager did the job....Thanks
Intel has not patched all cpu yet, when you see a recent date, your cpu will have been patched.

You should update your Dell bios to A17 for more stability and/or security, although the current problem will not be solved.

As explained above there are several things to do to ensure better security for your PC.

I advise you to read :

https://blog.linuxmint.com/?p=3496

If you have any further questions the Mint team will most certainly answer you on this page.

Best regards.
Last edited by phil995511 on Sat Jan 13, 2018 2:57 pm, edited 1 time in total.
Linux Mint 19.2 Cinnamon 64 Bits on Dell XPS 9570 (i7-8750H) laptop / Debian 10 Buster Cinnamon 64 Bits on customized workstation (i7-5960X @ 3.8 Ghz) / Raspbian 10 Buster on Raspberry Pi 4

User avatar
Pjotr
Level 21
Level 21
Posts: 14121
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pjotr »

Capella wrote:This means that the intel-microcode package has not been updated by intel for this CPU--correct? Then each time a new intel-microcode package shows up in update manager--after installing-- I have to look in the journalctl to see if it has been updated for my CPU?
Yes and yes. :)
Tip: 10 things to do after installing Linux Mint 19.3 Tricia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
michael louwe
Level 10
Level 10
Posts: 3298
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

@ Capella, .......
Capella wrote:...
.
What about the Terminal output for ... dmesg | grep microcode .?

User avatar
michael louwe
Level 10
Level 10
Posts: 3298
Joined: Sun Sep 11, 2016 11:18 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by michael louwe »

As per https://news.ycombinator.com/item?id=16111433 , only 3rd-gen Intel Ivy Town(= Xeon 15-core) processors are covered by the Intel microcode 20180108 update, ie 3rd-gen Intel Ivy Bridge processors are not covered.
... Nearly all Intel processors from 4th-gen Haswell onward are covered.

neversaynever
Level 1
Level 1
Posts: 23
Joined: Sat Jan 13, 2018 4:26 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by neversaynever »

Hi and sorry for my bad english.
I’m a newbie with Linux Mint, I’ve read all the thread, I’ve made all the update using Update Manager and Driver Manager, apparently with success, but now I’m confused.

OS: Linux Mint 18 32 bit; CPU: Intel Core i7-2640M; kernel: 4.4.0.109-132 running; intel microcode: 3.20180108.0 (Ubuntu 16.04.2)installed. Everything seems to work without problems.

Now I’v run the Github spectre-meltown-checker.sh and I obtained:
5753: Spectre v.1: NOT VULNERABLE (as expected)
5715: Spectre v.2: VULNERABLE (as expected, waiting next Ubuntu Patch)
5754: Meltdown v.3: (NOT EXPECTED !!!)
* kernel supports Page Table Isolation (PTI): NO
* PTI enable and active: NO
>STATUS: VULNERABLE

I don’t understand why I’m vulnerable by Meltdown, with PTI not enabled, even if I updated without problems to kernel v. 4.4.0.109-132.
I don’t know what to do. May anybody help me please?

User avatar
Pjotr
Level 21
Level 21
Posts: 14121
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by Pjotr »

neversaynever wrote:Hi and sorry for my bad english.
I’m a newbie with Linux Mint, I’ve read all the thread, I’ve made all the update using Update Manager and Driver Manager, apparently with success, but now I’m confused.

OS: Linux Mint 18 32 bit; CPU: Intel Core i7-2640M; kernel: 4.4.0.109-132 running; intel microcode: 3.20180108.0 (Ubuntu 16.04.2)installed. Everything seems to work without problems.

Now I’v run the Github spectre-meltown-checker.sh and I obtained:
5753: Spectre v.1: NOT VULNERABLE (as expected)
5715: Spectre v.2: VULNERABLE (as expected, waiting next Ubuntu Patch)
5754: Meltdown v.3: (NOT EXPECTED !!!)
* kernel supports Page Table Isolation (PTI): NO
* PTI enable and active: NO
>STATUS: VULNERABLE

I don’t understand why I’m vulnerable by Meltdown, with PTI not enabled, even if I updated without problems to kernel v. 4.4.0.109-132.
I don’t know what to do. May anybody help me please?
Don't attach too much importance to that checking tool. With your current kernel you've already done a lot to contain/mitigate this.

More background information from the Ubuntu Security Team:
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown
Tip: 10 things to do after installing Linux Mint 19.3 Tricia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

neversaynever
Level 1
Level 1
Posts: 23
Joined: Sat Jan 13, 2018 4:26 pm

Re: ATTN!...Intel CPU owners (Spectre & Meltdown flaws)

Post by neversaynever »

Pjotr wrote:
neversaynever wrote:...
OS: Linux Mint 18 32 bit; CPU: Intel Core i7-2640M; kernel: 4.4.0.109-132 running; intel microcode: 3.20180108.0 (Ubuntu 16.04.2)installed. Everything seems to work without problems.
...
Now I’v run the Github spectre-meltown-checker.sh and I obtained:
5753: Spectre v.1: NOT VULNERABLE (as expected)
5715: Spectre v.2: VULNERABLE (as expected, waiting next Ubuntu Patch)
5754: Meltdown v.3: VULNERABLE

I don’t understand why I’m vulnerable by Meltdown, ... even if I updated without problems to kernel v. 4.4.0.109-132.
... May anybody help me please?
Don't attach too much importance to that checking tool. With your current kernel you've already done a lot to contain/mitigate this.

More background information from the Ubuntu Security Team:
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown
Thanks a lot Pjotr; so I will not worry about that ...

Post Reply

Return to “Open chat”