fixing Linux Mint 18.3 for Meltdown and Spectre

[thx-1138]

@Pjotr

You wrote higher up:

@norm.h: please do *not* use Grub Customizer. It's superfluous and it'll irreversibly add a thick layer of complexity to your bootloader.

Would you please elaborate on that? I thought Grub Customizer was a tool intended for editing the grub.cfg file without you "getting your hands dirty". It just probes the system for all the boot options available and you just decide in what order they appear on the grub menu and it takes care of that. I am not sure if I understand how it adds " a thick layer of complexity to your bootloader".
regards

Marziano => https://sites.google.com/site/easylinux ... Customizer

"...The Rolling HWE kernel for Ubuntu 16.04 will go to 4.13 early, instead of also fixing 4.10 HWE kernel. " ???

I'm on LM 18.3 (Mate):

Code: Select all

uname -a
Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP[/b] Mon Dec 4 15:57:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ok, so do I stay with latest 4.10.0-42, or go to latest 4.13.* ?

Thx ahead.

scjet45 => There won't be patched kernels for 4.10.*, only for 4.4.* & 4.13.*. Choose whatever fit your needs.

[Sir Charles]

@thx-1138:

Marziano => https://sites.google.com/site/easylinux ... Customizer

Thank you for the link! A good and vital read. I have used Grub Customizer at several occasions before unaware of the complexities and complications it can introduce in my system. Let's hope that it hasn't messed up things beyond repair!
regards

[Pjotr]

Debian already has packaged new Intel microcode (released today), which probably also addresses the Meltdown/Spectre vulnerabilities: http://ftp.us.debian.org/debian/pool/no ... _amd64.deb

Coming to Mint pretty soon, I think. Don't try this at home (waiting for the official update is always best), but I've already installed it on some machines without problems.

[wpshooter]

But after I installed today's kernel update, the Intel Detection Tool STILL says that
my processor is VULNERABLE to the problems. Should the installation of the new
kernel prevent the Intel tool from giving a positive result or is the tool just saying
that the processor is subject to the problems and is "basically" unaware as to whether the
problem has been mitigated or not ?

Thanks.

The current round of kernel updates from Ubuntu only address Meltdown, not Spectre.

Spectre fixes to follow at a later date.

https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

So am I correct that when both Meltdown AND Spectre have been mitigated, that
the Intel Detection Tool will say that the processor is NOT vulnerable ?

Here is my latest solution to these problems.

I call Intel, they (Intel) tell me to call Dell, they say it is a Dell (BIOS update) problem.
I call Dell, they (Dell) tell me to call Intel, they say it is an Intel design problem.
See MY problem !!!

Thanks.

[BigEasy]

What is Intel Detection Tool ?

[wpshooter]

What is Intel Detection Tool ?

https://www.intel.com/content/www/us/en ... tware.html

See here for Linux users:

https://downloadcenter.intel.com/download/27150?v=t

[BigEasy]

Thank you. I already knows about it but forgot because seems it is not about Meltdown and Spectre. Well, anyway who konws what that output means?

Code: Select all

Processor Name: Intel(R) Celeron(R) CPU 2.66GHz
OS Version: LinuxMint 18.3 sylvia (4.4.0-109-generic)
HECI error: No device with MKHI found[2]
SPS tool failed with error Exec format error[8]
Status: HECI_NOT_INSTALLED
Tool Stopped

[wpshooter]

Thank you. I already knows about it but forgot because seems it is not about Meltdown and Spectre. Well, anyway who konws what that output means?

Code: Select all

Processor Name: Intel(R) Celeron(R) CPU 2.66GHz
OS Version: LinuxMint 18.3 sylvia (4.4.0-109-generic)
HECI error: No device with MKHI found[2]
SPS tool failed with error Exec format error[8]
Status: HECI_NOT_INSTALLED
Tool Stopped

You need to run it as SUDO and according to what I am reading it IS related to testing for Meltdown and Spectre problems.

P.S. - Seems to me that I read that these flaws do NOT apply to Celeron, but don't take that for gospel.

[BigEasy]

Sudo! Thank you. There is output:

Code: Select all

Processor Name: Intel(R) Celeron(R) CPU 2.66GHz
OS Version: LinuxMint 18.3 sylvia (4.4.0-109-generic)

*** Risk Assessment ***
Detection Error: This system may be vulnerable,
  either the Intel(R) MEI/TXEI driver is not installed
  (available from your system manufacturer)
  or the system manufacturer does not permit access
  to the ME/TXE from the host driver.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

[wpshooter]

Sudo! Thank you. There is output:

Code: Select all

Processor Name: Intel(R) Celeron(R) CPU 2.66GHz
OS Version: LinuxMint 18.3 sylvia (4.4.0-109-generic)

*** Risk Assessment ***
Detection Error: This system may be vulnerable,
  either the Intel(R) MEI/TXEI driver is not installed
  (available from your system manufacturer)
  or the system manufacturer does not permit access
  to the ME/TXE from the host driver.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

I see that you have your kernel updated to the very same version that I currently have.

So, that leads to my question, does your output when running the detection tool after updating the
kernel mean that your (and my) systems are still vulnerable to the processor problems or is it just
a message that is saying that our processors are "possible" candidates for these problems. I can get
no one from Dell, Intel nor these forums who knows the answer to this question.

[thx-1138]

But after I installed today's kernel update, the Intel Detection Tool STILL says that
my processor is VULNERABLE to the problems. Should the installation of the new
kernel prevent the Intel tool from giving a positive result or is the tool just saying
that the processor is subject to the problems and is "basically" unaware as to whether the
problem has been mitigated or not ?
.........................................
So am I correct that when both Meltdown AND Spectre have been mitigated, that
the Intel Detection Tool will say that the processor is NOT vulnerable ?
.......................
Thanks.

...the 'Intel Detection Tool' has absolutely nothing to do with Meltdown & Spectre: it's purpose is to detect if Management Engine is affected by a different set of flaws that were disclosed back in November.
For Meltdown & Spectre:
https://github.com/speed47/spectre-meltdown-checker

[Spearmint2]

what about mate v17.x? is there going to be an update or I have to upgrade to v18.x first? Is that even possible or I should start again. I'm using it in oracle VM.
thanks.

Supposedly this is the one needed. Need to set update manager to visible for levels 4 & 5 and refresh it.

Code: Select all

 inxi -S
System:    Host: mint16 Kernel: 3.13.0-139-generic i686 (32 bit) Desktop: MATE 1.12.0
           Distro: Linux Mint 17.3 Rosa

[wpshooter]

[quote=
For Meltdown & Spectre:
https://github.com/speed47/spectre-meltdown-checker

[/quote]

Thanks.

[tovian]

New articles today (1/18)

from Ars Technica:
Meltdown and Spectre: Good news for AMD users, (more) bad news for Intel
Note the last paragraph !!

AND ANOTHER................

from PCMag:
Tests Show Tiny PC Performance Hit From Meltdown, Spectre Fix

[InkKnife]

And now this:

You know how you’re supposed to flash the BIOS or update the UEFI on all of your Intel machines, to guard against Meltdown/Spectre? Well, belay that order, private! Intel just announced that you need to hold off on all of its new patches. No, you can’t uninstall them. To use the technical term, if you ran out and applied your Intel PC’s latest firmware patch, you’re hosed.

In what appears to be a catastrophic curtain call to the "oops" moment that I discussed 10 days ago, it now seems that the bright, new firmware versions — which Intel has had six months to patch — have a nasty habit of causing “higher system reboots.”

https://www.computerworld.com/article/3 ... fixes.html

The Mint guys are on it though, there is a microcode update that rolls back the previous update in the Update Manger already.

[KalEl]

Hello
I've been following everything about it.
The first step I took was backing up everything ...
The only thing I know I am not a hacker or advanced user, I am user I have followed all the steps.
I could not understand one thing:
Why do they want to read your files or passwords?
I wonder what the purpose of all this would be smoke from a test?
I can only say one thing I backed up everything, so I understood this is your first and safest thing to do.
And what worries me is not the power to read the files, but to delete everything... (this would be possible ?)

[G-Mo]

The threat of meltdown/specter is the vulnerability that a hacker or malware process "could" gain read access to passwords, credit card numbers, etc. Passwords or numbers may appear readable (in real time) from unprotected (non-encrypted) "holes" inside the CPU's instruction layer. If a process can read them, they can trap the characters and have network access or your banking password. The CPU holes have been out there for years where no one has created the highly sophisticated malware to successfully exploit it - yet. But should they gain access to banking passwords or credit card numbers, it wouldn't be pretty for us. Taking steps to prevent any attack is prudent but in this case - not a panic for you.

Good that Google found it. Good that government, enterprise business, banking, and credit card systems went shields-up. Home users shouldn't rush to install every new kernel roll out before a small waiting period to ensure stability. Same with microcode and other spices offered to sprinkle on this evolving "fix". Pay attention to what seems sensible not what the enterprise admins are doing. It does have scary names associated. Thanks Google!

[KalEl]

The threat of meltdown/specter is the vulnerability that a hacker or malware process "could" gain read access to passwords, credit card numbers, etc. Passwords or numbers may appear readable (in real time) from unprotected (non-encrypted) "holes" inside the CPU's instruction layer. If a process can read them, they can trap the characters and have network access or your banking password. The CPU holes have been out there for years where no one has created the highly sophisticated malware to successfully exploit it - yet. But should they gain access to banking passwords or credit card numbers, it wouldn't be pretty for us. Taking steps to prevent any attack is prudent but in this case - not a panic for you.

Good that Google found it. Good that government, enterprise business, banking, and credit card systems went shields-up. Home users shouldn't rush to install every new kernel roll out before a small waiting period to ensure stability. Same with microcode and other spices offered to sprinkle on this evolving "fix". Pay attention to what seems sensible not what the enterprise admins are doing. It does have scary names associated. Thanks Google!

I know all that you said I read the site howtogeek/I read everything...
I'm just not afraid of any of this ...
What do they want to turn off the internet world breaking all systems and what will they gain from it?
What is the purpose?
I don’t understand...
You can read lyrics of the song that I'll leave here ...
The name of the song is :
You Can not Break What's Already Broken
If they want I can send a picture of me (in censored poses) and a letter with all the passwords of half the population for example: 123456

[G-Mo]

I'm pretty sure they don't want to break the Internet nor do they want to delete your files. They want to Steal your identity, on-line account info and basically anything that can make money hacking with after they have the info. If you read everything then you know about ransom-ware that encrypts your files until you pay. So this is worse, they can steal your identity and money without you knowing they came. "Specter" ya know?

[KalEl]

I'm pretty sure they don't want to break the Internet nor do they want to delete your files. They want to Steal your identity, on-line account info and basically anything that can make money hacking with after they have the info. If you read everything then you know about ransom-ware that encrypts your files until you pay. So this is worse, they can steal your identity and money without you knowing they came. "Specter" ya know?

Fort Knox, are 8.1 thousand tons of gold bars how will they get there online?
There are people who have already said that they have faked the bars, you can find of everything on the internet ...
Who has money to pay for their own money or information? how can I get it the bank without my password giving them the money they want if they already have my password ?
I just hope they do not do this to people in hospitals.
That would be ugly again.