How to update your kernel for Meltdown and Spectre


Re: How to update your kernel for Meltdown and Spectre

Post by Spearmint2 » Sun Jan 28, 2018 3:45 pm

Pjotr wrote:
Spearmint2 wrote:I wouldn't put too much faith in that method. I installed the "fixed" kernel on my AMD computer and nothing shows it as patched, even though it's the 3.13.0-139-generic #188-Ubuntu SMP Tue Jan 9 14:44:37 UTC 2018 i686 athlon i686 GNU/Linux as stated on this page.

https://usn.ubuntu.com/usn/usn-3524-1/
Try this:

Code:

dmesg | grep isolation

Right now Meltdown and Spectre are "vulnerabilities" with no known actual threat.
Yet....
I checked update manager and see a new entry for same kernel's "headers", so installing that now. Will post back. I'd even run this and not gotten anything.

Code:

lsmod |grep isolat
lsmod |grep kpti

yet this page said it should be there.
https://launchpad.net/ubuntu/+source/li ... .0-139.188

UPDATE;

Nope, nothing after doing the linux headers that was in update manager. Maybe it's detecting my AMD processor and to avoid problems kicking it out from kernel?
Last edited by Spearmint2 on Sun Jan 28, 2018 4:10 pm, edited 1 time in total.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....


Re: How to update your kernel for Meltdown and Spectre

Post by Pjotr » Sun Jan 28, 2018 3:47 pm

What does the command say that I named in my previous message?

Re: How to update your kernel for Meltdown and Spectre

Post by xenopeek » Sun Jan 28, 2018 3:56 pm

3.13.0-139 is a fix for Meltdown only, not for Spectre variant 1 and 2. And Meltdown didn't affect AMD.
You need 3.13.0-141 (https://usn.ubuntu.com/usn/usn-3542-1/) to fix Spectre variant 1 and 2 (and for 2 you also need a microcode update).

See my initial post on this topic which I updated to include information about Spectre (the original post covered your 3.13.0-139 kernel and was only for Meltdown, as Spectre fixes weren't available till early this week).

You should install the available kernel security update.

Re: How to update your kernel for Meltdown and Spectre

Post by Spearmint2 » Sun Jan 28, 2018 4:15 pm

xenopeek wrote:3.13.0-139 is a fix for Meltdown only, not for Spectre variant 1 and 2. And Meltdown didn't affect AMD.
You need 3.13.0-141 (https://usn.ubuntu.com/usn/usn-3542-1/) to fix Spectre variant 1 and 2 (and for 2 you also need a microcode update).

See my initial post on this topic which I updated to include information about Spectre (the original post covered your 3.13.0-139 kernel and was only for Meltdown, as Spectre fixes weren't available till early this week).

You should install the available kernel security update.
Will do. Was it dropping the intel fix when installed on AMD computers, even though same kernel? Also, why isn't update manager showing the "fixes" under that column?

UPDATE;
Done

Code:

3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:53:50 UTC 2018 i686 athlon i686 GNU/Linux

Pjotr, all the dmesg | grep command gives is the same nothing on AMD computer. I don't know what to "grep" to check for Spectre variant protection on this "141" version.

Here's the change logs for 3.13 kernels, starting with the "139" version through the "141"

Code:

linux (3.13.0-141.190) trusty; urgency=low

  * linux: 3.13.0-141.190 -proposed tracker (LP: #1744308)

  * ubuntu_32_on_64 test crash Trusty 3.13.0-140 amd64 system (LP: #1744199) //
    test_too_early_vsyscall from ubuntu_qrt_kernel_panic crashes Trusty
    3.13.0-140 amd64 system (LP: #1744226) // CVE-2017-5715 // CVE-2017-5753
    - SAUCE: x86/entry: Fixup 32bit compat call locations

  * CVE-2017-5715 // CVE-2017-5753
    - SAUCE: x86/cpuid: Fix ordering of scattered feature list
    - SAUCE: KVM: Fix spec_ctrl CPUID support for guests

  * CVE-2017-5754
    - kaiser: Set _PAGE_NX only if supported
    - kaiser: Set _PAGE_NX only if supported

 -- Stefan Bader <stefan.bader@canonical.com>  Fri, 19 Jan 2018 13:23:30 +0100

linux (3.13.0-140.189) trusty; urgency=low

  * linux: 3.13.0-140.189 -proposed tracker (LP: #1743375)

  [ Stefan Bader ]
  * CVE-2017-5715 // CVE-2017-5753
    - x86, microcode: Share native MSR accessing variants
    - x86: Add another set of MSR accessor functions
    - x86/cpuid: Provide get_scattered_cpuid_leaf()
    - kvm: vmx: Scrub hardware GPRs at VM-exit
    - SAUCE: locking/barriers: introduce new memory barrier gmb()
    - SAUCE: uvcvideo: prevent speculative execution
    - SAUCE: carl9170: prevent speculative execution
    - SAUCE: p54: prevent speculative execution
    - SAUCE: qla2xxx: prevent speculative execution
    - SAUCE: cw1200: prevent speculative execution
    - SAUCE: userns: prevent speculative execution
    - SAUCE: fs: prevent speculative execution
    - SAUCE: udf: prevent speculative execution
    - SAUCE: x86/feature: Enable the x86 feature to control Speculation
    - SAUCE: x86/feature: Report presence of IBPB and IBRS control
    - SAUCE: x86/enter: MACROS to set/clear IBRS and set IBPB
    - SAUCE: x86/enter: Use IBRS on syscall and interrupts
    - SAUCE: x86/idle: Disable IBRS entering idle and enable it on wakeup
    - SAUCE: x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - SAUCE: x86/mm: Set IBPB upon context switch
    - SAUCE: x86/mm: Only set IBPB when the new thread cannot ptrace current
      thread
    - SAUCE: x86/entry: Stuff RSB for entry to kernel for non-SMEP platform
    - SAUCE: x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - SAUCE: x86/kvm: Set IBPB when switching VM
    - SAUCE: x86/kvm: Toggle IBRS on VM entry and exit
    - SAUCE: x86/kvm: Pad RSB on VM transition
    - SAUCE: x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - SAUCE: x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - SAUCE: x86/entry: Use retpoline for syscall's indirect calls
    - SAUCE: x86/cpu/AMD: Add speculative control support for AMD
    - SAUCE: x86/microcode: Extend post microcode reload to support IBPB feature
    - SAUCE: KVM: SVM: Do not intercept new speculative control MSRs
    - SAUCE: x86/svm: Set IBRS value on VM entry and exit
    - SAUCE: x86/svm: Set IBPB when running a different VCPU
    - SAUCE: KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: x86/svm: Add code to clobber the RSB on VM exit
    - SAUCE: x86/cpu/AMD: Make the LFENCE instruction serialized
    - SAUCE: x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature
    - SAUCE: x86/kvm: Fix stuff_RSB() for 32-bit
    - SAUCE: arm64: no gmb() implementation yet
    - SAUCE: arm: no gmb() implementation yet
    - SAUCE: powerpc: no gmb() implementation yet

  * Do not duplicate changelog entries assigned to more than one bug or CVE
    (LP: #1743383)
    - [Packaging] git-ubuntu-log -- handle multiple bugs/cves better

 -- Marcelo Henrique Cerri <marcelo.cerri@canonical.com>  Mon, 15 Jan 2018 13:38:40 -0200

linux (3.13.0-139.188) trusty; urgency=low

  * linux: 3.13.0-139.188 -proposed tracker (LP: #1741609)

  * CVE-2017-5754
    - perf/x86: Correctly use FEATURE_PDCM
    - arch: Introduce smp_load_acquire(), smp_store_release()
    - mm, x86: Account for TLB flushes only when debugging
    - x86/mm: Clean up inconsistencies when flushing TLB ranges
    - x86/mm: Eliminate redundant page table walk during TLB range flushing
    - mm, x86: Revisit tlb_flushall_shift tuning for page flushes except on
      IvyBridge
    - x86/mm: Clean up the TLB flushing code
    - x86/mm: Rip out complicated, out-of-date, buggy TLB flushing
    - x86/mm: Fix missed global TLB flush stat
    - x86/mm: New tunable for single vs full TLB flush
    - x86/mm: Set TLB flush tunable to sane value (33)
    - x86/mm: Fix sparse 'tlb_single_page_flush_ceiling' warning and make the
      variable read-mostly
    - rcu: Provide counterpart to rcu_dereference() for non-RCU situations
    - rcu: Move lockless_dereference() out of rcupdate.h
    - x86/ldt: Make modify_ldt synchronous
    - x86/ldt: Correct LDT access in single stepping logic
    - x86/ldt: Correct FPU emulation access to LDT
    - x86/ldt: Further fix FPU emulation
    - x86/mm: Disable preemption during CR3 read+write
    - x86: Clean up cr4 manipulation
    - x86/mm: Add INVPCID helpers
    - x86/mm: Fix INVPCID asm constraint
    - x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID
    - x86/mm: If INVPCID is available, use it to flush global mappings
    - mm/mmu_context, sched/core: Fix mmu_context.h assumption
    - sched/core: Add switch_mm_irqs_off() and use it in the scheduler
    - x86/mm: Build arch/x86/mm/tlb.c even on !SMP
    - x86/mm, sched/core: Uninline switch_mm()
    - x86/mm, sched/core: Turn off IRQs in switch_mm()
    - sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
    - x86/irq: Do not substract irq_tlb_count from irq_call_count
    - x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly()
    - x86/mm: Remove flush_tlb() and flush_tlb_current_task()
    - x86/mm: Make flush_tlb_mm_range() more predictable
    - x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range()
    - x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP
      code
    - x86/mm: Disable PCID on 32-bit kernels
    - x86/mm: Add the 'nopcid' boot option to turn off PCID
    - x86/mm: Enable CR4.PCIDE on supported systems
    - x86/mm/64: Fix reboot interaction with CR4.PCIDE
    - KAISER: Kernel Address Isolation
    - x86/mm/kaiser: re-enable vsyscalls
    - kaiser: user_map __kprobes_text too
    - kaiser: alloc_ldt_struct() use get_zeroed_page()
    - x86/alternatives: Cleanup DPRINTK macro
    - x86/alternatives: Add instruction padding
    - x86/alternatives: Make JMPs more robust
    - x86/alternatives: Use optimized NOPs for padding
    - kaiser: add "nokaiser" boot option, using ALTERNATIVE
    - x86, boot: Carve out early cmdline parsing function
    - x86/boot: Fix early command-line parsing when matching at end
    - x86/boot: Fix early command-line parsing when partial word matches
    - x86/boot: Simplify early command line parsing
    - x86/boot: Pass in size to early cmdline parsing
    - x86/boot: Add early cmdline parsing for options with arguments
    - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling
    - x86/kaiser: Check boottime cmdline params
    - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush
    - kaiser: asm/tlbflush.h handle noPGE at lower level
    - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID
    - x86/paravirt: Dont patch flush_tlb_single
    - x86/kaiser: Reenable PARAVIRT
    - kaiser: disabled on Xen PV
    - x86/kaiser: Move feature detection up
    - KPTI: Rename to PAGE_TABLE_ISOLATION
    - KPTI: Report when enabled
    - kvmclock: export kvmclock clocksource and data pointers
    - x86/mm/kaiser: remove paravirt clock warning
    - kaiser: x86: Fix NMI handling
    - [Config] updateconfigs - enable PAGE_TABLE_ISOLATION

 -- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Tue, 09 Jan 2018 15:11:34 +0100
Last edited by Spearmint2 on Sun Jan 28, 2018 4:50 pm, edited 1 time in total.
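
Added example, not part of the original post: a small parser for the changelog format quoted above that lists which CVEs each package version mentions, run here on an abridged copy of that changelog. Function names are assumptions, and a CVE being listed only means patches for it were included in that version, not that the system is fully mitigated.

```shell
#!/bin/sh
# Added example: map each changelog stanza (package version) to the CVEs it mentions.

# Abridged copy of the changelog quoted in the post above (sample input).
sample_changelog() {
    cat <<'EOF'
linux (3.13.0-141.190) trusty; urgency=low

  * ubuntu_32_on_64 test crash Trusty 3.13.0-140 amd64 system (LP: #1744199) //
    3.13.0-140 amd64 system (LP: #1744226) // CVE-2017-5715 // CVE-2017-5753
    - SAUCE: x86/entry: Fixup 32bit compat call locations

  * CVE-2017-5715 // CVE-2017-5753
    - SAUCE: KVM: Fix spec_ctrl CPUID support for guests

  * CVE-2017-5754
    - kaiser: Set _PAGE_NX only if supported

 -- Stefan Bader <stefan.bader@canonical.com>  Fri, 19 Jan 2018 13:23:30 +0100

linux (3.13.0-140.189) trusty; urgency=low

  * CVE-2017-5715 // CVE-2017-5753
    - SAUCE: x86/mm: Set IBPB upon context switch

 -- Marcelo Henrique Cerri <marcelo.cerri@canonical.com>  Mon, 15 Jan 2018 13:38:40 -0200

linux (3.13.0-139.188) trusty; urgency=low

  * CVE-2017-5754
    - KAISER: Kernel Address Isolation
    - KPTI: Report when enabled

 -- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Tue, 09 Jan 2018 15:11:34 +0100
EOF
}

# cves_by_version: changelog text on stdin -> "VERSION: CVE,CVE,..." per stanza,
# in the order the stanzas appear (newest first in a Debian-style changelog).
cves_by_version() {
    awk '
        # Stanza header starts in column 1: package name, then "(version)".
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            ver = $2
            gsub(/[()]/, "", ver)
            order[++n] = ver
            next
        }
        # Any other line belongs to the current stanza; collect each CVE id once.
        ver != "" {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                cve = substr(line, RSTART, RLENGTH)
                if (!((ver, cve) in seen)) {
                    seen[ver, cve] = 1
                    list[ver] = list[ver] (list[ver] == "" ? "" : ",") cve
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (i = 1; i <= n; i++) print order[i] ": " list[order[i]] }
    '
}

# first_listed_in CVE: changelog text on stdin -> oldest version whose stanza
# mentions that CVE (the last matching stanza, since stanzas are newest first).
first_listed_in() {
    cves_by_version | awk -v cve="$1" '
        index($0, cve) { v = $1 }
        END { sub(/:$/, "", v); print v }'
}

sample_changelog | cves_by_version
echo "CVE-2017-5754 first listed in: $(sample_changelog | first_listed_in CVE-2017-5754)"
```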

Re: How to update your kernel for Meltdown and Spectre

Post by DAMIEN1307 » Sun Jan 28, 2018 4:48 pm

Not sure if THIS is what you're looking for, but here goes nothing from my command terminal... I am running an AMD chip... DAMIEN

copy and paste this >>> grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched"

damien@damien ~ $ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched" || echo "unpatched"
CONFIG_PAGE_TABLE_ISOLATION=y
patched
damien@damien ~ $

and the answer is... CONFIG_PAGE_TABLE_ISOLATION=y
patched
ORDO AB CHAO


Re: How to update your kernel for Meltdown and Spectre

Post by Spearmint2 » Sun Jan 28, 2018 4:57 pm

On my AMD I still get "unpatched". Maybe due to running a 32 bit OS, although the processor is AMD 145 Sempron 64 bit. Yes, I have rebooted after each kernel upgrade. It seems they may still be developing it more for x86 or 32 bit systems.

linux (3.13.0-141.190) trusty; urgency=low

* linux: 3.13.0-141.190 -proposed tracker (LP: #1744308)

* ubuntu_32_on_64 test crash Trusty 3.13.0-140 amd64 system (LP: #1744199) //
test_too_early_vsyscall from ubuntu_qrt_kernel_panic crashes Trusty
3.13.0-140 amd64 system (LP: #1744226) // CVE-2017-5715 // CVE-2017-5753
- SAUCE: x86/entry: Fixup 32bit compat call locations


* CVE-2017-5715 // CVE-2017-5753
- SAUCE: x86/cpuid: Fix ordering of scattered feature list
- SAUCE: KVM: Fix spec_ctrl CPUID support for guests

* CVE-2017-5754
- kaiser: Set _PAGE_NX only if supported
- kaiser: Set _PAGE_NX only if supported

Re: How to update your kernel for Meltdown and Spectre

Post by xenopeek » Sun Jan 28, 2018 5:38 pm

You can use https://github.com/speed47/spectre-meltdown-checker to test the patch status of your system. It tests both hardware, microcode and kernel. Download the zip, extract the .sh file from it and open a terminal on the directory where you have extracted the .sh file. Then run this command to run the tests:
sudo sh spectre-meltdown-checker.sh

As noted in the first post on this topic, 32 bit systems remain vulnerable to Meltdown but because you have AMD that doesn't affect you. Spectre variant 1 should be patched but Spectre variant 2 isn't patched yet for 32 bit systems either. But Spectre variant 2 continues to affect most people as you also need a microcode update. As noted on the first post on this topic, it is critical that you use a web browser that has mitigation against Meltdown and Spectre. That closes the hole for most users as the only untrusted code they run is from websites they visit.
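
Added example (not from any poster in this thread and not part of spectre-meltdown-checker): the `/boot/config` grep above only shows whether page table isolation was compiled in, so this sketch also consults the CPU vendor, the boot log and, where the kernel exports it, `/sys/devices/system/cpu/vulnerabilities/meltdown`. Function names, status words and the boot-log wording it matches are assumptions, and `demo` runs on constructed sample files.

```shell
#!/bin/sh
# Added example: classify Meltdown (CVE-2017-5754) status from several sources.
# Every input is a path argument so the logic can be run on constructed files.

# cpu_vendor CPUINFO -> prints the vendor_id field (AuthenticAMD, GenuineIntel, ...)
cpu_vendor() {
    awk -F': *' '/^vendor_id/ { print $2; exit }' "$1"
}

# pti_built CONFIG -> true if the kernel was compiled with page table isolation.
# This is all the /boot/config grep from the thread can tell you.
pti_built() {
    [ -r "$1" ] && grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$1"
}

# pti_active DMESG_FILE -> true if the boot log reports isolation switched on.
# Assumption: the message contains "page tables isolation: enabled".
pti_active() {
    [ -r "$1" ] && grep -qi 'page tables* isolation: enabled' "$1"
}

# meltdown_status CPUINFO CONFIG DMESG_FILE SYSFS_DIR
# Prints one of: not-affected | mitigated | built-but-not-active | vulnerable
meltdown_status() {
    cpuinfo=$1; config=$2; dmesg=$3; sysfs=$4
    # 1. Kernels that export their own verdict: prefer it when present.
    if [ -r "$sysfs/meltdown" ]; then
        case $(cat "$sysfs/meltdown") in
            "Not affected"*) echo not-affected ;;
            Mitigation*)     echo mitigated ;;
            *)               echo vulnerable ;;
        esac
        return 0
    fi
    # 2. Older kernels: as stated in the thread, Meltdown did not affect AMD,
    #    so a missing PTI option there is not a finding.
    if [ "$(cpu_vendor "$cpuinfo")" = AuthenticAMD ]; then
        echo not-affected
    elif pti_active "$dmesg"; then
        echo mitigated
    elif pti_built "$config"; then
        # Compiled in, but nothing shows it was enabled at boot.
        echo built-but-not-active
    else
        echo vulnerable
    fi
}

# Run the classifier on constructed sample files.
demo() {
    d=$(mktemp -d) || return 1
    printf 'vendor_id\t: AuthenticAMD\n' > "$d/cpuinfo.amd"
    printf 'vendor_id\t: GenuineIntel\n' > "$d/cpuinfo.intel"
    printf '# CONFIG_PAGE_TABLE_ISOLATION is not set\n' > "$d/config.32"
    printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n' > "$d/config.64"
    printf 'Kernel/User page tables isolation: enabled\n' > "$d/dmesg.on"
    : > "$d/dmesg.off"
    mkdir "$d/sysfs"    # empty: stands for a kernel without the sysfs files
    echo "AMD, kernel without PTI:       $(meltdown_status "$d/cpuinfo.amd" "$d/config.32" "$d/dmesg.off" "$d/sysfs")"
    echo "Intel, PTI built, not enabled: $(meltdown_status "$d/cpuinfo.intel" "$d/config.64" "$d/dmesg.off" "$d/sysfs")"
    echo "Intel, PTI built and enabled:  $(meltdown_status "$d/cpuinfo.intel" "$d/config.64" "$d/dmesg.on" "$d/sysfs")"
    rm -rf "$d"
}
demo
```

On a live system the four arguments would be `/proc/cpuinfo`, `/boot/config-$(uname -r)`, a file holding the output of `dmesg`, and `/sys/devices/system/cpu/vulnerabilities`.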

Re: How to update your kernel for Meltdown and Spectre

Post by Spearmint2 » Sun Jan 28, 2018 6:26 pm

Code:

mint16 Downloads # uname -a
Linux mint16 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:53:50 UTC 2018 i686 athlon i686 GNU/Linux
mint16 Downloads # sudo su
sudo: unable to resolve host mint16
mint16 Downloads # whoami
root
mint16 Downloads # sudo su
sudo: unable to resolve host mint16
mint16 Downloads # sh spectre-meltdown-checker.sh
spectre-meltdown-checker.sh: 8: spectre-meltdown-checker.sh: Syntax error: newline unexpected
mint16 Downloads # whoami
root

So I changed the file to /run folder and tried again. I don't think this new kernel is working properly for me. Also seems to reject my user, yet I can open programs like pluma and caja in super user mode with this user name (old name but on 17.3 version).
Very odd.

Code:

mint16 run # sudo su
sudo: unable to resolve host mint16
mint16 run # sudo ./spectre-meltdown-checker.sh
sudo: unable to resolve host mint16
sudo: unable to execute ./spectre-meltdown-checker.sh: Permission denied
mint16 run # sudo sh ./spectre-meltdown-checker.sh
sudo: unable to resolve host mint16
./spectre-meltdown-checker.sh: 8: ./spectre-meltdown-checker.sh: Syntax error: newline unexpected

I'm going to boot back to the 3.13 "139" kernel, see if my user password comes back.

UPDATE:
I discovered this was missing from my /etc/hosts file.

Code:

127.0.0.1 localhost
127.0.1.1 mint16

After I fixed the host problem (have no idea how that happened, maybe from kernel update?) I rebooted to the "141" kernel.

This is what I get now.

Code:

mint16@mint16 ~/Downloads $ sudo su
mint16 Downloads # ./spectre-meltdown-checker.sh
bash: ./spectre-meltdown-checker.sh: Permission denied
mint16 Downloads # sudo sh spectre-meltdown-checker.sh
spectre-meltdown-checker.sh: 8: spectre-meltdown-checker.sh: Syntax error: newline unexpected
mint16 Downloads # whoami
root
mint16 Downloads # exit
exit
mint16@mint16 ~/Downloads $ whoami
mint16
mint16@mint16 ~/Downloads $ sudo sh spectre-meltdown-checker.sh
spectre-meltdown-checker.sh: 8: spectre-meltdown-checker.sh: Syntax error: newline unexpected
mint16@mint16 ~/Downloads $ uname -a
Linux mint16 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:53:50 UTC 2018 i686 athlon i686 GNU/Linux
mint16@mint16 ~/Downloads $

Update 2: I figured out the problem. I had right clicked on the file name and downloaded that, but it wasn't an .sh file, but an html document. I remembered you said "zip" and then saw the clone or download link and got that. Here's the results of running it on AMD Sempron 145, a 64 bit CPU.

Code:

mint16@mint16 ~/Downloads $ ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.33

Note that you should launch this script with root privileges to get accurate information.
We'll proceed but you might see permission denied errors.
To run it as root, you can try the following command: sudo ./spectre-meltdown-checker.sh

Checking for vulnerabilities on current system
Kernel is Linux 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:53:50 UTC 2018 i686
CPU is AMD Sempron(tm) 140 Processor
./spectre-meltdown-checker.sh: 1: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-3.13.0-141-generic: Permission denied
./spectre-meltdown-checker.sh: 1: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-3.13.0-141-generic: Permission denied
./spectre-meltdown-checker.sh: 1: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-3.13.0-141-generic: Permission denied
./spectre-meltdown-checker.sh: 1: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-3.13.0-141-generic: Permission denied
./spectre-meltdown-checker.sh: 1: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-3.13.0-141-generic: Permission denied
./spectre-meltdown-checker.sh: 1: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-3.13.0-141-generic: Permission denied

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBRS capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBPB capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates STIBP capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN 
  * CPU microcode is known to cause stability problems:  NO 
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-3.13.0-141-generic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO  (echo 1 > /proc/sys/kernel/ibrs_enabled)
    * IBRS enabled for User space:  NO  (echo 2 > /proc/sys/kernel/ibrs_enabled)
    * IBPB enabled:  NO  (echo 1 > /proc/sys/kernel/ibpb_enabled)
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  NO 
  * Retpoline enabled:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
mint16@mint16 ~/Downloads $ 
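
Added example, not part of the original post: the "Syntax error: newline unexpected" runs above came from a saved HTML page being handed to `sh` under sudo, and this check catches that before anything is executed. The function name and status words are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: triage a downloaded "script" before running it with sudo.

# classify_download FILE
# Prints one of: missing | html-page | no-shebang | syntax-error | ok
classify_download() {
    f=$1
    [ -r "$f" ] || { echo missing; return 0; }

    # A web page saved under a .sh name starts with HTML markup, not shell.
    if head -n 20 "$f" | grep -qiE '<!doctype html|<html[ >]'; then
        echo html-page
        return 0
    fi

    # A script meant to be run as ./name starts with an interpreter line.
    if ! head -n 1 "$f" | grep -q '^#!'; then
        echo no-shebang
        return 0
    fi

    # sh -n only parses the file; no command in it is executed.
    if ! sh -n "$f" 2>/dev/null; then
        echo syntax-error
        return 0
    fi

    echo ok
}

# Run the check on constructed sample files.
demo() {
    d=$(mktemp -d) || return 1
    # What "save link as" on a repository file listing can produce.
    printf '\n\n<!DOCTYPE html>\n<html lang="en">\n<head>\n' > "$d/saved-page.sh"
    # A minimal well-formed script.
    printf '#!/bin/sh\necho "checking"\n' > "$d/real-script.sh"
    # A truncated download: the if block is never closed.
    printf '#!/bin/sh\nif true; then\n  echo "checking"\n' > "$d/truncated.sh"
    for f in saved-page.sh real-script.sh truncated.sh not-there.sh; do
        echo "$f: $(classify_download "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

Only a file that comes back `ok` is worth reading through and then running with elevated privileges; the check says nothing about what the script does.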

Re: How to update your kernel for Meltdown and Spectre

Post by turtlebay » Sat Feb 03, 2018 10:52 am

Spearmint2 wrote:

Code:

mint16 Downloads # uname -a
Linux mint16 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:53:50 UTC 2018 i686 athlon i686 GNU/Linux
mint16 Downloads # sudo su

Aahh, you do realise that support for Mint 16 stopped on July 17th 2014, almost four years ago?


Re: How to update your kernel for Meltdown and Spectre

Post by Spearmint2 » Sat Feb 03, 2018 2:36 pm

turtlebay wrote:
Spearmint2 wrote:

Code:

mint16 Downloads # uname -a
Linux mint16 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:53:50 UTC 2018 i686 athlon i686 GNU/Linux
mint16 Downloads # sudo su

Aahh, you do realise that support for Mint 16 stopped on July 17th 2014, almost four years ago?

I can see that might be misleading, but that was the username I used during mint16 and then upgraded it to mint 17, currently 17.3 so the name came along still as mint16.

Here's some older threads on it. I came into Linux Mint with version 14.

viewtopic.php?f=90&t=164498&hilit=+chown

viewtopic.php?f=90&t=173714

It's an interesting read. Some things can be learned from it, what to avoid, how to recover, etc.

Re: How to update your kernel for Meltdown and Spectre

Post by turtlebay » Sat Feb 03, 2018 3:26 pm

I can see that might be misleading, but that was the username I used during mint16 and then upgraded it to mint 17, currently 17.3 so the name came along still as mint16.
Whoops, sorry!


Re: How to update your kernel for Meltdown and Spectre

Post by AZgl1500 » Sun Feb 11, 2018 4:44 pm

I don't blame you on blocking updates on some things.

I did that to Windows 7 when Win8 was introduced, and to this day, I can't see where the lack of the "security updates" has hurt my Win7 PC at all....

It is always on, never turned off.... it has Avast anti-virus running and that is all.

I run MalwareBytes once in a while to see if anything is awry, but it has not found anything in over a year.

I am refusing to update the microcode on my desktop, it works just fine.
I only "surf" my favorite forums, and look at news.google once in a while.
have no clue how to access the Dark Web and no desire to go there.

So far, though, I have allowed Firefox to update here on Linux and also on Windows.
that pretty much is all the updating that I allow with the single exception of allowing Linux Update Manager to take care of this laptop.

As a newbie, I have to watch and read everything, and try to throw the bad stuff out with the dishwater.


Re: How to update your kernel for Meltdown and Spectre

Post by AZgl1500 » Mon Feb 12, 2018 12:22 pm

Stumbled across this link, from a newsletter I read.

https://meltdownattack.com/
Meltdown and Spectre
Vulnerabilities in modern computers leak passwords and sensitive data

and from the same email came this:

More Meltdown/Spectre news

Dell is apparently recommending that their customers do not install the BIOS updates that are supposed to resolve Spectre v2 vulnerabilities. BleepingComputer has more about this here:

http://www.wservernews.com/go/iu75ugys/

______________________________________________________


Re: How to update your kernel for Meltdown and Spectre

Post by JadedMonk » Mon Feb 12, 2018 2:22 pm

AZgl1500 wrote:
Mon Feb 12, 2018 12:22 pm
....and from the same email came this:

More Meltdown/Spectre news

Dell is apparently recommending that their customers do not install the BIOS updates that are supposed to resolve Spectre v2 vulnerabilities. BleepingComputer has more about this here:

http://www.wservernews.com/go/iu75ugys/

______________________________________________________
Thank you for that! Perhaps that explains some sporadic weird boot & reboot issues I've been having on my New Dell Laptop since we completely upgraded all of our machines to the new kernels. Only the Dell Laptop has been experiencing this. The rest of the machines are Acers and HP.


Re: How to update your kernel for Meltdown and Spectre

Post by jopon » Mon Feb 12, 2018 11:50 pm

Hey do you think I can get an update on the latest patch? Do any of the kernels offer protection from all three variants?

This is what I have installed and am getting so far according to meltdown-spectre tool.

4.13.0-32 - protects from meltdown and spectre 1, not Spectre 2
4.4.0-112 - protects from meltdown and spectre 1, not Spectre 2
4.15.xx - protects from meltdown and spectre 2, not spectre 1

Does anyone know of any kernel versions that protect from all three? Even if they need to be manually installed instead of using the update tool?


Re: How to update your kernel for Meltdown and Spectre

Post by oldgranola » Sun Feb 18, 2018 4:20 pm

Really confused on which kernel to use.
I am currently on LM17.3 64b. kernel 4.2.0-30. The top post in this thread says:
Linux Mint 17.x users should be using kernel 3.13.0-141 or 4.4.0-111
Both of those cause cinnamon to crash after logging in.
The security notice posted to blog.linuxmint.com says to use:
3.13 series (Linux Mint 17 LTS): patched in 3.13.0-139
4.4 series (Linux Mint 17 HWE and Linux Mint 18 LTS): patched in 4.4.0-108
And I saw another quote on this thread:
in short, Linux Mint 18.x users should be using kernel 4.4.0-109 or 4.13.0-26 or newer and NOT continue to use any 4.8.x or 4.10.x kernels. Linux Mint 17.x users should be using kernel 3.13.0-139 or 4.4.0-109
Can we clarify please? I'll post my hardware below. I believe the issue is the radeon APU which is why I haven't gone to LM18. Currently using the AMD proprietary driver which I like but understand it's no longer supported (but don't know how to revert to standard driver if needed)
Thanks
btw, why would the blog vs the top OP post be different?

Code:

          $ inxi -Fx
System:    Host: fun-pc Kernel: 4.2.0-30-generic x86_64 (64 bit gcc: 4.8.4)
           Desktop: Cinnamon 2.8.8 (Gtk 3.10.8~8+qiana)
           Distro: Linux Mint 17.3 Rosa
Machine:   Mobo: ASUSTeK model: A78M-A v: Rev X.0x
           Bios: American Megatrends v: 0504 date: 01/20/2014
CPU:       Quad core AMD A8-6600K APU with Radeon HD Graphics (-MCP-) cache: 8192 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm) bmips: 31359 clock speeds: max: 3900 MHz 1: 2500 MHz 2: 1900 MHz 3: 2500 MHz
           4: 1900 MHz
Graphics:  Card: Advanced Micro Devices [AMD/ATI] Richland [Radeon HD 8570D]
           bus-ID: 00:01.0
           Display Server: X.Org 1.15.1 drivers: ati,fglrx (unloaded: fbdev,vesa,radeon)
           Resolution: 1920x1080@60.0hz
           GLX Renderer: AMD Radeon HD 8570D
           GLX Version: 4.5.13399 - CPC 13.35.1005 Direct Rendering: Yes
Audio:     Card-1 Advanced Micro Devices [AMD] FCH Azalia Controller
           driver: snd_hda_intel bus-ID: 00:14.2
           Card-2 Advanced Micro Devices [AMD/ATI] Trinity HDMI Audio Controller
           driver: snd_hda_intel bus-ID: 00:01.1
           Sound: Advanced Linux Sound Architecture v: k4.2.0-30-generic
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169 v: 2.3LK-NAPI port: e000 bus-ID: 03:00.0
           IF: eth0 state: up speed: 1000 Mbps duplex: full
           mac: e0:3f:49:e9:09:b2
Drives:    HDD Total Size: 500.1GB (46.6% used)
           ID-1: /dev/sda model: ST3500320AS size: 500.1GB
Partition: ID-1: / size: 455G used: 214G (50%) fs: ext4 dev: /dev/sda2
           ID-2: swap-1 size: 3.43GB used: 0.00GB (0%) fs: swap dev: /dev/sda3
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 13.8C mobo: N/A
           Fan Speeds (in rpm): cpu: 0
Info:      Processes: 208 Uptime: 18 min Memory: 1796.4/11265.8MB
           Init: Upstart runlevel: 2 Gcc sys: 4.8.5
           Client: Shell (bash 4.3.111) inxi: 2.2.28 
comadore, pcDOS, hpux, solaris, vms-vax ....blah blah blah..
Yet I'm still a fn nooob


Re: How to update your kernel for Meltdown and Spectre

Post by Termy » Mon Feb 19, 2018 7:52 am

oldgranola wrote:Can we clarify please?
Meltdown and Spectre are very serious, scary security vulnerabilities, at a hardware level, but patches to things like kernels and browsers help to mitigate these security holes. The 4.8 and 4.10 releases are not LTS and so haven't been given priority for these patches. However, 4.4 and 4.13 are and have. It's therefore strongly recommended that users stick with 4.4 or 4.8. I personally use 4.4, and will do until 4.13 has its VirtualBox crash bug solved. These issues extend far beyond that of Linux Mint.
Here to help.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/channel/UCfp-lN ... naEE6NtDSg
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife


Re: How to update your kernel for Meltdown and Spectre

Post by Sir Charles » Mon Feb 19, 2018 8:14 am

Termy wrote:
Mon Feb 19, 2018 7:52 am
The 4.8 and 4.10 releases are not LTS and so haven't been given priority for these patches. However, 4.4 and 4.13 are and have.
Even though it is patched, I am not quite sure if 4.13 is LTS. Please see
https://wiki.ubuntu.com/Kernel/Support? ... hedule.svg
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.


Re: How to update your kernel for Meltdown and Spectre

Post by Termy » Mon Feb 19, 2018 9:02 am

Ooooh, my bad. I guess because 4.13 is the step before an LTS kernel release, they patched it up?

Re: How to update your kernel for Meltdown and Spectre

Post by AZgl1500 » Mon Feb 19, 2018 1:39 pm

Termy wrote:
Mon Feb 19, 2018 7:52 am
oldgranola wrote:Can we clarify please?
Meltdown and Spectre are very serious, scary security vulnerabilities, at a hardware level, but patches to things like kernels and browsers help to mitigate these security holes. The 4.8 and 4.10 releases are not LTS and so haven't been given priority for these patches. However, 4.4 and 4.13 are and have. It's therefore strongly recommended that users stick with 4.4 or 4.8.

I personally use 4.4, and will do until 4.13 has its VirtualBox crash bug solved. These issues extend far beyond that of Linux Mint.

I fixed that problem, I deleted VM from the repository and then installed VM direct from Oracle.

Now, WinXP and Win7 run fine and VM does not lock up.
Just remember to get Ghost Additions 5.2.7 and not use 5.2.6

Get it from this link direct https://www.virtualbox.org/download/tes ... 120528.iso

That link in English looks like this: "xxxxxx.virtualbox.org/download/testcase/VBoxGuestAdditions_5.2.7-120528.iso"

The only way to find that link, is while reading is to be sure to not overlook the Oracle paragraph below which comes from this page: https://www.virtualbox.org/wiki/Downloads ( believe me, I overlooked it twice before Cosmo very subtly informed me that he had already told me where it is. :mrgreen: )

Important: The Guest Additions which come with VirtualBox 5.2.6 and 5.1.32 do not work properly on Linux guests with 3D enabled. Here are updated versions for 5.2.6

and it is that highlighted link named 5.2.6 is how you get to the link I referred to above.... nasty way of saying things :evil:


Trying to find that one little link is very very frustrating. There are no mentions of 5.2.7 anywhere in the world that Google can find. Only obscure references to making sure we update to 5.2.7 at the link directed to and it is labelled of all damn things as "5.2.6" :evil:

I had to bookmark the page that comes from, and Rename the Bookmark "Ghost Additions 5.2.7 use 5.2.6 link reference"
