Re: [LUG] Kernel

On 18/02/18 23:20, Julian Hall wrote:
> Thanks for that! This is my result:
> 
> Spectre and Meltdown mitigation detection tool v0.35
> 
> Checking for vulnerabilities on current system
> Kernel is Linux 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25
> 10:13:43 UTC 2018 x86_64
> CPU is AMD Athlon(tm) II X4 620 Processor


Well two out of three isn't bad - it's what most people not using very
recent hardware and/or a rolling release distribution can reasonably
expect. Your AMD fortunately isn't vulnerable to Meltdown at all and
Spectre v1 is relatively trivially patched upstream by pretty much
everyone at this point. The bad news is of course Spectre v2 which is
the one that'll be haunting us for years - your CPU+chipset are
realistically never going to get patched firmware so you're dependent on
the performance impacting software fixes, namely a kernel+compiler with
retpoline. Which you haven't got. It's this bit of your output:

> * Mitigation 2
>   * Kernel compiled with retpoline option:  NO
>   * Kernel compiled with a retpoline-aware compiler:  NO
>> STATUS:  VULNERABLE  (Your kernel is compiled with IBRS but your CPU
> microcode is lacking support to successfully mitigate the vulnerability)

Specifically you don't need a retpoline-enabled compiler, you just need
your distro-provider (Mint?) to ship a 'retpolined' kernel which they
built with a retpoline-enabled version of GCC - I'm a bit surprised you
haven't got this yet if you're fully up to date. Mint have a very
disagreeable manner of handling new kernels so you might want to
manually check to see if there isn't something much newer available,
preferably 4.14 or even 4.15.

My veteran i5 2500k is of a similar vintage to your AMD 620 so I'm in a
similar situation on this box - hardware doesn't have IBRS/IBPB support
and because it's Intel it's even vulnerable to Meltdown as well. However
I've built a custom kernel on a bootstrapped GCC-7.3.0 to get full
retpoline protection so I get this:

ghost@failbot:~/SRC$ sudo ./spectre-meltdown-checker.sh | grep VULNERABLE
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline -
vulnerable module loaded)
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

ghost@failbot:~/SRC$ cat /proc/version
Linux version 4.15.0-pf3-meowski+ (ghost@failbot) (gcc version 7.3.0
(GCC)) #1 SMP Sun Feb 18 21:25:49 GMT 2018

Cheers
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
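The three facts the checker script reports under "Mitigation 2" (retpoline in the kernel, a retpoline-aware compiler, and what the kernel itself says about Spectre v2) can be read straight from the kernel without the script. The POSIX sh below is an added example written for this page, not the checker's code nor anything from the posts above; the function names and the "live" argument are its own, and the sysfs file it reads only exists on 4.15 and the stable backports that carry it.

```shell
#!/bin/sh
# Added example (not from the list post or the checker script): read the
# kernel's own Spectre v2 answer, the CONFIG_RETPOLINE setting, and the GCC
# that built the kernel. Functions take strings/stdin so they run offline
# on constructed samples; "sh check.sh live" inspects the running box.

# Classify a /sys/devices/system/cpu/vulnerabilities/spectre_v2 string.
# Prints one of: not_affected, vulnerable, retpoline, other_mitigation, unknown.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)                  echo not_affected ;;
        "Vulnerable"*)                    echo vulnerable ;;       # incl. "Minimal ... ASM retpoline" (built without a retpoline-aware GCC)
        "Mitigation: Full "*"retpoline"*) echo retpoline ;;        # generic or AMD flavour, any ", IBPB"/", IBRS_FW" suffix
        "Mitigation:"*)                   echo other_mitigation ;; # e.g. IBRS-only distro kernels, which need microcode to work
        *)                                echo unknown ;;
    esac
}

# True if the kernel .config on stdin has retpoline enabled.
config_has_retpoline() {
    grep -qx 'CONFIG_RETPOLINE=y'
}

# Pull the compiler version out of a /proc/version line on stdin.
gcc_version_of() {
    sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p'
}

# Vanilla GCC gained -mindirect-branch (retpoline) in 7.3.0. Distros backported
# it to older branches, so a lower number means "check the distro changelog",
# not "definitely unprotected".
gcc_is_retpoline_capable() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}
    [ "$maj" -gt 7 ] || { [ "$maj" -eq 7 ] && [ "$min" -ge 3 ]; }
}

# Live report on the running kernel; only runs when invoked as: sh check.sh live
if [ "${1:-}" = live ]; then
    v=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$v" ] && echo "spectre_v2: $(classify_spectre_v2 "$(cat "$v")")"
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        config_has_retpoline < "$cfg" && echo "CONFIG_RETPOLINE: y" || echo "CONFIG_RETPOLINE: not set"
    fi
    g=$(gcc_version_of < /proc/version)
    echo "kernel built with gcc $g (retpoline-capable vanilla release: $(gcc_is_retpoline_capable "$g" && echo yes || echo no))"
fi
```

On a kernel like the 4.13 one quoted above the sysfs file is absent and the config/compiler lines are what tell you whether a retpolined build has arrived; on the 4.15 build at the end of the post the sysfs string alone settles it.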