Meltdown and Spectre


13 replies to this topic

#1 auro

auro

    Member

  • Members
  • 35 posts
  • LocationStockholm, Sweden

Posted 10 January 2018 - 01:34 PM

I have not seen any post here in the Bodhi forums regarding the Meltdown and Spectre vulnerabilities. But these can hardly have been missed by everyone here, right?

https://googleprojec...h-side.html?m=1

https://meltdownattack.com/

 

Anyway, Ubuntu is of course aware of it, https://insights.ubu...ulnerabilities/

and so is the upstream, http://kroah.com/log...eltdown-status/

 

Ubuntu released the KPTI patched kernels a few hours ago, https://wiki.ubuntu....ctreAndMeltdown

 

So, the question here is, how do I get the patched kernels on this Bodhi machine? Currently running 4.13.21 installed through Synaptic.

Thx!





A big thank you to everyone who contributes to Bodhi Linux


#2 graywizardlinux

graywizardlinux

    Bodhi Supporter

  • Members
  • 1090 posts

Posted 10 January 2018 - 07:33 PM

there was a mention in another thread.  no time to find right now but will post later.  i too was concerned since bodhi is downstream?  is it - from ubuntu and if ubuntu does stuff many times we have residual effect from it.  so was not sure how much bodhi keeps this stuff out - but i guess it is inherent within bodhi if it is based on ubuntu.  saw something yesterday that the fix bricks amd machines so go figure.  (know enough to be DANGEROUS! - so WARNING!)



#3 Charles@Bodhi

Charles@Bodhi

    Old Faithful

  • Moderators
  • 4677 posts
  • LocationZeist, The Netherlands

Posted 10 January 2018 - 07:45 PM

Well, these kernel packages were declared hwe (means "stable") in xenial, contrary to the 4.13.0-21 that has a hwe-edge (means "experimental") status. When you use synaptic you should find them after refreshing the package list.

linux-image-4.13.0-26-generic
linux-image-extra-4.13.0-26-generic

linux-headers-4.13.0-26
linux-headers-4.13.0-26-generic

Reading that link to the bottom I guess it means the Meltdown/Spectre fix is included, but I have not gotten a firm confirmation for this.

 

At Bodhi Linux we don't force kernel updates to the users, as we believe "don't fix what ain't broken". But if you like to have your kernels as up to date as possible then Ubuntu provides a package that checks for kernel updates regularly and uses the update application to install them for you. I'm not sure this works fully on Bodhi.

linux-generic-hwe-16.04

Hope this helps you enough.

 

Enjoy,

Charles



#4 graywizardlinux

graywizardlinux

    Bodhi Supporter

  • Members
  • 1090 posts

Posted 10 January 2018 - 08:02 PM

thanks charles.  I guess you answered my questions too.   i figured bodhi updated everything all the time.  Thanks my friend!



#5 Charles@Bodhi

Charles@Bodhi

    Old Faithful

  • Moderators
  • 4677 posts
  • LocationZeist, The Netherlands

Posted 10 January 2018 - 08:07 PM

thanks charles.  I guess you answered my questions too.   i figured bodhi updated everything all the time.  Thanks my friend!

 

That's what friends are for.

By the way, Meltdown and Spectre are not related to the BIOS corruption. These are vulnerabilities in (Intel/AMD/ARM) processors from maybe 20 years ago that have been discovered, and OS makers (including MS and Apple) are all busy getting a software fix out.

 

Enjoy,

Charles



#6 graywizardlinux

graywizardlinux

    Bodhi Supporter

  • Members
  • 1090 posts

Posted 10 January 2018 - 08:21 PM

i thought there was some relationship.  my bad.



#7 auro

auro

    Member

  • Members
  • 35 posts
  • LocationStockholm, Sweden

Posted 10 January 2018 - 08:31 PM

Thanks Charles!
Will get to 4.13.0-26 as soon as Ubuntu repos are a bit less overloaded. Things can go wrong at the moment, since the servers are very busy.

The KPTI patches are a fix for Meltdown only! Spectre patches will come later. Anyway, it's easier to exploit through Meltdown; you would have to be a much better hacker to use Spectre.

EDIT: By the way, once you get the patched kernels, you can run this https://github.com/s...eltdown-checker
It should then return Not vulnerable.
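
A small local check in the spirit of the post above, as an added example that is not part of the original thread and is not the linked checker: it compares the running kernel release against 4.13.0-26 and reads the kernel's own report on Meltdown/KPTI (it says nothing about Spectre). It assumes the kernel either exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` or logs a `page tables isolation` line at boot; the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): Meltdown/KPTI status of this machine.
PATCHED_MIN="4.13.0-26"   # build the thread names as patched (4.13 HWE series)

# release_at_least RELEASE MIN: succeed if RELEASE (e.g. "4.13.0-21-generic")
# is numerically >= MIN, comparing version, patch level and ABI number.
release_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        sub(/-[a-z].*$/, "", have)      # drop flavour suffix such as "-generic"
        n = split(have, h, /[.-]/); m = split(want, w, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# meltdown_verdict RELEASE SYSFS_TEXT KLOG_TEXT: print one verdict word.
# SYSFS_TEXT is the content of the kernel's meltdown vulnerability file,
# KLOG_TEXT the boot-log lines mentioning page table isolation; either may
# be empty (assumption: older builds may not provide them).
meltdown_verdict() {
    case "$2" in
        "Not affected"*) echo "not-affected"; return 0 ;;
        "Mitigation:"*)  echo "mitigated";    return 0 ;;
        "Vulnerable"*)   echo "vulnerable";   return 0 ;;
    esac
    case "$3" in
        *"page tables isolation: enabled"*)  echo "mitigated";  return 0 ;;
        *"page tables isolation: disabled"*) echo "vulnerable"; return 0 ;;
    esac
    # No report from the kernel: fall back to the version number alone.
    if release_at_least "$1" "$PATCHED_MIN"; then
        echo "patched-build-kpti-unconfirmed"
    else
        echo "older-than-patched-build"
    fi
}

# check_this_host: gather the three inputs from the running system.
check_this_host() {
    sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    klog=$(dmesg 2>/dev/null | grep -i 'page tables isolation' || true)
    meltdown_verdict "$(uname -r)" "$sysfs" "$klog"
}

check_this_host
```

The version fallback is only meaningful for the 4.13 HWE series discussed here; other kernel series were patched at different build numbers.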

#8 birdmun

birdmun

    Member

  • Members
  • 443 posts
  • LocationWabash, IN

Posted 10 January 2018 - 08:45 PM

Scott Manley and JayzTwoCents both have a YouTube video about these two threats. Both videos are pretty high-level passes to just educate the general audience. As I recall, Spectre can affect many processors; Intel, AMD, (many/some)ARM. The thing is it requires physical access. Meltdown can be exploited via the web. I saw a headline that suggested that Meltdown(?) could maybe be thwarted in JavaScript by making the timers more coarse.



#9 Charles@Bodhi

Charles@Bodhi

    Old Faithful

  • Moderators
  • 4677 posts
  • LocationZeist, The Netherlands

Posted 10 January 2018 - 08:48 PM

 

 

EDIT: By the way, once you get the patched kernels, you can run this https://github.com/s...eltdown-checker
It should then return Not vulnerable.

 

Nice to know, will certainly use that. Tx

 

Enjoy,

Charles



#10 auro

auro

    Member

  • Members
  • 35 posts
  • LocationStockholm, Sweden

Posted 10 January 2018 - 09:02 PM

@birdmun
Yes, Spectre affects Intel, AMD and ARM. Some AMDs are immune to Meltdown, namely the Zen ones.
The only completely immune CPUs are the Raspberry Pis, https://www.raspberr...re-or-meltdown/

Chrome and Firefox have been updated to fix this. PaleMoon, which I'm using, will be in a few days. As of yesterday, Chromium had not been updated.

EDIT: @Charles, You are welcome. Thx for pointing me the way to a safe kernel.

#11 auro

auro

    Member

  • Members
  • 35 posts
  • LocationStockholm, Sweden

Posted 11 January 2018 - 09:48 AM

@Charles

Just reporting back here! I've now installed the patched kernel 4.13.0-26, as well as Intel's microcode found here http://ftp.us.debian...md64-microcode/

Purged the "old" 4.13.0-21 and everything is running fine. HP EliteBook, Intel i5 with 12Gb RAM

 

Now I just have to find a solution for my no-longer-supported Samsung S5...

 

Regards and thank you all!

 

EDIT: Wrong link above, sorry. That one is for AMD

Here is the one for Intel, http://ftp.us.debian...ntel-microcode/



#12 BeGo

BeGo

    Member

  • Members
  • 163 posts
  • LocationBogor, Indonesia

Posted 12 January 2018 - 01:10 AM

Well, these kernel packages were declared hwe (means "stable") in xenial, contrary to the 4.13.0-21 that has a hwe-edge (means "experimental") status. When you use synaptic you should find them after refreshing the package list.

linux-image-4.13.0-26-generic
linux-image-extra-4.13.0-26-generic

linux-headers-4.13.0-26
linux-headers-4.13.0-26-generic

Reading that link to the bottom I guess it means the Meltdown/Spectre fix is included, but I have not gotten a firm confirmation for this.

 

At Bodhi Linux we don't force kernel updates to the users, as we believe "don't fix what ain't broken". But if you like to have your kernels as up to date as possible then Ubuntu provides a package that checks for kernel updates regularly and uses the update application to install them for you. I'm not sure this works fully on Bodhi.

linux-generic-hwe-16.04

Hope this helps you enough.

 

Enjoy,

Charles

 

Working good in my Bodhi, but,

 

I must update dkms and purge last kernels myself. :wacko:

 

In Synaptic, these are named linux-signed-generic-hwe-16.04

 

Or you can also use linux-signed-lowlatency-hwe-16.04 if you prefer your laptop to finish one job before starting the next. :)



#13 graywizardlinux

graywizardlinux

    Bodhi Supporter

  • Members
  • 1090 posts

Posted 12 January 2018 - 05:28 PM

https://hardware.sla...vulnerabilities



#14 auro

auro

    Member

  • Members
  • 35 posts
  • LocationStockholm, Sweden

Posted 12 January 2018 - 09:40 PM

Intel-microcode is available from the upstream Ubuntu repos as of today/night.
Use Synaptic to fetch it.

Two down, one to go!

Just remember to update your browser as well 😉



