Linux kernel 4.18.5


This topic contains 5 replies, has 4 voices, and was last updated by masinick Aug 30-12:31 pm.

  • #11920
    Moderator
    masinick

    Link to site contains an article with information on the latest Linux kernel for your information and potential interest.

    Brian Masinick

    #11924
    Forum Admin
    rokytnji

    Thanks Brian. Good info. I edited your link for ya.

    Sometimes I drive a crooked road to get my mind straight.
    Not all who Wander are Lost.
    Linux Registered User # 475019
    How to Search for AntiX solutions to your problems

    #11925
    Forum Admin
    anticapitalista

    4.18.4 has just hit the antiX repos

    Philosophers have interpreted the world in many ways; the point is to change it.

    #11978
    Member
    fungalnet

    Are there any measures about Foreshadow or is the patch in intel-ucode?

    #11979
    Forum Admin
    anticapitalista

    Are there any measures about Foreshadow or is the patch in intel-ucode?

    l1tf-foreshadow-patched-kernels-available/
    Debian upstream is supposed to be updating the intel-ucode debs, but it doesn’t seem like it works 100% yet.

    spectre-meltdown-checker.sh 
    Spectre and Meltdown mitigation detection tool v0.39+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.18.4-antix.2-amd64-smp #1 SMP PREEMPT Wed Aug 22 12:09:25 BST 2018 x86_64
    CPU is Intel(R) Core(TM) i5 CPU       M 520  @ 2.40GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
        * CPU indicates IBRS capability:  UNKNOWN  (is cpuid kernel module available?)
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
        * CPU indicates IBPB capability:  UNKNOWN  (is cpuid kernel module available?)
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
        * CPU indicates STIBP capability:  UNKNOWN  (is cpuid kernel module available?)
      * Speculative Store Bypass Disable (SSBD)
        * CPU indicates SSBD capability:  NO 
      * L1 data cache invalidation
        * FLUSH_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN  (is cpuid kernel module available?)
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN 
      * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  UNKNOWN 
      * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  UNKNOWN 
      * CPU microcode is known to cause stability problems:  NO  (model 0x25 family 0x6 stepping 0x2 ucode 0x11 cpuid 0x0)
      * CPU microcode is the latest known available version:  UNKNOWN  (you have version 0x11 and latest known version is 0x8e)
    * CPU vulnerability to the speculative execution attack variants
      * Vulnerable to Variant 1:  YES 
      * Vulnerable to Variant 2:  YES 
      * Vulnerable to Variant 3:  YES 
      * Vulnerable to Variant 3a:  YES 
      * Vulnerable to Variant 4:  YES 
      * Vulnerable to Variant l1tf:  YES 
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
    * Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
    * Kernel has the Red Hat/Ubuntu patch:  NO 
    * Kernel has mask_nospec64 (arm64):  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
    * Mitigation 1
      * Kernel is compiled with IBRS support:  YES 
        * IBRS enabled and active:  YES  (for kernel and firmware code)
      * Kernel is compiled with IBPB support:  YES 
        * IBPB enabled and active:  YES 
    * Mitigation 2
      * Kernel has branch predictor hardening (arm):  NO 
      * Kernel compiled with retpoline option:  YES 
        * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
    * Kernel supports Page Table Isolation (PTI):  YES 
      * PTI enabled and active:  YES 
      * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
    * Running as a Xen PV DomU:  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
    * CPU microcode mitigates the vulnerability:  NO 
    > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)
    
    CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
    * Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
    * Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
    > STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
    
    CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
    > STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
    
    Need more detailed information about mitigation options? Use --explain
    A false sense of security is worse than no security at all, see --disclaimer
    • This reply was modified 1 year, 1 month ago by anticapitalista.

    Philosophers have interpreted the world in many ways; the point is to change it.
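
Added example, not part of the original post or of spectre-meltdown-checker: a small shell check that reads the same "/sys interface" strings the output above quotes and separates clean mitigations from ones that still carry a caveat, such as "SMT vulnerable" on the L1TF line. The OK/PARTIAL/VULNERABLE labels and the function names are assumptions of this example; the sample files are constructed from the strings in the output above.

```shell
#!/bin/sh
# Real location on a running system: /sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> prints OK, PARTIAL or VULNERABLE (labels are this example's own)
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        Mitigation:*)
            # A "Mitigation:" line can still name a residual exposure,
            # e.g. "SMT vulnerable" on the L1TF line.
            case "$1" in
                *[Vv]ulnerable*) echo PARTIAL ;;
                *) echo OK ;;
            esac ;;
        # Anything else, including unknown strings, is treated conservatively.
        *) echo VULNERABLE ;;
    esac
}

# report_dir DIR -> one "name<TAB>verdict<TAB>raw text" line per file in DIR
report_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$text")" "$text"
    done
}

# make_sample_dir -> path of a temp dir holding constructed sample files
make_sample_dir() {
    d=$(mktemp -d)
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Mitigation: Full generic retpoline, IBPB, IBRS_FW' > "$d/spectre_v2"
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp' > "$d/spec_store_bypass"
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$d/l1tf"
    echo "$d"
}

sample=$(make_sample_dir)
report_dir "$sample"
rm -rf "$sample"
```

On a live system, call `report_dir /sys/devices/system/cpu/vulnerabilities` instead of the sample directory. Variant 3a has no "/sys interface" line in the checker output above, so this check does not cover it.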

    #11990
    Moderator
    masinick

    Thanks Brian. Good info. I edited your link for ya.

    Thanks Roki!

    You’re wonderful in the many helpful things you do for this community!

    You’re also “cool mahn!”

    An old bean, “The Mas” 😎

    Brian Masinick
