Meltdown & Spectre patch Discussion

[bssunilreddy]

I have MSI mobo too (full spec in sig). Please share links to patches!

*support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates

 

[whitestar_999]

I have MSI mobo too (full spec in sig). Please share links to patches!

@bssunilreddy has a premium gaming laptop with 7th gen intel processor so it was higher on priority list of bios updates by MSI.Your H87M has less chances of ever getting a bios update not to mention your processor is 4th gen.MS is releasing processor microcode update(it is this update which is required for spectre patch & can be released either by device manufacturer in form of bios update or by MS in form of windows update) in order from newest to oldest so 4th gen updates will take some time.Also performance may take quite a hit so also expect that.In fact many people are disabling spectre patch after seeing the drastic loss in performance on older gen processors.

 

[Vyom]

I have recently upgraded to SSD and GFX. The performance loss with security patch should be mitigated with the hardware upgrade. Or atleast I hope so.

 

[Nerevarine]

Didnt you upgrade a year back ?

 

[Vyom]

Didnt you upgrade a year back ?

Upgraded to GFX in Oct 2016 and to SSD last August. But whitestar is right, I don't have a patch to fix flaw for my 4th gen Intel proccy.

 

[whitestar_999]

No worries,there is no spectre malware till now(at least for general public).

 

[kg11sgbg]

No worries,there is no spectre malware till now(at least for general public).

Considering your point of view as a general public,wha tis the status of my DELL Inspiron 14 5447 laptop,based on 4th gen Intel core-i5?
Is it still vulnerable from Meltdown and Spectre security flaws???

 

[whitestar_999]

Run this tool for info:
GRC | InSpectre

Meltdown patch is via windows update released in jan/Feb 2018.Spectre v2 patch need bios updates.Spectre v1 patch is via browser & windows updates.

Dell has a bios update listed for 5547 model:
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products | Dell India
Above give link to:
Dell Inspiron 5447/5547/5442/5542 System BIOS Driver Details | Dell Singapore
Searching directly for inspiron 5547 on dell india website also give same link:
Support for Inspiron 5547 | Diagnostics | Dell Singapore (click on "view full driver details" for bios update & it links to same as above driver link,release date is 24Feb2018)

 

[kg11sgbg]

Run this tool for info:
GRC | InSpectre

Meltdown patch is via windows update released in jan/Feb 2018.Spectre v2 patch need bios updates.Spectre v1 patch is via browser & windows updates.

Dell has a bios update listed for 5547 model:
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products | Dell India
Above give link to:
Dell Inspiron 5447/5547/5442/5542 System BIOS Driver Details | Dell Singapore
Searching directly for inspiron 5547 on dell india website also give same link:
Support for Inspiron 5547 | Diagnostics | Dell Singapore (click on "view full driver details" for bios update & it links to same as above driver link,release date is 24Feb2018)

Ran the utility tool and results are :---

...
...
*www.grc.com/inspectre/screenshot.png

...
...

 

[whitestar_999]

That's good!So you updated the latest A11 bios?

 

[kg11sgbg]

That's good!So you updated the latest A11 bios?

Yes,Friend.

 

[whitestar_999]

Any performance impact as your laptop processor is 4th gen & chances of spectre patch performance impact is supposed to be more on 4th gen & older processors.

 

[kg11sgbg]

^For updation or whatever reason the Waves MaxxAudio sound was rendered defunct. Though out of warranty,DELL CC helped me extensively by providing me the drivers. The sound is as usual as before.
Regarding performance hit, I don't notice any difference as such.
By tweaking the memory buffer and page file under advanced system section,I found Laptop is booting faster than before.

 

[kg11sgbg]

The openSUSE leap42.3(64-bit),is showing the system to be spectre vulnerable v2 during its bootup mode,which is the other OS besides the Windows 10 in my DELL Inspiron 14 5447 laptop.
As I have already updated BIOS to A11 version,the Windows OS is clear. In fact it is also under latest updates.
BUT WHAT ABOUT LINUX OS????
@whitestar_999 ,@bssunilreddy ,@Vyom any take on this aspect?

 

[kg11sgbg]

To the experts, I did this and the result is :--->

tabanKG@linux-shua:~> uname -r
4.4.120-45-default
tabanKG@linux-shua:~> git clone *github.com/speed47/spectre-meltdown-checker.git
Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 652, done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 652 (delta 15), reused 16 (delta 7), pack-reused 628
Receiving objects: 100% (652/652), 263.27 KiB | 302.00 KiB/s, done.
Resolving deltas: 100% (398/398), done.
tabanKG@linux-shua:~> ls
bin        IBM                     LOGOS        spectre-meltdown-checker
DELL       INDIAN-RAILWAYS         man          Templates
Desktop    Indian-Railways-VIDEOS  Music        Videos
Documents  jEdit                   Pictures
Downloads  LEARN-Videos            Public
Hot-Spot   Linux-Tools             public_html
tabanKG@linux-shua:~> su
Password:
linux-shua:/home/tabanKG # chmod 777 spectre-meltdown-checker/
linux-shua:/home/tabanKG # ls
.adobe         .e                      .inputrc      Public
.bash_history  .elementary             jEdit         public_html
.bashrc        .emacs                  .kde4         spectre-meltdown-checker
bin            .esd_auth               LEARN-Videos  Templates
.cache         .fonts                  Linux-Tools   .themes
.cinnamon      .gnu-emacs              .local        .thunderbird
.claws-mail    .gtkrc-2.0              LOGOS         .urlview
.config        Hot-Spot                .macromedia   Videos
.dbus          .hplip                  man           .Xauthority
DELL           .i18n                   .mozilla      .xim.template
Desktop        IBM                     .mplayer      .xinitrc.template
.dmrc          .ICEauthority           Music         .xsession-errors
Documents      .icons                  .muttrc       .xsession-errors-:0
Downloads      INDIAN-RAILWAYS         Pictures      .xsession-errors.old
.dvipsrc       Indian-Railways-VIDEOS  .profile
linux-shua:/home/tabanKG # cd spectre-meltdown-checker/ls
bash: cd: spectre-meltdown-checker/ls: No such file or directory
linux-shua:/home/tabanKG # cd spectre-meltdown-checker/
linux-shua:/home/tabanKG/spectre-meltdown-checker # ls
.git  LICENSE  README.md  spectre-meltdown-checker.sh
linux-shua:/home/tabanKG/spectre-meltdown-checker # chmod 777 *
linux-shua:/home/tabanKG/spectre-meltdown-checker # ls
.git  LICENSE  README.md  spectre-meltdown-checker.sh
linux-shua:/home/tabanKG/spectre-meltdown-checker # ls -ltr
total 116
-rwxrwxrwx 1 tabanKG users 69078 Mar 22 07:24 spectre-meltdown-checker.sh
-rwxrwxrwx 1 tabanKG users  4346 Mar 22 07:24 README.md
-rwxrwxrwx 1 tabanKG users 35147 Mar 22 07:24 LICENSE
drwxr-xr-x 8 tabanKG users  4096 Mar 22 07:24 .git
linux-shua:/home/tabanKG/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.4.120-45-default #1 SMP Wed Mar 14 20:51:49 UTC 2018 (623211f) x86_64
CPU is Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES
    * CPU indicates STIBP capability:  YES
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 69 stepping 1 ucode 0x23)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  UNKNOWN
    * IBRS enabled for User space:  UNKNOWN
    * IBPB enabled:  UNKNOWN
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline + IBPB - vulnerable module loaded)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
linux-shua:/home/tabanKG/spectre-meltdown-checker #

 

[whitestar_999]

As per output that is not the case.

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: UNKNOWN
* IBRS enabled for User space: UNKNOWN
* IBPB enabled: UNKNOWN
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline + IBPB - vulnerable module loaded)

 

[kg11sgbg]

So what is the actual case? @whitestar_999

 

[whitestar_999]

Not sure but may be opensuse is not correctly reading the mitigation status at boot.Spectre v2 mitigation is either by cpu microcode update via OS update(I think Linux kernels have already added it,MS is releasing these updates but slowly) or via bios update(already done by you). Better ask at official opensuse forums for clarification.

 

[kg11sgbg]

Not sure but may be opensuse is not correctly reading the mitigation status at boot.Spectre v2 mitigation is either by cpu microcode update via OS update(I think Linux kernels have already added it,MS is releasing these updates but slowly) or via bios update(already done by you). Better ask at official opensuse forums for clarification.

You are quite correct as I presume.
Actually this is the openSUSE-42.3(LEAP) 64-bit which I am using.
Kernel-4.4.120-45-default is the version of kernel of Leap 42.3 after updates. We have to wait till May 2018,when openSUSE-15 stable (final) distro comes out,with latest kernel and advanced features.
Let's Hope for the best in the upcoming distro.

 

[nRiTeCh]

I have very old system:
i7 2600k on Asus P8Z68V
OS: Win 10 Enterprise 64 bit

Its obvious Asus wont even care supporting old gen hardware so no bios update for my board.

I'm not getting any windows updates since past 3 weeks but only getting defender updates.
Somebody told me unless I get patch for Spectre, windows wont download new updates for my OS Win 10 Enterprise 64.

Now what to do? How to get auto windows security+cumulative updates for my OS?