Meltdown and Spectre
Re: Meltdown and Spectre
Thanks for the update Trevor.
Re: Meltdown and Spectre
@bshoe24, I didn't install the microcode - microcode_ctl-1.17-25.2 - as it was said to be problematic and a new one was released to undo its installation.
Any thoughts on why spectre-meltdown-checker.sh yields negative results even though I have patched my OS?
-Prabhu
Re: Meltdown and Spectre
@aceprabhu I'm not sure sorry.
My CentOS 6 E3-1230 V2 system, fully updated, reports mitigated except for Spectre #2, testing with both GitHub (spectre-meltdown-checker.sh) and Red Hat's (spectre_meltdown.sh) test scripts.
2.6.32-696.18.7.el6.x86_64 installed
microcode_ctl-1.17-25.4.el6_9.x86_64 installed
Variant #1 (Spectre): Mitigated
Variant #2 (Spectre): Vulnerable
Variant #3 (Meltdown): Mitigated
By comparison, on the CentOS 6 E3-1231 V3 system I'm testing, it reports all 3 mitigated including Spectre #2 if I load the newer Intel microcode (Version: 20180108), but that microcode does not seem stable yet. It has not crashed on me yet but is generating mcelog errors.
Re: Meltdown and Spectre
Is KPTI only for 64-bit systems? Sorry for persisting with the question of mitigating the vulnerabilities in CentOS 6.9 i386. I am not finding any reference to why the following files would be missing (I had mounted debugfs):
/sys/kernel/debug/x86/pti_enabled
/sys/kernel/debug/x86/ibpb_enabled
/sys/kernel/debug/x86/ibrs_enabled
In my CentOS 7 system, the patch update worked just fine. Updated kernel and kernel-firmware. Variant 1 and Variant 2 are mitigated.
Re: Meltdown and Spectre
32-bit news
https://duckduckgo.com/?q=kpti+32+bit
I asked in an early post about the reason that the Microsoft Spectre checker script doesn't find support even with the buggy microcode, and it is because there is none yet passed to the guest, apparently, from this post.
"Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines"
https://www.qemu.org/2018/01/04/spectre/
Re: Meltdown and Spectre
rickyng wrote: After running "yum update" and rebooting, how do we verify if the patch was applied?
By running the uname -r command, you can check the kernel version.
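Added example, not part of any post in this thread: uname -r shows which kernel is booted, while the three debugfs files named earlier in the thread show whether each mitigation is switched on at runtime. The sketch below reads them and reports enabled, disabled or missing for each; the function names and the optional directory argument are assumptions of this example, and any non-zero value is treated as enabled.

```sh
#!/bin/sh
# Added example (not from the thread). Reads the three tunables listed in the
# thread from debugfs. Run as root with debugfs mounted, e.g.:
#   mount -t debugfs nodev /sys/kernel/debug
X86_DEBUGFS_DEFAULT=/sys/kernel/debug/x86

# mitigation_state DIR NAME
# Prints one of: enabled | disabled | missing | unreadable
# "missing" means the running kernel does not expose the tunable
# (or debugfs is not mounted / not readable by this user).
mitigation_state() {
    f="$1/$2"
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    v=$(cat "$f" 2>/dev/null) || { echo unreadable; return 0; }
    case "$v" in
        0)      echo disabled ;;
        [1-9]*) echo enabled ;;   # assumption: any non-zero value counts as on
        *)      echo unreadable ;;
    esac
}

# mitigation_report [DIR]
# Prints one "name=state" line per tunable; returns 0 only if all are enabled.
mitigation_report() {
    dir="${1:-$X86_DEBUGFS_DEFAULT}"
    rc=0
    for name in pti_enabled ibpb_enabled ibrs_enabled; do
        state=$(mitigation_state "$dir" "$name")
        echo "$name=$state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

# Stand-alone use: sh thisfile.sh report
if [ "${1:-}" = report ]; then
    echo "kernel=$(uname -r)"
    mitigation_report || echo "one or more mitigations not enabled"
fi
```

A "missing" result for all three files on a host with debugfs mounted is the situation described for the CentOS 6.9 i386 system above.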
Re: Meltdown and Spectre
Is it possible to apply these patches manually (offline servers) for CentOS release 6.3 and 6.8, or do I definitely need to update to CentOS 6.9 first?
Re: Meltdown and Spectre
Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Meltdown and Spectre
TrevorH wrote: Patches are only tested with all other patches applied. To be honest, if you're on 6.3 then you have sufficient other serious security vulnerabilities present such that meltdown and spectre are the least of your worries.
Thanks for the response Trevor.
I have upgraded 6.3 to 6.9 (offline server) via the DVD1 & DVD2 ISOs of CentOS 6.9.
Subsequently, I also manually installed all the packages for Meltdown and Spectre (kernel, libvirt, qemu) [https://lists.centos.org/pipermail/cent ... 22701.html].
The Meltdown and Spectre checker script has shown that I mitigated both #1 and #3 (not #2, as I did not apply the microcode update).
Is this a sufficient attempt to patch the general security as well as Meltdown and Spectre?
Re: Meltdown and Spectre
Any idea on the timeline for making mitigation fixes available for i386? Or will they not be available at all?