* Meltdown & Spectre
@ 2018-11-24 18:58 znavko
  2018-11-27 19:26 ` Giovanni Biscuolo
  0 siblings, 1 reply; 2+ messages in thread
From: znavko @ 2018-11-24 18:58 UTC (permalink / raw)
  To: Help Guix


Hello! I am using a PC to visit web sites. Using GNU/Linux is much safer than other OS.
Yes, IceCat has a wonderful LibreJS plugin that may defend me from vulnerabilities.
I've found a bash-script checker for Meltdown & Spectre vulnerabilities: https://github.com/shaman007/spectre-meltdown-checker

I am seeing this:

#  ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.19.1-gnu #1 SMP 1 x86_64
CPU is Intel(R) Pentium(R) CPU  N3530  @ 2.16GHz
We're missing some kernel info (see -v), accuracy might be reduced
..
..
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  NO 
  * Kernel is compiled with IBPB support:  UNKNOWN  (in offline mode, we need the kernel image to be able to tell)
    * IBPB enabled and active:  NO 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

> How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

# guix package -s readelf
#

Please, what can I use instead of readelf for this script?
Also, how to embed necessary microcode?

Could you share your options in meltdown and spectre defense?


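An added example, not part of the thread above and not taken from the spectre-meltdown-checker project: the checker reports "Mitigated according to the /sys interface", and that interface is the running kernel's own statement of which speculative-execution mitigations are active. The script below reads it directly, so it needs neither readelf nor the kernel image (the checker uses readelf only to inspect the kernel binary when the /sys interface is missing). The directory path /sys/devices/system/cpu/vulnerabilities is the real one exposed by Linux 4.15 and later; the function and variable names, and the sample file contents used in the usage note, are this example's own.

```shell
#!/bin/sh
# Added example: summarise the kernel's view of speculative-execution
# mitigations from /sys/devices/system/cpu/vulnerabilities (Linux >= 4.15).
# No readelf and no kernel image are needed; only a readable sysfs.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints ok, vulnerable or unknown.
# Maps the free-form line the kernel writes into each sysfs file to a
# coarse status: "Not affected" and "Mitigation: ..." are ok, anything
# starting with "Vulnerable" (with or without a qualifier such as
# "Vulnerable: No microcode") is vulnerable, everything else is unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_mitigations [DIR] -> prints "name<TAB>status<TAB>kernel text" for
# every entry in DIR (default: the sysfs directory above).
# Exit status: 0 if nothing is vulnerable, 1 if any entry is vulnerable,
# 2 if the directory does not exist (kernel too old or not Linux).
report_mitigations() {
    dir="${1:-$VULN_DIR}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not expose the vulnerabilities interface" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$status" "$raw"
        if [ "$status" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# Entry point: run the report when invoked as "sh this-script.sh report",
# so the functions can also be sourced from other scripts without side effects.
if [ "${1:-}" = report ]; then
    report_mitigations
fi
```

Run it with `sh spectre-sysfs.sh report` (any file name will do). A non-zero exit makes it usable as a check in a boot-time or monitoring job. Note that this reports only what the running kernel believes: on the 4.19 kernel in the post above, a missing microcode update shows up as the kernel choosing a software mitigation (retpoline) rather than as an explicit "no microcode" note, which newer kernels do print.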

* Re: Meltdown & Spectre
  2018-11-24 18:58 Meltdown & Spectre znavko
@ 2018-11-27 19:26 ` Giovanni Biscuolo
  0 siblings, 0 replies; 2+ messages in thread
From: Giovanni Biscuolo @ 2018-11-27 19:26 UTC (permalink / raw)
  To: znavko, Help Guix


Hi znavko,

(and Foreshadow? [1])

I'm still not using GuixSD as my primary OS, just in a testing
environment, so I can't help fully, but...

<znavko@tutanota.com> writes:

[...]

> Also, how to embed necessary microcode?

AFAIK GuixSD does not provide CPU microcode updates because they are
non-free (not compatible with GNU FSDG)

there was a long thread on Jan 2018 on guix-devel:
http://lists.gnu.org/archive/html/guix-devel/2018-01/msg00067.html

I'm still reading it...

> Could you share your options in meltdown and spectre defense?

unfortunately some vulnerabilities cannot be fixed without microcode

maybe a dedicated GuixSD page on this topic could help better understand
the state of (very sad) affairs

AFAIK using a coreboot supported machine does not solve the problem, the
patched microcode is still needed

this is what Debian is doing:
https://wiki.debian.org/DebianSecurity/SpectreMeltdown

...and no, the "terrible situation" is *not* limited to Intel, Ludo ;-)
(ref. http://lists.gnu.org/archive/html/guix-devel/2018-01/msg00223.html)
e.g. on MIPS we _simply_ have no idea, we have to trust :-O

...and yes, we need **free software microcode** CPUs :-S

\me very sad
Giovanni


[1] https://en.m.wikipedia.org/wiki/Speculative_execution

-- 
Giovanni Biscuolo

Xelera IT Infrastructures


