Gentoo Forums
[SOLVED] Is my laptop vulnerable or not?
egrep
n00b

Joined: 16 Jul 2020
Posts: 49

Posted: Mon Jul 27, 2020 5:39 pm    Post subject: [SOLVED] Is my laptop vulnerable or not?

Hello,

I have a Lenovo laptop with an Intel Xeon E3-1200 v6/7th Gen Core Processor. It looks like I'm collecting vulnerabilities, lol. I used a guide to update my processor's microcode as described here: https://wiki.gentoo.org/wiki/Intel_microcode. And after a reboot, dmesg output says I have installed the Intel microcode the proper way:
Code:

$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2020-04-23
[    0.575621] microcode: sig=0x906e9, pf=0x20, revision=0xd6
[    0.576199] microcode: Microcode Update Driver: v2.2.


But my system is still vulnerable (?) to the mds, meltdown, spectre flaws, and so on, although I used the guide to update my processor's microcode:
Code:

$ lscpu | grep -i vulnerab
Vulnerability Itlb multihit:     Processor vulnerable
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds:             Mitigation; Microcode
Vulnerability Tsx async abort:   Not affected


Code:

$ dmesg | grep -iE '(spectre|mds|srbds)'
[    0.100599] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[    0.100601] Spectre V2 : Mitigation: Full generic retpoline
[    0.100603] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    0.100604] Spectre V2 : Enabling Restricted Speculation for firmware calls
[    0.100606] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[    0.100608] Spectre V2 : User space: Mitigation: STIBP via seccomp and prctl
[    0.100617] SRBDS: Mitigation: Microcode
[    0.100618] MDS: Mitigation: Clear CPU buffers
[    0.109359] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.

I am running 5.7.10-gentoo and have no idea what else I can do. Am I missing something else?

To summarize, I am interested in the question of how vulnerable my processor is. And is there any complete guide to protection from such vulnerabilities?


Last edited by egrep on Mon Jul 27, 2020 11:39 pm; edited 1 time in total
fedeliallalinea
Bodhisattva

Joined: 08 Mar 2003
Posts: 24527
Location: here

Posted: Mon Jul 27, 2020 5:49 pm

You can install app-admin/spectre-meltdown-checker package that has better output.
_________________
Questions are guaranteed in life; Answers aren't.
egrep
n00b

Joined: 16 Jul 2020
Posts: 49

Posted: Mon Jul 27, 2020 6:04 pm

fedeliallalinea wrote:
You can install app-admin/spectre-meltdown-checker package that has better output.


Well, spectre-meltdown-checker says:

Code:

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK


i.e. there is no CVE with a non-OK status. Does this mean everything is OK?
fedeliallalinea
Bodhisattva

Joined: 08 Mar 2003
Posts: 24527
Location: here

Posted: Mon Jul 27, 2020 6:21 pm

Yes, but I'm not an expert and I don't know if this utility checks all known issues.
_________________
Questions are guaranteed in life; Answers aren't.
halcon
Apprentice

Joined: 15 Dec 2019
Posts: 248

Posted: Mon Jul 27, 2020 7:13 pm    Post subject: Re: Is my laptop vulnerable or not?

egrep wrote:

Code:
Vulnerability Itlb multihit:     Processor vulnerable


AFAIK, that vulnerability is relevant only if you use virtualization with KVM: iTLB multihit.

spectre-meltdown-checker's last info block is dedicated to it. For example:
Code:
CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* This system is a host running a hypervisor:  NO
* iTLB Multihit mitigation is supported by kernel:  YES  (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
egrep
n00b

Joined: 16 Jul 2020
Posts: 49

Posted: Mon Jul 27, 2020 11:39 pm

Thank you guys
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15849

Posted: Tue Jul 28, 2020 2:21 am    Post subject: Re: [SOLVED] Is my laptop vulnerable or not?

egrep wrote:
It looks like I'm collecting vulnerabilities, lol.
But my system is still vulnerable (?) to the mds, meltdown, spectre flaws, and so on, although I used the guide to update my processors microcode:
Code:

$ lscpu | grep -i vulnerab
Vulnerability Itlb multihit:     Processor vulnerable
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds:             Mitigation; Microcode
Vulnerability Tsx async abort:   Not affected
Not quite. As I read this:
  • You are still fully impacted by itlb.
  • For MDS, you are still affected if SMT is used.
  • For all the others, software mitigations (which impair system performance) are present and attempt to mitigate the problem.

egrep wrote:
I am running 5.7.10-gentoo and have no idea what else can I do. I am missing something else?
What else do you want to do? Which of these vulnerabilities apply to how you use your system?
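Hu's reading of the lscpu output above splits the entries into three states: still vulnerable, mitigated only while SMT is off, and mitigated. As an added example that is not from any post in this thread, the POSIX shell script below applies that reading to the status strings the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (the same text lscpu prints) and also reports the SMT state; the thread's own statuses are embedded as a constructed sample so it runs without that directory. The wording patterns it matches on are my assumptions about the kernel's strings, not something the thread documents.

```shell
# Added example, not from the thread: classify the status strings the kernel
# exposes under /sys/devices/system/cpu/vulnerabilities/ (the text lscpu prints)
# so "SMT vulnerable" is not lumped in with a clean "Mitigation". Patterns are assumptions.

# classify_status STATUS -> not-affected | partial | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected"*)                  echo "not-affected" ;;
        "Mitigation"*"SMT vulnerable"*)   echo "partial" ;;     # e.g. MDS with SMT on
        "Vulnerable"*|*": Vulnerable"*|"Processor vulnerable"*)
                                          echo "vulnerable" ;;  # e.g. itlb_multihit
        "Mitigation"*|*": Mitigation"*)   echo "mitigated" ;;
        *)                                echo "unknown" ;;
    esac
}

# report_dir DIR -> one line per entry (name, class, raw status), then the SMT
# state, which decides whether a "partial" MDS entry is actually exposed
report_dir() {
    for f in "$1"/*; do
        s=$(cat "$f")
        printf '%-20s %-13s %s\n' "${f##*/}" "$(classify_status "$s")" "$s"
    done
    smt=/sys/devices/system/cpu/smt/active
    if [ -r "$smt" ]; then printf '%-20s %s\n' "smt_active" "$(cat "$smt")"; fi
}

# make_sample_dir -> temp dir holding the statuses quoted in this thread
# (constructed sample so the script also runs without a real sysfs)
make_sample_dir() {
    d=$(mktemp -d)
    echo "Processor vulnerable" > "$d/itlb_multihit"
    echo "Mitigation; PTE Inversion" > "$d/l1tf"
    echo "Mitigation; Clear CPU buffers; SMT vulnerable" > "$d/mds"
    echo "Mitigation; PTI" > "$d/meltdown"
    echo "Mitigation; Speculative Store Bypass disabled via prctl and seccomp" > "$d/spec_store_bypass"
    echo "Mitigation; usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling" > "$d/spectre_v2"
    echo "Mitigation; Microcode" > "$d/srbds"
    echo "Not affected" > "$d/tsx_async_abort"
    echo "$d"
}

# Real sysfs when present, otherwise the constructed sample
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_dir /sys/devices/system/cpu/vulnerabilities
else
    report_dir "$(make_sample_dir)"
fi
```

On the thread's sample the report flags itlb_multihit as vulnerable, mds as partial, tsx_async_abort as not-affected and the remaining six as mitigated; on a live system the trailing smt_active line (1 or 0) tells you whether the partial MDS case applies.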
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 6694

Posted: Tue Jul 28, 2020 3:27 am

There are changes coming in Linux 5.8 (.9?) to make SMT less dangerous without having to disable it outright. That's probably a long way off though.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46122
Location: 56N 3W

Posted: Tue Jul 28, 2020 9:23 am

egrep,

We are all vulnerable. :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
egrep
n00b

Joined: 16 Jul 2020
Posts: 49

Posted: Tue Jul 28, 2020 1:47 pm    Post subject: Re: [SOLVED] Is my laptop vulnerable or not?

Hu wrote:
What else do you want to do? Which of these vulnerabilities apply to how you use your system?


Well, my daily usage of this workstation is to read news (rss), check mail (thunderbird), write simple code (emacs), do some local research and read books (evince). Probably I could count all the unique websites that I visit in a month and the number would not exceed 20. That's probably all. I'm just interested in doing the best that I can. However, I would not want to sacrifice performance because of a mythical hack possibility.
egrep
n00b

Joined: 16 Jul 2020
Posts: 49

Posted: Tue Jul 28, 2020 1:50 pm

NeddySeagoon wrote:
egrep,

We are all vulnerable. :)


Haha, this is certainly true! However, I am not prone to fanatical defense.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15849

Posted: Wed Jul 29, 2020 2:19 am

Based on that usage pattern, I think using a browser is probably your single greatest risk. Modern browsers are bloated monstrosities with uncounted lurking vulnerabilities due to the desire to have them do all sorts of things (WebGL, asynchronous page content, inline videos with sound, inline video-conferencing, etc.), usually without user preapproval, and sometimes without any way for the user to withhold consent other than refusing to visit the offending site. Keeping your number of sites down is helpful, but not sufficient, because those sites could suffer a breach and begin serving dangerous content. Realistically, unless you visit sites that would be a high priority target due to extreme popularity, the processor flaws probably will not matter.