Thursday, November 16, 2017

New kernels for Debian Stretch (now with full retpoline!)

Continuing the series of posts with stable versions of the Linux kernel, here is the latest version I compiled at home. All of these can be installed directly on 64-bit Debian GNU/Linux 9.0 Stretch without any dependency hassle. Each directory contains the packages with the kernel image, the headers and the configuration used for the build.
This is the output of spectre-meltdown-checker for this kernel on an Intel i5 CPU with microcode from 20170707 (look at the lines that say STATUS):
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.15.4 #1 SMP Sat Feb 17 14:40:51 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
Will use vmlinux image /boot/vmlinuz-4.15.4
Will use kconfig /boot/config-4.15.4
Will use System.map file /proc/kallsyms

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
    * Kernel has set the spec_ctrl flag in cpuinfo: NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU microcode is known to cause stability problems: YES (model 78 stepping 3 ucode 0xc2)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Checking count of LFENCE instructions following a jump in kernel: NO (only 3 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: NO
  * Currently enabled features
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * IBPB enabled: NO
* Mitigation 2
  * Kernel compiled with retpoline option: YES
  * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Performance impact if PTI is enabled
  * CPU supports PCID: YES (performance degradation with PTI will be limited)
  * CPU supports INVPCID: YES (performance degradation with PTI will be limited)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
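The checker above draws its verdicts from two sources a reader can inspect directly: the /sys vulnerabilities interface ("Mitigated according to the /sys interface") and the build-time kernel config ("Kernel compiled with retpoline option", "Kernel supports Page Table Isolation"). The following POSIX shell functions are an added example, not from this post or from spectre-meltdown-checker; the sysfs file names (spectre_v1, spectre_v2, meltdown) and the CONFIG_RETPOLINE / CONFIG_PAGE_TABLE_ISOLATION options are those used by the 4.15 kernel, and both paths are parameters so the check can be run against a constructed directory as well as the live system.

```shell
#!/bin/sh
# Added example (not the post's or the tool's code): re-check the two sources
# spectre-meltdown-checker reads, the /sys interface and the kernel config.

# Print "<CVE> <Mitigated|Vulnerable|Unknown> (<sysfs text>)" for the three
# original variants; return 0 only if all three report a mitigation.
check_sys_mitigations() {
    sysdir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        name="${entry%%:*}"
        cve="${entry##*:}"
        f="$sysdir/$name"
        if [ ! -r "$f" ]; then
            # Kernels older than 4.15 have no such file; treat that as unknown, not safe.
            echo "$cve Unknown (no $f)"
            rc=1
            continue
        fi
        line=$(cat "$f")
        case "$line" in
            "Not affected"*|"Mitigation:"*) echo "$cve Mitigated ($line)" ;;
            *) echo "$cve Vulnerable ($line)"; rc=1 ;;
        esac
    done
    return $rc
}

# Check the kernel config for the two build-time options the tool reports on
# (retpoline for Variant 2, PTI for Meltdown). Return 0 if both are =y.
check_config_options() {
    cfg="${1:-/boot/config-$(uname -r)}"
    rc=0
    for opt in CONFIG_RETPOLINE CONFIG_PAGE_TABLE_ISOLATION; do
        if grep -qx "$opt=y" "$cfg" 2>/dev/null; then
            echo "$opt=y"
        else
            echo "$opt not set in $cfg"
            rc=1
        fi
    done
    return $rc
}
```

Calling `check_sys_mitigations && check_config_options` with no arguments runs the check against the running system; note that, like the tool, this only reports what the kernel itself claims, so the microcode warning in the output above still has to be read separately.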
If you want to know what is new, here is the link to Diego Callejas's blog, which covers the changes in Linux 4.15, along with the classic summary written by the KernelNewbies folks.
