
Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    Latest state of my OVH MC-32 Core i7 4790K kernel level spectre/meltdown fixes

    kernel
    Code (Text):
    uname -r
    3.10.0-862.2.3.el7.x86_64
    

    check boot log on CentOS 7
    Code (Text):
    journalctl -b | egrep -C1 -i 'spectre|meltdown|cve' | sed -e "s|$(hostname -f)|hostname|g"
    May 22 08:11:33 hostname kernel: FEATURE IBPB_SUPPORT Not Present
    May 22 08:11:33 hostname kernel: Spectre V2 : Vulnerable: Retpoline without IBPB
    May 22 08:11:33 hostname kernel: Freeing SMP alternatives: 24k freed
    --
    May 25 14:12:44 hostname DISCLAIMER[28517]: This updated microcode supersedes microcode provided by Red Hat with
    May 25 14:12:44 hostname DISCLAIMER[28517]: the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
    May 25 14:12:44 hostname DISCLAIMER[28517]: mitigation.
    May 25 14:12:44 hostname kernel: Spectre V2 : Mitigation: Full retpoline
    May 25 14:12:44 hostname DISCLAIMER[28517]: Historically, Red Hat has provided updated microcode, developed by our
    --
    May 25 14:12:44 hostname unknown: This updated microcode supersedes microcode provided by Red Hat with
                                         the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
                                         mitigation.
    

    CentOS microcode_ctl package change log
    Code (Text):
    rpm -q --changelog microcode_ctl | head -n12
    * Tue May 15 2018 Petr Oros <[email protected]> - 2.1-29.2
    - Update disclaimer text
    - Resolves: #1575570
    
    * Mon May 07 2018 Petr Oros <[email protected]> - 2.1-29.1
    - Intel CPU microcode update to 20180425.
    - Resolves: #1575570
    
    * Fri Jan 12 2018 Petr Oros <[email protected]> - 2.1-29
    - Revert Microcode from Intel for Side Channel attack
    - Resolves: #1533939
    

    check logging for microcode related entries
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    May 22 08:11:33 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    May 22 08:11:33 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    May 22 08:11:33 hostname kernel: microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba
    May 22 08:11:35 hostname systemd[1]: Starting Load CPU microcode update...
    May 22 08:11:35 hostname systemd[1]: Started Load CPU microcode update.
    May 22 08:12:19 hostname dracut[3492]: *** Generating early-microcode cpio image contents ***
    May 22 08:12:19 hostname dracut[3492]: *** Creating microcode section ***
    May 22 08:12:19 hostname dracut[3492]: *** Created microcode section ***
    May 22 08:12:20 hostname dracut[3492]: drwxr-xr-x   2 root     root            0 May 22 08:12 kernel/x86/microcode
    May 22 08:12:20 hostname dracut[3492]: -rw-r--r--   1 root     root        22528 May 22 08:12 kernel/x86/microcode/GenuineIntel.bin
    May 25 14:12:44 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU0 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU1 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU2 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU3 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU4 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU5 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU6 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    May 25 14:12:44 hostname kernel: microcode: CPU7 updated to revision 0x24, date = 2018-01-21
    May 25 14:12:44 hostname DISCLAIMER[28517]: This updated microcode supersedes microcode provided by Red Hat with
    May 25 14:12:44 hostname DISCLAIMER[28517]: Historically, Red Hat has provided updated microcode, developed by our
    May 25 14:12:44 hostname DISCLAIMER[28517]: temporarily suspended this practice while microcode stabilized. Red
    May 25 14:12:44 hostname DISCLAIMER[28517]: Hat is once again providing an updated Intel microcode package
    May 25 14:12:44 hostname DISCLAIMER[28517]: (microcode_ctl) and AMD microcode package (linux-firmware) to customers
    May 25 14:12:44 hostname DISCLAIMER[28517]: continue to update these microcode packages as necessary. Please
    May 25 14:12:44 hostname DISCLAIMER[28517]: Intel and AMD microcode package versions.
    May 25 14:12:44 hostname yum[28281]: Updated: 2:microcode_ctl-2.1-29.2.el7_5.x86_64
    May 25 14:12:44 hostname unknown: This updated microcode supersedes microcode provided by Red Hat with
                                         Historically, Red Hat has provided updated microcode, developed by our
                                         temporarily suspended this practice while microcode stabilized. Red
                                         Hat is once again providing an updated Intel microcode package
                                         (microcode_ctl) and AMD microcode package (linux-firmware) to customers
                                         continue to update these microcode packages as necessary. Please
                                         Intel and AMD microcode package versions.
    May 25 14:13:05 hostname dracut[8202]: *** Generating early-microcode cpio image contents ***
    May 25 14:13:05 hostname dracut[8202]: *** Creating microcode section ***
    May 25 14:13:05 hostname dracut[8202]: *** Created microcode section ***
    May 25 14:13:06 hostname dracut[8202]: drwxr-xr-x   2 root     root            0 May 25 14:13 kernel/x86/microcode
    May 25 14:13:06 hostname dracut[8202]: -rw-r--r--   1 root     root        23552 May 25 14:13 kernel/x86/microcode/GenuineIntel.bin
    May 25 14:13:17 hostname dracut[18352]: *** Generating early-microcode cpio image contents ***
    May 25 14:13:17 hostname dracut[18352]: *** Creating microcode section ***
    May 25 14:13:17 hostname dracut[18352]: *** Created microcode section ***
    May 25 14:13:18 hostname dracut[18352]: drwxr-xr-x   2 root     root            0 May 25 14:13 kernel/x86/microcode
    May 25 14:13:18 hostname dracut[18352]: -rw-r--r--   1 root     root        23552 May 25 14:13 kernel/x86/microcode/GenuineIntel.bin
    

    Check Redhat/CentOS tunables explained here = 1 1 0
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    1
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    
    cat /sys/kernel/debug/x86/retp_enabled 
    1
    

    So
    • pti_enabled - Page Table Isolation is enabled
    • ibpb_enabled - Indirect Branch Prediction Barriers is enabled
    • ibrs_enabled - Indirect Branch Restricted Speculation is disabled
    • retp_enabled - "retp_enabled" alteration is only available at runtime for RHEL7 systems. This tunable is read-only for RHEL 6 systems
    So since the Core i7 4790K is a Haswell-based processor, kernel-level Retpolines are used to mitigate Spectre variant 2 instead of ibrs_enabled.
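
    The checks above can be scripted. This is an added example, not code from the post or from Centmin Mod: it reads the four RHEL 7 debugfs tunables from a directory (so it can be exercised against constructed sample files; the real path needs root and debugfs mounted) and pulls the kernel's "Spectre V2 :" verdict out of journal text, keeping the last one because the kernel re-logs it after a late microcode load. The sample values and log lines are constructed to mirror the ones shown above.

```shell
#!/bin/sh
# Added example (not from the post): summarise the CentOS 7 / RHEL 7 Spectre and
# Meltdown tunables and extract the kernel's own "Spectre V2 :" verdict from the
# boot log. DIR defaults to the real /sys/kernel/debug/x86 (root + debugfs needed).

# One line per tunable: NAME=enabled|disabled|unreadable.
mitigation_status() {
    dir="${1:-/sys/kernel/debug/x86}"
    for t in pti_enabled ibpb_enabled ibrs_enabled retp_enabled; do
        if [ -r "$dir/$t" ]; then
            v=$(cat "$dir/$t")
        else
            v="unreadable"   # debugfs not mounted, or not running as root
        fi
        case "$v" in
            0) v="disabled" ;;
            1) v="enabled" ;;
        esac
        printf '%s=%s\n' "$t" "$v"
    done
}

# Read journal text on stdin and print the last "Spectre V2 : ..." verdict; the
# kernel logs it again after a late microcode load, so the last line is current.
spectre_v2_verdict() {
    sed -n 's/.*Spectre V2 : //p' | tail -n 1
}

# Exit 0 when the verdict is a mitigation, 1 when the kernel says "Vulnerable".
spectre_v2_ok() {
    case "$(spectre_v2_verdict)" in
        Mitigation:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data mirroring the values and log lines in the post above.
demo() {
    d=$(mktemp -d)
    printf '1\n' > "$d/pti_enabled"; printf '1\n' > "$d/ibpb_enabled"
    printf '0\n' > "$d/ibrs_enabled"; printf '1\n' > "$d/retp_enabled"
    mitigation_status "$d"
    rm -rf "$d"
    printf '%s\n' 'May 22 08:11:33 hostname kernel: Spectre V2 : Vulnerable: Retpoline without IBPB' \
                  'May 25 14:12:44 hostname kernel: Spectre V2 : Mitigation: Full retpoline' \
        | spectre_v2_verdict
}
demo
```

    On a live CentOS 7 host the same functions are driven with `mitigation_status` (no argument) and `journalctl -b | spectre_v2_verdict`.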
     
  2. eva2000

    More Spectre fixes land in Google Chrome 67: "Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes"

    Good to know, I already enabled Site Isolation using Chrome flags prior to Chrome 67 but good to know it's default now.
     