Join the community today
Become a Member

Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. buik

    buik “The best traveler is one without a camera.”

    1,990
    518
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,647
    Local Time:
    11:58 AM
    Red Hat release is faster than upstream:)


     
  2. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    12:58 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    How can you confirm the patch has been applied on a CentOS/RHEL based distro for Intel bug?
    Here is how you search for CVE. If you get output. You are patched. No output means not patched.

     
    Last edited: Jan 5, 2018
  3. Matt

    Matt Well-Known Member

    925
    414
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +669
    Local Time:
    10:58 AM
    1.5.15
    MariaDB 10.2
    Specify the kernel version
    Code:
    # rpm -q --changelog kernel-3.10.0-693.11.6.el7 | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
    - [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    weird did they mess up order of change log display ? if you don't specify exact kernel version and just kernel package you don't get the change log at all

    usually the latest is at top of listing
    Code (Text):
    rpm -q --changelog kernel | head -n10                                                          
    * Tue Jul 04 2017 CentOS Sources <bugs@centos.org> - 3.10.0-514.26.2.el7
    - Apply debranding changes
    
    * Fri Jun 30 2017 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-514.26.2.el7]
    - [mm] fix new crash in unmapped_area_topdown() (Frantisek Hrbata) [1466138 1463241]
    - [mm] larger stack guard gap, between vmas (Frantisek Hrbata) [1466138 1463241]
    - [mm] Revert "enlarge stack guard gap" (Frantisek Hrbata) [1466138 1463241]
    
    * Tue Jun 20 2017 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-514.26.1.el7]
    - [mm] enlarge stack guard gap (Larry Woodman) [1452732 1452733] {CVE-2017-1000364}
    

    but now need to specify exact version ?
    Code (Text):
    rpm -q --changelog kernel-3.10.0-693.11.6.el7 | head -n10
    * Wed Jan 03 2018 CentOS Sources <bugs@centos.org> - 3.10.0-693.11.6.el7
    - Apply debranding changes
    
    * Thu Dec 28 2017 Denys Vlasenko <dvlasenk@redhat.com> [3.10.0-693.11.6.el7]
    - [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    
     
  5. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    CentOS 6 kernel updates are now out too
    Code (Text):
    yum list updates -q | tr -s ' '
    Updated Packages
    kernel.x86_64 2.6.32-696.18.7.el6 updates
    kernel-devel.x86_64 2.6.32-696.18.7.el6 updates
    kernel-firmware.noarch 2.6.32-696.18.7.el6 updates
    kernel-headers.x86_64 2.6.32-696.18.7.el6 updates
    
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Interesting update from Linode joining forces with other cloud providers Linode Blog » CPU Vulnerabilities: Meltdown & Spectre

     
  7. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    OVH Meltdown, Spectre bug impacting x86-64 CPU - OVH fully mobilised

     
  8. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More on Spectre flaws Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

    probably the best explanation for Spectre I have read so far
    software based counter measures Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

    one mentioned is reptoline
     
    Last edited: Jan 5, 2018
  9. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More info after you update kernels Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables - Red Hat Customer Portal

    more suited to before/after kernel update testing of performance impact
    by default i am only setting one of them set to non-zero value
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    0
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    

     
  10. Matt

    Matt Well-Known Member

    925
    414
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +669
    Local Time:
    10:58 AM
    1.5.15
    MariaDB 10.2
    Are you modifying the boot command, or setting this value after each reboot?
     
  11. Matt

    Matt Well-Known Member

    925
    414
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +669
    Local Time:
    10:58 AM
    1.5.15
    MariaDB 10.2
    Hmm, this is what I'm seeing on my updated servers as well
    Code (Text):
    # cat /sys/kernel/debug/x86/pti_enabled
    1
    # cat /sys/kernel/debug/x86/ibpb_enabled
    0
    # cat /sys/kernel/debug/x86/ibrs_enabled
    0
    
     
  12. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Read further into the redhat tunables explanation link

    so i see 1 0 0
    as my i7 4790K doesn't have microcode update available yet
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    on my OVH i7 4790K CentOS 7.4 64bit server updated microcode but nothing for my i7 4790K related to Meltdown/Spectre yet

    microcode_ctl updates - maybe want to contact your web host first if unsure about this update
    Code (Text):
    rpm -q --changelog microcode_ctl | head -n4
    * Fri Dec 15 2017 Petr Oros <poros@redhat.com> - 2.1-22.2
    - Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04
    - Resolves: #1527358
    

    before
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Jan 05 07:18:31 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
    Jan 05 07:19:17 hostname dracut[3287]: *** Generating early-microcode cpio image contents ***
    Jan 05 07:19:17 hostname dracut[3287]: *** No early-microcode cpio image needed ***
    

    after
    revision bumped from 0x17 to 0x22 but date = 2017-01-27 is last date for microcode updates for i7 4790K so there are no more recent microcode updates available for my i7 4790K yet.
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Jan 05 14:44:46 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    Jan 05 14:44:46 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
    Jan 05 14:44:47 hostname systemd[1]: Starting Load CPU microcode update...
    Jan 05 14:44:48 hostname systemd[1]: Started Load CPU microcode update.
    

    But still tunables so 1 0 0 instead of 1 1 1 (according to here)
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    0
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    


    from Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 - Red Hat Customer Portal
     
    Last edited: Jan 6, 2018
  14. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  15. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More Phoronix.com
     
  16. dcg

    dcg Member

    67
    24
    8
    Oct 17, 2015
    Florida, USA
    Ratings:
    +49
    Local Time:
    5:58 AM
    1.21.x
    10.3.x
     
  17. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Thanks @dcg :)

    Update from Cloudlinux and Kernelcare fixes Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux

    relevant to Kernelcare
     
  18. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Intel Intel Issues Updates to Protect Systems from Security Exploits | Intel Newsroom

    Industry Testing Shows Recently Released Security Updates Not Impacting Performance in Real-World Deployments | Intel Newsroom

     
  19. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    12:58 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    May i have an example on how to do this so i can disable it and test ?

    Thank you
     
  20. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:58 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    If you don't know how then i suggest using non-persistent method as you also need to know how to recover from non-boot situation if you use kernel command line method - of course google-fu ;)