Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. buik

    Red Hat's release is faster than upstream :)

     
  2. pamamolf

    How can you confirm the patch has been applied on a CentOS/RHEL based distro for the Intel bug?
    Here is how you search for the CVE. If you get output, you are patched. No output means not patched.

     
    Last edited: Jan 5, 2018
  3. Matt

    Specify the kernel version
    Code:
    # rpm -q --changelog kernel-3.10.0-693.11.6.el7 | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
    - [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
    - [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
    - [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
    - [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    - [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
    
     
  4. eva2000

    Weird, did they mess up the order of the changelog display? If you don't specify the exact kernel version and just the kernel package, you don't get the changelog at all.

    Usually the latest is at the top of the listing.
    Code (Text):
    rpm -q --changelog kernel | head -n10                                                          
    * Tue Jul 04 2017 CentOS Sources <bugs@centos.org> - 3.10.0-514.26.2.el7
    - Apply debranding changes
    
    * Fri Jun 30 2017 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-514.26.2.el7]
    - [mm] fix new crash in unmapped_area_topdown() (Frantisek Hrbata) [1466138 1463241]
    - [mm] larger stack guard gap, between vmas (Frantisek Hrbata) [1466138 1463241]
    - [mm] Revert "enlarge stack guard gap" (Frantisek Hrbata) [1466138 1463241]
    
    * Tue Jun 20 2017 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-514.26.1.el7]
    - [mm] enlarge stack guard gap (Larry Woodman) [1452732 1452733] {CVE-2017-1000364}
    

    But now I need to specify the exact version?
    Code (Text):
    rpm -q --changelog kernel-3.10.0-693.11.6.el7 | head -n10
    * Wed Jan 03 2018 CentOS Sources <bugs@centos.org> - 3.10.0-693.11.6.el7
    - Apply debranding changes
    
    * Thu Dec 28 2017 Denys Vlasenko <dvlasenk@redhat.com> [3.10.0-693.11.6.el7]
    - [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    - [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
    
     
  5. eva2000

    CentOS 6 kernel updates are now out too
    Code (Text):
    yum list updates -q | tr -s ' '
    Updated Packages
    kernel.x86_64 2.6.32-696.18.7.el6 updates
    kernel-devel.x86_64 2.6.32-696.18.7.el6 updates
    kernel-firmware.noarch 2.6.32-696.18.7.el6 updates
    kernel-headers.x86_64 2.6.32-696.18.7.el6 updates
    
     
  6. eva2000

    Interesting update from Linode joining forces with other cloud providers: Linode Blog » CPU Vulnerabilities: Meltdown & Spectre

     
  7. eva2000

    OVH: Meltdown, Spectre bug impacting x86-64 CPU - OVH fully mobilised

     
  8. eva2000

    More on Spectre flaws: Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

    Probably the best explanation for Spectre I have read so far.
    Software-based countermeasures: Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

    One mentioned is retpoline.
     
    Last edited: Jan 5, 2018
  9. eva2000

    More info after you update kernels: Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables - Red Hat Customer Portal

    More suited to before/after kernel update testing of the performance impact.
    By default I only have one of them set to a non-zero value:
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    0
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    

     
  10. Matt

    Are you modifying the boot command, or setting this value after each reboot?
     
  11. Matt

    Hmm, this is what I'm seeing on my updated servers as well
    Code (Text):
    # cat /sys/kernel/debug/x86/pti_enabled
    1
    # cat /sys/kernel/debug/x86/ibpb_enabled
    0
    # cat /sys/kernel/debug/x86/ibrs_enabled
    0
    
     
  12. eva2000

    Read further into the Red Hat tunables explanation link.

    So I see 1 0 0,
    as my i7 4790K doesn't have a microcode update available yet.
     
  13. eva2000

    On my OVH i7 4790K CentOS 7.4 64-bit server I updated the microcode, but there is nothing for my i7 4790K related to Meltdown/Spectre yet.

    microcode_ctl updates - you may want to contact your web host first if unsure about this update:
    Code (Text):
    rpm -q --changelog microcode_ctl | head -n4
    * Fri Dec 15 2017 Petr Oros <poros@redhat.com> - 2.1-22.2
    - Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04
    - Resolves: #1527358
    

    Before:
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Jan 05 07:18:31 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x17
    Jan 05 07:18:31 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
    Jan 05 07:19:17 hostname dracut[3287]: *** Generating early-microcode cpio image contents ***
    Jan 05 07:19:17 hostname dracut[3287]: *** No early-microcode cpio image needed ***
    

    After:
    Revision bumped from 0x17 to 0x22, but date = 2017-01-27 is the last date for microcode updates for the i7 4790K, so there are no more recent microcode updates available for my i7 4790K yet.
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Jan 05 14:44:46 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    Jan 05 14:44:46 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    Jan 05 14:44:46 hostname kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
    Jan 05 14:44:47 hostname systemd[1]: Starting Load CPU microcode update...
    Jan 05 14:44:48 hostname systemd[1]: Started Load CPU microcode update.
    

    But the tunables are still 1 0 0 instead of 1 1 1 (according to here):
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    0
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    


    From Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 - Red Hat Customer Portal
     
    Last edited: Jan 6, 2018
  14. eva2000

  15. eva2000

    More at Phoronix.com
     
  16. dcg

     
  17. eva2000

    Thanks @dcg :)

    Update from CloudLinux and KernelCare: fixes Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux

    Relevant to KernelCare.
     
  18. eva2000

    Intel: Intel Issues Updates to Protect Systems from Security Exploits | Intel Newsroom

    Industry Testing Shows Recently Released Security Updates Not Impacting Performance in Real-World Deployments | Intel Newsroom

     
  19. pamamolf

    May I have an example of how to do this so I can disable it and test?

    Thank you.
     
  20. eva2000

    If you don't know how, then I suggest using the non-persistent method, as you also need to know how to recover from a non-boot situation if you use the kernel command line method - of course, google-fu ;)