Discover Centmin Mod today
Register Now

Linux Kernel Security Updates for Spectre & Meltdown Vulnerabilities

Discussion in 'Centmin Mod News' started by eva2000, Jan 5, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    There are new Linux Kernel security updates for Spectre & Meltdown vulnerability fixes. Update: May 21, 2018 - Newly found Spectre Variant 4 and 3a vulnerabilities outlined at Security - Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

    Other Notes:
    • Your web host may already have contacted you regarding these as Linux Kernel updates will also require a server reboot.
    • If you're on OpenVZ VPSes, then Linux kernel updates would be needed on OpenVZ host node level so contact your web host.
    • If using Xen VPSes, need to wait for a Xen branch Kernel to be available, so again contact your web host.
    Details and discussions are available at Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]. You should subscribe/watch the thread for further news and developments as the situation is still fluid and on going.
    p.s. while you updating, might as well update your PHP versions as there are security updates out as well PHP Security Updates: 5.6.33, 7.0.27, 7.1.13, 7.2.1 ;)
     
    Last edited: Jan 6, 2018
    • Informative Informative x 4
  2. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    More info after you update Redhat/CentOS kernels Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables - Red Hat Customer Portal

    more suited to before/after kernel update testing of performance impact
    by default i am only setting one of them set to non-zero value as my i7 4790K cpu doesn't have a microcode update available i believe
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    1
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    0
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    0
    

     
    • Informative Informative x 2
    • Winner Winner x 1
  3. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  4. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Many Linode users on this forum so a very relevant update as there's a new Linode 4.14.12 Kernel available Available Linux Kernels - Linode :)

    Update: January 8th, 2018 - Linode blog update Linode Blog » CPU Vulnerabilities: Meltdown & Spectre

    Update: January 7, 2018 - Linode users can switch back from Linode custom 4.14.12 kernel to CentOS distro Kernel for the additional Spectre backported fixes not included in Linux 4.14 upstream Kernels by using guide outlined at Run a Distribution-Supplied Kernel on a KVM Linode

    Linode blog update Linode Blog » CPU Vulnerabilities: Meltdown & Spectre
    One of my Linode KVM VPS rebooted
    Code (Text):
    uname -r
    4.14.12-x86_64-linode92
    

    Checking Kernel KPTI and related tunables - looks like Linode custom 4.14.12 kernels do not support Redhat/CentOS backported 3.10 kernel's tunable settings
    Code (Text):
    cat /sys/kernel/debug/x86/pti_enabled
    cat: /sys/kernel/debug/x86/pti_enabled: No such file or directory
    
    cat /sys/kernel/debug/x86/ibpb_enabled
    cat: /sys/kernel/debug/x86/ibpb_enabled: No such file or directory
    
    cat /sys/kernel/debug/x86/ibrs_enabled
    cat: /sys/kernel/debug/x86/ibrs_enabled: No such file or directory
    
     
  5. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Nginx response for Meltdown & Spectre NGINX Response to the Meltdown and Spectre Vulnerabilities - NGINX

     
  6. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  7. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Intel Intel® Product Security Center

     
  8. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Meltdown and Spectre get their own Wiki entries :)
    some goods on Android side at least for Meltdown (but not for Spectre)
     
  9. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Dell and bios updates Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products | Dell Australia
    Looks like I need to update my Dell Inspiron 13 7000 (D7378) too :)
     
  10. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    AMD more vulnerable that initially thought AMD CPUs Are Potentially Vulnerable To Spectre / Variant 2 - Phoronix ?

     
  11. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Not good news at all, Intel cpu microcode updates causing system crashes Intel Xeon E5 V3 and V4 Servers See More Reboots After Meltdown and Spectre Fixes :(

     
  12. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Looks like new firmware and microcode updates are available on Redhat/CentOS 6/7 at least Red Hat Customer Portal

    Code (Text):
    yum list updates -q
    Updated Packages
    linux-firmware.noarch                                    20170606-58.gitc990aae.el7_4                                     updates
    microcode_ctl.x86_64                                     2:2.1-22.5.el7_4                                                 updates
    

    on my Intel i7 4790K OVH server
    Code (Text):
    journalctl -b --no-pager | grep microcode | sed -e "s|$(hostname)|hostname|g"
    Jan 17 17:51:09 hostname kernel: microcode: microcode updated early to revision 0x22, date = 2017-01-27
    Jan 17 17:51:09 hostname kernel: microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU4 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU5 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU6 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: CPU7 sig=0x306c3, pf=0x2, revision=0x22
    Jan 17 17:51:09 hostname kernel: microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba
    Jan 17 17:51:10 hostname systemd[1]: Starting Load CPU microcode update...
    Jan 17 17:51:10 hostname systemd[1]: Started Load CPU microcode update.
    
     
  13. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    seems like round 2 is about to start Meltdown-Spectre flaws: We've found new attack variants, say researchers | ZDNet

     
    • Informative Informative x 1
  14. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Meltdown-Spectre: Malware is already being tested by attackers | ZDNet

     
  15. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Phoronix checks out latest Linux 4.16 kernel with KPTI patches + Reptoline with AMD EPYC 7601 cpu An Early Look At The Linux 4.16 Kernel Performance With AMD EPYC - Phoronix. Interesting to see how Linux 4.16 kernel does considering my early Linux 4.15 tests with AMD 7401P showed much better performance compared to CentOS 7.4's 3.10 Kernels for AMD EPYC.

    Interesting comment brought up on the Phoronix forums for this article is that while AMD EPYC isn't affected by Kernel KPTI for Meltdown like Intel is, but CentOS/RHEL yum RPM packages themselves maybe built on Intel based systems initially so the resulting RPM binaries might be affected even if they are installed on AMD EPYC systems ! Luckily, for Centmin Mod users at least Nginx, PHP-FPM, Memcached server and some select PHP extensions are all source compiled rather than using YUM provided RPM binaries so can retain some of that performance on AMD EPYC systems. Also both GCC 8 and Clang 6 have further optimisations for AMD EPYC which will help for Centmin Mod Nginx, PHP-FPM source builds thanks to my work on GCC 8 and Clang 6 :)

     
  16. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    As some folks have guessed, some Intel cpus can not be fixed for Spectre v2 vulnerability and some cpus Intel won't be fixing for Meltdown either Security - Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

     
  17. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    8 new Spectre-NG vulnerabilities
    Eight new Spectre Variant Vulnerabilities for Intel Discovered - four of them critical
    Can be discussed at Security - Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]
     
    • Informative Informative x 1
  18. eva2000

    eva2000 Administrator Staff Member

    36,054
    7,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,192
    Local Time:
    7:28 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
..
Thread Status:
Not open for further replies.