This security update

https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html

addresses

Four new speculative execution information leak issues have been
identified in Intel CPUs. (bsc#1111331)

- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

These updates contain the CPU Microcode adjustments for the software
mitigations.

to be installed with

zypper in -t patch openSUSE-2019-1806=1

here, running

lsb_release -rd
Description:    openSUSE Leap 15.1
Release:        15.1

uname -rm
5.5.2-25.g994cf1f-default x86_64

rpm -qa | egrep "ucode-intel|firmware-intel"
ucode-intel-20191115-lp151.3.9.x86_64
kernel-firmware-intel-20200122-36.2.noarch

on an old, but otherwise functional, laptop,

cat /proc/cpuinfo | grep -i "model name"
model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz

with mitigations enabled with,

cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-5.5.2-25.g994cf1f-default ... mitigations=auto,nosmt ...

and

zypper in -t patch openSUSE-2019-1806=1
Loading repository data...
Reading installed packages...
'patch:openSUSE-2019-1806 = 1' is already installed.
Resolving package dependencies...

Nothing to do.

a check with

spectre-meltdown-checker.sh --version
Spectre and Meltdown mitigation detection tool v0.43

returns

...
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
...

and

cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled

what additional mitigation, &/or specific microcode update is required to complete the mitigations?

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
Hi,

On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
> This security update
>
> https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>
> addresses
>
> Four new speculative execution information leak issues have been
> identified in Intel CPUs. (bsc#1111331)
>
> - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
> - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
> - CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)
> - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory
> (MDSUM)
>
> These updates contain the CPU Microcode adjustments for the software
> mitigations.
>
> to be installed with
>
> zypper in -t patch openSUSE-2019-1806=1
>
> here, running
>
> lsb_release -rd
> Description:    openSUSE Leap 15.1
> Release:        15.1
>
> uname -rm
> 5.5.2-25.g994cf1f-default x86_64
>
> rpm -qa | egrep "ucode-intel|firmware-intel"
> ucode-intel-20191115-lp151.3.9.x86_64
> kernel-firmware-intel-20200122-36.2.noarch
>
> on an old, but otherwise functional, laptop,
>
> cat /proc/cpuinfo | grep -i "model name"
> model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
>
> with mitigations enabled with,
>
> cat /proc/cmdline
> BOOT_IMAGE=/vmlinuz-5.5.2-25.g994cf1f-default ... mitigations=auto,nosmt ...
>
> and
>
> zypper in -t patch openSUSE-2019-1806=1
> Loading repository data...
> Reading installed packages...
> 'patch:openSUSE-2019-1806 = 1' is already installed.
> Resolving package dependencies...
>
> Nothing to do.
>
> a check with
>
> spectre-meltdown-checker.sh --version
> Spectre and Meltdown mitigation detection tool v0.43
>
> returns
>
> ...
> CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
> * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
> * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
> * Kernel mitigation is enabled and active: NO
> * SMT is either mitigated or disabled: YES
> > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>
> CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
> * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
> * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
> * Kernel mitigation is enabled and active: NO
> * SMT is either mitigated or disabled: YES
> > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>
> CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
> * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
> * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
> * Kernel mitigation is enabled and active: NO
> * SMT is either mitigated or disabled: YES
> > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
>
> CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
> * Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
> * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
> * Kernel mitigation is enabled and active: NO
> * SMT is either mitigated or disabled: YES
> > STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
> ...
>
> and
>
> cat /sys/devices/system/cpu/vulnerabilities/mds
> Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>
> what additional mitigation, &/or specific microcode update is required to complete the mitigations?

A newer processor. :/

Sadly, Intel does not provide updated microcode for older processors.

Ciao, Marcus
On 13/02/2020 08.30, Marcus Meissner wrote:
> Hi,
>
> On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
>> This security update
>>
>> https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>>
>> addresses
...
>> on an old, but otherwise functional, laptop,
>>
>> cat /proc/cpuinfo | grep -i "model name"
>> model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
...
>> a check with
>>
>> spectre-meltdown-checker.sh --version
>> Spectre and Meltdown mitigation detection tool v0.43
>>
>> returns
...
>> and
>>
>> cat /sys/devices/system/cpu/vulnerabilities/mds
>> Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>>
>> what additional mitigation, &/or specific microcode update is
>> required to complete the mitigations?
>
> A newer processor. :/
>
> Sadly, Intel does not provide updated microcode for older
> processors.

Doesn't the Linux kernel include other mitigations besides Intel
provided microcode?

If only new processors are covered by them, we are doomed. :-(

--
Cheers / Saludos,

Carlos E. R.
(from 15.1 x86_64 at Telcontar)
On Thu, Feb 13, 2020 at 11:41:16AM +0100, Carlos E. R. wrote:
> On 13/02/2020 08.30, Marcus Meissner wrote:
> > Hi,
> >
> > On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
> >> This security update
> >>
> >> https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
> >>
> >> addresses
> ...
> >> on an old, but otherwise functional, laptop,
> >>
> >> cat /proc/cpuinfo | grep -i "model name"
> >> model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
> ...
> >> a check with
> >>
> >> spectre-meltdown-checker.sh --version
> >> Spectre and Meltdown mitigation detection tool v0.43
> >>
> >> returns
> ...
> >> and
> >>
> >> cat /sys/devices/system/cpu/vulnerabilities/mds
> >> Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
> >>
> >> what additional mitigation, &/or specific microcode update is
> >> required to complete the mitigations?
> >
> > A newer processor. :/
> >
> > Sadly, Intel does not provide updated microcode for older
> > processors.
>
> Doesn't the Linux kernel include other mitigations besides Intel
> provided microcode?
>
> If only new processors are covered by them, we are doomed. :-(

Some of the processor mitigations can be done in software, like
retpolines or Spectre v1 and v3 like fixes, or L1TF baremetal fixes.

Others need CPU Microcode help, and yes, these are then problematic.

The major ones like Meltdown, Spectre v1, v2 are covered by software
only solutions, the rest has a smaller impact.

If you are just using this as your home machine or laptop, no need to
worry.

Realistic attack scenarios include multiuser servers, either with
untrusted users or untrusted VMs.

Ciao, Marcus
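The distinction drawn in this reply (software-only mitigations vs. ones that need microcode) and the mds status quoted in the original question can both be read straight from the kernel's sysfs vulnerability files. The script below is an added example, not code from the thread or from openSUSE; it classifies those status strings and walks the live directory when one exists. The sample strings it carries are the mds line quoted above plus constructed typical kernel outputs.

```shell
#!/bin/sh
# Added example, not from the thread: classify the status strings the kernel
# exposes under /sys/devices/system/cpu/vulnerabilities/ so that "mitigated
# in software" is told apart from "kernel ready, microcode missing", the
# state the mds entry quoted above reports. Sample strings are constructed.

classify_vuln_status() {
    # $1 is one status string as read from vulnerabilities/<name>.
    case "$1" in
        "Not affected"*)               echo "not-affected" ;;
        Mitigation:*"SMT vulnerable"*) echo "mitigated-smt-vulnerable" ;;
        Mitigation:*)                  echo "mitigated" ;;
        Vulnerable:*"no microcode"*)   echo "needs-microcode" ;;
        Vulnerable*)                   echo "vulnerable" ;;
        *)                             echo "unknown" ;;
    esac
}

# Walk the live sysfs directory when present, one line per entry; returns 1
# when the directory is absent (e.g. a container without sysfs).
report_live_vulns() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        status=$(cat "$f")
        printf '%-22s %-26s %s\n' "${f##*/}" \
            "$(classify_vuln_status "$status")" "$status"
    done
}

# Count constructed sample entries that still need microcode: the mds line is
# the one from this thread, the others are typical kernel strings.
count_needs_microcode_sample() {
    n=0
    for s in \
        "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled" \
        "Mitigation: PTI" \
        "Mitigation: Full generic retpoline, STIBP: disabled, RSB filling" \
        "Not affected"
    do
        if [ "$(classify_vuln_status "$s")" = "needs-microcode" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

report_live_vulns || echo "no sysfs vulnerabilities directory; sample entries needing microcode: $(count_needs_microcode_sample)"
```

On a host like the one in the thread, the mds entry comes out as needs-microcode while meltdown and spectre_v2 show as mitigated, which is exactly the software-vs-microcode split described above.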
On 13/02/2020 11.54, Marcus Meissner wrote:
> On Thu, Feb 13, 2020 at 11:41:16AM +0100, Carlos E. R. wrote:
>> On 13/02/2020 08.30, Marcus Meissner wrote:
>>> Hi,
>>>
>>> On Wed, Feb 12, 2020 at 08:29:53PM -0800, PGNet Dev wrote:
>>>> This security update
>>>>
>>>> https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00052.html
>>>>
>>>> addresses
>> ...
>>>> on an old, but otherwise functional, laptop,
>>>>
>>>> cat /proc/cpuinfo | grep -i "model name"
>>>> model name : Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
>> ...
>>>> a check with
>>>>
>>>> spectre-meltdown-checker.sh --version
>>>> Spectre and Meltdown mitigation detection tool v0.43
>>>>
>>>> returns
>> ...
>>>> and
>>>>
>>>> cat /sys/devices/system/cpu/vulnerabilities/mds
>>>> Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
>>>>
>>>> what additional mitigation, &/or specific microcode update is
>>>> required to complete the mitigations?
>>>
>>> A newer processor. :/
>>>
>>> Sadly, Intel does not provide updated microcode for older
>>> processors.
>>
>> Doesn't the Linux kernel include other mitigations besides Intel
>> provided microcode?
>>
>> If only new processors are covered by them, we are doomed. :-(
>
> Some of the processor mitigations can be done in software, like
> retpolines or spectre v1 and v3 like fixes, or L1TF baremetal
> fixes.
>
> Others need CPU Microcode help, and yes, these are then
> problematic.
>
> The major ones like Meltdown, Spectre v1, v2 are covered by
> software only solutions, the rest has a smaller impact.
>
> If you are just using this as your home machine or laptop, no need
> to worry.

Thanks.

Well, I'm replacing my main desktop machine (because of other reasons),
but the new CPU will be an AMD Ryzen, because of these problems. Intel
now scares me. And the mitigations make them slower.

But I have other machines I cannot replace, and one of them is
reachable from the Internet via ssh:

Intel(R) Pentium(R) CPU N3710 @ 1.60GHz

> Realistic attack scenarios include multiuser servers, either with
> untrusted users or untrusted VMs.

No, nothing like that. Unless we consider Apache to be vulnerable, as
the users are unknown.

--
Cheers / Saludos,

Carlos E. R.
(from 15.1 x86_64 at Telcontar)
In reply to this post by Marcus Meissner

On 2/12/20 11:30 PM, Marcus Meissner wrote:
> A newer processor. :/
>
> Sadly, Intel does not provide updated microcode for older processors.

shame.

i'd _thought_ there were software-only mitigations for these. time to
re-read.

it's a perfectly functional, fully up-to-date (except for these
mitigations) laptop, that STILL runs more reliably than off-the-shelf M$.

Intel's certainly selling a lot of Ryzens. Think they get a $cut ?