Project Talk:Security/Vulnerabilities/Meltdown and Spectre

Introduce dracut initramfs
`dracut` seems to be a rather simple solution for initramfs-based microcode loading.

Looks like `early_microcode = yes` in `/etc/dracut.conf.d/gentoo.conf` is enough.

Note about nVidia
NVIDIA is also affected: http://nvidia.custhelp.com/app/answers/detail/a_id/4611

cpuid command change
Consider changing the following command:

cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'

with:

cpuid -1 | awk '/processor serial number:/{split($4,c,"-");print c[1]c[2]}'
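As an added example (not from the wiki page or either poster), the same awk extraction wrapped in a function, plus a decode of the resulting signature into the family-model-stepping form used by intel-ucode file names; this decode step goes beyond the one-liner above, and the cpuid sample line is constructed:

```shell
#!/bin/sh
# Constructed sample of the relevant `cpuid -1` line (Haswell, signature 0x000306C3)
SAMPLE_CPUID='   processor serial number: 0003-06C3-0000-0000-0000-0000'

# Print the 8-hex-digit CPU signature from `cpuid -1` output read on stdin
# (same awk logic as the talk-page one-liner)
sig_from_cpuid() {
    awk '/processor serial number:/{split($4,c,"-"); print c[1]c[2]}'
}

# Decode a signature such as 000306C3 into "family-model-stepping" as
# two-digit lowercase hex (e.g. 06-3c-03), the naming used for the
# per-CPU files under intel-ucode/. Helper name is an assumption.
decode_sig() {
    sig=$((0x$1))
    stepping=$((sig & 0xF))
    model=$(((sig >> 4) & 0xF))
    base_family=$(((sig >> 8) & 0xF))
    ext_model=$(((sig >> 16) & 0xF))
    ext_family=$(((sig >> 20) & 0xFF))
    family=$base_family
    # The extended family field only counts when the base family is 0xF
    [ "$base_family" -eq 15 ] && family=$((base_family + ext_family))
    # The extended model field only counts for base family 0x6 or 0xF
    if [ "$base_family" -eq 6 ] || [ "$base_family" -eq 15 ]; then
        model=$((model + (ext_model << 4)))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# Demonstration on the constructed sample; prints "000306C3 06-3c-03"
sig=$(printf '%s\n' "$SAMPLE_CPUID" | sig_from_cpuid)
printf '%s %s\n' "$sig" "$(decode_sig "$sig")"
```

Replace the sample with real `cpuid -1` output to get the signature to look up in the microcode tables discussed on this page (e.g. 00040651 decodes to 06-45-01).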

2.1.3 sys-firmware/intel-microcode
There's an update from Intel (https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214). There are more processors listed there than on this wiki page. Is this list obsolete, and should it be updated?

CVE-2017-5715
Apparently CVE-2017-5715 is NOT fixed in the listed kernels (at least not 4.14.13). The page should clarify this. Ideally the kernel config option for mitigating Meltdown should be documented as well. --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Chromium/Chrome
AFAIK, chrome://flags/#enable-site-per-process should be turned on in Chromium/Chrome to mitigate some form of Spectre. I suggest documenting this (and any other mitigations needed). --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Tuning security options
It seems RHEL docs suggest different kernel boot options for Spectre mitigations: https://access.redhat.com/articles/3311301 --Pacho (talk) 09:04, 15 January 2018 (UTC)


 * RHEL uses a different kernel. Gentoo-sources doesn't even support mitigating Spectre yet... :/ --Luke-jr (talk) 09:32, 15 January 2018 (UTC)

Checking whether a system is vulnerable
It would be useful if this page added instructions for checking whether a system is vulnerable, as mentioned by Greg Kroah-Hartman: http://kroah.com/log/blog/2018/01/19/meltdown-status-2/ --BT (talk) 04:48, 21 January 2018 (UTC)

Error in AMD microcode section
The section related to fixing AMD microcode (sys-kernel/linux-firmware) links to the wiki page on Intel microcode, not the one on AMD microcode. The Intel page is correctly referenced in the next section. Could someone with the relevant permissions please fix this?

intel-microcode
Haswell ULT (00040651) has newer microcode in "production status" according to this table: 0x23 https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf --Pauledd (talk) 16:15, 12 March 2018 (UTC)

mark outdated
We should probably mark this article as outdated, since it does not cover Spectre mitigation. It is missing any information about Retpoline, IBPB, IBRS, IBRS_FW, User Pointer Sanitization and the kernel / FW / GCC versions required to use them. --Tillschaefer (talk) 14:02, 16 March 2018 (UTC)