Project Talk:Security/Vulnerabilities/Meltdown and Spectre

From Gentoo Wiki

Introduce dracut initramfs

Talk status
This discussion is still ongoing.

`dracut` seems to be a rather simple solution for initramfs-based microcode loading.

Looks like `early_microcode = yes` in `/etc/dracut.conf.d/gentoo.conf` is enough.

— The preceding unsigned comment was added by Lkraav (talk | contribs) 11:33, 6 January 2018

Note about nVidia

Talk status
This discussion is still ongoing.

NVIDIA is also affected: http://nvidia.custhelp.com/app/answers/detail/a_id/4611

— The preceding unsigned comment was added by PrSo (talk | contribs) 07:06, 7 January 2018

cpuid command change

Talk status
This discussion is still ongoing.

Consider changing the following command:

  cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'

with:

  cpuid -1 |awk '/processor serial number:/{split($4,c,"-");print c[1]c[2]}'

— The preceding unsigned comment was added by Teknoraver (talk | contribs) 13:11, 9 January 2018

2.1.3 sys-firmware/intel-microcode

Talk status
This discussion is still ongoing.

There's an update from Intel (https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214). There are more processors listed than on this wiki page. Is this list obsolete, and should it be updated?

— The preceding unsigned comment was added by Butzel (talk | contribs) 14:45, 10 January 2018

CVE-2017-5715

Talk status
This discussion is still ongoing.

Apparently CVE-2017-5715 is NOT fixed in the listed kernels (at least not 4.14.13). The page should clarify this. Ideally the kernel config option for mitigating Meltdown should be documented as well. --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Chromium/Chrome

Talk status
This discussion is still ongoing.

AFAIK, chrome://flags/#enable-site-per-process should be turned on in Chromium/Chrome to mitigate some form of Spectre. I suggest documenting this (and any other mitigations needed). --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Tuning security options

Talk status
This discussion is still ongoing.

It seems RHEL docs suggest different kernel boot options for Spectre mitigations: https://access.redhat.com/articles/3311301 --Pacho (talk) 09:04, 15 January 2018 (UTC)

  • RHEL uses a different kernel. Gentoo-sources doesn't even support mitigating Spectre yet... :/ --Luke-jr (talk) 09:32, 15 January 2018 (UTC)

Checking whether a system is vulnerable

Talk status
This discussion is done.

It would be useful if this page added instructions for checking whether a system is vulnerable, as mentioned by Greg Kroah-Hartman: http://kroah.com/log/blog/2018/01/19/meltdown-status-2/ --BT (talk) 04:48, 21 January 2018 (UTC)
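As an added example (not part of this talk page or the wiki article), a small POSIX sh script that reads the kernel's own verdict from the files under /sys/devices/system/cpu/vulnerabilities, which Linux 4.15 and later expose with one status line per issue. The directory is a parameter so the script can be pointed at a copy of those files; the classification of status strings into "mitigated" / "vulnerable" / "unknown" is this example's own assumption.

```shell
#!/bin/sh
# Added example: summarise Meltdown/Spectre status from the kernel's sysfs
# reporting interface. Not code from the Gentoo wiki page.
# Assumption: one file per issue (meltdown, spectre_v1, spectre_v2, ...),
# each holding a single status line such as "Mitigation: PTI" or "Vulnerable".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE -> prints mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo mitigated ;;   # hardware not affected: nothing to do
        "Mitigation:"*)  echo mitigated ;;   # kernel reports an active mitigation
        "Vulnerable"*)   echo vulnerable ;;  # includes "Vulnerable: <partial detail>"
        *)               echo unknown ;;     # unrecognised wording, inspect by hand
    esac
}

# report [DIR] -> prints "<issue> <class> <raw status>" per file.
# Exit status: 0 all mitigated, 1 at least one vulnerable, 2 interface missing
# (kernel older than 4.15, which cannot report and needs an upgrade regardless).
report() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the vulnerabilities interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        [ "$class" = vulnerable ] && rc=1
        printf '%-12s %-11s %s\n' "$(basename "$f")" "$class" "$status"
    done
    return $rc
}

# Stand-alone use: report on the running kernel.
[ -n "$VULN_SKIP_MAIN" ] || report
```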

Error in AMD microcode section

Talk status
This discussion is still ongoing.

The section related to fixing AMD microcode (sys-kernel/linux-firmware) links to the Wiki page on Intel microcode, not the one on AMD microcode. The Intel page is correctly referenced in the next section. Could someone with the relevant permissions please fix this?

— The preceding unsigned comment was added by HuskyDog (talk | contribs) 17:13, 6 February 2018

intel-microcode

Talk status
This discussion is still ongoing.

Haswell ULT (00040651) has newer microcode in "production status" according to this table: 0x23 https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf --Pauledd (talk) 16:15, 12 March 2018 (UTC)

mark outdated

Talk status
This discussion is still ongoing.

We should probably mark this article as outdated, since it does not cover Spectre mitigation. It is missing any information about Retpoline, IBPB, IBRS, IBRS_FW, User Pointer Sanitization and the Kernel / FW / GCC versions required to use them. --Tillschaefer (talk) 14:02, 16 March 2018 (UTC)