Project Talk:Security/Vulnerabilities/Meltdown and Spectre

From Gentoo Wiki
Jump to:navigation Jump to:search
Note
Before creating a discussion or leaving a comment, please read about using talk pages. To create a new discussion, click here. Comments on an existing discussion should be signed using ~~~~:
A comment [[User:Larry|Larry]] 13:52, 13 May 2024 (UTC)
: A reply [[User:Sally|Sally]] 10:36, 6 October 2024 (UTC)
:: Your reply ~~~~

Introduce dracut initramfs

Talk status
This discussion is still ongoing.

`dracut` seems to be a rather simple solution for initramfs-based microcode loading.

Looks like `early_microcode = yes` in `/etc/dracut.conf.d/gentoo.conf` is enough.

— The preceding unsigned comment was added by Lkraav (talkcontribs) 11:33, 6 January 2018‎

Note about nVidia

Talk status
This discussion is still ongoing.

NVIDIA is also affected: http://nvidia.custhelp.com/app/answers/detail/a_id/4611

— The preceding unsigned comment was added by PrSo (talkcontribs) 07:06, 7 January 2018

cpuid command change

Talk status
This discussion is still ongoing.

Consider changing the following command:

  cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'

with:

  cpuid -1 |awk '/processor serial number:/{split($4,c,"-");print c[1]c[2]}'

— The preceding unsigned comment was added by Teknoraver (talkcontribs) 13:11, 9 January 2018‎

2.1.3 sys-firmware/intel-microcode

Talk status
This discussion is still ongoing.

there's an update from intel (https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214). There are more processors listed as in this wikipage. Is this list obsolete and should be updated?

— The preceding unsigned comment was added by Butzel (talkcontribs) 14:45, 10 January 2018

CVE-2017-5715

Talk status
This discussion is still ongoing.

Apparently CVE-2017-5715 is NOT fixed in the listed kernels (at least not 4.14.13). The page should clarify this. Ideally the kernel config option for mitigating Meltdown should be documented as well. --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Chromium/Chrome

Talk status
This discussion is still ongoing.

AFAIK, chrome://flags/#enable-site-per-process should be turned on in Chromium/Chrome to mitigate some form of Spectre. I suggest documenting this (and any other mitigations needed). --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Tuning security options

Talk status
This discussion is still ongoing.

It seems RHEL docs suggest different kernel boot options for Spectre mitigations: https://access.redhat.com/articles/3311301 --Pacho (talk) 09:04, 15 January 2018 (UTC)

  • RHEL uses a different kernel. Gentoo-sources doesn't even support mitigating Spectre yet... :/ --Luke-jr (talk) 09:32, 15 January 2018 (UTC)

Checking whether a system is vulnerable

Talk status
This discussion is done.

It would be useful if this page added instructions for checking whether a system is vulnerable, as mentioned by Greg Kroah-Hartman: http://kroah.com/log/blog/2018/01/19/meltdown-status-2/ --BT (talk) 04:48, 21 January 2018 (UTC)

Error in AMD microcode section

Talk status
This discussion is still ongoing.

The section related to fixing AMD microcode (sys-kernel/linux-firmware) links to the Wiki page on Intel microcode, not the one on AMD microcode. The Intel page is the correctly referenced in the next section. Could someone with the relevant permissions please fix this.

— The preceding unsigned comment was added by HuskyDog (talkcontribs) 17:13, 6 February 2018‎

intel-microcode

Talk status
This discussion is still ongoing.

Haswell ULT (00040651) has newer microcode in "production status" according to this table: 0x23 https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf --Pauledd (talk) 16:15, 12 March 2018 (UTC)

mark outdated

Talk status
This discussion is still ongoing.

We should probably mark this article as outdated, since it does not cover Spectre mitigation. I is missing any information about Retpoline, IBPB, IBRS, IBRS_FW, User Pointer Sanitization and the Kernel / FW / GCC versions required to use them.--Tillschaefer (talk) 14:02, 16 March 2018 (UTC)