Debian Sid: Linux 4.15, Meltdown and Spectre vulnerabilities

Debian Sid has received kernel version 4.15 as an update:

– Version 4.15.0-1-amd64 in Debian's numbering

– Version 4.15.4-1 in upstream's numbering

I wanted to check whether it was still vulnerable to the Spectre and Meltdown flaws (as a reminder, my processor is an Intel) or whether, on the contrary, the problem is fixed.

I installed the spectre-meltdown-checker package (note that it is available both for Stretch and for Buster, the current testing):

$ sudo aptitude install spectre-meltdown-checker

I run it with the command:

$ spectre-meltdown-checker

The contents of the terminal capture:

$ spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.35

Note that you should launch this script with root privileges to get accurate information.
We'll proceed but you might see permission denied errors.
To run it as root, you can try the following command: sudo /usr/bin/spectre-meltdown-checker

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-1-amd64 #1 SMP Debian 4.15.4-1 (2018-02-18) x86_64
CPU is Intel(R) Pentium(R) CPU J2900 @ 2.41GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* CPU indicates IBRS capability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* CPU indicates IBPB capability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* CPU indicates STIBP capability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: UNKNOWN (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: UNKNOWN
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): UNKNOWN
* CPU microcode is known to cause stability problems: NO (model 55 stepping 8 ucode 0x811)
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer


Well, that looks good to me.

I have not noticed any real change in performance, perhaps because I run a "light" setup.
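The "Mitigated according to the /sys interface" lines in the capture come from the kernel's own sysfs directory /sys/devices/system/cpu/vulnerabilities (present since Linux 4.15), with one file per issue that reads "Not affected", "Mitigation: <name>" or "Vulnerable[: <detail>]". The following POSIX shell script is an added example, not code from this post or from the spectre-meltdown-checker project: it reads that directory directly, so the tool's verdict can be cross-checked without root and without the MSR/cpuid access the checker complained about above. The directory path is an assumption (overridable through VULN_DIR), and the sample directory it builds is constructed to mirror the three statuses in the capture, not captured from a machine.

```shell
#!/bin/sh
# Added example: read the kernel sysfs vulnerability interface and summarise it.
# Assumption: VULN_DIR holds one file per vulnerability, as
# /sys/devices/system/cpu/vulnerabilities does on Linux >= 4.15.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one sysfs line to a one-word verdict.
classify() {
  case "$1" in
    "Not affected")  echo NOT_AFFECTED ;;
    Mitigation:*)    echo MITIGATED ;;
    Vulnerable*)     echo VULNERABLE ;;   # plain "Vulnerable" or "Vulnerable: <detail>"
    *)               echo UNKNOWN ;;
  esac
}

# Print "<name> <verdict> <raw line>" for every entry in the directory.
# Returns 1 if any entry is VULNERABLE, 2 if the interface is missing
# (kernel older than 4.15 or sysfs not mounted), 0 otherwise.
report_vulnerabilities() {
  dir="${1:-$VULN_DIR}"
  [ -d "$dir" ] || { echo "no sysfs vulnerability interface in $dir" >&2; return 2; }
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    line=$(cat "$f")
    verdict=$(classify "$line")
    [ "$verdict" = VULNERABLE ] && rc=1
    printf '%-16s %-12s %s\n' "$name" "$verdict" "$line"
  done
  return $rc
}

# Constructed sample (not a real capture) mirroring the blog's 4.15.0-1-amd64
# results; creates a temporary directory and prints its path.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Mitigation: Full generic retpoline\n'      > "$d/spectre_v2"
  printf 'Mitigation: PTI\n'                          > "$d/meltdown"
  echo "$d"
}

# Usage: report on the live kernel, or on the sample when sysfs is unavailable.
if [ -d "$VULN_DIR" ]; then
  report_vulnerabilities "$VULN_DIR" || echo "at least one VULNERABLE entry (status $?)"
else
  sample=$(make_sample_dir)
  report_vulnerabilities "$sample"
  rm -rf "$sample"
fi
```

The script deliberately stays on the kernel side of the picture: a sysfs "Mitigation:" line means the kernel believes its own mitigation is active, while the checker's hardware section (microcode, IBRS/IBPB/STIBP) needs /dev/cpu/*/msr and /dev/cpu/*/cpuid and therefore root, which is why those rows showed UNKNOWN above. Newer kernels add further files to the same directory, and the loop reports them without any change.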
