* [gentoo-user] Vulnerability info in /sys
@ 2018-02-13  3:24 Daniel Frey
  2018-02-13  3:39 ` [gentoo-user] " Ian Zimmerman
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Frey @ 2018-02-13  3:24 UTC
  To: gentoo-user

I've read online that there should be vulnerability info (Meltdown,
Spectre) in /sys under /sys/devices/system/cpu/vulnerabilities but this
doesn't exist on my PC.

Another place is in /proc/cpuinfo, no info on meltdown/spectre in there
either.

Yet another place is in dmesg, (grep 'page tables isolation') nothing
there either.

I've updated to gentoo-sources-4.9.76-r1, shouldn't this info be present?

$ uname -a
Linux zatpc 4.9.76-gentoo-r1 #1 SMP Mon Feb 12 09:20:32 PST 2018 x86_64
Intel(R) Core(TM)2 Extreme CPU X9650 @ 3.00GHz GenuineIntel GNU/Linux

$ zgrep PAGE_TABLE_ISO /proc/config.gz
CONFIG_PAGE_TABLE_ISOLATION=y

Or does the page table isolation need to be explicitly turned on?

Dan



* [gentoo-user] Re: Vulnerability info in /sys
  2018-02-13  3:24 [gentoo-user] Vulnerability info in /sys Daniel Frey
@ 2018-02-13  3:39 ` Ian Zimmerman
  2018-02-14  2:38   ` Daniel Frey
  0 siblings, 1 reply; 7+ messages in thread
From: Ian Zimmerman @ 2018-02-13  3:39 UTC
  To: gentoo-user

On 2018-02-12 19:24, Daniel Frey wrote:

> I've read online that there should be vulnerability info (Meltdown,
> Spectre) in /sys under /sys/devices/system/cpu/vulnerabilities but this
> doesn't exist on my PC.

> I've updated to gentoo-sources-4.9.76-r1, shouldn't this info be present?
> 
> $ uname -a
> Linux zatpc 4.9.76-gentoo-r1 #1 SMP Mon Feb 12 09:20:32 PST 2018 x86_64
> Intel(R) Core(TM)2 Extreme CPU X9650 @ 3.00GHz GenuineIntel GNU/Linux

See the other threads: you need at least 4.9.79 for the /sys bits.

If you've enabled PTI at build time it's enabled, no need to do anything
else.

Later 4.9 kernels also contain patches for spectre (PTI is not relevant
there).

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.
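
A check that covers both cases discussed in this thread (a kernel that exposes /sys/devices/system/cpu/vulnerabilities and one that does not), given as an added example that is not part of any poster's message. The function name `mitigation_report` and its optional root-prefix argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. The optional ROOT argument is an
# assumption of this example: it prefixes every path so the check can be
# exercised against a constructed directory tree instead of the live system.

mitigation_report() {
    root="${1:-}"
    vdir="$root/sys/devices/system/cpu/vulnerabilities"

    # Preferred source: one file per issue, each holding a one-line status.
    if [ -d "$vdir" ]; then
        for f in "$vdir"/*; do
            [ -f "$f" ] || continue
            printf 'sysfs %s: %s\n' "${f##*/}" "$(cat "$f")"
        done
        return 0
    fi
    echo "sysfs: $vdir not present on this kernel"

    # Fallback 1: the "bugs" line of /proc/cpuinfo (empty or absent on
    # kernels that do not report these issues there).
    bugs=$(sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' "$root/proc/cpuinfo" \
        2>/dev/null | head -n 1)
    echo "cpuinfo bugs: ${bugs:-none listed}"

    # Fallback 2: the build-time option, as checked with zgrep in the thread.
    if gzip -dc "$root/proc/config.gz" 2>/dev/null |
        grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y'; then
        echo "config: CONFIG_PAGE_TABLE_ISOLATION=y"
    else
        echo "config: CONFIG_PAGE_TABLE_ISOLATION=y not found"
    fi

    # Fallback 3 (live system only): the boot-log string grepped in the thread.
    if [ -z "$root" ]; then
        dmesg 2>/dev/null | grep -i 'page tables isolation' ||
            echo "dmesg: no 'page tables isolation' line"
    fi
    return 1   # status came from fallbacks, not from sysfs
}
```

Run `mitigation_report` with no argument to inspect the running system; a return status of 1 means the report was assembled from the fallbacks rather than from sysfs.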



* Re: [gentoo-user] Re: Vulnerability info in /sys
  2018-02-13  3:39 ` [gentoo-user] " Ian Zimmerman
@ 2018-02-14  2:38   ` Daniel Frey
  2018-02-14  3:19     ` Ian Zimmerman
  2018-02-14 17:29     ` Nikos Chantziaras
  0 siblings, 2 replies; 7+ messages in thread
From: Daniel Frey @ 2018-02-14  2:38 UTC
  To: gentoo-user

On 02/12/18 19:39, Ian Zimmerman wrote:
> On 2018-02-12 19:24, Daniel Frey wrote:
> 
>> I've read online that there should be vulnerability info (Meltdown,
>> Spectre) in /sys under /sys/devices/system/cpu/vulnerabilities but this
>> doesn't exist on my PC.
> 
>> I've updated to gentoo-sources-4.9.76-r1, shouldn't this info be present?
>>
>> $ uname -a
>> Linux zatpc 4.9.76-gentoo-r1 #1 SMP Mon Feb 12 09:20:32 PST 2018 x86_64
>> Intel(R) Core(TM)2 Extreme CPU X9650 @ 3.00GHz GenuineIntel GNU/Linux
> 
> See the other threads: you need at least 4.9.79 for the /sys bits.
> 
> If you've enabled PTI at build time it's enabled, no need to do anything
> else.
> 
> Later 4.9 kernels also contain patches for spectre (PTI is not relevant
> there).
> 

I'm surprised I missed those threads, I read all messages on here.
According to the thread I found it actually starts on 4.9.77, I'm just
on the latest stable (.76).

Dan



* [gentoo-user] Re: Vulnerability info in /sys
  2018-02-14  2:38   ` Daniel Frey
@ 2018-02-14  3:19     ` Ian Zimmerman
  2018-02-14 17:29     ` Nikos Chantziaras
  1 sibling, 0 replies; 7+ messages in thread
From: Ian Zimmerman @ 2018-02-14  3:19 UTC
  To: gentoo-user

On 2018-02-13 18:38, Daniel Frey wrote:

> > See the other threads: you need at least 4.9.79 for the /sys bits.

> I'm surprised I missed those threads, I read all messages on here.
> According to the thread I found it actually starts on 4.9.77, I'm
> just on the latest stable (.76).

You're probably right; it just so happened that I archived my
gentoo-user mailbox between then and now, so I can't easily read those
messages, I just remember they exist.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for the domain.



* [gentoo-user] Re: Vulnerability info in /sys
  2018-02-14  2:38   ` Daniel Frey
  2018-02-14  3:19     ` Ian Zimmerman
@ 2018-02-14 17:29     ` Nikos Chantziaras
  2018-02-15  0:57       ` Daniel Frey
  1 sibling, 1 reply; 7+ messages in thread
From: Nikos Chantziaras @ 2018-02-14 17:29 UTC
  To: gentoo-user

On 14/02/18 04:38, Daniel Frey wrote:
> On 02/12/18 19:39, Ian Zimmerman wrote:
>> On 2018-02-12 19:24, Daniel Frey wrote:
>>
>>> I've read online that there should be vulnerability info (Meltdown,
>>> Spectre) in /sys under /sys/devices/system/cpu/vulnerabilities but this
>>> doesn't exist on my PC.
>>> [...]
>>
>> See the other threads: you need at least 4.9.79 for the /sys bits.
>> [...]
> 
> I'm surprised I missed those threads, I read all messages on here.
> According to the thread I found it actually starts on 4.9.77, I'm just
> on the latest stable (.76).

During "special emergencies" like this one, it would be a good idea to 
use the latest 4.9.x, regardless of whether portage marked it "stable" 
or not. At least for a while and until the situation has settled down again.




* Re: [gentoo-user] Re: Vulnerability info in /sys
  2018-02-14 17:29     ` Nikos Chantziaras
@ 2018-02-15  0:57       ` Daniel Frey
  2018-02-15  1:22         ` Nikos Chantziaras
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel Frey @ 2018-02-15  0:57 UTC
  To: gentoo-user

On 02/14/18 09:29, Nikos Chantziaras wrote:
> On 14/02/18 04:38, Daniel Frey wrote:
>> On 02/12/18 19:39, Ian Zimmerman wrote:
>>> On 2018-02-12 19:24, Daniel Frey wrote:
>>>
>>>> I've read online that there should be vulnerability info (Meltdown,
>>>> Spectre) in /sys under /sys/devices/system/cpu/vulnerabilities but this
>>>> doesn't exist on my PC.
>>>> [...]
>>>
>>> See the other threads: you need at least 4.9.79 for the /sys bits.
>>> [...]
>>
>> I'm surprised I missed those threads, I read all messages on here.
>> According to the thread I found it actually starts on 4.9.77, I'm just
>> on the latest stable (.76).
> 
> During "special emergencies" like this one, it would be a good idea to
> use the latest 4.9.x, regardless of whether portage marked it "stable"
> or not. At least for a while and until the situation has settled down
> again.
> 
> 

Nah, I like stability over everything else. I recall lots of pain and
instability in January when everyone rushed to patch the flaws (both
Windows and Linux.)

These are my personal computers, not a work environment.

Dan



* [gentoo-user] Re: Vulnerability info in /sys
  2018-02-15  0:57       ` Daniel Frey
@ 2018-02-15  1:22         ` Nikos Chantziaras
  0 siblings, 0 replies; 7+ messages in thread
From: Nikos Chantziaras @ 2018-02-15  1:22 UTC
  To: gentoo-user

On 15/02/18 02:57, Daniel Frey wrote:
> On 02/14/18 09:29, Nikos Chantziaras wrote:
>> On 14/02/18 04:38, Daniel Frey wrote:
>>> On 02/12/18 19:39, Ian Zimmerman wrote:
>>>> On 2018-02-12 19:24, Daniel Frey wrote:
>>>>
>>>>> I've read online that there should be vulnerability info (Meltdown,
>>>>> Spectre) in /sys under /sys/devices/system/cpu/vulnerabilities but this
>>>>> doesn't exist on my PC.
>>>>> [...]
>>>>
>>>> See the other threads: you need at least 4.9.79 for the /sys bits.
>>>> [...]
>>>
>>> I'm surprised I missed those threads, I read all messages on here.
>>> According to the thread I found it actually starts on 4.9.77, I'm just
>>> on the latest stable (.76).
>>
>> During "special emergencies" like this one, it would be a good idea to
>> use the latest 4.9.x, regardless of whether portage marked it "stable"
>> or not. At least for a while and until the situation has settled down
>> again.
>>
>>
> 
> Nah, I like stability over everything else. I recall lots of pain and
> instability in January when everyone rushed to patch the flaws (both
> Windows and Linux.)
> 
> These are my personal computers, not a work environment.

Personal preference of course, but I prefer to risk some instability 
compared to risking having a bitcoin miner infesting my PC or some 
botnet worm.

That's just me though.


