Spectre & Meltdown Check on Debian and Ubuntu

rise

Work on patches and fixes against the Spectre & Meltdown threat, which has been on the agenda for a while, is still ongoing. With the new kernel and packages released for Debian Jessie and Stretch, you can scan your system for the Spectre & Meltdown vulnerabilities.

On Debian Jessie and Stretch, and on Ubuntu 18.04, you can install the package with the following command:
Code:
sudo apt install spectre-meltdown-checker

You can run it with the following command and see the scan result:
Code:
sudo spectre-meltdown-checker
Ubuntu – Details of package spectre-meltdown-checker in bionic
Debian -- Details of package spectre-meltdown-checker in stretch-backports
Question #663713 : Questions : Ubuntu
 

Halktan Biri

Nice work. Good write-up. :)
When I checked on the Windows side, my processor showed both the Spectre and the Meltdown vulnerability.
Let's see whether checking on Linux gives the same result.
By the way, my processor is an i5-2450m.
 

Finix

And what if we don't take precautions?
 

rise

Nice work. Good write-up. :)
When I checked on the Windows side, my processor showed both the Spectre and the Meltdown vulnerability.
Let's see whether checking on Linux gives the same result.
By the way, my processor is an i5-2450m.
On Ubuntu 18.04 it gives the following output:
Code:
rise@rise-Lenovo-ideapad-310-15IKB:~$ sudo spectre-meltdown-checker
[sudo] password for rise:
Spectre and Meltdown mitigation detection tool v0.33

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN
  * CPU microcode is known to cause stability problems:  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
rise@rise-Lenovo-ideapad-310-15IKB:~$

And what if we don't take precautions?

 

Halktan Biri

On Ubuntu 18.04 it gives the following output:
Scan result on Kubuntu 17.10:
Code:
Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-17-generic #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Checking count of LFENCE opcodes in kernel:  NO  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
* Running as a Xen PV DomU:  NO
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
 

ConfickerBelasi

Code:
spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.33

Note that you should launch this script with root privileges to get accurate information.
We'll proceed but you might see permission denied errors.
To run it as root, you can try the following command: sudo /usr/bin/spectre-meltdown-checker

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64
CPU is Intel(R) Pentium(R) D CPU 2.80GHz
/usr/bin/spectre-meltdown-checker: 1: /usr/bin/spectre-meltdown-checker: cannot open /boot/vmlinuz-4.13.0-32-generic: Permission denied
/usr/bin/spectre-meltdown-checker: 1: /usr/bin/spectre-meltdown-checker: cannot open /boot/vmlinuz-4.13.0-32-generic: Permission denied
/usr/bin/spectre-meltdown-checker: 1: /usr/bin/spectre-meltdown-checker: cannot open /boot/vmlinuz-4.13.0-32-generic: Permission denied
/usr/bin/spectre-meltdown-checker: 1: /usr/bin/spectre-meltdown-checker: cannot open /boot/vmlinuz-4.13.0-32-generic: Permission denied
/usr/bin/spectre-meltdown-checker: 1: /usr/bin/spectre-meltdown-checker: cannot open /boot/vmlinuz-4.13.0-32-generic: Permission denied
/usr/bin/spectre-meltdown-checker: 1: /usr/bin/spectre-meltdown-checker: cannot open /boot/vmlinuz-4.13.0-32-generic: Permission denied

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBRS capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBPB capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates STIBP capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN 
  * CPU microcode is known to cause stability problems:  NO 
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.13.0-32-generic))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO  (echo 1 > /proc/sys/kernel/ibrs_enabled)
    * IBRS enabled for User space:  NO  (echo 2 > /proc/sys/kernel/ibrs_enabled)
    * IBPB enabled:  NO  (echo 1 > /proc/sys/kernel/ibpb_enabled)
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  NO 
  * Retpoline enabled:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
So what?
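Added example, not from this thread and not part of the spectre-meltdown-checker project: a small POSIX shell script that reads the checker's output (the format shown in the posts above), prints one status line per CVE, and turns the result into an exit code suitable for a cron job or a fleet check. It also separates UNKNOWN from VULNERABLE, because a run without root privileges, as in the last post, yields UNKNOWN rather than a real answer. SAMPLE_OUTPUT is constructed from the thread's output format rather than captured from a machine, and the function names summarize_checker and checker_verdict are my own.

```shell
#!/bin/sh
# Summarise spectre-meltdown-checker output per CVE and turn it into an exit code.
# Usage after sourcing this file:  sudo spectre-meltdown-checker | checker_verdict
# SAMPLE_OUTPUT is constructed from the format seen in this thread; it is not a real run.

SAMPLE_OUTPUT="$(cat <<'EOF'
Spectre and Meltdown mitigation detection tool v0.33

Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Retpoline enabled:  NO
> STATUS:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.13.0-25-generic))

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
EOF
)"

# summarize_checker: reads checker output on stdin and prints one
# "<CVE id><TAB><STATUS>" line per CVE section, dropping the parenthesised reason.
summarize_checker() {
    awk '
        /^CVE-[0-9]+-[0-9]+/ { cve = $1; next }      # remember the current CVE heading
        /^> STATUS:/ {
            status = $0
            sub(/^> STATUS:[ \t]*/, "", status)     # strip the label
            sub(/[ \t]*\(.*$/, "", status)          # strip "(reason ...)"
            sub(/[ \t]+$/, "", status)              # strip trailing blanks
            print cve "\t" status
        }'
}

# checker_verdict: reads checker output on stdin. Exit 0 when every CVE is NOT VULNERABLE,
# 1 when any CVE is VULNERABLE, 2 when nothing is VULNERABLE but some result is UNKNOWN
# (which is what a run without root privileges produces, as the last post above shows).
checker_verdict() {
    summarize_checker | awk -F '\t' '
        $2 == "VULNERABLE" { vuln++ }
        $2 == "UNKNOWN"    { unknown++ }
        END {
            if (vuln > 0)    exit 1
            if (unknown > 0) exit 2
            exit 0
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_checker
printf '%s\n' "$SAMPLE_OUTPUT" | checker_verdict
case $? in
    0) echo "verdict: all listed CVEs mitigated" ;;
    1) echo "verdict: at least one CVE is VULNERABLE" ;;
    2) echo "verdict: no VULNERABLE result, but some UNKNOWN (run as root and re-check)" ;;
esac
```

The verdict deliberately treats UNKNOWN as a failure distinct from VULNERABLE: an automated check that reported "clean" on a non-root run would be exactly the false sense of security the tool warns about in its last line.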
 