| irgendwer4711 | how to compile a meltdown/spectre secure kernel? I took config of 4.4.0-112-generic and compiled myself. this kernel is not like the stock kernel 4.4.0-112-generic. why? | 11:57 |
|---|---|---|
| smeso | what you mean by "not like"? | 11:58 |
| smeso | are you sure you got the right sources and the right config files? | 12:00 |
| irgendwer4711 | I took the latest source | 12:00 |
| smeso | how? | 12:00 |
| irgendwer4711 | apt get: 4.4.0.112.118 | 12:00 |
| tomreyn | $ apt get: 4.4.0.112.118 | 12:01 |
| tomreyn | E: Invalid operation get: | 12:01 |
| tomreyn | i doubt that's the command oyu ran | 12:01 |
| irgendwer4711 | funny | 12:01 |
| irgendwer4711 | linux-source_4.4.0.112.118_all.deb | 12:02 |
| tomreyn | that's the file name of a package. did you create this yourself, did you download it (where)? what did you do with it? what happened and what did you expect to happen instead? | 12:04 |
| tomreyn | without more context, it will be impossible to assist you | 12:04 |
| irgendwer4711 | its a ubuntu package | 12:04 |
| irgendwer4711 | its the stock kernel sources für Ubuntu lts 16.04 | 12:06 |
| smeso | I'll assume that you installer it via `apt-get install linux-source`, then what did you do? | 12:06 |
| smeso | s/installer/installed/ | 12:06 |
| Nafallo | perhaps https://help.ubuntu.com/community/Kernel/Compile will help | 12:07 |
| Nafallo | not sure if that's updated, but otherwise check out the kernel-team's pages on help and the wiki. | 12:07 |
| irgendwer4711 | smeso: compiled it with stock config config-4.4.0-112-generic | 12:08 |
| tomreyn | https://packages.ubuntu.com/xenial/linux-source is a meta package, does not contain kernel sources | 12:08 |
| smeso | irgendwer4711: we need details | 12:09 |
| === himcesjf_ is now known as him-cesjf | ||
| irgendwer4711 | which details? you dont know how to compile a kernel??? | 12:09 |
| smeso | I do, but apparently you don't | 12:09 |
| smeso | we need details to understand what you missed | 12:10 |
| irgendwer4711 | sure I do. | 12:10 |
| smeso | OK | 12:10 |
| smeso | so what's the problem? | 12:10 |
| irgendwer4711 | the spectre/meltdown protection is missing | 12:10 |
| smeso | *if* that's true it means that you did something wrong | 12:11 |
| irgendwer4711 | only Page Table Isolation is active | 12:11 |
| irgendwer4711 | I did this: /spectre-meltdown-checker.sh --kernel /usr/src/linux-source-4.4.0/linux-source-4.4.0/arch/x86/boot/bzImage --config /usr/src/linux-source-4.4.0/linux-source-4.4.0/.config --map /usr/src/linux-source-4.4.0/linux-source-4.4.0/System.map | 12:12 |
| smeso | I doubt that can have PTI on a 4.4.0 | 12:13 |
| Nafallo | https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown ← updated information about this, updated last Friday | 12:13 |
| irgendwer4711 | so I should have protection for all 3 variants.... | 12:14 |
| smeso | no | 12:15 |
| smeso | (assuming that you are on x86_64) | 12:16 |
| irgendwer4711 | you didnt read the status table? | 12:16 |
| Nafallo | all mitigations haven't landed upstreams yet, have they? we still need new microcode updates. | 12:17 |
| irgendwer4711 | I have an amd cpu | 12:17 |
| smeso | irgendwer4711: Did you? | 12:17 |
| Nafallo | but I believe what can be done for the kernel has been done :-) | 12:17 |
| smeso | so why you care about meltdown? | 12:17 |
| irgendwer4711 | I summed it up | 12:17 |
| irgendwer4711 | and I told, that PTI is active | 12:18 |
| smeso | and you are wrong again | 12:18 |
| smeso | there is no PTI in 4.4.0 | 12:18 |
| smeso | KAISER != PTI | 12:19 |
| irgendwer4711 | * Kernel supports Page Table Isolation (PTI): YES | 12:19 |
| smeso | I give up | 12:19 |
| irgendwer4711 | read the table! | 12:20 |
| irgendwer4711 | 4.4 M=Y | 12:20 |
| smeso | 4.4 has KAISER, which is a (not so good) mitigation for metldown | 12:21 |
| smeso | PTI is only on newer kernels | 12:21 |
| irgendwer4711 | smeso: nevermind, I have an AMD CPU | 12:22 |
| irgendwer4711 | my model is not vulnerable | 12:22 |
| irgendwer4711 | so now I need something against Spectre 1 and 2 | 12:23 |
| smeso | for 2 you have to wait a working microcode update | 12:23 |
| smeso | 1 should be there already | 12:24 |
| irgendwer4711 | script said for stock kernel: Kernel is compiled with IBRS/IBPB support | 12:25 |
| Nafallo | irgendwer4711: read the USN for your kernel listed on the link I sent you. especially the bottom part :-) | 12:29 |
| irgendwer4711 | which part? | 12:30 |
| Nafallo | irgendwer4711: the one that mentions IBRS/IBPB waiting for microcode... | 12:31 |
| irgendwer4711 | I know that part. | 12:32 |
| irgendwer4711 | I cant check this yet, because I am running a different kernel. | 12:33 |
| irgendwer4711 | BUT my compiled kernel is missing "Kernel is compiled with IBRS/IBPB support" and the stock one has support! | 12:34 |
| === mamarley is now known as Guest11558 | ||
| === mamarley_ is now known as mamarley | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!