[11:57] <irgendwer4711> how to compile a meltdown/spectre secure kernel? I took the config of 4.4.0-112-generic and compiled it myself. this kernel is not like the stock kernel 4.4.0-112-generic. why?
[11:58] <smeso> what do you mean by "not like"?
[12:00] <smeso> are you sure you got the right sources and the right config files?
[12:00] <irgendwer4711> I took the latest source
[12:00] <smeso> how?
[12:00] <irgendwer4711> apt get: 4.4.0.112.118 
[12:01] <tomreyn> $ apt get: 4.4.0.112.118 
[12:01] <tomreyn> E: Invalid operation get:
[12:01] <tomreyn> i doubt that's the command you ran
[12:01] <irgendwer4711> funny
[12:02] <irgendwer4711> linux-source_4.4.0.112.118_all.deb
[12:04] <tomreyn> that's the file name of a package. did you create this yourself, did you download it (where)? what did you do with it? what happened and what did you expect to happen instead?
[12:04] <tomreyn> without more context, it will be impossible to assist you
[12:04] <irgendwer4711> it's an ubuntu package
[12:06] <irgendwer4711> it's the stock kernel sources for Ubuntu LTS 16.04
[12:06] <smeso> I'll assume that you installer it via `apt-get install linux-source`, then what did you do?
[12:06] <smeso> s/installer/installed/
[12:07] <Nafallo> perhaps https://help.ubuntu.com/community/Kernel/Compile will help
[12:07] <Nafallo> not sure if that's updated, but otherwise check out the kernel-team's pages on help and the wiki.
[12:08] <irgendwer4711> smeso: compiled it with stock config config-4.4.0-112-generic
[12:08] <tomreyn> https://packages.ubuntu.com/xenial/linux-source is a meta package, does not contain kernel sources
[12:09] <smeso> irgendwer4711: we need details
[12:09] <irgendwer4711> which details? you don't know how to compile a kernel???
[12:09] <smeso> I do, but apparently you don't
[12:10] <smeso> we need details to understand what you missed
[12:10] <irgendwer4711> sure I do.
[12:10] <smeso> OK
[12:10] <smeso> so what's the problem?
[12:10] <irgendwer4711> the spectre/meltdown protection is missing
[12:11] <smeso> *if* that's true it means that you did something wrong
[12:11] <irgendwer4711> only Page Table Isolation is active
[12:12] <irgendwer4711> I did this: /spectre-meltdown-checker.sh --kernel /usr/src/linux-source-4.4.0/linux-source-4.4.0/arch/x86/boot/bzImage --config /usr/src/linux-source-4.4.0/linux-source-4.4.0/.config --map /usr/src/linux-source-4.4.0/linux-source-4.4.0/System.map
[12:13] <smeso> I doubt you can have PTI on a 4.4.0
[12:13] <Nafallo> https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown ← updated information about this, updated last Friday
[12:14] <irgendwer4711> so I should have protection for all 3 variants....
[12:15] <smeso> no
[12:16] <smeso> (assuming that you are on x86_64)
[12:16] <irgendwer4711> you didn't read the status table?
[12:17] <Nafallo> all mitigations haven't landed upstreams yet, have they? we still need new microcode updates.
[12:17] <irgendwer4711> I have an amd cpu
[12:17] <smeso> irgendwer4711: Did you?
[12:17] <Nafallo> but I believe what can be done for the kernel has been done :-)
[12:17] <smeso> so why do you care about meltdown?
[12:17] <irgendwer4711> I summed it up
[12:18] <irgendwer4711> and I told you that PTI is active
[12:18] <smeso> and you are wrong again
[12:18] <smeso> there is no PTI in 4.4.0
[12:19] <smeso> KAISER != PTI
[12:19] <irgendwer4711> * Kernel supports Page Table Isolation (PTI):  YES
[12:19] <smeso> I give up
[12:20] <irgendwer4711> read the table!
[12:20] <irgendwer4711> 4.4   M=Y
[12:21] <smeso> 4.4 has KAISER, which is a (not so good) mitigation for meltdown
[12:21] <smeso> PTI is only on newer kernels
[12:22] <irgendwer4711> smeso: nevermind, I have an AMD CPU
[12:22] <irgendwer4711> my model is not vulnerable
[12:23] <irgendwer4711> so now I need something against Spectre 1 and 2
[12:23] <smeso> for 2 you have to wait for a working microcode update
[12:24] <smeso> 1 should be there already
[12:25] <irgendwer4711> script said for stock kernel: Kernel is compiled with IBRS/IBPB support
[12:29] <Nafallo> irgendwer4711: read the USN for your kernel listed on the link I sent you. especially the bottom part :-)
[12:30] <irgendwer4711> which part?
[12:31] <Nafallo> irgendwer4711: the one that mentions IBRS/IBPB waiting for microcode...
[12:32] <irgendwer4711> I know that part.
[12:33] <irgendwer4711> I can't check this yet, because I am running a different kernel.
[12:34] <irgendwer4711> BUT my compiled kernel is missing "Kernel is compiled with IBRS/IBPB support" and the stock one has support!