[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).
Seth Arnold
seth.arnold at canonical.com
Thu Feb 1 22:00:03 UTC 2018
Hello Daniel,
On Thu, Feb 01, 2018 at 03:02:54PM +0000, daniel curtis wrote:
> What do you think: should I install e.g. 'intel-microcode' package? I've
> never done this, because there never were any issues with computer, processor
> etc. And I don't see my microcode value (vide '/proc/cpuinfo') in
> 'intel-microcode' package changelogs.
This is hard to answer. Intel doesn't document their microcode updates.
Even the recent announcements to stop distributing the recent updates
are more than we're accustomed to getting from Intel.
So perhaps the intel-microcode package has updates for your CPU,
perhaps not; the easiest way to find out is to install it and see if
new microcode is installed when rebooting. There's basically no way of
knowing what has changed if there is an update for your CPU. There's no
way to know if Intel will release updates for your CPU in the future,
nor what they might hypothetically address.
I've installed the package for years, on the grounds that Intel went to
the effort, and probably the end result is worth the trouble. But I wish I
knew what the changes are.
> >> 32-bit x86 might not receive mitigations for Meltdown.
> >> Our friends at SUSE (...)
>
> So, we have to wait and see what will happen in the future, right? And if
> everything will be okay and wide testing shows that it's worth doing
> an update for x86_32, then we (I mean users etc.) can expect an update,
> mitigations also for Meltdown?
>
> Let's summarize: there is a chance, that mitigations for Meltdown attack
> will not be available for 32-bit x86 architecture, but Spectre variant will
> be fixed? Am I right? (Maybe a better solution is to install a 64-bit
> variant? But, in my case, it's a testing machine with 1. GB of RAM memory
> only and I'm afraid, that there will be problems etc.)
I'm not sure what level of support we have for 32-bit userland and a
64-bit kernel. I know that 32 bit packages *can* work, but I don't know if
you have to install with a 64 bit userland first and then install the
32-bit compatibility packages, or if you could just upgrade the kernel in
isolation.
Certainly a full 64-bit system is safer and easier.
> By the way: You're so lucky, that your laptop shows "Kernel/User page
> tables isolation: enabled" information :- )
I'll certainly feel better once I've got the Spectre mitigations, too.
Thanks
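Seth's suggestion above is to install the package and then see whether new microcode is loaded after the reboot. The script below is an added example, not something from this thread or from the intel-microcode package: it saves the microcode revision that /proc/cpuinfo reports as a baseline, compares against it on later runs, and prints the kernel's own Meltdown/Spectre status from sysfs. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (4.15 or a distro backport); the baseline file path is a made-up default.

```shell
#!/bin/sh
# Added example, not from the thread: compare the microcode revision reported by
# /proc/cpuinfo with a baseline saved before installing intel-microcode, and print
# the kernel's Meltdown/Spectre status from sysfs (needs a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities). The baseline path is a made-up default.
BASELINE="${BASELINE:-$HOME/.microcode-baseline}"
# Constructed sample of the /proc/cpuinfo lines that matter (two cores, same revision).
SAMPLE_CPUINFO='processor : 0
microcode : 0x1e
processor : 1
microcode : 0x1e'
# Print the distinct microcode revision(s) in cpuinfo text read from stdin.
# One value is expected; two means at least one core did not get the update.
microcode_revisions() {
    awk '/^microcode/ { print $NF }' | sort -u
}

# Classify the current revision against the saved one:
# prints "no-baseline", "unchanged" or "changed".
compare_with_baseline() {
    if [ -z "$2" ]; then echo no-baseline
    elif [ "$1" = "$2" ]; then echo unchanged
    else echo changed
    fi
}

# Print "<vuln>: <status>" for each file in the sysfs vulnerabilities directory,
# e.g. "meltdown: Mitigation: PTI" once page-table isolation is active.
mitigation_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir (kernel predates the vulnerabilities sysfs interface)"
        return 0
    fi
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}
main() {
    current=$(microcode_revisions < /proc/cpuinfo)
    saved=""; [ -f "$BASELINE" ] && saved=$(cat "$BASELINE")
    state=$(compare_with_baseline "$current" "$saved")
    echo "microcode $state: baseline='$saved' current='$current'"
    [ "$state" = no-baseline ] && printf '%s\n' "$current" > "$BASELINE"
    mitigation_status
}
# Run the live check only when invoked as: sh microcode-check.sh check
case "${1:-}" in check) main ;; esac
```

Run it once with `check` before installing intel-microcode to record the baseline, and again after the reboot; a "changed" result means the package carried a newer revision for this CPU.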