[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).

daniel curtis sidetripping at gmail.com
Sun Feb 11 19:08:36 UTC 2018


Hello Seth.

I'm sorry for such a long time without an answer, but I'm so busy. You
have written that the easiest way to find out is to install it and
see if new microcode is installed when rebooting. Okay, but what about
the journalctl(1) command, which may be used to query the contents of the
systemd(1) journal etc.? I'm asking because it seems that some
microcode updates are available. Please see:

[~]$ journalctl -k | grep microcode
kernel: microcode: CPU0 sig=..., pf=..., revision=0xa07
kernel: microcode: CPU1 sig=..., pf=..., revision=0xa07
kernel: microcode: Microcode Update Driver: v2.01 <email at hidden>, Peter Oruba

NOTE: I've changed the "sig=" and "pf=" values to "...". So, what do you
think about this? Should I try to install the 'intel-microcode' package?
I'm sorry for such naive questions, but I'm totally confused about
all these "Meltdown & Spectre" things etc.

And if it's about mitigations and fixes for the i386/x86_32
architecture: it seems that developers are really working on this!
Just see:

http://lkml.iu.edu/hypermail/linux/kernel/1802.1/00925.html
http://lkml.iu.edu/hypermail/linux/kernel/1802.1/01801.html
http://lkml.iu.edu/hypermail/linux/kernel/1801.2/00974.html
http://lkml.iu.edu/hypermail/linux/kernel/1802.1/00915.html

Here are only a few messages. But something is happening! Seth, what
do you think: if everything works and is okay, is there a
chance to backport these patches to the 16.04 LTS release and the i386/x86_32
architecture? According to the SecurityTeam wiki about the "Spectre And
Meltdown" issues, only Spectre/Variant1/CVE-2017-5753 is fixed,
for now (16.04 LTS, i386 arch). I hope that it will change in the near
future... Go lkml! :-)

I'm very happy with this statement: "Tests so far: kernel boots in
qemu. Whole system boots on thinkpad T40p, vulnerabilities/meltdown says
mitigation: PTI.. so I guess it works." Fact, it's a Thinkpad, but... :-)
(see: http://lkml.iu.edu/hypermail/linux/kernel/1801.2/03742.html)

Do you think that installing a 64-bit kernel in a 32-bit system is a good
idea? It's not so hard to do this, right? But all 32-bit kernels will
be removed. Even the SecurityTeam wiki suggests: "moving to a 64-bit
kernel is the currently recommended mitigation." What is your opinion?
Should I wait for patches, mitigations etc. or install a 64-bit kernel?
Again, a naive question. Sorry. But, for now, I cannot install a clean,
fresh 64-bit system (I have only 1 GB of RAM and I'm afraid of
problems, system freezing and so on.)

Thanks Seth, best regards.
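The two checks discussed above (what microcode revision the kernel reports, and what the sysfs "vulnerabilities" files say about Meltdown/Spectre mitigations) can be scripted so the answer does not depend on reading the journal by eye. The script below is an added example written for this archived thread; it is not code from the original poster, from Seth, or from Ubuntu. The journal lines it parses are constructed to mirror the shape of the output quoted in the post (with "sig=" and "pf=" elided exactly as the poster did); the heuristic that an "updated" line in the kernel log indicates the OS (rather than the firmware) loaded the microcode is an assumption about kernel log wording and should be checked against the running kernel.

```shell
#!/bin/sh
# Added example, not part of the original ubuntu-hardened thread.
# Summarize the microcode revision the kernel reports and the sysfs
# mitigation status for the Meltdown/Spectre vulnerability files.

# Print one "CPUn=0x..." line per per-CPU microcode log line read from stdin.
microcode_revisions() {
    sed -n 's/.*microcode: \(CPU[0-9]*\) .*revision=\(0x[0-9a-fA-F]*\).*/\1=\2/p'
}

# Heuristic (assumption, not a documented interface): the Intel microcode
# driver logs a line containing "updated" when it applies a newer blob from
# /lib/firmware (e.g. from the intel-microcode package). If no such line is
# present, the revision shown most likely came from the BIOS/firmware.
# Returns 0 if an "updated" line is found on stdin, 1 otherwise.
microcode_loaded_by_os() {
    grep -q 'microcode: .*updated' && return 0
    return 1
}

# Print "name: status" for every file the kernel exposes under sysfs.
# Older kernels without the Meltdown/Spectre patches lack this directory,
# so its absence is itself useful information (return 1 in that case).
mitigation_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the mitigation reporting interface"
        return 1
    fi
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed sample journal lines (same shape as the post's journalctl output,
# with sig= and pf= elided). On a real system replace this with:
#   journalctl -k | grep microcode
SAMPLE_LOG='kernel: microcode: CPU0 sig=..., pf=..., revision=0xa07
kernel: microcode: CPU1 sig=..., pf=..., revision=0xa07
kernel: microcode: Microcode Update Driver: v2.01 <email at hidden>, Peter Oruba'

echo "Microcode revisions reported by the kernel:"
printf '%s\n' "$SAMPLE_LOG" | microcode_revisions

if printf '%s\n' "$SAMPLE_LOG" | microcode_loaded_by_os; then
    echo "An 'updated' line is present: the OS applied a microcode blob."
else
    echo "No 'updated' line: the revision shown probably came from firmware."
fi

echo "Mitigation status from sysfs:"
mitigation_status || :
```

Run it as `sh check-microcode.sh` on the machine in question, replacing the constructed SAMPLE_LOG with the real `journalctl -k | grep microcode` output. On the quoted log the script reports revision 0xa07 on both CPUs and no "updated" line, which is consistent with the poster's uncertainty: the kernel sees microcode, but nothing in those lines shows that the intel-microcode package supplied it.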
