The officially official Devuan Forum!


#1 2018-01-06 09:42:20

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Meltdown and Spectre

Hi everyone!

Is the fix for Meltdown/Spectre already out for Devuan Jessie?

Thanks!


#2 2018-01-06 13:26:56

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Meltdown and Spectre

# apt-get update && apt-get upgrade

?

You can always grab the source and build a new kernel.

The "spectre" "fix" isn't so simple. I suggest reading at least the white papers at the sites set up for these.


#3 2018-01-06 13:45:17

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,323  

Re: Meltdown and Spectre

I don't think it's available in Jessie yet. It is in Ascii, but I had to do a dist-upgrade to get it...then again, I'm on AMD. :P

Perhaps this will shed more information?

https://www.debian.org/security/2018/dsa-4078


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned. ;)


#4 2018-01-06 16:03:28

onekk
Member
Registered: 2017-12-20
Posts: 10  

Re: Meltdown and Spectre

It seems that a dist-upgrade on ascii done yesterday pulls in 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

as I'm on Intel as reported by dmesg

CPU0: Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz (family: 0x6, model: 0x2a, stepping: 0x7)

Regards

Carlo D.


#5 2018-01-06 23:07:01

sgage
Member
Registered: 2016-12-01
Posts: 341  

Re: Meltdown and Spectre

onekk wrote:

It seems that a dist-upgrade on ascii done yesterday pulls in 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

as I'm on Intel as reported by dmesg

CPU0: Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz (family: 0x6, model: 0x2a, stepping: 0x7)

Regards

Carlo D.

I got the patched kernel yesterday with a plain-old apt update; apt upgrade - didn't need dist-upgrade.


#6 2018-01-06 23:55:20

MiyoLinux
Member
Registered: 2016-12-05
Posts: 1,323  

Re: Meltdown and Spectre

sgage wrote:

I got the patched kernel yesterday with a plain-old apt update; apt upgrade - didn't need dist-upgrade.

I will readily admit that I can't remember the difference between using apt vs. apt-get. Might oughta make a note-to-self for myself on that. :)

So...I wonder if that's the reason why you got it without dist-upgrade.

When I first ran a regular upgrade, I received one upgrade that was named eerily similar to the patched kernel. Without thinking, I thought, "There it is!" and went ahead and upgraded. About a minute later, it hit me...HEY!...that wasn't a kernel upgrade. :P

So...I did an apt-get dist-upgrade and then got the kernel.




#7 2018-01-07 20:59:28

greenjeans
Member
Registered: 2017-04-07
Posts: 541  

Re: Meltdown and Spectre

All AMD here for last dozen years, but I guess Spectre still applies...looks like it may be a difficult fix?


https://sourceforge.net/projects/vuu-do/
Vuu-do GNU/Linux, minimal Devuan-based openbox systems to build on, maximal versions if you prefer your linux fully-loaded.

Please donate to support Devuan and init freedom! https://devuan.org/os/donate


#8 2018-01-08 00:29:12

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  

Re: Meltdown and Spectre

MiyoLinux wrote:

I will readily admit that I can't remember the difference between using apt vs. apt-get. Might oughta make a note-to-self for myself on that. :)

Each distribution in Debian/Devuan has a filesystem chart and it is different from each other (we touched on this topic on the other conversation about ascii).  Dist-upgrade brings what the distribution prescribes of pkgs while apt upgrade just searches the repository you point it to, for newer versions of the pkgs already installed.

Somehow Debian managed to even trip its own packaging tools so even a plain apt upgrade from wheezy to Debian jessie would require systemd stuff to come in (as dependencies of depended pkgs).  Apt upgrade from wheezy to Devuan jessie (or ascii) produces a fine system.  But since you will be shifting to devuan you may as well apt-get dist-upgrade for the full experience :)

On synaptic the difference is called default upgrade vs smart upgrade, smart being dist-upgrade.  (check on the preferences 1st page).

There are people who will disagree on this as apt and apt-get had different structures in the past but things have changed.  apt-get upgrade and apt upgrade are the same thing.  There is no such thing as apt dist-upgrade.

I hope this helps, and I welcome corrections on this view based on evidence.
I still have a functioning installation, I think my very 1st devuan, that is basically ascii converted from Devuan 1.0.0.0.  that I had exposed to debian/sid, did an apt upgrade to see the list of upgradeable pkgs, took off the list the ones I expected to be problematic, and upgraded a ton of things.  I haven't done it again for a few months now, but it works fine :)  I call it frankensidevuan!  Maybe I should call it GMO-linux

Hmmm,...  time to give that installation a transfusion of some fresh sid blood.


#9 2018-01-08 08:12:58

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

MiyoLinux wrote:

Perhaps this will shed more information?

https://www.debian.org/security/2018/dsa-4078

Ok so according to this page, Jessie is still vulnerable... :/ Thanks!


#10 2018-01-08 10:39:28

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Meltdown and Spectre

joril wrote:
MiyoLinux wrote:

Perhaps this will shed more information?

https://www.debian.org/security/2018/dsa-4078

Ok so according to this page, Jessie is still vulnerable... :/ Thanks!

Looks like it.  The 3.16.x longterm branch hasn't been patched upstream.  You may find out why by searching the Linux kernel Mailing List.

However, there are 35 security issues related to Linux in the jessie release: https://security-tracker.debian.org/tra … kage/linux

As you seem concerned, I suggest building a new upstream longterm 4.4 or 4.9 kernel which have the KPTI patches.

greenjeans wrote:

All AMD here for last dozen years, but I guess Spectre still applies...looks like it may be a difficult fix?

The only real 'fix' is new CPUs without these flaws...

fungus wrote:

There is no such thing as apt dist-upgrade.

Seems to be "full-upgrade" (as is the case with aptitude): https://manpages.debian.org/jessie/apt/apt.8.en.html

Last edited by cynwulf (2018-01-08 10:40:30)


#11 2018-01-08 11:14:11

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

cynwulf wrote:

As you seem concerned, I suggest building a new upstream longterm 4.4 or 4.9 kernel which have the KPTI patches.

Looks like a good suggestion :D Or maybe I'll upgrade to Ascii... Thanks!


#12 2018-01-09 19:51:51

tlathm
Member
Registered: 2017-11-25
Posts: 103  

Re: Meltdown and Spectre

I just checked and apparently Debian now has a Meltdown fix for jessie (3.16.51-3+deb8u1 apparently):

https://security-tracker.debian.org/tra … -2017-5754

Does this mean we might have an update for jessie in the not too distant future? Thanks!

Tom


#13 2018-01-09 22:29:14

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  

Re: Meltdown and Spectre

cynwulf wrote:
greenjeans wrote:

All AMD here for last dozen years, but I guess Spectre still applies...looks like it may be a difficult fix?

The only real 'fix' is new CPUs without these flaws...

I usually work on an intel E8600 (core2duo) but recently I was handed this much newer box with an i7-3770 (4corex2threads) with 8M L2cache.  I was expecting this thing to be flying and make mine feel like a turtle, but it actually seems pretty slow.  I can't figure out why that is.  Maybe most of what I do only requires a single core/thread and even though this i7 clocks at 3.9 and mine at 3.3 it should still be way ahead.  I only got to see the 8 threads working while processing a UHD video and that only got to 17% of processing power.  I thought maybe a slow disk makes it feel that way, so I switched disks, same thing.

I tried refracta, obarun, and artix on it.  Same difference.

I am puzzled!  Is it possible that kernels can explore older hw to the max while they haven't gotten the new hw figured out yet?


#14 2018-01-10 09:32:31

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

tlathm wrote:

Does this mean we might have an update for jessie in the not too distant future? Thanks!

It looks like it is already available!

# apt-get -s install --only-upgrade linux-image-amd64
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  firmware-linux-free irqbalance libnuma1 linux-image-3.16.0-5-amd64
[snip]
Inst linux-image-3.16.0-5-amd64 (3.16.51-3+deb8u1 None:1.0/jessie-security [amd64])
[snip]

Edit:

I can confirm this:

$ dmesg | grep -i isol
[    0.000000] Kernel/User page tables isolation: enabled

Last edited by joril (2018-01-10 09:43:58)


#15 2018-01-10 11:22:02

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Meltdown and Spectre

fungus wrote:

I can't figure out why that is.  Maybe most of what I do only requires a single core/thread and even though this i7 clocks at 3.9 and mine at 3.3 it should still be way ahead.

In terms of clock speed it's not actually that huge a difference.  Apparently that core is 3.4GHz and can overclock to 3.9GHz, which I assume you have?

Usually modern CPUs don't run full belt 100% of the time.  They use "dynamic frequency scaling" to increase clock speed on demand.  Also unless you're running tasks which make heavy use of multi-threaded programmes you're not going to see a huge difference if you're just browsing or word processing, etc.

Linux uses the procfs filesystem, you could grep /proc/cpuinfo to see what MHz you're running at?

Then put the system under load, e.g. compile something (such as a new kernel?) with a parallel build (number of jobs = 1.5x the number of cores).

grep /proc/cpuinfo again to see if the clock speed has increased.

As I recall, with modern Intel CPUs, it's all configured via the BIOS... so the frequency scaling should be turned on there (forgot the Intel "brand names" for these) and Linux cpufreq driver isn't needed.

Last edited by cynwulf (2018-01-10 11:24:22)


#16 2018-01-10 14:44:29

tlathm
Member
Registered: 2017-11-25
Posts: 103  

Re: Meltdown and Spectre

joril wrote:

It looks like it is already available!

# apt-get -s install --only-upgrade linux-image-amd64
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  firmware-linux-free irqbalance libnuma1 linux-image-3.16.0-5-amd64
[snip]
Inst linux-image-3.16.0-5-amd64 (3.16.51-3+deb8u1 None:1.0/jessie-security [amd64])
[snip]

This is odd. I currently have 3.16.43-2+deb8u2 installed. I've done "apt update", however "apt list --upgradable" only shows 3.16.51-2 and not 3.16.51-3+deb8u1:

apt list --upgradable | grep linux

linux-image-3.16.0-4-amd64/stable 3.16.51-2 amd64 [upgradable from: 3.16.43-2+deb8u2]

Am I missing something here or am I maybe just hitting a mirror that hasn't synced yet or something?

EDIT: Now I'm even more confused. Bear with me as I'm fairly new to apt etc, but when I run the exact command you did I get this:

apt-get -s install --only-upgrade linux-image-amd64
Reading package lists... Done
Building dependency tree       
Reading state information... Done
linux-image-amd64 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 74 not upgraded.

Why does that not at least show the 3.16.51-2? Totally lost now.

Thanks!
Tom

Last edited by tlathm (2018-01-10 14:49:23)


#17 2018-01-10 14:53:02

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

tlathm wrote:

Am I missing something here or am I maybe just hitting a mirror that hasn't synced yet or something?

I assume you did run "apt-get update", so I guess you are indeed using a mirror not updated yet...?


#18 2018-01-10 15:12:20

tlathm
Member
Registered: 2017-11-25
Posts: 103  

Re: Meltdown and Spectre

joril wrote:
tlathm wrote:

Am I missing something here or am I maybe just hitting a mirror that hasn't synced yet or something?

I assume you did run "apt-get update", so I guess you are indeed using a mirror not updated yet...?

Definitely. I just updated to 3.16.51-2 and now it tells me everything's up to date. Really seems odd. This is all I have enabled in /etc/apt/sources.list:

deb http://us.mirror.devuan.org/merged/ jessie main non-free contrib

Is that correct?

Tom


#19 2018-01-10 16:18:20

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

It looks like you are missing jessie-security... Try adding this:

deb http://us.mirror.devuan.org/merged/ jessie-security main non-free contrib


#20 2018-01-10 17:14:54

tlathm
Member
Registered: 2017-11-25
Posts: 103  

Re: Meltdown and Spectre

joril wrote:

It looks like you are missing jessie-security... Try adding this:

deb http://us.mirror.devuan.org/merged/ jessie-security main non-free contrib

That doesn't do it either. What it gets me is even more confusing:

apt list --upgradable | grep linux

WARNING: apt does not have a stable CLI interface yet. Use with caution in scripts.

linux-image-3.16.0-4-amd64/stable 3.16.51-2 amd64 [upgradable from: 3.16.43-2+deb8u2]
linux-image-amd64/jessie-security 3.16+63+deb8u1 amd64 [upgradable from: 3.16+63]

I have no clue what that second one even is.

I do in fact have the linux-image-amd64 meta package installed. Nothing I do seems to find that linux-image-3.16.0-5-amd64, but rather newer versions of linux-image-3.16.0-4-amd64. Earlier I tried adding jessie-updates and that didn't work either and was even more confusing. That wanted to pull in a version of linux-image-3.16.0-4-amd64 that was 3.16.51-3, but NOT the 3.16.51-3+deb8u1 that actually has the fix. Insane.

My company is sort of really dying for this one. I hope someone has suggestions because this is getting more confusing with everything I try.

SOLVED: OK...Now I think I get it. That new version of the linux-image-amd64 meta package from jessie-security (3.16+63+deb8u1) actually ends up pulling in linux-image-3.16.0-5-amd64 with the 3.16.51-3+deb8u1 version.

That was confusing. Is there some reason that the default sources.list from the install wouldn't include that by default? I can also see we were missing a number of updates because of that.

Tom

Last edited by tlathm (2018-01-10 17:36:34)
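
Added example, not posted by anyone in this thread: the gap worked out in the posts above (an enabled jessie line with no jessie-security line, so the fixed kernel never shows up as upgradable) can be checked for mechanically. The function name missing_security_suites and the two sample files are constructed for illustration, and only one-line-style "deb" entries are understood.

```shell
#!/bin/sh
# missing_security_suites FILE...
# Prints, one per line, every base suite (e.g. "jessie") that has an enabled
# "deb" line but no enabled "deb" line for "<suite>-security".
missing_security_suites() {
    awk '
        # Comments, blank lines and deb-src lines all fail this test.
        $1 != "deb" { next }
        {
            i = 2
            # Skip an optional [option=value ...] block (may span fields).
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)
            # Install media carries no security updates; ignore it.
            if (uri ~ /^cdrom:/ || suite == "") next
            if (suite ~ /-security$/) {
                sub(/-security$/, "", suite); sec[suite] = 1
            } else if (suite !~ /-(updates|backports|proposed.*)$/) {
                base[suite] = 1
            }
        }
        END { for (s in base) if (!(s in sec)) print s }
    ' "$@" | sort
}

# Constructed samples: the first mirrors the single enabled line quoted in the
# thread (with the install-media and deb-src lines commented out), the second
# adds the jessie-security line that was suggested as the fix.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/without-security.list" <<'EOF'
#deb cdrom:[constructed install media label]/ jessie main
deb http://us.mirror.devuan.org/merged/ jessie main non-free contrib
#deb-src http://us.mirror.devuan.org/merged/ jessie main non-free contrib
EOF

cat > "$demo_dir/with-security.list" <<'EOF'
deb http://us.mirror.devuan.org/merged/ jessie main non-free contrib
deb http://us.mirror.devuan.org/merged/ jessie-security main non-free contrib
EOF

echo "without: $(missing_security_suites "$demo_dir/without-security.list")"
echo "with:    $(missing_security_suites "$demo_dir/with-security.list")"
```

On a real system, pass it /etc/apt/sources.list together with any files under /etc/apt/sources.list.d/; empty output means every enabled release suite has a matching security suite.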


#22 2018-01-10 19:42:54

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

tlathm wrote:

Is there some reason that the default sources.list from the install wouldn't include that by default? I can also see we were missing a number of updates because of that.

I have to say that I did find your sources.list quite strange-looking... ^__^; Are you sure no one "tinkered" with it?


#23 2018-01-10 20:51:30

tlathm
Member
Registered: 2017-11-25
Posts: 103  

Re: Meltdown and Spectre

joril wrote:

I have to say that I did find your sources.list quite strange-looking... ^__^; Are you sure no one "tinkered" with it?

That wasn't the entire file, but it was in fact the only uncommented source in the file. The only change I made to the original one from the install was to comment out the line for the install CD ISO, as I was packaging it as a VM. The file also has the sources for the deb-src commented.

I can tell you for sure that jessie-security wasn't in there.

EDIT: Are backports and updates also supposed to be in there? Those were never in mine either. I used the expert non-graphical install. I'm wondering if there wasn't something in that that I selected incorrectly, though I don't recall that.

Tom

Last edited by tlathm (2018-01-10 21:01:38)


#24 2018-01-11 14:56:46

joril
Member
From: Italy
Registered: 2017-04-15
Posts: 44  

Re: Meltdown and Spectre

tlathm wrote:

I used the expert non-graphical install. I'm wondering if there wasn't something in that that I selected incorrectly, though I don't recall that.

Strange... I used the expert+graphical install, here's my "uncommented" sources.list

deb http://it.mirror.devuan.org/merged/ jessie main non-free contrib 
deb http://it.mirror.devuan.org/merged/ jessie-security main contrib non-free 
deb http://it.mirror.devuan.org/merged/ jessie-updates main contrib non-free 

deb http://packages.devuan.org/devuan/ jessie-proposed main 
deb http://packages.devuan.org/merged/ jessie main contrib non-free 

I'm not 100% sure but I think I never modified this by hand

Last edited by joril (2018-01-11 14:57:06)


#25 2018-01-11 15:04:43

fungus
Member
From: Any witch way
Registered: 2017-07-12
Posts: 497  

Re: Meltdown and Spectre

Those are all valid jessie repositories, pick and choose.  Some may not have a contrib and non-free components.

deb https://pkgmaster.devuan.org/merged/ jessie main contrib non-free
deb https://pkgmaster.devuan.org/merged/ jessie-backports main contrib non-free
deb https://pkgmaster.devuan.org/devuan/ jessie-proposed main contrib non-free
deb https://pkgmaster.devuan.org/devuan/ jessie-proposed-backports main contrib non-free
deb https://pkgmaster.devuan.org/devuan/ jessie-proposed-security main contrib non-free
deb https://pkgmaster.devuan.org/merged/ jessie-proposed-updates main contrib non-free
deb https://pkgmaster.devuan.org/merged/ jessie-security main contrib non-free
deb https://pkgmaster.devuan.org/merged/ jessie-updates main contrib non-free

https://sysdfree.wordpress.com/151
