How to fix the meltdown and spectre issue in Devuan

chillfan · 2018-01-13 23:17:33

Some information about mitigating the recent issues for Devuan users. I don't own any AMD hardware, so these instructions are for intel only.

Upgrade the kernel

It's worth knowing that Devuan does nothing to change the kernel images, and provides the Debian packaged kernels. So you can check with the Debian security tracker for the current status of the kernel packages.

https://security-tracker.debian.org/tra … kage/linux

Meltdown is fixed in all the Devuan branches, so you can upgrade your kernel right now to protect against meltdown.

apt-get update

apt-get dist-upgrade

This should be enough to get the kernel updates if you have the linux-image-<insertyourarch> virtual package installed. Otherwise search for the latest image version.

apt-cache search ^linux-image-

And install it like this for example.

apt-get install linux-image-3.16.0-5-amd64

Update the microcode using GRUB

Intel recently released new microcode. It's not known for sure if it's related to meltdown/spectre yet, but if you want to update the microcode anyway here's how to go about it. You don't need to do this if your motherboard vendor has released a BIOS update with the microcode.

Find and download the latest microcode from downloadcenter.intel.com. The latest at time of writing is here.

Change to the /lib/firmware directory (as root).

cd /lib/firmware/

And unpack the tarball here.

tar xf /home/youruser/Downloads/microcode*tgz

The Gentoo wiki page here explains how to convert the ucode into an initrd image that grub can use.

On Devuan install the iucode-tool package.

apt-get install iucode-tool

And generate the image for grub to use (if you use a boot partition make sure it's mounted).

iucode_tool -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/*

And you will need to make the changes in /etc/grub.d/10_linux as pointed out in the grub section. When you're happy with the changes update grub like this.

dpkg-reconfigure grub-pc

And you'll need to reboot for the changes to take effect.

reboot

And see the verification section from the gentoo wiki as well.

If you're an NVIDIA driver user you should update those to 384.111 for the stable release and 390.25 for the latest version (not covered here). You'll need to use the nvidia.com driver search feature to find those versions.

Last edited by chillfan (2018-02-04 04:54:04)

fungus · 2018-01-14 16:20:32

Thank you for the information but your subject is slightly misleading.
Spectre has only partially been dealt with and the fix seems very far away.

siva · 2018-01-25 19:53:20

fyi, x86 is still vulnerable to meltdown.

chillfan · 2018-02-03 12:49:56

fungus wrote:

Thank you for the information but your subject is slightly misleading.
Spectre has only partially been dealt with and the fix seems very far away.

True, the title was poorly chosen. Really this should be titled "How to mitigate Meltdown and Spectre" as it's unclear if they will ever be fixed. This is basically just how to apply the mitigations if/when they are available.

From what I can tell about Spectre it needs mitigations in userland, and maybe even mitigations during compile time using a patched gcc.

Last edited by chillfan (2018-02-03 12:50:15)

greenjeans · 2018-02-04 00:14:18

Just need to maybe get with a packager and have them package the newest version, the microcode version in the repo is the next-to-latest version, it's from July 2017 and the newest one is November 2017, so it's not like the current jessie microcode package is way old or anything.

I kinda doubt it has any fixes for meltdown in it.

chillfan · 2018-02-04 04:49:59

greenjeans wrote:

Just need to maybe get with a packager and have them package the newest version, the microcode version in the repo is the next-to-latest version, it's from July 2017 and the newest one is November 2017, so it's not like the current jessie microcode package is way old or anything.
I kinda doubt it has any fixes for meltdown in it.

Also Intel looks to have pulled the latest microcode for 2018, so most people have to wait for this to change.

greenjeans · 2018-02-05 20:53:01

chillfan wrote:

Also Intel looks to have pulled the latest microcode for 2018,

Ahh, well hopefully that means they may be working on some mitigation for this issue, will be watching for any new updates.

fungus · 2018-02-05 21:03:50

They haven't just pulled, they said whoever made the mistake of applying it is screwed, in nicer terms. But some distributions still have the 01/18 microcode available.

greenjeans · 2018-02-08 20:21:23

chillfan wrote:

greenjeans wrote:
Just need to maybe get with a packager and have them package the newest version, the microcode version in the repo is the next-to-latest version, it's from July 2017 and the newest one is November 2017, so it's not like the current jessie microcode package is way old or anything.
I kinda doubt it has any fixes for meltdown in it.
Also Intel looks to have pulled the latest microcode for 2018, so most people have to wait for this to change.

Debian does have the November update, in stretch-backports, maybe it's in Devuan ascii backports or proposed?

boycottsystemd · 2018-07-27 14:47:33

Hello, just in case someone is interested: Intel has issued new CPU microcode (20180703):

https://downloadcenter.intel.com/downlo … uct=122139

Last edited by boycottsystemd (2018-07-27 14:51:43)

ivanovnegro · 2018-07-31 22:06:34

It is already available in ascii-backports.

The officially official Devuan Forum!

#1 2018-01-13 23:17:33