On Wed, Jan 24, 2018 at 10:06 AM, Nicholas Geovanis
<nickgeova...@gmail.com> wrote:
> Jonathon Dowland the Great Lutenist wrote:
>> Sylvestre Ledru has uploaded the script to the Debian archive (package
>> spectre-meltdown-checker in sid). I haven't checked but they might have
>> made any necessary alterations for it to perform properly on Debian
>> systems. It might be worth trying that version. (if any alterations are
>> required for proper operation on Debian and are *not* made to the
>> packaged version of the script, a Debian bug is appropriate)
>
> Thanks, I'm going to give that version a try shortly.
>

Happy to report that the version of the script in sid properly detects
the presence of the CVE-2017-5754 fix on Debian 8.6 jessie. So to sum up
for Debian: Don't use the version of spectre-meltdown-checker hosted on
GitHub for the developers, use instead the version in Debian sid. Even
on the older jessie. I'll be at least trying this script on 7 too, just
for fun:

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
root@ftp51:/home/PRLSS/ngeovanis# cat /etc/debian_version
8.6



On Wed, Jan 24, 2018 at 10:06 AM, Nicholas Geovanis
<nickgeova...@gmail.com> wrote:
>>> So my question becomes: Is it just my server, or others too? And why me?
>
>> Good question. Is this a VPS?
>
> No. Believe it or not, it's real Dell hardware. Just 700 miles away from me.
>
> On Wed, Jan 24, 2018 at 4:13 AM, Jonathan Dowland <j...@debian.org> wrote:
>> On Tue, Jan 23, 2018 at 05:07:15PM -0600, Nicholas Geovanis wrote:
>>>
>>> Sorry, should have added that the string "Linux version" also does not
>>> appear in the dmesg results
>>> after a reboot. So despite the check script's advice, a reboot doesn't
>>> change the results here.
>>
>>
>> Sylvestre Ledru has uploaded the script to the Debian archive (package
>> spectre-meltdown-checker in sid). I haven't checked but they might have
>> made any necessary alterations for it to perform properly on Debian
>> systems. It might be worth trying that version. (if any alterations are
>> required for proper operation on Debian and are *not* made to the
>> packaged version of the script, a Debian bug is appropriate)
>>
>>> On Tue, Jan 23, 2018 at 5:02 PM, Nicholas Geovanis
>>> <nickgeova...@gmail.com> wrote:
>>>>
>>>> There was a newer version of the script (about 4 hours newer), but the
>>>> new version yields the same result.
>>>>
>>>> So I have a debian 8.6 machine for which this test in the script is
>>>> failing:
>>
>> (snip)
>>
>> This test seems to be a "pre-test": it does not actually test for
>> whether PTI is enabled; it tests whether the kernel ring buffer has
>> rotated. There must be a subsequent test in the script to see whether
>> PTI has been enabled (that is not executed if the kernel ring buffer
>> has rotated).
>>
>> If you can identify that subsequent test, *and* if you have your kernel
>> messages logged somewhere (/var/log/kern.log*, perhaps, or within
>> journald), then you could adapt the subsequent test to check against
>> those logs instead of the live ring buffer.
>>
>>>> So my question becomes: Is it just my server, or others too? And why me?
>>
>>
>> Good question. Is this a VPS?
>>
>> --
>>
>> ⢀⣴⠾⠻⢶⣦⠀
>> ⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
>> ⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
>> ⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
>>
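
Jonathan Dowland's suggestion quoted above, running the PTI test against persisted kernel messages instead of the live ring buffer, can be sketched as follows. This is an added example, not code from the thread or from spectre-meltdown-checker. The two PTI message patterns, the function names and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read PTI state from persisted kernel
# logs when the boot banner has already rotated out of the dmesg ring buffer.
# Assumption: these are the messages a PTI/KAISER kernel prints at boot.
PTI_RE='Kernel/User page tables isolation: enabled|x86/pti: Unmapping kernel while in userspace'
BOOT_RE='Linux version '

# Reads kernel log text on stdin (oldest line first) and prints:
#   enabled    - PTI message follows the most recent boot banner
#   not_logged - banner present, but no PTI message after it
#   unknown    - no banner at all, i.e. the input is truncated like a
#                rotated ring buffer and proves nothing either way
pti_state_from_log() {
    awk -v boot="$BOOT_RE" -v pti="$PTI_RE" '
        $0 ~ boot { seen = 1; found = 0; next }  # new boot: forget older boots
        seen && $0 ~ pti { found = 1 }
        END {
            if (!seen)      print "unknown"
            else if (found) print "enabled"
            else            print "not_logged"
        }'
}

# Constructed sample: two boots in one kern.log; only the second has PTI.
sample_two_boots() {
    cat <<'EOF'
Jan 10 08:00:01 host kernel: [    0.000000] Linux version X.Y.Z-old (constructed)
Jan 10 08:00:01 host kernel: [    0.000000] Command line: BOOT_IMAGE=/vmlinuz ro quiet
Jan 23 17:00:01 host kernel: [    0.000000] Linux version X.Y.Z-new (constructed)
Jan 23 17:00:01 host kernel: [    0.000000] Kernel/User page tables isolation: enabled
Jan 23 17:05:09 host kernel: [  308.112233] device eth0 entered promiscuous mode
EOF
}

# Constructed sample: what a rotated ring buffer looks like (no banner left).
sample_rotated() {
    cat <<'EOF'
[81234.000001] device eth0 entered promiscuous mode
[81299.000002] device eth0 left promiscuous mode
EOF
}

# On a real host (paths and commands depend on the logging setup):
#   cat /var/log/kern.log.1 /var/log/kern.log | pti_state_from_log
#   journalctl -k -b | pti_state_from_log
sample_two_boots | pti_state_from_log   # enabled
sample_rotated   | pti_state_from_log   # unknown
```

Feed rotated log files oldest first so that the last boot banner in the stream is the running kernel's; a result of `unknown` means the input should be widened, not that the host is unpatched.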
