Kernel-5.16 Addendum


Diego Garcia

Jan 15, 2022, 8:40:52 AM
Kernel-5.16 is out.

After building and booting, check the "security:"

[~]# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Processor vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable: __user pointer sanitization and user
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable, STIBP: disabled
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected

So my system is vulnerable to the max. But who cares?

Contrast this with the average distro kernel that is crippled to the hilt
with security.

DIY is the only way to go.


--
Scratch your technical itch:
https://www.linuxfromscratch.org/
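The grep in the post above dumps the raw state strings; the following POSIX sh function is an added example (not part of the thread) that summarizes the same sysfs files into mitigated / vulnerable / not-affected counts, flags the entries whose state the kernel alone cannot fix because they need a CPU microcode update ("Vulnerable: No microcode"), and returns a non-zero exit status when anything is still vulnerable, so it can gate a build or boot check. The directory is a parameter so the function can be pointed at a constructed copy of the files (the `make_sample` helper below, which mirrors the values quoted in the post) as well as at the live `/sys/devices/system/cpu/vulnerabilities`. Function and helper names are this example's own.

```shell
#!/bin/sh
# Added example: classify the per-vulnerability state files the kernel exposes.
# Each file holds one line starting with "Not affected", "Mitigation: ...",
# "Vulnerable", "Vulnerable: ..." or, for itlb_multihit, "Processor vulnerable".
#
# Usage: . ./vuln_summary.sh; vuln_summary [DIR]   (DIR defaults to the live sysfs)
# Exit status is 0 only when no entry is reported as vulnerable.

vuln_summary() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    mitigated=0 vulnerable=0 unaffected=0 other=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        state=$(cat "$f")
        case $state in
            "Not affected"*)
                unaffected=$((unaffected + 1)) ;;
            Mitigation:*)
                mitigated=$((mitigated + 1)) ;;
            Vulnerable*|"Processor vulnerable"*)
                vulnerable=$((vulnerable + 1))
                # Rebuilding the kernel does nothing for this one: the fix is a
                # microcode update delivered via firmware or the early-load
                # microcode package, so call it out separately.
                case $state in
                    *"No microcode"*) echo "NOTE $name: needs microcode update" ;;
                esac ;;
            *)
                other=$((other + 1)) ;;
        esac
        printf '%-20s %s\n' "$name" "$state"
    done
    printf 'summary: %d mitigated, %d vulnerable, %d not affected, %d other\n' \
        "$mitigated" "$vulnerable" "$unaffected" "$other"
    [ "$vulnerable" -eq 0 ]
}

# Constructed sample (not a real system): writes the state strings quoted in
# the post into a temporary directory and prints its path, so the function can
# be exercised offline. Remove the directory when done.
make_sample() {
    d=$(mktemp -d)
    echo "Processor vulnerable"                             > "$d/itlb_multihit"
    echo "Mitigation: PTE Inversion"                        > "$d/l1tf"
    echo "Vulnerable; SMT vulnerable"                       > "$d/mds"
    echo "Vulnerable"                                       > "$d/meltdown"
    echo "Vulnerable"                                       > "$d/spec_store_bypass"
    echo "Vulnerable: __user pointer sanitization and user" > "$d/spectre_v1"
    echo "Vulnerable, STIBP: disabled"                      > "$d/spectre_v2"
    echo "Vulnerable: No microcode"                         > "$d/srbds"
    echo "Not affected"                                     > "$d/tsx_async_abort"
    echo "$d"
}
```

On the sample above this prints one line per file, a "NOTE srbds: needs microcode update" line, and "summary: 1 mitigated, 7 vulnerable, 1 not affected, 0 other", then exits 1. Run `vuln_summary` with no argument on a freshly built kernel to get the same report for the live system; the exit status makes it usable from a post-boot script.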

Aragorn

Jan 15, 2022, 2:53:17 PM
On 15.01.2022 at 13:40, Diego Garcia scribbled:

> So my system is vulnerable to the max. But who cares?
>
> Contrast this with the average distro kernel that is crippled to the
> hilt with security.

There wouldn't be a need to cripple them if the CPU makers were to get
their shit together in the first place. There are microcode patches for
design flaws in the hardware itself.

--
With respect,
= Aragorn =

Diego Garcia

Jan 17, 2022, 10:24:08 AM
They are NOT design flaws. They are very creative mechanisms to
improve processor performance. Just because they can be exploited
by parties with malicious intent does not make them flaws.

A thief can very easily smash the windows on your car or home to
quickly gain entry. Does that make car windows or home windows
a design flaw?

No. The only flaw is the thief.

But such security concerns are hardly relevant to a desktop
workstation. Only public-facing servers that host virtual machines
need to cripple their processors.

Keep in mind that the security obsession goes well beyond things
like Meltdown or Rowhammer. I believe that most distros also
build all software with protection schemes like stack protection
and "canaries." Since GNU/Linux is mostly C programs the addition
of a canary to every subroutine call can be quite expensive.

Gentoo offers a hardening option, or profile, that users can select
to produce a hardened and protected system, but others can choose
to ignore it all.
