
Kernel 4.15.*-wip-x* (Full support IBRS/IBPB/LKRG)

Open AndyLavr opened this issue 7 years ago • 0 comments

WIP Kernel 4.15.*

WIP Patched Kernel Sources (Linux 4.15.*)

  • Full kernel adaptation to Ubuntu 18.04 LTS (Bionic).

  • Full kernel adaptation to build with GCC 7/GCC 8.

GitHub Repo. This kernel is for developers and testers!

Full support:

  • Indirect Branch Restricted Speculation (IBRS)
  • Indirect Branch Prediction Barrier (IBPB)

Added Linux Kernel Runtime Guard (LKRG)

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

Important security fix:

Recommended: build on the latest GCC 7.3+.

Current status of this kernel for the Spectre and Meltdown vulnerabilities

Spectre and Meltdown mitigation detection tool

Checking for vulnerabilities on current system

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
      • Kernel has set the spec_ctrl flag in cpuinfo: NO
    • Indirect Branch Prediction Barrier (IBPB)
      • PRED_CMD MSR is available: YES
      • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates STIBP capability: YES
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
    • CPU microcode is known to cause stability problems: YES (model 71 stepping 1 ucode 0x1b)

The microcode your CPU is running on is known to cause instability problems, such as intempestive reboots or random crashes. You are advised to either revert to a previous microcode version (that might not have the mitigations for Spectre), or upgrade to a newer one if available.

  • CPU vulnerability to the three speculative execution attacks variants
    • Vulnerable to Variant 1: YES (Enable Mitigation: __user pointer sanitization)
    • Vulnerable to Variant 2: YES (Enable Mitigation: PTI)
    • Vulnerable to Variant 3: YES (Enable Mitigation: Full generic retpoline, IBPB, IBRS_FW)

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'

  • Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
  • Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
  • Checking count of LFENCE instructions following a jump in kernel: YES (1839 jump-then-lfence instructions found, which is >= 30 (heuristic))

STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

  • Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
  • Mitigation 1
    • Kernel is compiled with IBRS/IBPB support: YES
    • Currently enabled features
      • IBRS enabled for Kernel space: NO
      • IBRS enabled for User space: NO
      • IBPB enabled: YES
  • Mitigation 2
    • Kernel compiled with retpoline option: YES
    • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
    • Retpoline enabled: YES

STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline, IBPB, IBRS_FW)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'

  • Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: YES
  • Performance impact if PTI is enabled
    • CPU supports PCID: YES (performance degradation with PTI will be limited)
    • CPU supports INVPCID: YES (performance degradation with PTI will be limited)
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (Mitigation: PTI)
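The report above takes its three STATUS lines from the kernel's /sys interface (/sys/devices/system/cpu/vulnerabilities) and its hardware checks from the CPU flags in /proc/cpuinfo. The following Python script is an added example, not code from the spectre-meltdown-checker tool or from this kernel repository, showing how a defender can read the same two sources and classify each CVE. The sysfs strings and the /proc/cpuinfo excerpt embedded in it are constructed samples modelled on the report, not captured from the author's machine; a missing sysfs entry is reported as UNKNOWN rather than as mitigated, since an old or custom kernel may simply not expose the interface.

```python
"""Read Spectre/Meltdown mitigation state from sysfs and /proc/cpuinfo.

Added example: mirrors the "Mitigated according to the /sys interface" and
"Hardware check" items of the report, using the kernel's own status files.
"""
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Map the sysfs file names used by the kernel to the CVEs named in the report.
CVE_NAMES = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
}

# Constructed sample of sysfs contents resembling the report above
# (these are example strings, not captured from the author's host).
SAMPLE_SYSFS = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
    "meltdown": "Mitigation: PTI",
}

# Constructed /proc/cpuinfo excerpt with only the fields this check needs.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model\t\t: 71\n"
    "stepping\t: 1\n"
    "microcode\t: 0x1b\n"
    "flags\t\t: fpu vme pti ibpb ibrs stibp\n"
)


def classify(status: str) -> str:
    """Turn one sysfs status line into the STATUS wording used by the report."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "NOT VULNERABLE"
    if s.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"


def mitigation_of(status: str) -> str:
    """Return the mitigation name after 'Mitigation:' or '' when there is none."""
    s = status.strip()
    return s[len("Mitigation:"):].strip() if s.startswith("Mitigation:") else ""


def cpu_flags(cpuinfo_text: str) -> set:
    """Extract the flag set from the first 'flags' line of /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    return set(m.group(1).split()) if m else set()


def read_sysfs(vuln_dir: str = VULN_DIR) -> dict:
    """Read every file in the vulnerabilities directory; empty dict if absent."""
    entries = {}
    if not os.path.isdir(vuln_dir):
        return entries
    for name in sorted(os.listdir(vuln_dir)):
        try:
            with open(os.path.join(vuln_dir, name)) as f:
                entries[name] = f.read().strip()
        except OSError:
            continue  # unreadable entry: leave it out rather than guess
    return entries


def report(sysfs_entries: dict, cpuinfo_text: str) -> dict:
    """Classify each CVE and summarise the hardware flags the report checks."""
    out = {}
    for key, cve in CVE_NAMES.items():
        status = sysfs_entries.get(key)
        if status is None:
            # No sysfs entry: the kernel predates or lacks the interface.
            out[cve] = {"status": "UNKNOWN", "mitigation": ""}
            continue
        out[cve] = {"status": classify(status), "mitigation": mitigation_of(status)}
    flags = cpu_flags(cpuinfo_text)
    # Older IBRS patch sets exposed a single 'spec_ctrl' flag; mainline
    # exposes ibrs/ibpb/stibp separately, so accept either spelling.
    out["hw"] = {
        "spec_ctrl": "spec_ctrl" in flags or {"ibrs", "ibpb"} <= flags,
        "ibrs": "ibrs" in flags,
        "ibpb": "ibpb" in flags,
        "stibp": "stibp" in flags,
        "pti": "pti" in flags,
    }
    return out


if __name__ == "__main__":
    # On a live system read the real files; otherwise fall back to the samples.
    entries = read_sysfs() or SAMPLE_SYSFS
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except OSError:
        cpuinfo = SAMPLE_CPUINFO
    for name, info in report(entries, cpuinfo).items():
        print(name, info)
```

Run it as root or as a normal user; the sysfs files are world-readable on stock kernels. The VULNERABLE branch matches status strings such as "Vulnerable: Minimal generic ASM retpoline" that 4.15 kernels print when retpoline support is only partial, which is the case the report's "retpoline-aware compiler" item is checking for.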

This is a mainline Linux kernel distribution with custom settings, optimized for high performance.

Supports all recent 64-bit versions of Debian and Ubuntu-based systems.

Main Features:

  • Tuned CPU for Intel i5/i7/Atom platform.
  • PDS CPU Scheduler & Multi-Queue I/O Block Layer w/ BFQ-MQ for smoothness and responsiveness.
  • Caching, Virtual Memory Manager and CPU Governor Improvements.
  • General-purpose Multitasking Kernel.
  • Built on the latest GCC 7.3.
  • DRM Optimized Performance.
  • BBR TCP Congestion Control.
  • Intel CPUFreq (P-State passive mode).
  • ZFS, AUFS, BFQ and Ureadahead support available.

Download and install kernel (DEB packages):

Look at the file date and the build number.

Download packages

Read this before installing

GitHub Repo

AndyLavr, Feb 04 '18 14:02