On Sat, 10 Feb 2018 16:09:17 +0100, Joakim Hernberg wrote:
>On Sat, 10 Feb 2018 16:00:14 +0100 Ralf Mardorf wrote:
>> cat /sys/devices/system/cpu/vulnerabilities/*
>> Mitigation: PTI
>> Mitigation: __user pointer sanitization
>> Mitigation: Full generic retpoline
>>
>> ...means that they are enabled?
>
>Yes, how well they protect the system is of course another question,
>and I'm not 100% sure where the Intel ucode fits in all this. But it
>seems fairly clear that Intel dropped the ball on all of this including
>firmware updates...

I see. Apart from the µcode the kernel already includes the page-table
isolation patch set. When booting with "nopti" the output for "meltdown"
is "Vulnerable".

[rocketmouse@archlinux ~]$ grep Securityink_nopti -B3 -A5 /boot/syslinux/syslinux.cfg
# "KPTI was merged into Linux kernel version 4.15,[snip] and backported to Linux kernels 4.14.11, 4.9.75, 4.4.110."
# - https://en.wikipedia.org/wiki/Kernel_page-table_isolation
LABEL Securityink_nopti
MENU LABEL Arch Linux Rt Securityink nopt^i
LINUX ../vmlinuz-linux-rt-securityink
APPEND root=LABEL=archlinux ro nopti
INITRD ../intel-ucode.img,../initramfs-linux-rt-securityink.img

[rocketmouse@archlinux ~]$ ls -hAl /sys/devices/system/cpu/vulnerabilities/
total 0
-r--r--r-- 1 root root 4.0K Feb 10 16:44 meltdown
-r--r--r-- 1 root root 4.0K Feb 10 16:44 spectre_v1
-r--r--r-- 1 root root 4.0K Feb 10 16:44 spectre_v2

[rocketmouse@archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Vulnerable
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
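The check the thread is doing by hand (cat the per-vulnerability status files and see whether any reads "Vulnerable", then look at the boot parameters to explain why) can be scripted so it fails loudly instead of relying on eyeballing three lines. The script below is an added example, not code from the mailing-list post or from any distribution tool. It reads the directory the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (the directory is a parameter so it can also be run against a constructed sample tree), flags any file whose content starts with "Vulnerable", and checks a kernel command line for parameters that disable a mitigation. The sample tree, the function names and the short list of mitigation-disabling parameters (nopti, pti=off, nospectre_v2, spectre_v2=off) are this example's own assumptions; the sample reproduces the "nopti" boot shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the kernel's
# per-vulnerability status files and flag anything left unmitigated.

# Print one line per status file in DIR; return 1 if any reports
# "Vulnerable", 2 if DIR does not exist, 0 if everything is mitigated.
# On a live system: report_vulns /sys/devices/system/cpu/vulnerabilities
report_vulns() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no $dir (kernel too old, or not x86)"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case $status in
            Vulnerable*) rc=1; echo "$name: $status  <-- NOT mitigated" ;;
            *)           echo "$name: $status" ;;
        esac
    done
    return $rc
}

# Return 0 if the kernel command line given as $1 contains a parameter
# that switches a mitigation off (assumed list, e.g. "nopti" as in the
# syslinux entry above), 1 otherwise. Live: cmdline_disables_mitigation "$(cat /proc/cmdline)"
cmdline_disables_mitigation() {
    for word in $1; do
        case $word in
            nopti|pti=off|nospectre_v2|spectre_v2=off) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample tree (not a real sysfs) reproducing the "nopti" boot
# from the post: meltdown unmitigated, the two spectre variants mitigated.
make_sample() {
    d=${TMPDIR:-/tmp}/vulns.$$
    mkdir -p "$d"
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
report_vulns "$sample" || echo "at least one vulnerability is unmitigated"
cmdline_disables_mitigation "root=LABEL=archlinux ro nopti" && echo "cmdline disables a mitigation"
rm -rf "$sample"
```

Run it as root or any user (the sysfs files are world-readable, as the ls output shows); the non-zero exit status makes it usable from a boot-time health check, and pairing it with /proc/cmdline distinguishes "mitigation missing from the kernel" from "mitigation present but switched off at boot", which is exactly the difference between the two runs in the post.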