SLES 11 SP4 Meltdown and Spectre fix for SLES11SP4, 32bit?



Trelaine
06-Feb-2018, 14:50
The landing page for the Spectre and Meltdown issue is not very clear about what is already patched and what is not.
When installing the latest available kernel patches (Version: kernel-pae-3.0.101-108.21.1.i586.rpm; yes, it is the 32bit PAE kernel) the following script is still reporting that the system is vulnerable to all three vulnerabilities.
The script to check for all three vulnerabilities CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754:
https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

For CVE-2017-5754 the SUSE landing page is providing this information: "This feature can be enabled / disabled by the "pti=[on|off|auto]" or "nopti" command line options. More details can be found in the "Additional information" section.". But enabling this on the kernel mentioned above does not change the result from the check by the script.

The questions now are:
- Are the vulnerabilities patched for SLES11SP4 x86 (32bit, pae kernel) and how can it be proved?
- What are the required settings to enable the fixes on SLES11SP4 x86 (32bit, pae kernel)?
- If there is still ongoing work especially on the PAE version of the 32bit kernel for SLES11SP4, how to get notified?

Thnx T.

smflood
06-Feb-2018, 15:20
On 06/02/18 13:54, Trelaine wrote:

> The landing page for the Spectre and Meltdown issue is not very clear
> about what is already patched and what is not.
> When installing the latest available kernel patches (Version:
> kernel-pae-3.0.101-108.21.1.i586.rpm; yes, it is the 32bit PAE kernel)
> the following script is still reporting that the system is vulnerable
> to all three vulnerabilities.
> The script to check for all three vulnerabilities CVE-2017-5753,
> CVE-2017-5715 and CVE-2017-5754:
> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
>
> For CVE-2017-5754 the SUSE landing page is providing this information:
> "This feature can be enabled / disabled by the "pti=[on|off|auto]" or
> "nopti" command line options. More details can be found in the
> "Additional information" section.". But enabling this on the kernel
> mentioned above does not change the result from the check by the
> script.
>
> The questions now are:
> - Are the vulnerabilities patched for SLES11SP4 x86 (32bit, pae kernel)
> and how can it be proved?
> - What are the required settings to enable the fixes on SLES11SP4 x86
> (32bit, pae kernel)?
> - If there is still ongoing work especially on the PAE version of the
> 32bit kernel for SLES11SP4, how to get notified?

It's my understanding of Spectre and Meltdown that it affects 64-bit
Intel CPUs not 32-bit ones - whilst you're using 32-bit SLES11 SP4 is
your CPU 32- or 64-bit?

SUSE published TID 7022512 to cover Spectre and Meltdown - please see
https://www.suse.com/support/kb/doc/?id=7022512

HTH.
--
Simon
SUSE Knowledge Partner


Trelaine
06-Feb-2018, 16:04
Hi Simon,
the landing page I am referring to is the page you are forwarding in your message.
Our CPU is a 64bit CPU. It is an Intel Xeon server CPU. We are running a 32bit SLES11SP4 on a 64bit CPU. So we installed the latest pae kernel and also the microcode, but still the script to check if the vulnerabilities are resolved does not return any positive results.

Thnx T.

Trelaine
27-Feb-2018, 16:59
Hi,
I would like to reissue this because it is still important for me.
The TID 7022512 that SUSE published to cover Spectre and Meltdown - https://www.suse.com/support/kb/doc/?id=7022512 - is still only talking about X86_64 (64bit) and not about x86 (32bit).
Spectre and Meltdown is also an issue for x86 and the pae kernel, which I am using. The page https://www.suse.com/de-de/security/cve/CVE-2017-5715/ is also mentioning that there is a new kernel for SLES11SP4 coming, but with no date yet.
Patches are available, but there is no way to prove that they are protecting against the vulnerabilities. The above-mentioned script to check it is not working.
Is there another way to check it? Is the patch working for x86, 32bit?

Thnx
Trelaine
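
On the question above of another way to check: the sketch below is an added example, not part of the thread and not SUSE tooling. It lists the `pti=`/`nopti` options on the kernel command line and prints what the kernel itself reports for the three CVEs. It assumes the installed kernel carries the upstream `/sys/devices/system/cpu/vulnerabilities` interface (not confirmed here for kernel-pae 3.0.101); the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Paths default to the live system; both can be overridden.

# pti_cmdline_opts "<kernel command line>" -> the pti-related options present, or "none".
# Only the options quoted from the SUSE page are recognised: pti=[on|off|auto], nopti.
pti_cmdline_opts() (
    set -f; found=                      # subshell: no globbing, no leaked variables
    for opt in $1; do
        case "$opt" in
            nopti|pti=on|pti=off|pti=auto) found="${found:+$found }$opt" ;;
        esac
    done
    printf '%s\n' "${found:-none}"
)

# sysfs_status <dir> <file> -> the kernel's own status line, or "not reported".
sysfs_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else printf 'not reported\n'; fi
}

# classify "<status line>" -> not_affected | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) printf 'not_affected\n' ;;
        Mitigation:*)    printf 'mitigated\n' ;;
        Vulnerable*)     printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;   # file absent: kernel gives no answer
    esac
}

# report [sysfs_dir] [cmdline_file]
report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    cmdline=$(cat "${2:-/proc/cmdline}" 2>/dev/null) || cmdline=
    printf 'pti options on command line: %s\n' "$(pti_cmdline_opts "$cmdline")"
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
        s=$(sysfs_status "$dir" "${pair#*:}")
        printf '%s (%s): %s [%s]\n' "${pair%%:*}" "${pair#*:}" "$s" "$(classify "$s")"
    done
}

# Run as: sh thisfile.sh report
if [ "${1:-}" = report ]; then report; fi
```

An `unknown` result only means the kernel exposes no status file for that issue; it is not evidence either way about whether the fix is present.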