Kernel 4.15.*-wip-x* (Full support IBRS/IBPB/LKRG) #17

AndyLavr opened this issue Feb 4, 2018 · 0 comments

AndyLavr commented Feb 4, 2018

WIP Kernel 4.15.*

WIP Patched Kernel Sources (Linux 4.15.*)

  • Full kernel adaptation to version Ubuntu 18.04 LTS Bionic.

  • Full kernel adaptation to build GCC7/GCC8.

GitHub Repo
This kernel is for developers and testers!

Full support:

  • Indirect Branch Restricted Speculation (IBRS)
  • Indirect Branch Prediction Barrier (IBPB)

Add Linux Kernel Runtime Guard (LKRG)

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that
performs runtime integrity checking of the Linux kernel and detection of
security vulnerability exploits against the kernel.

Important security fix:

Recommended: build on the latest GCC 7.3+

Current status of this kernel for the Spectre and Meltdown vulnerabilities

Spectre and Meltdown mitigation detection tool

Checking for vulnerabilities on current system

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
      • Kernel has set the spec_ctrl flag in cpuinfo: NO
    • Indirect Branch Prediction Barrier (IBPB)
      • PRED_CMD MSR is available: YES
      • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: YES
      • CPU indicates STIBP capability: YES
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
    • CPU microcode is known to cause stability problems:
      YES (model 71 stepping 1 ucode 0x1b)

The microcode your CPU is running on is known to cause instability problems,
such as intempestive reboots or random crashes.
You are advised to either revert to a previous microcode version (that might not have
the mitigations for Spectre), or upgrade to a newer one if available.

  • CPU vulnerability to the three speculative execution attacks variants
    • Vulnerable to Variant 1: YES (Enable Mitigation: __user pointer sanitization)
    • Vulnerable to Variant 2: YES (Enable Mitigation: PTI)
    • Vulnerable to Variant 3: YES (Enable Mitigation: Full generic retpoline, IBPB, IBRS_FW)

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'

  • Mitigated according to the /sys interface:
    YES (kernel confirms that the mitigation is active)
  • Kernel has array_index_mask_nospec:
    YES (1 occurence(s) found of 64 bits array_index_mask_nospec())
  • Checking count of LFENCE instructions following a jump in kernel:
    YES (1839 jump-then-lfence instructions found, which is >= 30 (heuristic))

STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

  • Mitigated according to the /sys interface:
    YES (kernel confirms that the mitigation is active)
  • Mitigation 1
    • Kernel is compiled with IBRS/IBPB support: YES
    • Currently enabled features
      • IBRS enabled for Kernel space: NO
      • IBRS enabled for User space: NO
      • IBPB enabled: YES
  • Mitigation 2
    • Kernel compiled with retpoline option: YES
    • Kernel compiled with a retpoline-aware compiler:
      YES (kernel reports full retpoline compilation)
    • Retpoline enabled: YES

STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline, IBPB, IBRS_FW)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'

  • Mitigated according to the /sys interface:
    YES (kernel confirms that the mitigation is active)
  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: YES
  • Performance impact if PTI is enabled
    • CPU supports PCID:
      YES (performance degradation with PTI will be limited)
    • CPU supports INVPCID:
      YES (performance degradation with PTI will be limited)
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (Mitigation: PTI)

This is a mainline Linux kernel distribution with custom settings.
Optimized to take full advantage of high-performance.

Supports all recent 64-bit versions of Debian and Ubuntu-based systems.

Main Features:

  • Tuned CPU for Intel i5/i7/Atom platform.
  • PDS CPU Scheduler & Multi-Queue I/O Block Layer w/ BFQ-MQ for smoothness and responsiveness.
  • Caching, Virtual Memory Manager and CPU Governor Improvements.
  • General-purpose Multitasking Kernel.
  • Built on the latest GCC 7.3
  • DRM Optimized Performance.
  • BBR TCP Congestion Control.
  • Intel CPUFreq (P-State passive mode).
  • ZFS, AUFS, BFQ and Ureadahead support available.

Download and install kernel (DEB packages):

Look at the file date and the build number.

Download packages

Read this before installing

GitHub Repo
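An added example, not code from the issue or from the spectre-meltdown-checker tool whose output is quoted above: a small Python script that performs the same core checks from the kernel's own interfaces, reading /sys/devices/system/cpu/vulnerabilities/* for mitigation state and the /proc/cpuinfo flags line for CPU capability (IBRS/IBPB/STIBP, PCID for PTI cost, retpoline and PTI active). The file format, the flag names (spec_ctrl, ibrs, ibpb, stibp, pcid, invpcid) and the sample contents are assumptions constructed to match a 4.15-era kernel so the script runs offline.

```python
from typing import Dict, Set
# Constructed sample of /sys/devices/system/cpu/vulnerabilities/* contents,
# mirroring the three STATUS lines in the checker output above.
SAMPLE_SYS = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
    "meltdown": "Mitigation: PTI\n",
}
# Constructed sample of /proc/cpuinfo; only the "flags" line is used.
SAMPLE_CPUINFO = ("processor\t: 0\n"
                  "flags\t\t: fpu msr pae pcid invpcid spec_ctrl ibpb ibrs stibp\n")

def parse_cpuinfo_flags(text: str) -> Set[str]:
    """Return the feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()

def parse_sys_vulns(files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Classify each vulnerability file: mitigated / vulnerable / not_affected."""
    out = {}
    for name, content in files.items():
        content = content.strip()
        status = "unknown"
        if content.startswith("Mitigation:"):
            status, content = "mitigated", content[11:].strip()
        elif content.startswith("Vulnerable"):
            status = "vulnerable"
        elif content == "Not affected":
            status = "not_affected"
        out[name] = {"status": status, "detail": content}
    return out

def summarise(sys_files: Dict[str, str], cpuinfo: str) -> Dict[str, bool]:
    """Cross-check CPU capability (cpuinfo) against kernel mitigation state (/sys)."""
    flags = parse_cpuinfo_flags(cpuinfo)
    vulns = parse_sys_vulns(sys_files)
    v2 = vulns.get("spectre_v2", {}).get("detail", "")
    return {
        # Assumed flag names: Intel exposes IBRS/IBPB as spec_ctrl, others as ibrs/ibpb.
        "cpu_ibrs_ibpb": "spec_ctrl" in flags or {"ibrs", "ibpb"} <= flags,
        "cpu_stibp": "stibp" in flags,
        "cpu_pcid": {"pcid", "invpcid"} <= flags,  # keeps the PTI cost limited
        "retpoline_active": "retpoline" in v2.lower(),
        "ibpb_active": "IBPB" in v2.split(", "),
        "pti_active": vulns.get("meltdown", {}).get("detail") == "PTI",
        "all_mitigated": all(v["status"] in ("mitigated", "not_affected") for v in vulns.values()),
    }
```

On a live system, replace the samples with the real file contents: read each file under /sys/devices/system/cpu/vulnerabilities/ into the dict and pass the text of /proc/cpuinfo.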

@AndyLavr AndyLavr changed the title Kernel 4.15.1-wip-x* (Full paranoid support IBRS/IBPB/LKRG) Kernel 4.15.*-wip-x* (Full paranoid support IBRS/IBPB/LKRG) Feb 8, 2018
@AndyLavr AndyLavr changed the title Kernel 4.15.*-wip-x* (Full paranoid support IBRS/IBPB/LKRG) Kernel 4.15.*-wip-x* (Full support IBRS/IBPB/LKRG) Feb 12, 2018