[Security-Discuss] Patching RH Linux Boxes Against new CPU (Meltdown & Spectre)

Weeks, Thomas t.weeks at vt.edu
Thu Jan 11 11:32:48 EST 2018


After applying the new, patched kernels on Red Hat (check other distros for these kernel controls).. 
here are the sysctl tunables to enable/disable the workarounds (could impose a performance hit.. so TEST TEST TEST!)
http://theweeks.org/tmp/FILES/tmp/meltdown-spectre_mitigation_sysctl_switches.png

or:

echo 1 > /sys/kernel/debug/x86/pti_enabled
echo 1 > /sys/kernel/debug/x86/ibpb_enabled
echo 1 > /sys/kernel/debug/x86/ibrs_enabled

  
 Thomas "Tweeks" Weeks
 Director, Technology Futures and Community Advocacy
 Division of Information Technology, Virginia Tech
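
As an added example (not from Tweeks' message or from Red Hat), a small POSIX shell check that reports whether each of the three debugfs switches above exists and is on, so a box can be audited before and after patching instead of blindly echoing into the files. The directory argument is an assumption made so the function can be tested against a constructed tree; on a real host it defaults to /sys/kernel/debug/x86.

```shell
# Added example, not from the thread: audit the RHEL debugfs mitigation
# switches rather than flip them. The DIR argument is assumed so the check
# can run against a constructed tree; the default is the real location.
# debugfs must be mounted for the real files to be visible:
#   mount -t debugfs none /sys/kernel/debug
report_mitigations() {
    dir="${1:-/sys/kernel/debug/x86}"
    missing=0
    disabled=0
    for knob in pti ibpb ibrs; do
        f="$dir/${knob}_enabled"
        if [ ! -r "$f" ]; then
            # No switch file: kernel not patched, or debugfs not mounted.
            echo "$knob: interface missing at $f"
            missing=$((missing + 1))
            continue
        fi
        val=$(cat "$f")
        if [ "$val" = "0" ]; then
            echo "$knob: DISABLED"
            disabled=$((disabled + 1))
        else
            # Any non-zero value means the mitigation is active.
            echo "$knob: enabled ($val)"
        fi
    done
    # Succeed only when all three switches exist and none is off.
    if [ "$missing" -eq 0 ] && [ "$disabled" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Usage on a live host (prints each switch; exit status 0 only when all are on):
#   report_mitigations
```

Newer upstream kernels also expose this state under /sys/devices/system/cpu/vulnerabilities/, which this check does not read.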

-----------------------------

From: Weeks, Thomas
Sent: Thursday, January 11, 2018 11:16 AM
To: security-discuss at lists.rbtc.tech
Subject: Re: [Security-Discuss] Patching RH Linux Boxes Against new CPU (Meltdown & Spectre)
  

Here's the slide deck from the Red Hat webex on this (going on right now):
http://theweeks.org/tmp/FILES/tmp/RHat_Meltdown_and_Spectre_patch_performance_impact_webinar_FINAL.pdf

 Thomas "Tweeks" Weeks
 Director, Technology Futures and Community Advocacy
 Division of Information Technology, Virginia Tech

----------------------------

From: Thomas Tweeks Weeks <tom at theweeks.org>
Sent: Wednesday, January 10, 2018 10:55 PM
To: Shailesh Prajapati
Cc: Weeks, Thomas; security-discuss at lists.rbtc.tech
Subject: Re: [Security-Discuss] Patching RH Linux Boxes Against new CPU (Meltdown & Spectre)
  
That's THE definitive place for more info on the vulnerabilities.. but here's another really great video by my buddies at Red Hat that really break it down:
https://www.youtube.com/watch?v=syAdX44pokE
 
Tweeks
 
 ------------------------------
 
On Wednesday, January 10, 2018 9:58am, "Shailesh Prajapati" <prajapatisk at gmail.com> said:



Thomas,
Thanks for this info. 
I would also recommend folks check this website: https://spectreattack.com/


On Thu, Jan 4, 2018 at 4:03 PM, Weeks, Thomas  <t.weeks at vt.edu> wrote:
 I don't normally send out security announcements.. but this is so huge it demands some extra attention..

Here's a really great security bulletin by a good X-Racker friend of mine (now a security lead at Red Hat) on the big processor/kernel Side-Channel attack vectors (by Meltdown/Spectre).
https://access.redhat.com/security/vulnerabilities/speculativeexecution


If you run Red Hat base distros, stay tuned to the Advisory/Update column of the "Resolve" tab of this super critical security bulletin.


TL;DR
The packages you'll want to watch for updates on are kernel, libvirt and qemu-kvm (as well as kernel-rt and dracut on RHEL7):

Post any of your findings, tips or suggestions here please.. we're all in this one for the long term!


p.s. Invite security friends to both this list:   http://lists.rbtc.tech/mailman/listinfo/security-discuss
and the main [Security-Announce] list:   http://lists.rbtc.tech/mailman/listinfo/security-announce
Both run the mailman email list server, and as such have archives that are google indexed, and thus VERY useful for recalling useful things you can't quite remember.. :)

 T.Weeks
 Thomas "Tweeks" Weeks
 Director, Technology Futures and Community Advocacy
 Division of Information Technology, Virginia Tech
