(Lorenzo "Palinuro" Faletra) #1

we have finally imported the new linux kernel and cpu microcodes :slight_smile:

(alexandros) #2

Very good, bravo

(unknown) #3

I updated dist-upgrade, and rebooted but I’m not seeing the opcodes, when looking at the ./spectre-meltdown-checker.sh I’m still seeing Spectre-Variant 1 (only 23 opcodes found, should be >=70, heuristics to be improved when official patches become available) and for Spectre-Variant 2, I see Mitigation 2 compiled with repoliner option.

(Lorenzo "Palinuro" Faletra) #4

what kernel do you have? if you are on linux 4.14.0-parrot13 (4.14.13) then you already have the maximum level of security provided for the 4.14 branch

for what concerns intel/amd microcodes, well, you have to make sure that the processor was patched, as downloading an updated microcode package is completely useless if this microcode is not submitted to your cpu

(Lorenzo "Palinuro" Faletra) #5

anyways i know what you mean, and the spectre-meltdown-checker tool will give a lot of warnings for a long while, because cpu manufacturers are slow to release the proper patches

my main concerns are about those missing kernel flags, because i took the kernel configurations directly from debian and i kept them almost untouched

we should verify if spectre-meltdown-checker gives the same warnings on a debian testing instance

(unknown) #6

Yea I’m running 4.14.0-parrot13, CVE-2017-5753 opcodes/flags should of been replaced through >=70 from Debian’s kernal updates?

(2600) #7

Hello Folks,

Can anyone here tell me how to reverse the meltdown/spectre security patches ?
I understand the implications and I’m not willing to trade false sense of security for speed (processor performance).

Please, can anybody help me unpatch my kernel ?

Thanks a lot for your support and keep up the good work.

(Lorenzo "Palinuro" Faletra) #8

hello, you don’t really need to reverse-patch the kernel and recompile it

the kernel offers a dedicated flag to disable the page table isolation and gain back all the performance lost after the security update

just add the nopti flag at boot in the grub kernel parameters and have fun being exploited by just visiting a webpage :slight_smile:

closed #10