
A number of ways are listed here [1]

1. With dmesg

dmesg -wH | grep 'page tables isolation'

2. With /proc/cpuinfo

grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"

[1] https://askubuntu.com/questions/992137/how-to-check-that-kpt...



> grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"

That command checks for the "bugs: cpu_insecure" entry in /proc/cpuinfo. However, that line only appears in some of the kernel versions. Recent kernels will have either "cpu_insecure" or "cpu_meltdown" (the name has been changed), while for instance the 3.10 kernel from CentOS 7, which has a backported version of these patches, doesn't even have the "bugs:" field.

And it's that 3.10 kernel which has all the workarounds (both for Spectre and Meltdown), while the more recent kernel has only what's been upstreamed, which so far is only the Meltdown workaround.

It's a mess.


Note that `dmesg` prints from a fixed-size ring buffer, so if your system has significant other output (e.g. if you create and destroy lots of devices or such), it's very possible the boot-time message about page table isolation will have fallen out of the ring buffer.

If you use journald, it by default saves the kernel's ring buffer to disk, so you can use it to check for that message:

sudo journalctl -b -o cat | grep "page table isolation"


Interestingly I get:

    dmesg -H | grep 'page tables isolation'
    [  +0.000000] Kernel/User page tables isolation: enabled

    grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"
    Unpatched!

    cat /proc/cpuinfo | grep pti
    fpu_exception	: yes

    uname -a
    Linux host 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

So page tables isolation seems to be enabled but neither the pti flag nor the cpu_insecure bug is in cpuinfo.

EDIT: Maybe this is because it is a Xen guest. Do I need pti on a Xen guest if the host is fully patched?
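The checks suggested in the comments above (dmesg, /proc/cpuinfo, journalctl) each fail in a different case: the ring buffer rotates, the bugs flag was renamed from cpu_insecure to cpu_meltdown, and some backported kernels have no bugs: field at all. The script below is an added example, not code posted by anyone in this thread, that combines them and reports each indicator separately instead of collapsing everything into "Patched"/"Unpatched!". It also reads /sys/devices/system/cpu/vulnerabilities/meltdown, which the thread does not mention and which only newer kernels (and distro backports) expose. The SAMPLE_* inputs are constructed to mirror the cases discussed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the thread: one script that combines the
# indicators discussed in the comments above and handles the cases they hit.
#   * /proc/cpuinfo may say "cpu_insecure" or "cpu_meltdown", or have no "bugs:" field
#   * the dmesg ring buffer may have rotated, so fall back to journald
#   * newer kernels also expose /sys/devices/system/cpu/vulnerabilities/meltdown
#     (this goes beyond what the thread mentions)
# The parsing functions take text as an argument so they can be run against
# captured output; the SAMPLE_* values below are constructed inputs, not real captures.

# Classify the "bugs:" field of /proc/cpuinfo text.
# Prints one of: flagged | not-flagged | no-bugs-field
cpuinfo_meltdown_status() {
    bugs_line=$(printf '%s\n' "$1" | grep '^bugs' | head -n 1)
    if [ -z "$bugs_line" ]; then
        # e.g. CentOS 7's 3.10 kernel: carries the backport but has no bugs: field,
        # so /proc/cpuinfo cannot tell you either way
        echo no-bugs-field
    elif printf '%s\n' "$bugs_line" | grep -qE 'cpu_insecure|cpu_meltdown'; then
        # the kernel carries the detection patch and considers this CPU affected
        echo flagged
    else
        # either an unpatched kernel or a CPU the kernel treats as unaffected
        echo not-flagged
    fi
}

# Classify the boot-time PTI message (from dmesg or the journal).
# Prints one of: enabled | disabled | no-message
pti_message_status() {
    line=$(printf '%s\n' "$1" | grep 'page tables isolation' | head -n 1)
    case $line in
        '')        echo no-message ;;   # rotated out of the ring buffer, or no PTI patch
        *enabled*) echo enabled ;;
        *)         echo disabled ;;     # e.g. "disabled on command line" (nopti)
    esac
}

# Collect the live indicators. Every source may legitimately be missing, and
# dmesg may need root where kernel.dmesg_restrict=1, so nothing here aborts.
live_report() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    echo "cpuinfo bugs field: $(cpuinfo_meltdown_status "$cpuinfo")"

    # dmesg first; if the message has fallen out of the ring buffer, try the journal
    log=$(dmesg 2>/dev/null | grep 'page tables isolation' || true)
    if [ -z "$log" ] && command -v journalctl >/dev/null 2>&1; then
        log=$(journalctl -b -o cat 2>/dev/null | grep 'page tables isolation' || true)
    fi
    echo "boot message:       $(pti_message_status "$log")"

    # sysfs interface (not mentioned in the thread): "Mitigation: PTI",
    # "Vulnerable" or "Not affected" on kernels that have it
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then
        echo "sysfs meltdown:     $(cat "$sysfs")"
    else
        echo "sysfs meltdown:     (not exposed by this kernel)"
    fi
}

# Constructed sample inputs (not real captures) mirroring the Debian 4.9 output
# quoted in the thread: PTI message present, bugs: field present but empty.
SAMPLE_LOG='[  +0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_CPUINFO='processor       : 0
flags           : fpu vme de pse
bugs            :
fpu_exception   : yes'

# Constructed inputs for the other cases discussed above.
SAMPLE_CPUINFO_FLAGGED='processor       : 0
bugs            : cpu_meltdown'
SAMPLE_CPUINFO_NO_BUGS='processor       : 0
flags           : fpu vme de pse'
SAMPLE_LOG_NOPTI='[    0.000000] Kernel/User page tables isolation: disabled on command line.'

live_report
```

Run it as root (or with dmesg readable) to get all three lines; on the Debian 4.9 case quoted above you would expect "enabled" from the boot message and "not-flagged" from cpuinfo, which is exactly why a single "Patched"/"Unpatched!" verdict is misleading.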


I like

    dmesg -H | grep 'page tables isolation'
better, because dmesg -wH doesn't return and I suppose the 'page tables isolation' appears during boot.


Thanks. So apparently, my system:

  Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)
is unpatched! Is it because of the LTS version? Most servers run this, including mine.


Ubuntu has not released kernel updates for this issue yet.


Ubuntu say they will release a patch on or before the 9th of January.

They got caught out by the embargo being ended early.


Ubuntu’s kernel package updates are pending.

This Ubuntu Wiki page is being updated with relevant information and package updates as they become available:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAn...



