The current Meltdown Intel processor vulnerability is currently remedied by having the page table isolation enabled. There is a question how to turn this off: How to disable Page Table Isolation to regain performance lost due to Intel CPU security hole patch?
My question is opposite: is there a way to check on a running system whether the PTI mechanism is effective on the system and thus the system is protected? I'm specifically looking for cat /proc/something or cat /sys/something, not checking for kernel version or config parameter or the like.
7 Answers
Grepping CONFIG_PAGE_TABLE_ISOLATION in kernel config as Raniz's suggested does not help on desktop Ubuntu, but may help on cloud instances:
grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && \ echo "patched :)" || echo "unpatched :("
You can check with
/proc/cpuinfoas JonasCz suggested:grep -q "cpu_insecure\|cpu_meltdown\|kaiser" /proc/cpuinfo && echo "patched :)" \ || echo "unpatched :("
Or from
dmesg(thanks to Jason Creighton):dmesg | grep -q "Kernel/User page tables isolation: enabled" \ && echo "patched :)" || echo "unpatched :("
You can compile test program from Raphael Carvalho for Meltdown detection:
sudo apt-get install git build-essential cd /tmp git clone cd Am-I-affected-by-Meltdown make sudo sh -c "echo 0 > /proc/sys/kernel/kptr_restrict" ./meltdown-checker
on patched system it should end with output
...
so far so good (i.e. meltdown safe) ...
System not affected (take it with a grain of salt though as false negative
may be reported for specific environments; Please consider running it once again).Check with tool from :
cd /tmp wget sudo sh /tmp/spectre-meltdown-checker.sh
On patched system it should show the following:
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64
...
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)Do not install 4.4.0-108-generic on Xenial! It breaks boot/reboot/shutdown/suspend functionality!
Install 4.4.0-109-generic (see USN-3522-3 for details)!
As Robie Basak already wrote, there is a page about Spectre and Meltdown vulnerabilities status in Ubuntu.
Also there are:
- Ubuntu Security bulletin for CVE-2017-5715
- Ubuntu Security bulletin for CVE-2017-5753
- Ubuntu Security bulletin for CVE-2017-5754
Run the following command :
dmesg | grep 'page tables isolation'If it displays enabled, then PTI is enabled. If nothing is displayed or you see 'disabled' in the terminal, then PTI is disabled. Ubuntu has not published the patch yet, so it won't display any message.
3You can check with cat /proc/cpuinfo, if it reports cpu_insecure under "bugs", then PTI is enabled.
If it's blank (or just does not list cpu_insecure), then most likely you are running a kernel which has not yet been patched (Ubuntu's hasn't), or you have an AMD processor (for which this will forseeably not be enabled, since they're not vulnerable).
Currently all CPUs are treated as vulnerable in the latest 4.15 kernel.
7You can run the command below to see all available mitigations (not only for PTI but also for other vulnerabilities) :
$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling 1 I found this great sh script to test Meltdown/spectre vulnerabilities on your system:
The script check your system to known Meltdown and spectre patchs on your system to tell you if these vulnerabilities are now mitigated by your OS
You can check /proc/config.gz for CONFIG_PAGE_TABLE_ISOLATION=y which means that the kernel was compiled with KPTI.
This is on my patched Arch Linux system running 4.14.11-1:
$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
CONFIG_PAGE_TABLE_ISOLATION=y 3 On my AWS Ubuntu 14.04.5 LTS EC2 instance, I ran
grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-$(uname -r)It should say:
CONFIG_PAGE_TABLE_ISOLATION=yFor update I did:
sudo apt-get update && sudo apt-get install linux-image-genericI think also this is OK:
sudo apt-get update
sudo apt-get dist-upgradeTo check kernel version:
uname -rNeeds to be 3.13.0-139-generic or newer.
1