CPU vulnerability & Spectre - what about Meltdown?

xfce
cpu
spectre-meltdown

#1

Having heard much in the news about the Spectre & Meltdown vulnerabilities in Intel CPUs, I thought I would check two different kernels on a Manjaro-xfce single-boot setup, running on an i7 4710Q CPU (4 cores, 8 threads) in an Asus G750JS machine. This was the resulting output from terminal when I booted into the 4.14 and 4.4 kernels, each in turn:

[mike@G750 ~]$ uname -a
Linux G750 4.14.21-1-MANJARO #1 SMP PREEMPT Fri Feb 23 00:01:40 UTC 2018 x86_64 GNU/Linux
[mike@G750 ~]$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

[mike@G750 ~]$ uname -a
Linux G750 4.4.117-1-MANJARO #1 SMP PREEMPT Thu Feb 22 23:30:31 UTC 2018 x86_64 GNU/Linux
[mike@G750 ~]$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

Interpretation?
Does the output above suggest that kernel 4.14 is safe (“mitigation”), whereas 4.4 has a vulnerability to spectre_v1? Referring to the above terminal output, in simple language what do the following mean: PTI, user pointer sanitization, and full generic retpoline? I’m just thinking of simple definitions that newbies, such as myself, can understand …

What about ‘Meltdown’ - what command can I use to check CPU vulnerability to this?

If 4.4 is vulnerable, does it mean that the single-core laptop (Samsung NP-N145) which is running 4.4 is at risk of crashing? Occasionally, it crashes at boot-up (i.e. black screen with tons of white script on it), though it seems to recover on a reboot; I don’t know if this has anything to do with CPU vulnerability …


#2

Meltdown has been “fixed” for ages (note the " "). That’s what PTI is for.
It stands for Page Table Isolation.
dmesg | grep -i isolation shows whether it’s enabled or not.
It can be disabled manually by booting with nopti boot parameter.

Much more info in the general thread regarding Spectre/Meltdown:

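The check both posts rely on, as an added example that is not part of the thread: a small POSIX shell script that reads the same /sys/devices/system/cpu/vulnerabilities/* files, classifies each as Not affected / Mitigation / Vulnerable, and checks /proc/cmdline for the nopti (or pti=off) parameter mentioned in #2. The sample directory it builds is constructed to mirror the 4.4 output quoted in #1; the function names are the example's own.

```shell
# Added example (not from the thread): read the kernel's per-vulnerability sysfs
# files the way posts #1 and #2 do, and classify each one. Each file holds one line:
# "Not affected", "Vulnerable", or "Mitigation: <name>" (e.g. "Mitigation: PTI").

# classify_status LINE -> NOT_AFFECTED | MITIGATED | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# report_vulns [DIR] -> one line per file: "<name> <STATUS> <raw sysfs text>".
# DIR defaults to the live sysfs directory used in the thread.
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        printf '%s %s %s\n' "$(basename "$f")" "$(classify_status "$raw")" "$raw"
    done
}

# count_vulnerable [DIR] -> how many entries still read "Vulnerable"
count_vulnerable() {
    report_vulns "$1" | awk '$2 == "VULNERABLE"' | wc -l | tr -d ' '
}

# pti_from_cmdline [CMDLINE] -> "disabled" if PTI was switched off at boot with
# nopti (post #2) or pti=off, otherwise "enabled". Defaults to /proc/cmdline.
pti_from_cmdline() {
    cmdline="${1:-$(cat /proc/cmdline 2>/dev/null)}"
    case " $cmdline " in
        *" nopti "* | *" pti=off "*) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Constructed sample reproducing the 4.4 output quoted in post #1 (not a live system).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir); report_vulns "$sample"; rm -rf "$sample"
```

Run `report_vulns` with no argument on a real machine to see the live sysfs entries; `count_vulnerable` is zero only when every entry reads "Not affected" or "Mitigation: ...".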

#3

Closing this one as it has been discussed at length in other threads.


#4