CPU Vulnerabilities clarification.

ipfireuser1
Posts: 12
Joined: November 15th, 2016, 11:01 am

CPU Vulnerabilities clarification.

Post by ipfireuser1 » June 13th, 2019, 3:24 pm

Hi to all,

following Michael's latest post on the IPFire blog
https://blog.ipfire.org/post/32-bit-is- ... ive-32-bit
I switched our IPFire installation from 32bit to 64bit. All went fine, no problems so far.

I looked at the Vulnerabilities page and this is what comes out:
vuln.jpg
Before, on 32bit IPFire, the first 5 entries were red.

Should every entry be blue?

We run IPFire on an Intel(R) Xeon(R) CPU X5355 server.

regards

MichaelTremer
Core Developer
Posts: 5770
Joined: August 11th, 2005, 9:02 am

Re: CPU Vulnerabilities clarification.

Post by MichaelTremer » June 13th, 2019, 8:06 pm

No, this should all be green :) But blue is at least better than red.

Make sure that you have all BIOS updates installed and that should include the latest microcode.
Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


ipfireuser1
Posts: 12
Joined: November 15th, 2016, 11:01 am

Re: CPU Vulnerabilities clarification.

Post by ipfireuser1 » June 13th, 2019, 8:38 pm

Thanks Michael for your answer.

We're running IPFire in a virtual machine environment (VMware ESXi),
so what should I do? Check for VMware updates?

By the way, switching to 64bit architecture was surprisingly "easy", at least for me; I'm quite a noob on Linux and firewalls.
Installing a new 64bit machine and restoring a backup from the old 32bit machine was a flawless process.

regards

MichaelTremer
Core Developer
Posts: 5770
Joined: August 11th, 2005, 9:02 am

Re: CPU Vulnerabilities clarification.

Post by MichaelTremer » June 13th, 2019, 8:39 pm

ipfireuser1 wrote:
June 13th, 2019, 8:38 pm
so what should I do? Check for VMware updates?
*Always* install all the updates.
ipfireuser1 wrote:
June 13th, 2019, 8:38 pm
By the way, switching to 64bit architecture was surprisingly "easy", at least for me; I'm quite a noob on Linux and firewalls.
Installing a new 64bit machine and restoring a backup from the old 32bit machine was a flawless process.
That's how it should be :)

callifo
Posts: 32
Joined: September 30th, 2013, 4:14 pm

Re: CPU Vulnerabilities clarification.

Post by callifo » June 14th, 2019, 2:46 am

So to clarify, two things from the last blog post,

1) 32bit is being stopped? I didn't quite get a sense of whether this was a possibility, or it was actually happening?

2) In 32bit, the vulnerability page doesn't actually detect the vulnerabilities? Mine are all green; I'm running a very very old atom.

I do have plans to move to a new platform in the near future, but realistically there are no good replacements that won't also be vulnerable. The blog post suggested considering AMD, but there are no low power AMD mini PCs, let alone ones with dual NICs on them. That side is a bit disappointing. I could go for another Intel MiniPC but it sounds like it would be more vulnerable than my current setup.

I probably won't move from 32bit to 64bit right now, as I've made enough changes to my IPFire in the backend that I doubt a simple backup/restore would work, so I would prefer having a new system side by side that allows me to cut over slowly.

ipfireuser1
Posts: 12
Joined: November 15th, 2016, 11:01 am

Re: CPU Vulnerabilities clarification.

Post by ipfireuser1 » June 14th, 2019, 6:54 am

Well, I think it's your choice.

Running in a virtual machine environment gave me the chance to test the new installation,
knowing that I always had the "old" installation ready at any moment.

If you have to change to a new system you can do what you said: keep the old system alive while testing the new one.

regards

SuperBigAl
Posts: 18
Joined: August 16th, 2017, 1:52 pm

Re: CPU Vulnerabilities clarification.

Post by SuperBigAl » June 14th, 2019, 8:40 am

Recommendation for tests: I have IPFire installed on a local SSD. But for testing, I have an installation that I run from a USB stick. So I can play around with new versions, see if I can restore the settings from the "hot" machine etc. If I run into trouble, I shut down the machine, pull the USB drive out and start the firewall from its SSD. This saves me from buying two identical pieces of hardware. I really recommend doing this. It's great for those who, like me, are not experienced with Linux and want to change from 32 to 64 bit. You can try it on the USB drive first before touching the real system. Just my 2 cents.

MichaelTremer
Core Developer
Posts: 5770
Joined: August 11th, 2005, 9:02 am

Re: CPU Vulnerabilities clarification.

Post by MichaelTremer » June 14th, 2019, 9:08 am

callifo wrote:
June 14th, 2019, 2:46 am
So to clarify, two things from the last blog post,

1) 32bit is being stopped? I didn't quite get a sense of whether this was a possibility, or it was actually happening?
No, but I wanted to write this article to make clear that it has become a second-class citizen for many people now, including the kernel developers and Intel.
callifo wrote:
June 14th, 2019, 2:46 am
2) In 32bit, the vulnerability page doesn't actually detect the vulnerabilities? Mine are all green; I'm running a very very old atom.
Good for you! Keep it maybe :)
callifo wrote:
June 14th, 2019, 2:46 am
I do have plans to move to a new platform in the near future, but realistically there are no good replacements that won't also be vulnerable. The blog post suggested considering AMD, but there are no low power AMD mini PCs, let alone ones with dual NICs on them. That side is a bit disappointing. I could go for another Intel MiniPC but it sounds like it would be more vulnerable than my current setup.
There are small AMD-based systems around: https://www.lightningwirelabs.com/asset ... iances.pdf

Arne.F
Core Developer
Posts: 8228
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH
Contact:

Re: CPU Vulnerabilities clarification.

Post by Arne.F » June 14th, 2019, 10:37 am

In 32bit, the vulnerability page doesn't actually detect the vulnerabilities? Mine are all green; I'm running a very very old atom.
This is correct. Some older Atom CPUs don't use "speculative execution", so they are not vulnerable to all speculation vulnerabilities.
But if your Atom supports x86_64 (like the Atom D330) you should switch to 64bit anyway, because there are some more security-relevant features missing in the 32bit kernel and the kernel is much better tested.
Arne

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
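
Added example, not part of the thread and not IPFire's own code: a shell sketch that reads the status strings the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities and sorts them into the cases discussed above (not affected, mitigated, vulnerable, or mitigation attempted but microcode missing). The function names and the sample directory are constructed for illustration, and nothing here assumes how the IPFire page maps a status to a colour.

```shell
#!/bin/sh
# Added example: classify the kernel's per-vulnerability status strings.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify STATUS -> not-affected | needs-microcode | vulnerable | mitigated | unknown
classify() {
    s=${1#KVM: }                      # some entries carry a "KVM: " prefix
    case "$s" in
        "Not affected"*)   echo not-affected ;;
        *"no microcode"*)  echo needs-microcode ;;  # mitigation attempted, microcode too old
        "Vulnerable"*)     echo vulnerable ;;
        "Mitigation"*)     echo mitigated ;;
        *)                 echo unknown ;;
    esac
}

# report [DIR]: one "name<TAB>class<TAB>raw status" line per entry in DIR
report() {
    dir=${1:-$VULN_DIR}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "${f##*/}" "$(classify "$status")" "$status"
    done
}

# count_class DIR CLASS: number of entries in DIR that fall into CLASS
count_class() {
    report "$1" | awk -F'\t' -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# make_sample: constructed sample directory (not output from a real host)
make_sample() {
    d=$(mktemp -d)
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: PTE Inversion' > "$d/l1tf"
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown' > "$d/mds"
    echo 'Not affected' > "$d/spec_store_bypass"
    echo "$d"
}

# On a real Linux host, print the live report and the loaded microcode revision.
if [ -d "$VULN_DIR" ]; then
    report
    grep -m1 '^microcode' /proc/cpuinfo || true
fi
```

In a virtual machine the guest sees the microcode revision the hypervisor host has loaded, so a `needs-microcode` entry there points at the host's firmware and hypervisor updates rather than at the guest.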

callifo
Posts: 32
Joined: September 30th, 2013, 4:14 pm

Re: CPU Vulnerabilities clarification.

Post by callifo » June 14th, 2019, 11:50 am

Arne.F wrote:
June 14th, 2019, 10:37 am
In 32bit, the vulnerability page doesn't actually detect the vulnerabilities? Mine are all green; I'm running a very very old atom.
This is correct. Some older Atom CPUs don't use "speculative execution", so they are not vulnerable to all speculation vulnerabilities.
But if your Atom supports x86_64 (like the Atom D330) you should switch to 64bit anyway, because there are some more security-relevant features missing in the 32bit kernel and the kernel is much better tested.
OK, thanks for the clarification. I wasn't sure if what Michael was saying was that 32bit couldn't actually detect the vulnerabilities or something else. The intent is to move to 64bit; I think part of it is nostalgia, this box has been running flawlessly with IPFire on it for more than half a decade :)

callifo
Posts: 32
Joined: September 30th, 2013, 4:14 pm

Re: CPU Vulnerabilities clarification.

Post by callifo » June 14th, 2019, 11:58 am

MichaelTremer wrote:
June 14th, 2019, 9:08 am
callifo wrote:
June 14th, 2019, 2:46 am
I do have plans to move to a new platform in the near future, but realistically there are no good replacements that won't also be vulnerable. The blog post suggested considering AMD, but there are no low power AMD mini PCs, let alone ones with dual NICs on them. That side is a bit disappointing. I could go for another Intel MiniPC but it sounds like it would be more vulnerable than my current setup.
There are small AMD-based systems around: https://www.lightningwirelabs.com/asset ... iances.pdf
Looks nice, any idea where to buy them? The website doesn't seem to have a store, and I'm not in Europe.

DJ-Melo
Posts: 535
Joined: July 8th, 2014, 7:12 am

Re: CPU Vulnerabilities clarification.

Post by DJ-Melo » June 14th, 2019, 12:13 pm


MichaelTremer
Core Developer
Posts: 5770
Joined: August 11th, 2005, 9:02 am

Re: CPU Vulnerabilities clarification.

Post by MichaelTremer » June 14th, 2019, 2:32 pm

DJ-Melo wrote:
June 14th, 2019, 12:13 pm
https://www.lightningwirelabs.com/contact

write a mail to sales
A shop is in the making and we ship worldwide :)
