Talpa and Spectre issue #11

Closed
grandtoubab opened this issue Feb 23, 2018 · 5 comments

@grandtoubab

Hello,
Looking for status on my PC, I found this:

@debian:~$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline - vulnerable module loaded

And looking deeper, based on https://patchwork.kernel.org/patch/10184921/ I found this:

@debian:/sys/devices/system/cpu/vulnerabilities$ journalctl -xb | grep "loading module not compiled with retpoline"
févr. 23 13:06:28 debian kernel: talpa_syscallhook: loading module not compiled with retpoline compiler.
févr. 23 13:06:28 debian kernel: talpa_linux: loading module not compiled with retpoline compiler.
févr. 23 13:06:28 debian kernel: talpa_core: loading module not compiled with retpoline compiler.
févr. 23 13:06:28 debian kernel: talpa_vcdevice: loading module not compiled with retpoline compiler.
févr. 23 13:06:28 debian kernel: talpa_pedevice: loading module not compiled with retpoline compiler.
févr. 23 13:06:28 debian kernel: talpa_pedconnector: loading module not compiled with retpoline compiler.
févr. 23 13:06:28 debian kernel: talpa_vfshook: loading module not compiled with retpoline compiler.
versions - SAV: 9.14.2, Engine: 3.70.2, Data: 5.48
@paperclip

Hi,
I think you need to make sure your build tools (gcc) are up to date, then rebuild talpa.
In SAV you'll need to delete the compiled TBP from $INST/talpa/compiled/

@grandtoubab (Author)

Hello,
Debian security GCC is version 6 (https://www.debian.org/security/2018/dsa-4121),
but my config is:

root@debian:/opt/av-sophos/talpa/override# cat build.options
CC=/usr/bin/x86_64-linux-gnu-gcc-7

So I will use /usr/bin/x86_64-linux-gnu-gcc-6 and rebuild all.

@grandtoubab (Author) commented Feb 24, 2018

I rebuilt all with only gcc6:

root@debian:/opt/av-sophos/talpa/compiled# gcc --version
gcc (Debian 6.4.0-12) 6.4.0 20180123
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
root@debian:/opt/av-sophos/talpa/compiled# 
root@debian:/opt/av-sophos/engine#  ./talpa_select select
[Talpa-select]
Copyright 1989-2018 Sophos Limited. All rights reserved.
Sat Feb 24 13:28:40 2018 GMT
Linux distribution: [debian]
Product: [Debian GNU/Linux stable-updates (sid)]
Kernel: [4.9.0-6-amd64]
Multiprocessor support enabled.
Searching for source pack...
Searching for suitable binary pack...
No suitable binary pack available.
Preparing for build...
Extracting sources...
Configuring build of version 0.9.95...
Building...
Installing binaries...
NOTE: You are running Sophos Anti-Virus on a kernel for which Sophos does not provide binary kernel modules.
 Therefore the kernel modules have been locally compiled. Please see KBA14377 for supported platforms and kernels.
root@debian:/opt/av-sophos/log# systemctl start  sav-protect.service
root@debian:/opt/av-sophos/log# systemctl status  sav-protect.service
● sav-protect.service - "Sophos Anti-Virus daemon"
   Loaded: loaded (/lib/systemd/system/sav-protect.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-02-24 14:32:50 CET; 7s ago
     Docs: man:sav-protect
  Process: 11601 ExecStartPost=/opt/av-sophos/engine/.sav-protect.systemd.poststart.sh (code=exited, status=0/SUCCESS)
  Process: 11521 ExecStartPre=/opt/av-sophos/engine/.sav-protect.systemd.prestart.sh (code=exited, status=0/SUCCESS)
 Main PID: 11600 (savd)
    Tasks: 28 (limit: 4317)
   CGroup: /system.slice/sav-protect.service
           ├─11600 savd etc/savd.cfg
           ├─11669 savscand --incident=unix://tmp/incident --namedscan=unix://root@tmp/namedscansprocessor.0 --ondemandc
           └─11749 savscand --incident=unix://tmp/incident socketpair://51/52 --threads=5

févr. 24 14:32:24 debian systemd[1]: Starting "Sophos Anti-Virus daemon"...
févr. 24 14:32:27 debian savd[11600]: savd.daemon: SAVD-STARTED
févr. 24 14:32:48 debian savd[11600]: savd.daemon: ONACCESS-ENABLED talpa
févr. 24 14:32:50 debian systemd[1]: Started "Sophos Anti-Virus daemon".

root@debian:/opt/av-sophos/log# journalctl -xb | grep retpoline
févr. 24 13:26:26 debian kernel: Spectre V2 : Mitigation: Full AMD retpoline
févr. 24 14:32:29 debian kernel: talpa_syscallhook: loading module not compiled with retpoline compiler.
févr. 24 14:32:29 debian kernel: talpa_linux: loading module not compiled with retpoline compiler.
févr. 24 14:32:29 debian kernel: talpa_core: loading module not compiled with retpoline compiler.
févr. 24 14:32:29 debian kernel: talpa_vcdevice: loading module not compiled with retpoline compiler.
févr. 24 14:32:29 debian kernel: talpa_pedevice: loading module not compiled with retpoline compiler.
févr. 24 14:32:29 debian kernel: talpa_pedconnector: loading module not compiled with retpoline compiler.
févr. 24 14:32:29 debian kernel: talpa_vfshook: loading module not compiled with retpoline compiler.
root@debian:/opt/av-sophos/log

Here is the log file
talpaselect.log

Don't we have to add a CONFIG_RETPOLINE=y somewhere in talpa config as for the kernel itself?

root@debian:/boot# grep CONFIG_RETPOLINE config-4.9.0-6-amd64
CONFIG_RETPOLINE=y
root@debian:/boot# 

@paperclip

I'm afraid I don't know what's going wrong. In general Talpa needs to be compiled with the same compiler as the kernel.
If you are a Sophos customer I suggest raising a support ticket, since then someone will be able to spend time reproducing the problem.

@grandtoubab (Author)

I have to downgrade some tools to the stable Debian version to get the right secure compilation environment, which is gcc-6/stable 6.3.0-18+deb9u1 amd64.

Then I rebuild all:

export CC=/usr/bin/x86_64-linux-gnu-gcc-6
cd /opt/av-sophos
bash autodeploy.sh /opt/av-sophos/talpa-gcc6
cd /opt/av-sophos/talpa-gcc6
cp -v talpa-srcpack.tar.gz /opt/av-sophos/talpa/override
cd /opt/av-sophos/engine
 ./talpa_select select
root@debian:/opt/av-sophos/talpa# cd compiled
root@debian:/opt/av-sophos/talpa/compiled# ls -alrt

-rw------- 1 root root     93474 févr. 28 12:17 talpa-binpack-debian-x86_64-4.9.0-6-amd64-1smpdebian49821deb9u220180221.tar.gz

And Sophos is running with no more retpoline warnings:

root@debian:/# systemctl status sav-protect.service
● sav-protect.service - "Sophos Anti-Virus daemon"
   Loaded: loaded (/lib/systemd/system/sav-protect.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-02-28 12:24:42 CET; 9min ago
     Docs: man:sav-protect
  Process: 11459 ExecStartPost=/opt/av-sophos/engine/.sav-protect.systemd.poststart.sh (code=exited, status=0/SUCCESS)
  Process: 9488 ExecStartPre=/opt/av-sophos/engine/.sav-protect.systemd.prestart.sh (code=exited, status=0/SUCCESS)
 Main PID: 11458 (savd)
    Tasks: 35 (limit: 4317)
   CGroup: /system.slice/sav-protect.service
           ├─11458 savd etc/savd.cfg
           ├─11621 savscand --incident=unix://tmp/incident --namedscan=unix://root@tmp/namedscansprocessor.0 --ondemandc
           └─11929 savscand --incident=unix://tmp/incident socketpair://51/52 --threads=5

févr. 28 12:23:36 debian systemd[1]: Starting "Sophos Anti-Virus daemon"...
févr. 28 12:24:05 debian savd[11458]: savd.daemon: SAVD-STARTED
févr. 28 12:24:42 debian savd[11458]: savd.daemon: ONACCESS-ENABLED talpa
févr. 28 12:24:42 debian systemd[1]: Started "Sophos Anti-Virus daemon".
root@debian:/# journalctl -xb | grep retpoline
févr. 28 12:23:13 debian kernel: Spectre V2 : Mitigation: Full AMD retpoline
root@debian:/#   grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline
root@debian:/# 
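The two signals this thread turns on (paperclip's point that Talpa must be built with the same compiler as the kernel, and the "loading module not compiled with retpoline compiler" journal lines that degrade the spectre_v2 status) can be checked before starting the service. The script below is an added example, not Talpa's or Sophos's code; its sample inputs are constructed to mirror the thread and are not real captures.

```shell
#!/bin/sh
# Added example (not part of Talpa/Sophos). On a live host feed these
# functions /proc/version, "$CC --version", journalctl -kb and
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 instead of the samples.

# "major.minor" of the gcc that built the running kernel, from /proc/version.
kernel_gcc_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*gcc version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}
# "major.minor" from the first line of `gcc --version`
# (e.g. "gcc (Debian 6.4.0-12) 6.4.0 20180123" -> "6.4").
toolchain_gcc_version() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^[^(]*([^)]*) \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}
# Succeeds only when kernel and toolchain report the same major.minor.
same_compiler() {
    [ "$(kernel_gcc_version "$1")" = "$(toolchain_gcc_version "$2")" ]
}
# Names of modules the kernel flagged at load time, one per line.
non_retpoline_modules() {
    printf '%s\n' "$1" | sed -n \
        's/.*kernel: \([A-Za-z0-9_]*\): loading module not compiled with retpoline compiler.*/\1/p'
}
# "ok" | "degraded" | "vulnerable" derived from the spectre_v2 sysfs line.
spectre_v2_state() {
    case "$1" in
        *"vulnerable module loaded"*) echo degraded ;;
        Mitigation:*)                 echo ok ;;
        *)                            echo vulnerable ;;
    esac
}

# Constructed samples: kernel built with gcc 6.3 (as in the thread), a
# gcc 7 toolchain (the first build.options), and two flagged modules.
SAMPLE_PROC_VERSION='Linux version 4.9.0-6-amd64 (constructed) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP'
SAMPLE_GCC_VERSION='gcc (constructed sample) 7.3.0 20180130'
SAMPLE_JOURNAL='Feb 23 13:06:28 debian kernel: talpa_core: loading module not compiled with retpoline compiler.
Feb 23 13:06:28 debian kernel: talpa_vfshook: loading module not compiled with retpoline compiler.'
SAMPLE_SPECTRE_V2='Mitigation: Full AMD retpoline - vulnerable module loaded'

same_compiler "$SAMPLE_PROC_VERSION" "$SAMPLE_GCC_VERSION" \
    && echo "toolchain matches kernel compiler" \
    || echo "rebuild with gcc $(kernel_gcc_version "$SAMPLE_PROC_VERSION")"
echo "spectre_v2: $(spectre_v2_state "$SAMPLE_SPECTRE_V2")"
non_retpoline_modules "$SAMPLE_JOURNAL"
```

With the sample inputs the script reports a compiler mismatch, a degraded spectre_v2 state and the two module names; after the gcc-6 rebuild shown above the journal contains no such lines and the state returns to "ok".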
