Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
spectre-meltdown-checker and microcode (intel i7-6700)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 3939
Location: Bavaria

PostPosted: Sun Jul 04, 2021 12:31 am    Post subject: spectre-meltdown-checker and microcode (intel i7-6700) Reply with quote

Because we had an update of the spectre-meltdown-checker I did a test with:
Code:
# spectre-meltdown-checker --kernel /boot/EFI/Boot/bzImage.efi --config /usr/src/linux/.config --map /usr/src/linux/System.map  --live

and got this information:
Code:
* CPU microcode is the latest known available version:  YES  (latest version is 0xe2 dated 2020/07/14 according to builtin firmwares DB v165.20201021+i20200616)

(0xe2 is correct) and (later) this:
Code:
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)


Now I am confused. Does anybody knows something about this ?


Here is my complete output:
Code:
Spectre and Meltdown mitigation detection tool v0.44

Checking for vulnerabilities on current system
Kernel is Linux 5.10.46-gentoo #2 SMP Wed Jun 30 15:32:12 CEST 2021 x86_64
CPU is Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Microarchitectural Data Sampling
    * VERW instruction is available:  YES  (MD_CLEAR feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO
  * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO):  NO
  * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO):  NO
  * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR):  NO
  * CPU supports Transactional Synchronization Extensions (TSX):  YES  (RTM feature bit)
  * CPU supports Software Guard Extensions (SGX):  YES
  * CPU supports Special Register Buffer Data Sampling (SRBDS):  YES
  * CPU microcode is known to cause stability problems:  NO  (family 0x6 model 0x5e stepping 0x3 ucode 0xea cpuid 0x506e3)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xe2 dated 2020/07/14 according to builtin firmwares DB v165.20201021+i20200616)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES
  * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  YES
  * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  YES
  * Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)):  YES

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
* Kernel has mask_nospec64 (arm64):  NO
* Kernel has array_index_nospec (arm64):  NO
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  YES  (per-thread through prctl)
* SSB mitigation currently active for selected processes:  NO  (no process found using SSB mitigation through prctl)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion
* This system is a host running a hypervisor:  NO
* Mitigation 1 (KVM)
  * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  UNKNOWN  (unrecognized mode)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES
* SMT is either mitigated or disabled:  NO
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES
* SMT is either mitigated or disabled:  NO
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES
* SMT is either mitigated or disabled:  NO
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES
* SMT is either mitigated or disabled:  NO
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* TAA mitigation is supported by kernel:  YES  (found tsx_async_abort in kernel image)
* TAA mitigation enabled and active:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
> STATUS:  NOT VULNERABLE  (Mitigation: Clear CPU buffers; SMT vulnerable)

CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface:  UNKNOWN  (Processor vulnerable)
* This system is a host running a hypervisor:  NO
* iTLB Multihit mitigation is supported by kernel:  YES  (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active:  NO
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Microcode)
* SRBDS mitigation control is supported by the kernel:  YES  (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
* SRBDS mitigation control is enabled and active:  YES  (Mitigation: Microcode)
> STATUS:  UNKNOWN  (Not able to enumerate MSR for SRBDS mitigation control)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:KO CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:??

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
Back to top
View user's profile Send private message
Zucca
Moderator
Moderator


Joined: 14 Jun 2007
Posts: 3309
Location: Rasi, Finland

PostPosted: Mon Jul 05, 2021 7:40 pm    Post subject: Reply with quote

I've always looked at
Code:
lscpu | grep ^Vuln
Apparently this isn't enough?
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote:
I am NaN! I am a man!
Back to top
View user's profile Send private message
disquz
n00b
n00b


Joined: 09 Feb 2019
Posts: 20

PostPosted: Sun Jan 30, 2022 8:54 pm    Post subject: Reply with quote

I have the same problem now.
Hardened everything and installed the newest ("~amd64") intel-microcode but that output still turns red for CVE-2018-3615.

Does anyone have any update on this?

Thanks in advance!
m
Back to top
View user's profile Send private message
figueroa
Advocate
Advocate


Joined: 14 Aug 2005
Posts: 2893
Location: Edge of marsh USA

PostPosted: Mon Jan 31, 2022 5:07 am    Post subject: Reply with quote

Run as root or with sudo. If I run as my user, CVE-2018-3640:KO and CVE-2018-3615:KO are both red. Run with sudo and they are green.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Back to top
View user's profile Send private message
disquz
n00b
n00b


Joined: 09 Feb 2019
Posts: 20

PostPosted: Fri Feb 04, 2022 9:34 am    Post subject: Reply with quote

figueroa wrote:
Run as root or with sudo. If I run as my user, CVE-2018-3640:KO and CVE-2018-3615:KO are both red. Run with sudo and they are green.


I have run it as root exclusively. No change, CVE-2018-3615 remains red.

It states:
Code:
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)
Back to top
View user's profile Send private message
figueroa
Advocate
Advocate


Joined: 14 Aug 2005
Posts: 2893
Location: Edge of marsh USA

PostPosted: Fri Feb 04, 2022 3:28 pm    Post subject: Reply with quote

disquz

Are you USING intel-microcode? It's not activated automatically.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Back to top
View user's profile Send private message
disquz
n00b
n00b


Joined: 09 Feb 2019
Posts: 20

PostPosted: Fri Feb 04, 2022 9:41 pm    Post subject: Reply with quote

figueroa wrote:
disquz

Are you USING intel-microcode? It's not activated automatically.


Sure I am using intel-microcode.

Code:

mars ~ # dmesg | grep micro
[    3.217091] microcode: sig=0x806ea, pf=0x80, revision=0xec
[    3.218411] microcode: Microcode Update Driver: v2.2.


Code:

mars ~ # grep EXTRA /usr/src/linux/.config
CONFIG_EXTRA_FIRMWARE="intel-ucode/06-8e-0a intel/ibt-12-16.sfi intel/ibt-12-16.ddc i915/kbl_dmc_ver1_04.bin iwlwifi-8265-36.ucode regulatory.db regulatory.db.p7s"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
Back to top
View user's profile Send private message
figueroa
Advocate
Advocate


Joined: 14 Aug 2005
Posts: 2893
Location: Edge of marsh USA

PostPosted: Sat Feb 05, 2022 4:14 am    Post subject: Reply with quote

I see what you are doing, using the Kernel method of loading the microcode. I've been manually building /boot/early_ucode.cpio and loading it as a GRUB initrd. In fact, I'm just now experimenting with building the intel-microcode automatically with the initramfs USE flag. Further, I can't comment on your CPU, as I only experience my older one. But, I haven't experienced a recent change.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Back to top
View user's profile Send private message
disquz
n00b
n00b


Joined: 09 Feb 2019
Posts: 20

PostPosted: Sun Feb 06, 2022 2:06 pm    Post subject: Reply with quote

Yeah exactly.

I'm following pietingers hardened gentoo setup (Installation Guide for Pranoid Dummies) , where I boot the stub-kernel directly from UEFI without any boot loader (grub). It's a monolithic kernel with everything builtin, no modules, no initramfs nothing like that.

In case you're interested, here's the guide: https://forums.gentoo.org/viewtopic-t-1112798.html (It's in German but Google Translate can help)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum