
Re: kernel 4.14.15 compilation using GCC 8 in unstable.......



On 26/01/2018 22:37, Michael Lange wrote:
On Fri, 26 Jan 2018 22:19:27 +0530
"tv.debian@googlemail.com" <tv.debian@googlemail.com> wrote:


gcc-7[.2] was really gcc-7.3-rc for a while, and was doing a good job
at enabling Spectre mitigation (as tested by the
spectre-meltdown-checker and /sys/devices/system/cpu/vulnerabilities/*
entries). Now it is really gcc-7.3 and is fully capable.

I have not tested with a 4.14.15 kernel yet, but that should work too
since most (all?) mitigations have been back-ported by now.

I am definitely anything but an expert on this; but with sid's 4.14.15
(which I assumed was compiled with said gcc-7.2) the script here says:

##########################################################
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
   * Indirect Branch Restricted Speculation (IBRS)
     * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't
read /dev/cpu/0/msr, is msr support enabled in your kernel?)
     * CPU indicates IBRS capability:  UNKNOWN  (couldn't
read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
   * Indirect Branch Prediction Barrier (IBPB)
     * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr,
is msr support enabled in your kernel?)
     * CPU indicates IBPB capability:  UNKNOWN  (couldn't
read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
   * Single Thread Indirect Branch Predictors (STIBP)
     * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't
read /dev/cpu/0/msr, is msr support enabled in your kernel?)
     * CPU indicates STIBP capability:  UNKNOWN  (couldn't
read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
   * Enhanced IBRS (IBRS_ALL)
     * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN
(couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
     * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
   * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):
NO
* CPU vulnerability to the three speculative execution attacks variants
   * Vulnerable to Variant 1:  YES
   * Vulnerable to Variant 2:  YES
   * Vulnerable to Variant 3:  NO

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your
system is vulnerable)
STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your
system is vulnerable)
* Mitigation 1
   * Kernel is compiled with IBRS/IBPB support:  NO
   * Currently enabled features
     * IBRS enabled for Kernel space:  NO
     * IBRS enabled for User space:  NO
     * IBPB enabled:  NO
* Mitigation 2
   * Kernel compiled with retpoline option:  YES
   * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports
minimal retpoline compilation)
   * Retpoline enabled:  YES
STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that
your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  UNKNOWN  (dmesg truncated, please reboot and
relaunch this script)
* Running under Xen PV (64 bits):  UNKNOWN  (dmesg truncated, please
reboot and relaunch this script)
STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as
not vulnerable)

A false sense of security is worse than no security at all, see
--disclaimer

#######################################################

I have no idea though if this is due to my hardware, the compiler or the
kernel. Maybe for the fun of it I'll try to compile 4.15rc9 later with
that new gcc-7.3 and see what happens.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

I'm a soldier, not a diplomat.  I can only tell the truth.
		-- Kirk, "Errand of Mercy", stardate 3198.9


Tested with upstream vanilla 4.14.15 compiled with current Sid gcc-7.3, I get a pass for Spectre v2 (full generic retpoline) and Meltdown (a.k.a. "v3").

Spectre v1 is still vulnerable, but that will stay that way for a while.

This is on an Intel Kaby Lake system (my only Intel system at the moment).

PS: apologies for writing the previous message with my feet, it should read "4.14.15 kernel" and NOT "4.4.15", and "now" instead of "no"...
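An added example, not from this thread or from spectre-meltdown-checker: a small POSIX shell helper that classifies the strings the kernel exposes in /sys/devices/system/cpu/vulnerabilities/*, the interface behind the script's "Mitigated according to the /sys interface" lines, so that a "Minimal ... retpoline" build (kernel compiled without a retpoline-aware compiler) is reported as only partially mitigated rather than as a full retpoline. The function names and the sample strings used in the comments are my own constructions, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): interpret the kernel's
# own /sys/devices/system/cpu/vulnerabilities/* entries.  Sample values such
# as "Vulnerable: Minimal AMD ASM retpoline" (partial: retpoline thunks in
# assembly only, compiler lacks retpoline support) and
# "Mitigation: Full generic retpoline" (kernel built with a retpoline-aware
# gcc) are constructed from the strings seen in this thread.

# classify_sysfs_entry NAME VALUE
# Prints one of: mitigated, partial, vulnerable, not_affected, unknown.
classify_sysfs_entry() {
    case "$2" in
        "Not affected"*)         echo not_affected ;;
        "Vulnerable: Minimal"*)  echo partial ;;      # asm-only retpoline
        "Vulnerable"*)           echo vulnerable ;;
        "Mitigation:"*)          echo mitigated ;;
        *)                       echo unknown ;;
    esac
}

# Walk the live sysfs directory (present on kernels that carry the
# vulnerabilities interface, e.g. 4.14.15 / 4.15) and print a one-line
# verdict per entry next to the raw kernel string.
report_live_sysfs() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || { echo "no $dir on this kernel" >&2; return 1; }
    for f in "$dir"/*; do
        name=${f##*/}
        value=$(cat "$f")
        printf '%-12s %-13s %s\n' "$name" \
            "$(classify_sysfs_entry "$name" "$value")" "$value"
    done
}
```

Run `report_live_sysfs` on the host to get the per-CVE verdicts; an exit status of 1 means the running kernel does not expose the interface at all.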

