Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?
On Fri, Feb 23, 2018 at 03:05:18PM +0100, mlnl wrote:
> Hi,
>
> > Can it be true? A version of gcc that runs on stretch that will
> > compile the latest fancy spectre fixes etc?
>
> with latest vanilla kernel 4.15.4 and updated gcc-6:
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface: YES (kernel confirms that
> the mitigation is active)
> * Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64
> bits array_index_mask_nospec())
> > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface: YES (kernel confirms that
> the mitigation is active)
> * Mitigation 1
> * Kernel is compiled with IBRS/IBPB support: NO
> * Currently enabled features
> * IBRS enabled for Kernel space: NO
> * IBRS enabled for User space: NO
> * IBPB enabled: NO
> * Mitigation 2
> * Kernel compiled with retpoline option: YES
> * Kernel compiled with a retpoline-aware compiler: YES (kernel
> reports full retpoline compilation)
> * Retpoline enabled: NO
^^
I get the same result. I wonder why reptoline is disabled.
> > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface: YES (kernel confirms that
> the mitigation is active)
> * Kernel supports Page Table Isolation (PTI): YES
> * PTI enabled and active: YES
> * Running as a Xen PV DomU: NO
> > STATUS: NOT VULNERABLE (Mitigation: PTI)
>
> grep bugs /proc/cpuinfo
> bugs : cpu_meltdown spectre_v1 spectre_v2
> model name : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
>
>
>
> stepping : 3
>
>
>
> microcode : 0x22
>
> --
> mlnl
--
Felipe Salvador
Reply to: