[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Intel-Microcode 20180312 - Meltdown/Spectre

Hi,

under Debian Stretch i have updated the Microcode from Intel
<https://downloadcenter.intel.com/download/27591/Linux-Processor-Microcode-Data-File?v=t>
according to the readme
<http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/unstable_README.Debian>
instructions.

~# dmesg | grep micro
[    0.000000] microcode: microcode updated early to revision 0x24, date
= 2018-01-21
[    0.640195] microcode: sig=0x306c3, pf=0x2, revision=0x24
[    0.640313] microcode: Microcode Update Driver: v2.2.

With a vanilla kernel compiled with Meltdown/Spectre
mitigations, i get with spectre-meltdown-checker v0.35:

Kernel is Linux 4.15.8-vanilla1 #1 SMP Sat Mar 10 18:53:16 CET 2018 x86_64
CPU is Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: YES
    * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: YES
    * CPU indicates STIBP capability: YES
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU microcode is known to cause stability problems: NO (model 60
stepping 3 ucode 0x24)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that
the mitigation is active)
* Kernel has array_index_mask_nospec: YES (1 occurence(s) found of 64
bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that
the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: NO
  * Currently enabled features
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * IBPB enabled: NO
* Mitigation 2
  * Kernel compiled with retpoline option: YES
  * Kernel compiled with a retpoline-aware compiler: YES (kernel reports
full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline, IBPB)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that
the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)

~# cat /poc/cpuinfo | grep flags
flags: ... ibpb ibrs stibp ...

No problems or performance losses so far.

-- 
mlnl
Reply to: