4.15.0-1-MANJARO installed and SPECTRE still NOT SOLVED


Here my results from spectre-meltdown-checker

sudo sh spectre-meltdown-checker.sh
[sudo] password for user:
Spectre and Meltdown mitigation detection tool v0.33+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-1-MANJARO #1 SMP PREEMPT Sun Jan 21 07:58:15 UTC 2018 x86_64
CPU is AMD FX™-8350 Eight-Core Processor

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: NO
      • CPU indicates IBRS capability: NO
    • Indirect Branch Prediction Barrier (IBPB)
      • PRED_CMD MSR is available: NO
      • CPU indicates IBPB capability: NO
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: NO
      • CPU indicates STIBP capability: NO
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
    • CPU microcode is known to cause stability problems: NO
  • CPU vulnerability to the three speculative execution attacks variants
    • Vulnerable to Variant 1: YES
    • Vulnerable to Variant 2: YES
    • Vulnerable to Variant 3: NO

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’

  • Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)


CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’

  • Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
  • Mitigation 1
    • Kernel is compiled with IBRS/IBPB support: NO
    • Currently enabled features
      • IBRS enabled for Kernel space: NO
      • IBRS enabled for User space: NO
      • IBPB enabled: NO
  • Mitigation 2
    • Kernel compiled with retpoline option: YES
    • Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
    • Retpoline enabled: YES

STATUS: VULNERABLE (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’

  • Mitigated according to the /sys interface: YES (kernel confirms that your CPU is unaffected)
  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: NO
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer


Spectre patches are still in development and it will take some time until everything’s fine.
Also depends on patched GCC.
For the rest, please look here:

Don’t panic!


To better manage your expectations Spectre is a catastrophic hardware design flaw that will never be properly “solved” via software patches.

A brand new CPU design is the only real solution to this cluster****.

Certain identified variants and attack vectors can be mitigated against, once discovered, but any company that raises a “Mission Accomplished” flag is lying through their teeth.


Design or “design”, that is the question.


This. When gcc gets updated to 7.3 in manjaro you’ll have full spectre v2 mitigation.

grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

^ This is with gcc 7.3.0-1 and linux 4.15.0
Spectre v1 remains an issue at large.


I assume there will be LTS kernel backports?

The Chinese do it, the Russians do it, probably should assume the Yanks do it also.


AFAIK KPTI was backported, spectre v1 is work in progress and v2 is reliant on compiler being patched too.


This must be solved by the CPU manufacturers.