4.15.0-1-MANJARO installed and SPECTRE still NOT SOLVED


#1

Here my results from spectre-meltdown-checker

sudo sh spectre-meltdown-checker.sh
[sudo] password for user:
Spectre and Meltdown mitigation detection tool v0.33+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-1-MANJARO #1 SMP PREEMPT Sun Jan 21 07:58:15 UTC 2018 x86_64
CPU is AMD FX™-8350 Eight-Core Processor

Hardware check

  • Hardware support (CPU microcode) for mitigation techniques
    • Indirect Branch Restricted Speculation (IBRS)
      • SPEC_CTRL MSR is available: NO
      • CPU indicates IBRS capability: NO
    • Indirect Branch Prediction Barrier (IBPB)
      • PRED_CMD MSR is available: NO
      • CPU indicates IBPB capability: NO
    • Single Thread Indirect Branch Predictors (STIBP)
      • SPEC_CTRL MSR is available: NO
      • CPU indicates STIBP capability: NO
    • Enhanced IBRS (IBRS_ALL)
      • CPU indicates ARCH_CAPABILITIES MSR availability: NO
      • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
    • CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
    • CPU microcode is known to cause stability problems: NO
  • CPU vulnerability to the three speculative execution attacks variants
    • Vulnerable to Variant 1: YES
    • Vulnerable to Variant 2: YES
    • Vulnerable to Variant 3: NO

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’

  • Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)

STATUS: VULNERABLE (Vulnerable)

CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’

  • Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
  • Mitigation 1
    • Kernel is compiled with IBRS/IBPB support: NO
    • Currently enabled features
      • IBRS enabled for Kernel space: NO
      • IBRS enabled for User space: NO
      • IBPB enabled: NO
  • Mitigation 2
    • Kernel compiled with retpoline option: YES
    • Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
    • Retpoline enabled: YES

STATUS: VULNERABLE (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’

  • Mitigated according to the /sys interface: YES (kernel confirms that your CPU is unaffected)
  • Kernel supports Page Table Isolation (PTI): YES
  • PTI enabled and active: NO
  • Running as a Xen PV DomU: NO

STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer


#2

Spectre patches are still in development, and it will take some time until everything’s fine.
It also depends on a patched GCC.
For the rest, please look here:

Don’t panic!


#3

To better manage your expectations Spectre is a catastrophic hardware design flaw that will never be properly “solved” via software patches.

A brand new CPU design is the only real solution to this cluster****.

Certain identified variants and attack vectors can be mitigated against, once discovered, but any company that raises a “Mission Accomplished” flag is lying through their teeth.


#4

Design or “design”, that is the question.


#5

This. When gcc gets updated to 7.3 in Manjaro, you’ll have full Spectre v2 mitigation.

grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

^ This is with gcc 7.3.0-1 and linux 4.15.0
Spectre v1 remains an issue at large.
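As an added example, not code posted by anyone in this thread: a POSIX shell script that classifies the /sys/devices/system/cpu/vulnerabilities files the grep above reads (telling "Mitigation: Full generic retpoline" apart from the "Vulnerable: Minimal AMD ASM retpoline" seen in #1), and probes whether the installed compiler accepts the -mindirect-branch=thunk-extern -mindirect-branch-register flags that the 4.15 kernel Makefile tests with cc-option before it decides which of the two retpoline variants it can build. VULN_DIR, classify_status, report_dir, cc_has_retpoline and make_sample_dir are names assumed here; the sample directory is constructed to mirror the AMD result in #1 and is only used when the real sysfs directory is absent.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's speculative
# execution status files and check the toolchain for retpoline support.

# Real sysfs path; VULN_DIR is an assumed variable name so the report can be
# pointed at a sample directory for offline use.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_status "<file contents>" -> unaffected|mitigated|partial|vulnerable|unknown
# "Vulnerable: Minimal ..." is what 4.15 prints when CONFIG_RETPOLINE=y but the
# compiler lacked the retpoline flags, so the order of the patterns matters.
classify_status() {
    case "$1" in
        "Not affected")           echo unaffected ;;
        "Mitigation: "*)          echo mitigated ;;
        "Vulnerable: Minimal "*)  echo partial ;;
        "Vulnerable"*)            echo vulnerable ;;
        *)                        echo unknown ;;
    esac
}

# report_dir <dir>: one "name<TAB>class<TAB>raw" line per status file.
report_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$raw")" "$raw"
    done
}

# cc_has_retpoline [cc]: exit 0 if the compiler accepts the flags the kernel
# probes via cc-option for CONFIG_RETPOLINE, 1 if not, 2 if no compiler found.
cc_has_retpoline() {
    cc=${1:-cc}
    command -v "$cc" >/dev/null 2>&1 || return 2
    printf 'int main(void){return 0;}\n' |
        "$cc" -x c -mindirect-branch=thunk-extern -mindirect-branch-register \
              -c -o /dev/null - >/dev/null 2>&1
}

# make_sample_dir: constructed sample (not real sysfs output) reproducing the
# AMD FX result from #1: Meltdown unaffected, v1 unmitigated, v2 minimal only.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n'                          > "$d/meltdown"
    printf 'Vulnerable\n'                            > "$d/spectre_v1"
    printf 'Vulnerable: Minimal AMD ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR"
else
    echo "no $VULN_DIR, using constructed sample:"
    report_dir "$(make_sample_dir)"
fi

if cc_has_retpoline "${CC:-cc}"; then
    echo "compiler accepts retpoline flags: a kernel built with it reports a Full retpoline"
else
    echo "compiler lacks -mindirect-branch: the kernel build falls back to a Minimal ASM retpoline"
fi
```

Run it as an ordinary user; reading the vulnerabilities files needs no root, and the compiler probe tells you whether rebuilding the kernel (or waiting for the distro's rebuild) will actually move spectre_v2 from "Minimal" to "Full".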


#6

I assume there will be LTS kernel backports?

The Chinese do it, the Russians do it, probably should assume the Yanks do it also.


#7

AFAIK KPTI was backported, Spectre v1 is work in progress, and v2 is reliant on the compiler being patched too.


#8

This must be solved by the CPU manufacturers.


#9