Kernel 6.9 now vulnerable due to CONFIG_RETPOLINE

I’ve just updated Manjaro to Kernel 6.9 and spectre-meltdown-checker now detects that the kernel is not safe anymore (that was not the case with kernel 6.8):

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: always-on; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  UNKNOWN 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  NO 
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

> How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.

> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under a hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix.

> How to fix: Your kernel is not compiled with retpoline support, so you need to either upgrade your kernel (if you're using a distro) or recompile your kernel with the CONFIG_RETPOLINE option enabled. You also need to compile your kernel with a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware).

Is that correct? Any chance it will get fixed? Anything I can do?


That tool is outdated. The new value is this: CONFIG_MITIGATION_RETPOLINE. See also here: config · master · Packages / Core / linux69 · GitLab
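Since the symbol was only renamed (the mitigation itself is still built in, as the /sys line in the first post shows), the check can be done by hand. The script below is an added example, not part of this thread and not code from the spectre-meltdown-checker project: it looks for either the pre-6.9 CONFIG_RETPOLINE or the 6.9 CONFIG_MITIGATION_RETPOLINE in the running kernel's config and prints the kernel's own Spectre v2 verdict from sysfs. The sample config it writes is constructed for illustration, not a real Manjaro config.

```shell
#!/bin/sh
# Added example (not from the thread or the spectre-meltdown-checker project).
# Accepts both the pre-6.9 symbol CONFIG_RETPOLINE and the 6.9 symbol
# CONFIG_MITIGATION_RETPOLINE, so a 6.9 kernel is not reported as lacking retpolines.

# Print "yes" if the given kernel config file enables retpolines under either
# symbol name, "no" otherwise. Handles plain files and gzip-compressed configs.
retpoline_enabled_in_config() {
    cfg="$1"
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" 2>/dev/null | grep -Eq '^CONFIG_(MITIGATION_)?RETPOLINE=y$'; then
        echo yes
    else
        echo no
    fi
}

# Locate the config of the running kernel: /proc/config.gz when CONFIG_IKCONFIG_PROC
# is enabled, otherwise the distro-installed /boot/config-<release> file.
find_running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# The kernel's own verdict for Spectre v2; this is the source the checker's
# "Mitigated according to the /sys interface" line reads from.
spectre_v2_sysfs_status() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then cat "$f"; else echo "sysfs interface not available"; fi
}

# Constructed sample (not a real distro config): a 6.9-style config that a check
# grepping only for CONFIG_RETPOLINE would wrongly classify as unmitigated.
sample_69_config() {
    tmp=$(mktemp)
    printf '%s\n' '# Linux/x86 6.9.0 Kernel Configuration (constructed sample)' \
        'CONFIG_MITIGATION_RETPOLINE=y' > "$tmp"
    echo "$tmp"
}

main() {
    if cfg=$(find_running_kernel_config); then
        printf 'config: %s\nretpoline compiled in: %s\n' \
            "$cfg" "$(retpoline_enabled_in_config "$cfg")"
    else
        echo "no readable kernel config found for $(uname -r)"
    fi
    printf 'sysfs spectre_v2: %s\n' "$(spectre_v2_sysfs_status)"
    printf 'constructed 6.9 sample: %s\n' \
        "$(retpoline_enabled_in_config "$(sample_69_config)")"
}

main
```

Run it as a regular user; it only reads /proc, /boot and /sys. On a 6.9 kernel built with retpolines it reports "retpoline compiled in: yes", and the sysfs line should still begin with "Mitigation: Retpolines", matching the /sys line the checker itself prints before reaching its outdated config-symbol test.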

Thanks! Is there a newer tool doing the same? Can I teach this tool to reinterpret the value?

See here: False positive for CVE-2017-5715 on linux 6.9, retpoline not recognized · Issue #490 · speed47/spectre-meltdown-checker · GitHub. That tool had seen its last commit on Feb 15, 2024 and its last release on Jul 26, 2023. So I wonder how trustworthy it is …


Wow, thanks for the replies and info! Actually this tool detected a new CPU vulnerability a couple of months ago. Maybe there just weren’t major new ones.
In any case, if you happen to know a tool which does something similar, I’d be interested to know :slight_smile: