What is current status on firmware vulnerability mitigations?

I don’t know how to keep up to date on this.
I think manjaro-firmware was replaced by linux-firmware.
So you should uninstall manjaro-firmware and install linux-firmware, but it should already be that way if you have properly maintained your system.

Then there is also another foreign package from AUR called spectre-meltdown-checker
https://aur.archlinux.org/packages/spectre-meltdown-checker

Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability/mitigation checker

I don’t know if linux-firmware already does everything which this AUR package does. Is it best to uninstall that AUR package if you have it? I don’t remember how I ended up installing it but I know it’s a popular package, I’ve seen many people here writing that they have it.

Lastly I wonder how to keep up to date on this firmware stuff going forward.
Is there a list of which vulnerabilities linux-firmware protects against and which vulnerabilities there are no mitigations against?

linux-firmware brings a few patches, the linked package checks if they are activated/applied.

Spectre-meltdown checker still works, but has not been updated for a long time.
An easy way to check is to use inxi.
To sum up: almost everything is patched. If your system is up to date, that is. Kernel and firmware.

1 Like

That is just a script to assess and report the system's vulnerability in relation to those various exploits.

linux-firmware (or any other firmware package) … provides firmware files. They don't make you more or less vulnerable to those exploits, and none of the firmware packages provide any checker script.

Should you keep the spectre-meltdown-checker package?

Only if you want to check on the status of your spectre+ vulnerability from time to time.

3 Likes

Further to @cscs's reply, according to Linux firmware - Gentoo wiki:

Linux firmware is a package distributed alongside the Linux kernel that contains firmware binary blobs necessary for partial or full functionality of certain hardware devices. These binary blobs are usually proprietary because some hardware manufacturers do not release source code necessary to build the firmware itself.

Modern graphics cards from AMD and NVIDIA almost certainly require binary blobs to be loaded for the hardware to operate correctly.

Starting at Broxton (a Skylake-based micro-architecture) Intel CPUs require binary blobs for additional low-power idle states (DMC), graphics workload scheduling on the various graphics parallel engines (GuC), and offloading some media functions from the CPU to GPU (HuC).[1]

Additionally, modern Intel Wi-Fi chipsets almost always require blobs.[2]

So, basically, the linux-firmware package contains closed-source drivers plus some other stuff.

You can check what firmware is loaded on your system by running the command:

run0 dmesg | grep -i firmware

or

sudo dmesg | grep -i firmware

Running one of the above commands on my system shows Spectre mitigation as the first entry:

run0 dmesg | grep -i firmware 
[    0.125031] Spectre V2 : Enabling Restricted Speculation for firmware calls
[    0.335745] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored
[    0.358389] acpi PNP0A08:00: [Firmware Info]: ECAM [mem 0xf0000000-0xf7ffffff] for domain 0000 [bus 00-7f] only partially covers this bridge
[    2.561485] [drm] Loading DMUB firmware via PSP: version=0x0101002B
[    2.561877] [drm] Found VCN firmware Version ENC: 1.24 DEC: 8 VEP: 0 Revision: 3
[    4.511651] systemd[1]: Clear Stale Hibernate Storage Info was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67).
[    4.942583] iwlwifi 0000:02:00.0: loaded firmware version 77.0b4c06ad.0 cc-a0-77.ucode op_mode iwlmvm
[    4.951735] Bluetooth: hci0: Found device firmware: intel/ibt-20-1-3.sfi
[    4.951746] Bluetooth: hci0: Firmware Version: 132-3.24
[    4.951748] Bluetooth: hci0: Firmware already loaded

And, as @teo mentioned, running inxi also will show the status of Spectre mitigation. Here’s the relevant part of the output of inxi -Farz on my machine:

Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: mmio_stale_data status: Not affected
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow mitigation: Safe RET
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW;
    STIBP: always-on; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not
    affected
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected

2 Likes

spectre-meltdown-checker was only ever really intended to be a … checker script.

inxi will use it if present.

But the real use is … just running the script.

$ sudo spectre-meltdown-checker

Spectre and Meltdown mitigation detection tool v0.46

Checking for vulnerabilities on current system
Kernel is Linux 6.12.5-2-MANJARO #1 SMP PREEMPT_DYNAMIC Sun, 15 Dec 2024 16:12:43 +0000 x86_64
CPU is AMD Ryzen 5 5600U with Radeon Graphics

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (IBRS_SUPPORT feature bit)
    * CPU indicates preferring IBRS always-on:  NO 
    * CPU indicates preferring IBRS over retpoline:  YES 
  * Indirect Branch Prediction Barrier (IBPB)
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (AMD STIBP feature bit)
    * CPU indicates preferring STIBP always-on:  YES 
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (AMD SSBD in SPEC_CTRL)
  * L1 data cache invalidation
    * CPU indicates L1D flush capability:  NO 
  * CPU supports Transactional Synchronization Extensions (TSX):  NO 
  * CPU supports Software Guard Extensions (SGX):  NO 
  * CPU supports Special Register Buffer Data Sampling (SRBDS):  NO 
  * CPU microcode is known to fix Zenbleed:  NO 
  * CPU microcode is known to cause stability problems:  NO  (family 0x19 model 0x50 stepping 0x0 ucode 0xa500011 cpuid 0xa50f00)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xa50000d dated 2021/10/14 according to builtin firmwares DB v271+i20230614)
* CPU vulnerability to the speculative execution attack variants
  * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO 
  * Affected by CVE-2018-3640 (Variant 3a, rogue system register read):  NO 
  * Affected by CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO 
  * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO 
  * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO 
  * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  NO 
  * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  NO 
  * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  NO 
  * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  NO 
  * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  NO 
  * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  NO 
  * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)):  NO 
  * Affected by CVE-2023-20593 (Zenbleed, cross-process information leak):  NO 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
* Kernel has array_index_nospec (arm64):  NO 
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 25 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

[...]

But that's all it does.

Report.

It does not make anything more or less vulnerable, it provides no fixes or mitigations, it only reports vulnerability in relation to spectre, meltdown, etc.

3 Likes
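
The vulnerability names in the inxi output above, and the "Mitigated according to the /sys interface" line in the spectre-meltdown-checker output, correspond to files the kernel exposes under /sys/devices/system/cpu/vulnerabilities. As an added example (not posted by anyone in this thread), the script below reads that directory directly and flags entries the kernel reports as vulnerable, only partly mitigated, or unknown. The function names, class labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's per-vulnerability status files.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "STATUS LINE" -> not_affected | mitigated | partial | vulnerable | unknown
# "partial" = a mitigation is active but the kernel still flags a sub-part,
# e.g. "Mitigation: Clear CPU buffers; SMT vulnerable".
classify_status() {
    case "$1" in
        "Not affected"*)                  echo not_affected ;;
        Mitigation*[Vv]ulnerable*)        echo partial ;;
        "KVM: Mitigation"*[Vv]ulnerable*) echo partial ;;
        Mitigation*|"KVM: Mitigation"*)   echo mitigated ;;
        *[Vv]ulnerable*)                  echo vulnerable ;;
        *)                                echo unknown ;;
    esac
}

# vuln_report [DIR] -> prints "name<TAB>class<TAB>raw status" per file.
# Exit status: 0 all not_affected/mitigated, 1 anything else, 2 DIR missing.
vuln_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        st=$(cat "$f" 2>/dev/null) || st=""
        class=$(classify_status "$st")
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$st"
        case "$class" in not_affected|mitigated) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample tree (not taken from a real machine) for offline runs.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'Not affected\n'                                  > "$d/meltdown"
    printf 'Mitigation: Safe RET\n'                          > "$d/spec_rstack_overflow"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    printf 'Vulnerable\n'                                    > "$d/retbleed"
    echo "$d"
}

# "--live" reads the running kernel; "--sample" uses the constructed tree.
case "${1:-}" in
    --live)   vuln_report ;;
    --sample) s=$(make_sample) && vuln_report "$s"; rm -rf "$s" ;;
esac
```

The non-zero exit status makes the script usable from a cron job or post-upgrade hook, so a kernel or microcode update that changes a status line is noticed without rereading the full report.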
