IMO
You first need to provide the source for your spectre-meltdown checker;
like any app of this type, it's important to understand how it works
and its limitations, possibly leading to false positives or
ineffectiveness.

Personally, I prefer the following. It was one of the first tools
available and the author seems to be reasonably conscientious about
keeping his tool up to date. It also doesn't hurt that it's open
source and he describes what his tool does.

https://github.com/speed47/spectre-meltdown-checker

As for Spectre and Meltdown specifically...
It's my understanding that openSUSE installs microcode patches during
every bootup including Spectre and Meltdown mitigations. I don't know
if simply booting an updated machine is sufficient to address the
specific vulnerability you want to patch but in part that is what the
vulnerability checker is supposed to tell you.

Note also that regarding Meltdown and Spectre (more importantly the
latter), the best first step to address these vulnerabilities is to be
using a CPU shipped sometime between February 2018 and today, only
those processors can be patched "properly." Once patched, it's my
understanding that Meltdown and Spectre just won't work. Any earlier
CPU cannot be properly patched; the only thing that can be done is to
mitigate by blocking attack vectors as they are discovered.

HTH and that is the best of my understanding,
Tony

On Sun, Apr 14, 2019 at 9:02 PM PGNet Dev <[email protected]> wrote:
>
> Following along at
>
>         CVE-2018-3646 Common Vulnerabilities and Exposures
>          https://www.suse.com/security/cve/CVE-2018-3646/
>
> &
>
>         Security Vulnerability: Spectre Variant 4 (Speculative Store Bypass) aka CVE-2018-3639.
>          https://www.suse.com/support/kb/doc/?id=7022937
>
> piecing together a number of other posts, and noting
>
>         https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00073.html
>
>                 An update that solves 9 vulnerabilities and has four fixes
>                 is now available. This update for xen fixes the following issues:
>
>                 Update to Xen 4.10.2 bug fix release (bsc#1027519).
>                 ...
>                 - CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107)
>
> which references,
>
>         Bug 1091107 - VUL-0: CVE-2018-3646: xen: L1 Terminal Fault -VMM (XSA-273)
>          https://bugzilla.suse.com/show_bug.cgi?id=1091107
>         ==> Status: RESOLVED FIXED
>
> on
>
>         uname -rm
>                 5.0.7-lp150.5.g012b5f1-default x86_64
>
>         lsb_release -rd
>                 Description:    openSUSE Leap 15.0
>                 Release:        15.0
>
>         grep "model name" /proc/cpuinfo | head -n 1
>                 model name      : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
>
> booting a Xen Dom0 host,
>
>         dmesg | grep -i "xen version"
>                 [    1.188399] Xen version: 4.12.0_09-lp150.640 (preserve-AD)
>
>
> In my grub cfg,
>
>         GRUB_CMDLINE_LINUX_XEN_REPLACE="... spectre_v2=retpoline,generic spec_store_bypass_disable=on ..."
>         GRUB_CMDLINE_XEN="... spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true ucode=scan ..."
>
>
> after grub re-config & mkinitrd, then reboot,
>
> per
>
>         Updating microcode in Xen environments
>          https://www.suse.com/support/kb/doc/?id=7022546
>
> verifying,
>
>         egrep "family|model|stepping" /proc/cpuinfo -m 4
>                 cpu family      : 6
>                 model           : 60
>                 model name      : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
>                 stepping        : 3
>
> in hex,
>
>         [cpu family]-[model]-[stepping] === 06-3C-03
>
>         rpm -qa | grep -i ucode-intel
>                 ucode-intel-20190312-lp150.3.1.x86_64
>
>         rpm -ql ucode-intel | grep -i 06-3C-03
>                 /lib/firmware/intel-ucode/06-3c-03
>
>         lsinitrd /boot/initrd-5.0.7-lp150.5.g012b5f1-default
>                 Image: /boot/initrd-5.0.7-lp150.5.g012b5f1-default: 18M
>                 ========================================================================
>                 Early CPIO image
>                 ========================================================================
>                 drwxr-xr-x   3 root     root            0 Apr 14 20:15 .
>                 -rw-r--r--   1 root     root            2 Apr 14 20:15 early_cpio
>                 drwxr-xr-x   3 root     root            0 Apr 14 20:15 kernel
>                 drwxr-xr-x   3 root     root            0 Apr 14 20:15 kernel/x86
>                 drwxr-xr-x   2 root     root            0 Apr 14 20:15 kernel/x86/microcode
>                 -rw-r--r--   1 root     root        23552 Apr 14 20:15 kernel/x86/microcode/GenuineIntel.bin
>                 ========================================================================
>                 Version: dracut-044-lp150.14.27.1
>
>         grep -m1 microcode /proc/cpuinfo
>                 microcode       : 0x25
>
>
> in serial log
>
>         (XEN) [00000027c847dc37] Xen version 4.12.0_09-lp150.640 ([email protected]) (gcc (SUSE Linux) 8.3.1 20190305 [gcc-8-branch revision 269383]) debug=n  Thu Apr 11 22:29:39 UTC 2019
>         (XEN) [00000027cb3e1267] Latest ChangeSet:
>         (XEN) [00000027cbff3231] Bootloader: EFI
>         (XEN) [00000027ccb72e3d] Command line: dom0_mem=4016M,max:4096M bootscrub=false dom0_max_vcpus=4 spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true com1=115200,8n1,pci console=com1,vga console_timestamps console_to_ring conring_size=64 sched=credit2 reboot=acpi ucode=scan log_buf_len=16M loglvl=warning guest_loglvl=none/warning noreboot=false iommu=verbose
>         ...
>         (XEN) [00000028c099c50b] Speculative mitigation facilities:
>         (XEN) [00000028c19f6e50]   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
>         (XEN) [00000028c2f57689]   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
>         (XEN) [00000028c445abaf]   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
>         (XEN) [00000028c61da08b]   L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 39, Safe address 8000000000
>         (XEN) [00000028c7f67494]   Support for HVM VMs: MSR_SPEC_CTRL RSB EAGER_FPU
>         (XEN) [00000028c94630dc]   Support for PV VMs: MSR_SPEC_CTRL RSB EAGER_FPU
>         (XEN) [00000028ca92b21c]   XPTI (64-bit PV only): Dom0 enabled, DomU enabled (with PCID)
>         (XEN) [00000028cc1cfa07]   PV L1TF shadowing: Dom0 enabled, DomU enabled
>
> then,
>
>         cd /sys/devices/system/cpu/vulnerabilities/
>         for f in $(ls); do echo -e "\n$f"; cat $f; done
>
>                 l1tf
>                 Mitigation: PTE Inversion
>
>                 meltdown
>                 Unknown (XEN PV detected, hypervisor mitigation required)
>
>                 spec_store_bypass
>                 Mitigation: Speculative Store Bypass disabled
>
>                 spectre_v1
>                 Mitigation: __user pointer sanitization
>
>                 spectre_v2
>                 Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
>
>
> BUT, checking with
>
>         spectre-meltdown-checker.sh
>
> still returns "STATUS: VULNERABLE",
>
>         ...
>         CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
>         * Information from the /sys interface:
>         * This system is a host running an hypervisor:  YES
>         * Mitigation 1 (KVM)
>           * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
>         * Mitigation 2
>           * L1D flush is supported by kernel:  YES  (found flush_l1d in kernel image)
>           * L1D flush enabled:  UNKNOWN  (unrecognized mode)
>           * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
>           * Hyper-Threading (SMT) is enabled:  YES
>         > STATUS:  VULNERABLE  (disable EPT or enabled L1D flushing to mitigate the vulnerability)
>         ...
>
>
> Since I'm on Xen, 'Mitigation 1' isn't an option.
>
> Two things catch my attention:
>
>         (1) L1D flush enabled:  UNKNOWN  (unrecognized mode)
>
> Not sure yet why I'm seeing UNKNOWN here,
>
> &
>
>         (2) Hardware-backed L1D flush supported:  NO
>
> even though
>
>         (XEN) [00000028c19f6e50]   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
>                                                                       ^^^^^^^^^
>
> What's missing in my config to mitigate/remove the CVE-2018-3646 vulnerability?
>
> --
> To unsubscribe, e-mail: [email protected]
> To contact the owner, e-mail: [email protected]
>
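The side-by-side check the quoted message does by hand (the dom0 kernel's sysfs entries against Xen's "Speculative mitigation facilities" boot lines), as an added example that is not part of either poster's message. The function names are hypothetical and the sample input is constructed from the output quoted above.

```shell
# Added example (not from the thread): compare the dom0 kernel's sysfs view
# with Xen's "Speculative mitigation facilities" boot-log lines.

# sysfs_class FILE: reduce one vulnerabilities/* status line to a class.
sysfs_class() {
    case $(head -n 1 "$1") in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;   # e.g. "Unknown (XEN PV detected, ...)"
    esac
}

# xen_field LOG LABEL: value of the first "(XEN) ... LABEL: value" log line.
xen_field() {
    awk -v label="$2: " '/\(XEN\)/ { i = index($0, label)
        if (i) { print substr($0, i + length(label)); exit } }' "$1"
}

# xen_has LOG LABEL TOKEN: true if TOKEN is a whole word in that field.
xen_has() {
    case " $(xen_field "$1" "$2" | tr ',' ' ') " in
        *" $3 "*) return 0 ;;
    esac
    return 1
}

# report SYSFS_DIR LOG: sysfs classes, then where Xen lists L1D_FLUSH.
report() {
    for f in "$1"/*; do
        printf 'sysfs %s: %s\n' "${f##*/}" "$(sysfs_class "$f")"
    done
    for label in "Hardware features" "Xen settings"; do
        xen_has "$2" "$label" L1D_FLUSH && state=listed || state="not listed"
        printf 'xen "%s": L1D_FLUSH %s\n' "$label" "$state"
    done
    printf 'xen PV L1TF shadowing: %s\n' "$(xen_field "$2" "PV L1TF shadowing")"
}

# Constructed sample input, copied from the output quoted in this thread.
sample=$(mktemp -d) && mkdir "$sample/vuln"
echo 'Mitigation: PTE Inversion' > "$sample/vuln/l1tf"
echo 'Unknown (XEN PV detected, hypervisor mitigation required)' > "$sample/vuln/meltdown"
cat > "$sample/xen.log" <<'EOF'
(XEN) [00000028c19f6e50]   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN) [00000028c445abaf]   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
(XEN) [00000028cc1cfa07]   PV L1TF shadowing: Dom0 enabled, DomU enabled
EOF
report "$sample/vuln" "$sample/xen.log"
```

On a live dom0, pass /sys/devices/system/cpu/vulnerabilities and a file holding the Xen boot log (for example the saved output of `xl dmesg`).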