Upgraded kernel and microcode but no effect on Spectre Vulnerability

[steveis2]

Hi, I am not an expert and am rather confused about what to do about Spectre.
Be that as it may I installed Kernel 4.13.0-26 and the intel microcode, which does include my cpu. However when I ran a script "sh spectre-meltdown-checker.sh2 having downloaded it. It tells me that I am still vulnerable to both variants of spectre despite the microcode update. I then ran "dmesg|grep microcode" which I think (?) tells me what microcode I have and it tells me I have the following -
~ $ dmesg|grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[ 0.929217] microcode: sig=0x306a9, pf=0x2, revision=0x1c
[ 0.929307] microcode: Microcode Update Driver: v2.2.

This appears to tell me I have microcode dated from 26/02/15 which is not what I thought I had updated to.

If anyone can suggest any advice as to what I need to do I'd appreciate it. I don't know what the problem now is or what a solution might look like.

Regards Steve

[steveis2]

Oops I should have said I'm running Linux Mint 18.2

[Flemur]

However when I ran a script "sh spectre-meltdown-checker.sh2 having downloaded it. It tells me that I am still vulnerable to both variants of spectre despite...

If you want, I can write a script that says you're not vulnerable. (That's a sarcastic way of saying "where'd you get it?")

[ 0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[ 0.929217] microcode: sig=0x306a9, pf=0x2, revision=0x1c
[ 0.929307] microcode: Microcode Update Driver: v2.2.

FWIW, I have

Code: Select all

$ uname -a
Linux .... 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$
$ dmesg|grep microcode
[    0.000000] microcode: microcode updated early to revision 0xa0b, date = 2010-09-28
[    1.170499] microcode: sig=0x1067a, pf=0x1, revision=0xa0b
[    1.170600] microcode: Microcode Update Driver: v2.2.

[steveis2]

Hi
I got the script off wget https://raw.githubusercontent.com/speed ... checker.sh. I found this on https://www.ghacks.net/2018/01/11/check ... erability/.

With a bit of luck maybe the script is no good and the result is wrong.

However the result it came up with was as follows:-

Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)


Regards Steve

[trytip]

i'm assuming everyone running this script will get the same values. 2 vulnerable and 1 not vulnerable, i get the same thing in arch linux with kernel 4.14.12 which is higher than the kernels in mint repos

and the thing with dmesg | grep microcode is that it will only be as recent as the last time your processor was updated into the intel processor list. everyones date will be somewhere around 2010 if you have older cpu

if you wonder why the date is 2010 you need to ask intel not the kernel developers because the kernel devs get the updates from intel

[steveis2]

Thank you for your insight. Looking inside the script its creator does say it might not work so perhaps the microcode is working as it should. Given that the processor came out in 2012 it could be it was added to the list in 2015 I suppose.

Regards Steve

i'm assuming everyone running this script will get the same values. 2 vulnerable and 1 not vulnerable, i get the same thing in arch linux with kernel 4.14.12 which is higher than the kernels in mint repos

and the thing with dmesg | grep microcode is that it will only be as recent as the last time your processor was updated into the intel processor list. everyones date will be somewhere around 2010 if you have older cpu

if you wonder why the date is 2010 you need to ask intel not the kernel developers because the kernel devs get the updates from intel

[Pjotr]

If your CPU is less than 10 years old, you can probably expect a future update for the intel-microcode package, which does contain fixed microcode for Meltdown/Spectre.

[michael louwe]

@ steveis2, .......

...

.
Your CPU is Intel 3rd-gen Ivy Bridge (= sig=0x306a9) which is not covered by the Intel microcode 20180108 update. Only Intel 3rd-gen Ivy Town(= Xeon) and 4th-gen Haswell or newer are covered.

[steveis2]

Hi,
I think it is in there because on their Linux microcode page for 20180108 it does make reference to the I5 3470 in the list of included CPUs. Having said that, even if it is included there could still be something wrong somewhere.

Regards Steve

@ steveis2, .......

...

.
Your CPU is Intel 3rd-gen Ivy Bridge (= sig=0x306a9) which is not covered by the Intel microcode 20180108 update. Only Intel 3rd-gen Ivy Town(= Xeon) and 4th-gen Haswell or newer are covered.

[Petermint]

If you compare Meltdown/Spectre to building a safe house, Meltdown is equivalent to forgetting to install the front door and Spectre is equivalent to forgetting to install the walls. Spectre protection includes updating all your applications including your Web browser and javascript interpreters to stop advertisers using Spectre to improve their breaches of your privacy.

[michael louwe]

@ steveis2, .......

sig=0x306a9, , pf=0x2, revision=0x1c...

.
* Sync package to xenial's latest update
* New upstream microcode datafile 20180108
+ New Microcodes:
sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+ Updated Microcodes:
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
* source: remove unneeded intel-ucode/ directory
* source: remove superseded upstream data file: 20170707

-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 09 Jan 2018 13:28:52 -0500

[smurphos]

If anyone can suggest any advice as to what I need to do I'd appreciate it. I don't know what the problem now is or what a solution might look like.

Sit tight and wait for further kernel updates and microcode updates. Enjoy your patched web browser.

The current 4.4.0-109 and 4.13.0-26 kernels are only patched against Meltdown. Ubuntu are working on the next updates which will include the Spectre patches. They are currently in testing.

https://insights.ubuntu.com/2018/01/12/ ... us-update/
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown

Re the Microcode package - it contains microcodes for all Intel CPUs that have ever had Microcode updates as listed on the Intel page here - https://downloadcenter.intel.com/downlo ... -Data-File

But not all of those microcodes (including the one for your processor) have been patched for Spectre yet as has been mentioned. The most recent update included 16 updated Microcodes and 4 new ones. There are a lot more that presumably, Intel are working on.
https://launchpad.net/ubuntu/+source/in ... ntu16.04.2

[steveis2]

Hi,
I think I will do as you say and wait to see what happens. Hopefully things will work out. I can't see a BIOS update coming from the Motherboard manufacturer for some of my older computers so the microcode is the only hope.

Regards Steve


[/quote]

Sit tight and wait for further kernel updates and microcode updates. Enjoy your patched web browser....

There are a lot more that presumably, Intel are working on.
https://launchpad.net/ubuntu/+source/in ... ntu16.04.2[/quote]

[godzilla]

interesting,
both of us have identical microcode revision 0x1c

Code: Select all

lynx@lynx-lappy ~ $ grep microcode /proc/cpuinfo
microcode	: 0x1c
microcode	: 0x1c
microcode	: 0x1c
microcode	: 0x1c
microcode	: 0x1c
microcode	: 0x1c
microcode	: 0x1c
microcode	: 0x1c

it supposed to be safe

Code: Select all

lynx@lynx-lappy ~ $ grep isolation /var/log/syslog
Feb 21 16:03:58 lynx-lappy kernel: [    0.000000] Kernel/User page tables isolation: enabled

but according to

Code: Select all

lynx@lynx-lappy ~ $ grep microcode /var/log/kern.log
Feb 18 20:23:33 lynx-lappy kernel: [    0.000000] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0x22 (or later)
Feb 18 20:23:33 lynx-lappy kernel: [    2.909978] microcode: sig=0x306c3, pf=0x20, revision=0x1c
Feb 18 20:23:33 lynx-lappy kernel: [    2.910129] microcode: Microcode Update Driver: v2.2.

it has bugs related TSC ing but dont really know what it is mean for though
confusing