This is similar to viewtopic.php?f=51&t=65693 but I wanted to provide more detail and check that it is actually the same issue/cause.
I'm running a CentOS 7 instance within Amazon's EC2 environment, I have run yum update successfully.
After completing the update, I can see that the expected patches are applied (output at bottom of this post for ref.), however when running the meltdown checker again (output again below), it's failing Spectre Variant 2 because IBRS isn't enabled. I'm not sure if this is something in my control which I can enable? or if this is related to the microcode updates that I believe are required (Note that I have run the check for microcode updates and it doesn't show anything available). According to Amazon https://aws.amazon.com/security/securit ... -2018-013/ all their hardware has been updated, and recommend a software update (as I've now already done)
So in summary, I suppose my question is: Is there something I need to do to 'enable' IBRS since the checker report shows support exists? Or am I maybe missing something entirely different?
Many thanks in advance.
Console output / more info included below for completeness
Code: Select all
$ cat /etc/*release
CentOS Linux release 7.4.1708 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.4.1708 (Core)
CentOS Linux release 7.4.1708 (Core)
Code: Select all
$ dmesg | grep microcode
[ 2.309797] microcode: CPU0 sig=0x306f2, pf=0x1, revision=0x3b
[ 2.319746] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
Code: Select all
$ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.26
Checking for vulnerabilities against live running kernel Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (106 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Code: Select all
$ sudo rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] kaiser/mm: consider the init_mm.pgd a kaiser pgd (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: Prevent unwanted speculation without IBRS (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Remove trampoline check from paranoid entry path (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] spec_ctrl: remove SPEC_CTRL_DEBUG code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add noibrs noibpb boot options (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Use retpoline for syscall's indirect calls (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on 32-bit compatible syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: cleanup unnecessary ptregscall_common function (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: CLEAR_EXTRA_REGS and extra regs save/restore (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] syscall: Clear unused extra registers on syscall entrance (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: rescan cpuid after a late microcode update (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debugfs ibrs_enabled ibpb_enabled (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: consolidate the spec control boot detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] KVM/spec_ctrl: allow IBRS to stay enabled in host userland (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: add debug aid to test the entry code without microcode (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: move stuff_RSB in spec_ctrl.h (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Stuff RSB for entry to kernel for non-SMEP platform (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Only set IBPB when the new thread cannot ptrace current thread (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] mm: Set IBPB upon context switch (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS when offlining cpu and re-enable on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] idle: Disable IBRS entering idle and enable it on wakeup (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: implement spec ctrl C methods (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: save IBRS MSR value in save_paranoid for NMI (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: Use IBRS on syscall and interrupts (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: swap rdx with rsi for nmi nesting detection (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: spec_ctrl_pcp and kaiser_enabled_pcp in same cachline (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] spec_ctrl: use per-cpu knob instead of ALTERNATIVES for ibpb and ibrs (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] enter: MACROS to set/clear IBRS and set IBPB (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: add SPEC_CTRL to MSR and CPUID lists (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] svm: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] vmx: Set IBPB when running a different VCPU (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [kvm] x86: clear registers on VM exit (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] kvm: pad RSB on VM transition (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] cpu/AMD: Control indirect branch predictor when SPEC_CTRL not available (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Report presence of IBPB and IBRS control (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [x86] feature: Enable the x86 feature to control Speculation (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [tools] objtool: Don't print 'call dest' warnings for ignored functions (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715}
- [misc] locking/barriers: prevent speculative execution based on Coverity scan results (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] udf: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [fs] prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [kernel] userns: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [scsi] qla2xxx: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] p54: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [netdrv] carl9170: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [media] uvcvideo: prevent speculative execution (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [misc] locking/barriers: introduce new memory barrier gmb() (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] mm/kaiser: Replace kaiser with kpti to sync with upstream (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add "kaiser" and "nokaiser" boot options (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map the trace idt tables in userland shadow pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: fix RESTORE_CR3 crash in kaiser_stop_machine (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use stop_machine for enable/disable knob (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use atomic ops to poison/unpoison user pagetables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use invpcid to flush the two kaiser PCID AISD (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use two PCID ASIDs optimize the TLB during enter/exit kernel (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stop patching flush_tlb_single (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: use PCID feature to make user and kernel switches faster (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: If INVPCID is available, use it to flush global mappings (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Fix reboot interaction with CR4.PCIDE (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/64: Initialize CR4.PCIDE early (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add a 'noinvpcid' boot option to turn off INVPCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Add the 'nopcid' boot option to turn off PCID (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: validate trampoline stack (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] entry: Move SYSENTER_stack to the beginning of struct tss_struct (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: isolate the user mapped per cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: enable kaiser in build (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: selective boot time defaults (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: handle call to xen_pv_domain() on PREEMPT_RT (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser/xen: Dynamically disable KAISER when running under Xen PV (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add Kconfig (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: avoid false positives during non-kaiser pgd updates (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Respect disabled CPU features (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: trampoline stack comments (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: stack trampoline (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove paravirt clock warning (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: re-enable vsyscalls (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow to build KAISER with KASRL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow KAISER to be enabled/disabled at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: un-poison PGDs at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add a function to check for KAISER being enabled (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add debugfs file to turn KAISER on/off at runtime (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: disable native VSYSCALL (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map virtually-addressed performance monitoring buffers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map debug IDT tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add kprobes text section (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map trace interrupt entry (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map entry stack per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: map dynamically-allocated LDTs (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: make sure static PGDs are 8k in size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: allow NX poison to be set in p4d/pgd (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: unmap kernel from userspace page tables (core patch) (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: mark per-cpu data structures required for entry/exit (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: introduce user-mapped per-cpu areas (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: add cr3 switches to entry code (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: remove scratch registers (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: prepare assembly for entry/exit CR3 switching (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/kaiser: Disable global pages by default with KAISER (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Document X86_CR4_PGE toggling behavior (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm/tlb: Make CR4-based TLB flushes more robust (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] mm: Do not set _PAGE_USER for init_mm page tables (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [x86] increase robusteness of bad_iret fixup handler (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [perf] x86/intel/uncore: Fix memory leaks on allocation failures (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [fs] userfaultfd: non-cooperative: fix fork use after free (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] userfaultfd: hugetlbfs: remove superfluous page unlock in VM_SHARED case (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}
- [mm] fix bad rss-counter if remap_file_pages raced migration (Josh Poimboeuf) [1519800 1519801] {CVE-2017-5754}