On 26 January 2018 at 17:18, tv.deb...@googlemail.com <
tv.deb...@googlemail.com> wrote:

> On 26/01/2018 22:37, Michael Lange wrote:
>
>> On Fri, 26 Jan 2018 22:19:27 +0530
>> "tv.deb...@googlemail.com" <tv.deb...@googlemail.com> wrote:
>>
>>
>>> gcc-7[.2] was really gcc-7.3-rc for a while, and was doing a good job
>>> at enabling Spectre mitigation (as tested by the
>>> spectre-meltdown-checker and /sys/devices/system/cpu/vulnerabilities/*
>>> entries). No it is really gcc-7.3 and is fully capable.
>>>
>>> I have not tested with a 4.4.15 kernel yet, but that should work too
>>> since most (all?) mitigation have been back-ported by now.
>>>
>>
>> I am definitely anything but an expert on this; but with sid's 4.14.15
>> (which I assumed was compiled with said gcc-7.2) the script here says:
>>
>> ##########################################################
>> Hardware check
>> * Hardware support (CPU microcode) for mitigation techniques
>>    * Indirect Branch Restricted Speculation (IBRS)
>>      * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't
>> read /dev/cpu/0/msr, is msr support enabled in your kernel?)
>>      * CPU indicates IBRS capability:  UNKNOWN  (couldn't
>> read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
>>    * Indirect Branch Prediction Barrier (IBPB)
>>      * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr,
>> is msr support enabled in your kernel?)
>>      * CPU indicates IBPB capability:  UNKNOWN  (couldn't
>> read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
>>    * Single Thread Indirect Branch Predictors (STIBP)
>>      * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't
>> read /dev/cpu/0/msr, is msr support enabled in your kernel?)
>>      * CPU indicates STIBP capability:  UNKNOWN  (couldn't
>> read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
>>    * Enhanced IBRS (IBRS_ALL)
>>      * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN
>> (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
>>      * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
>>    * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):
>> NO
>> * CPU vulnerability to the three speculative execution attacks variants
>>    * Vulnerable to Variant 1:  YES
>>    * Vulnerable to Variant 2:  YES
>>    * Vulnerable to Variant 3:  NO
>>
>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>> * Mitigated according to the /sys interface:  NO  (kernel confirms your
>> system is vulnerable)
>>
>> > STATUS:  VULNERABLE  (Vulnerable)
>>
>>
>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>> * Mitigated according to the /sys interface:  NO  (kernel confirms your
>> system is vulnerable)
>> * Mitigation 1
>>    * Kernel is compiled with IBRS/IBPB support:  NO
>>    * Currently enabled features
>>      * IBRS enabled for Kernel space:  NO
>>      * IBRS enabled for User space:  NO
>>      * IBPB enabled:  NO
>> * Mitigation 2
>>    * Kernel compiled with retpoline option:  YES
>>    * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports
>> minimal retpoline compilation)
>>    * Retpoline enabled:  YES
>>
>> > STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)
>>
>>
>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>> * Mitigated according to the /sys interface:  YES  (kernel confirms that
>> your CPU is unaffected)
>> * Kernel supports Page Table Isolation (PTI):  YES
>> * PTI enabled and active:  UNKNOWN  (dmesg truncated, please reboot and
>> relaunch this script)
>> * Running under Xen PV (64 bits):  UNKNOWN  (dmesg truncated, please
>> reboot and relaunch this script)
>>
>> > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as
>> > not vulnerable)
>>
>>
>> A false sense of security is worse than no security at all, see
>> --disclaimer
>>
>> #######################################################
>>
>> I have no idea though if this is due to my hardware, the compiler or the
>> kernel. Maybe for the fun of it I'll try to compile 4.15rc9 later with
>> that new gcc-7.3 and see what happens.
>>
>> Regards
>>
>> Michael
>>
>> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>>
>> I'm a soldier, not a diplomat.  I can only tell the truth.
>>                 -- Kirk, "Errand of Mercy", stardate 3198.9
>>
>>
> Tested with upstream vanilla 4.14.15 compiled with current Sid gcc-7.3, i
> get a pass for Spectre v2 (full generic retpoline) and Meltdown (a.k.a.
> "v3").
>
> Spectre v1 is still vulnerable, but that will stay that way for a while.
>

Sounds like it believes in your compiler and it has worked 100%.

Cheers

MF


>
> This is on an Intel Kaby Lake system (my only Intel system at the moment).
>

I would buy AMD from now on.

MF


>
> PS: apologies for writing the previous message with my feet, it should
> read "4.14.15 kernel" and NOT "4.4.15", and "now" instead of "no"...
>
>
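The checker output quoted above reports the IBRS/IBPB/STIBP and ARCH_CAPABILITIES rows as UNKNOWN because it could not open /dev/cpu/0/cpuid and /dev/cpu/0/msr. CPUID itself is an unprivileged instruction, so the capability bits can be read without the cpuid module; only the IA32_ARCH_CAPABILITIES MSR needs root and `modprobe msr`. The program below is an added example written for this page, not code from the thread or from spectre-meltdown-checker. It assumes an x86 Linux host, the /dev/cpu/0/msr path, and the bit positions Intel published with the January 2018 mitigation documentation (CPUID.(EAX=7,ECX=0):EDX bit 26 = SPEC_CTRL/PRED_CMD, bit 27 = STIBP, bit 29 = ARCH_CAPABILITIES present; MSR 0x10A bit 0 = RDCL_NO, bit 1 = IBRS_ALL). It also classifies the /sys/devices/system/cpu/vulnerabilities/* strings the same way the checker does, including the "Minimal ... retpoline" case that shows a kernel built without a retpoline-aware compiler.

```c
/* Added example, not part of the original thread. Assumes x86 Linux.
 * Decodes the speculation-control capability bits directly from CPUID
 * (no cpuid kernel module needed) and, if permitted, reads
 * IA32_ARCH_CAPABILITIES via /dev/cpu/0/msr (root + msr module). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define IA32_ARCH_CAPABILITIES 0x10a  /* MSR address (assumed from Intel docs) */

/* CPUID.(EAX=7,ECX=0):EDX decoders. Bit 26 advertises both the
 * SPEC_CTRL MSR (IBRS) and the PRED_CMD MSR (IBPB). */
int leaf7_ibrs_ibpb(uint32_t edx) { return (edx >> 26) & 1; }
int leaf7_stibp(uint32_t edx)     { return (edx >> 27) & 1; }
int leaf7_arch_caps(uint32_t edx) { return (edx >> 29) & 1; }

/* Runs CPUID leaf 7 on this machine. Returns the EDX value, or 0 with
 * *ok = 0 if the CPU has no leaf 7 or this is not an x86 build. */
uint32_t query_leaf7_edx(int *ok) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_max(0, NULL) < 7) { *ok = 0; return 0; }
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    *ok = 1;
    return edx;
#else
    *ok = 0;
    return 0;
#endif
}

/* IA32_ARCH_CAPABILITIES: bit 0 RDCL_NO (not affected by Meltdown),
 * bit 1 IBRS_ALL (enhanced IBRS). */
int arch_caps_rdcl_no(uint64_t v)  { return (int)(v & 1); }
int arch_caps_ibrs_all(uint64_t v) { return (int)((v >> 1) & 1); }

/* Reads the MSR through the msr driver. Returns 0 on success, -1 when the
 * device is missing (no msr module) or unreadable (not root, or the CPU
 * does not implement the MSR, which makes the read fail with EIO). */
int read_arch_capabilities(uint64_t *v) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, v, sizeof *v, IA32_ARCH_CAPABILITIES);
    close(fd);
    return n == (ssize_t)sizeof *v ? 0 : -1;
}

/* Classification of one /sys/devices/system/cpu/vulnerabilities/* line,
 * following the prefixes the kernel emits. */
enum sysfs_state { SYSFS_UNKNOWN, SYSFS_NOT_AFFECTED, SYSFS_MITIGATED, SYSFS_VULNERABLE };

enum sysfs_state classify_sysfs(const char *s) {
    if (strncmp(s, "Not affected", 12) == 0) return SYSFS_NOT_AFFECTED;
    if (strncmp(s, "Mitigation:", 11) == 0)  return SYSFS_MITIGATED;
    if (strncmp(s, "Vulnerable", 10) == 0)   return SYSFS_VULNERABLE;
    return SYSFS_UNKNOWN;
}

/* "Minimal ... retpoline" means CONFIG_RETPOLINE was set but the compiler
 * lacked -mindirect-branch=thunk-extern, so only the asm thunks are in use. */
int is_minimal_retpoline(const char *s) {
    return strstr(s, "Minimal") != NULL && strstr(s, "retpoline") != NULL;
}

int main(void) {
    int ok;
    uint32_t edx = query_leaf7_edx(&ok);
    if (ok)
        printf("CPUID: IBRS/IBPB=%d STIBP=%d ARCH_CAPABILITIES=%d\n",
               leaf7_ibrs_ibpb(edx), leaf7_stibp(edx), leaf7_arch_caps(edx));
    else
        puts("CPUID leaf 7 unavailable");

    uint64_t v;
    if (read_arch_capabilities(&v) == 0)
        printf("ARCH_CAPABILITIES: RDCL_NO=%d IBRS_ALL=%d\n",
               arch_caps_rdcl_no(v), arch_caps_ibrs_all(v));
    else
        puts("ARCH_CAPABILITIES: cannot read /dev/cpu/0/msr (need root and `modprobe msr`)");

    const char *files[] = { "spectre_v1", "spectre_v2", "meltdown" };
    for (int i = 0; i < 3; i++) {
        char path[128], line[256] = "";
        snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", files[i]);
        FILE *f = fopen(path, "r");
        if (!f || !fgets(line, sizeof line, f)) {
            if (f) fclose(f);
            printf("%s: no sysfs entry (kernel too old?)\n", files[i]);
            continue;
        }
        fclose(f);
        line[strcspn(line, "\n")] = '\0';
        printf("%s: %s (state %d%s)\n", files[i], line, (int)classify_sysfs(line),
               is_minimal_retpoline(line) ? ", minimal retpoline" : "");
    }
    return 0;
}
```

Run it unprivileged first to see the CPUID rows resolve; then `sudo modprobe msr` and run as root for the ARCH_CAPABILITIES row. A CPUID result saying IBRS/IBPB=1 on an older CPU means the microcode update is installed; the kernel still has to be built with the retpoline option and a retpoline-aware gcc for spectre_v2 to change from "Minimal ... retpoline" to "Mitigation: Full generic retpoline".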
