No more IBRS since 3.10.0-693.21.1.el7 kernel update?


Hi,

I patched our Dell PowerEdge R730 machines with the latest BIOS last week and when I booted kernel-3.10.0-693.17.1.el7.x86_64 afterwards, I ran the spectre-meltdown-checker.sh script. It listed I was no longer vulnerable to spectre as I had IBRS enabled.

Since then I've upgraded to kernel 3.10.0-693.21.1.el7 which contains the retpoline patches. When I now run the test script it indicates that I'm still vulnerable to spectre?

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO

STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

It still detects the IBRS feature, but does not seem to use it because it has retpoline support? It indicates the kernel was not compiled with a retpoline-aware compiler.

These machines are also oVirt hosts, and the oVirt engine now shows IBRS: 0 in the host details.

Is this expected? Should the kernel be recompiled with a retpoline-aware compiler first? I've noticed a gcc update that includes that support?

Regards,

Rik

Responses

I'm also running 3.10.0-693.21.1.el7, I found this article that confirms RETP replaced IBRS for processors prior to Skylake:

"Retpoline Kernels As of March 2018, on X86 cpus, Red Hat is using “Retpoline” code sequences for indirect branches in the kernel to isolate those branches from speculative execution. For Intel processors prior to Skylake, Retpolines are used instead of the ibrs feature for mitigation against Spectre variant 2. For Skylake, due to full CVE mitigation concerns, ibrs will still be used and Retpolines will be disabled."

https://access.redhat.com/articles/3311301#retpoline-kernels-2

I'm assuming the RedHat spectre check script needs to be updated accordingly. This generic checker script indicates the kernel is compiled with retpoline option and that it was compiled with a retpoline-aware compiler, therefore it's not vulnerable (Note: Mitigation 1 IBRS shows not enabled but Mitigation 2 RETP is good): https://github.com/speed47/spectre-meltdown-checker

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: YES
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

STATUS: NOT VULNERABLE (Mitigation: Full retpoline)

Darcy,

You are seeing "Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)" in your output from the script. On my RHEL systems, I get "Kernel compiled with a retpoline-aware compiler: UNKNOWN". Any idea where this difference comes from?

I would manually check what the script looks for. Assuming you're also running kernel 3.10.0-693.21.1.el7, you could check the kernel config for CONFIG_RETPOLINE=y:

grep RETPOLINE /boot/config-3.10.0-693.21.1.el7.x86_64

CONFIG_RETPOLINE=y

Judging by the logic in the script, this is presumably the case for you; the next check then greps the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 for "Full" or "Minimal". If neither returns, it checks whether CONFIG_RETPOLINE=y and gives a yellow UNKNOWN status (lines 1590-1602).

In short, I would check to see what the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2 says, mine states "Mitigation: Full retpoline"

cat /sys/devices/system/cpu/vulnerabilities/spectre_v2

Mitigation: Full retpoline

Reference: lines 945-954 (kernel config checks) and lines 1568-1602 (retpoline checks) in spectre-meltdown-checker.sh. Note that this script is constantly changing, so the line numbers might be off; for reference's sake, you can check the version I compared with: https://github.com/speed47/spectre-meltdown-checker/blob/bda18d04a018361623b95bb5fffaa0426e88c519/spectre-meltdown-checker.sh
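The two checks described in the answer above (the spectre_v2 sysfs string first, then CONFIG_RETPOLINE in the kernel config as a fallback) reduce to a small shell function. The script below is an added example written for this page; it is not from the thread and not from spectre-meltdown-checker itself. The function and file names (classify_spectre_v2, check_running_kernel, the --live flag) are this example's own, and the classification labels are assumptions that only mirror the checker's Full/Minimal/UNKNOWN distinction as the answer explains it. The inputs are passed as arguments so the logic can be exercised against constructed files rather than only on a live host.

```shell
#!/bin/sh
# Added example (not from the thread or from spectre-meltdown-checker):
# reproduce the two retpoline checks the answer describes.
#
#   classify_spectre_v2 <spectre_v2_sysfs_text> <kernel_config_path>
#
# Prints one of (labels are this example's own):
#   FULL     -> sysfs reports "Full retpoline" (retpoline-aware compiler)
#   MINIMAL  -> sysfs reports "Minimal retpoline" (CONFIG_RETPOLINE=y but
#               the compiler lacked retpoline support)
#   UNKNOWN  -> sysfs says nothing about retpoline, but the running
#               kernel's config has CONFIG_RETPOLINE=y (the checker's
#               yellow UNKNOWN case)
#   NONE     -> no retpoline evidence at all

classify_spectre_v2() {
    sysfs_text=$1
    config=$2

    # First check: the runtime answer from the kernel itself.
    case "$sysfs_text" in
        *"Full retpoline"*)    echo FULL;    return 0 ;;
        *"Minimal retpoline"*) echo MINIMAL; return 0 ;;
    esac

    # Fallback: the build-time option from /boot/config-<release>.
    if [ -r "$config" ] && grep -q '^CONFIG_RETPOLINE=y' "$config"; then
        echo UNKNOWN
    else
        echo NONE
    fi
}

# Wrapper for a live host: read the real sysfs file and the config of
# the running kernel. Missing sysfs (pre-fix kernel) is treated as "".
check_running_kernel() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    text=""
    if [ -r "$sysfs" ]; then
        text=$(cat "$sysfs")
    fi
    classify_spectre_v2 "$text" "/boot/config-$(uname -r)"
}

# Run the live check only when invoked as:  sh retp-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_running_kernel
fi
```

On a host where the kernel prints "Mitigation: Full retpoline" this yields FULL regardless of the config file; a host whose sysfs file only says "Vulnerable" but whose config has CONFIG_RETPOLINE=y lands in UNKNOWN, which is the situation the original poster is asking about.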

This seems to be this issue: https://github.com/speed47/spectre-meltdown-checker/issues/235 Red Hat says that they're doing RSB filling anyway, but they're not exposing any way to detect that?

(spectre-meltdown-checker's output has since been changed again to point fingers at (lack of) RSB filling in this case.)
