  • Bug in the detection script "spectre-meltdown--a79614b.sh" (Version: 2.3)?

    Hi support.

    From my comment on article "Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715" ( https://access.redhat.com/security/vulnerabilities/speculativeexecution#comment-1285831 ):

    The detection script "spectre-meltdown--a79614b.sh" (Version: 2.3) does not accurately identify vulnerabilities for pre-Skylake CPUs. For example, from your article (https://access.redhat.com/articles/3311301#architectural-defaults-11):

    "pti=1 ibrs=0 retp=1 ibpb=1-> fix variant#1 #2 #3 for pre-Skylake cpus"

    It's true on my old server with a fresh BIOS:

    Kernel is Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64
    CPU is Intel(R) Pentium(R) CPU G850 @ 2.90GHz
    # cat /sys/kernel/debug/x86/pti_enabled
    1
    # cat /sys/kernel/debug/x86/ibrs_enabled
    0
    # cat /sys/kernel/debug/x86/retp_enabled
    1
    # cat /sys/kernel/debug/x86/ibpb_enabled
    1
    

    I.e., again from your article above:

    "For Intel processors prior to Skylake, Retpolines are used instead of the ibrs feature for mitigation against Spectre variant 2."

    I.e., my old server with fresh BIOS and kernel is completely protected from the above-mentioned vulnerabilities. But your detection script claims the opposite, for example:

    # ./spectre-meltdown--a79614b.sh
    
    This script is primarily designed to detect Spectre / Meltdown on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Detected CPU vendor: Intel
    Running kernel: 3.10.0-693.21.1.el7.x86_64
    
    Variant #1 (Spectre): Mitigated
    CVE-2017-5753 - speculative execution bounds-check bypass
       - Kernel with mitigation patches: OK
    
    Variant #2 (Spectre): Vulnerable
    CVE-2017-5715 - speculative execution branch target injection
       - Kernel with mitigation patches: OK
       - HW support / updated microcode: YES
       - IBRS: Not disabled on kernel commandline
       - IBPB: Not disabled on kernel commandline
    
    Variant #3 (Meltdown): Vulnerable
    CVE-2017-5754 - speculative execution permission faults handling
       - Kernel with mitigation patches: OK
       - PTI: Not disabled on kernel commandline
    
    Red Hat recommends that you:
    
    Note about virtualization
    In virtualized environment, there are more steps to mitigate the issue, including:
    * Host needs to have updated kernel and CPU microcode
    * Host needs to have updated virtualization software
    * Guest needs to have updated kernel
    * Hypervisor needs to propagate new CPU features correctly
    For more details about mitigations in virtualized environment see:
    https://access.redhat.com/articles/3331571
    
    For more information about the vulnerabilities see:
    https://access.redhat.com/security/vulnerabilities/speculativeexecution
    

    It's like a script bug. What do you say about this?
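
The tunable rule quoted in the post, written as a check over the four debugfs files (an added example, not part of the original post and not Red Hat's detection script). The function names and the on/off/unknown states are assumptions of this example, as are treating any non-zero value as enabled and requiring ibpb=1 alongside ibrs or retp.

```shell
# Added example: not Red Hat's detection script.
# Rule applied (from the article lines quoted in the post): variant 2 needs
# ibpb plus either ibrs or retpoline; variant 3 needs pti.
# Assumption: any non-zero tunable value means "enabled".

# tunable DIR NAME -> prints on | off | unknown (file unreadable or not numeric)
tunable() {
    [ -r "$1/$2" ] || { echo unknown; return; }
    v=$(head -n 1 "$1/$2" | tr -d '[:space:]')
    case "$v" in
        ''|*[!0-9]*) echo unknown ;;
        0) echo off ;;
        *) echo on ;;
    esac
}

# variant2_status DIR -> mitigated | unmitigated | unknown
variant2_status() {
    ibrs=$(tunable "$1" ibrs_enabled)
    retp=$(tunable "$1" retp_enabled)
    ibpb=$(tunable "$1" ibpb_enabled)
    # An unreadable tunable is reported as unknown, never as unmitigated.
    case "$ibrs $retp $ibpb" in *unknown*) echo unknown; return ;; esac
    if [ "$ibpb" = on ] && { [ "$ibrs" = on ] || [ "$retp" = on ]; }; then
        echo mitigated
    else
        echo unmitigated
    fi
}

# variant3_status DIR -> mitigated | unmitigated | unknown
variant3_status() {
    case "$(tunable "$1" pti_enabled)" in
        on) echo mitigated ;;
        off) echo unmitigated ;;
        *) echo unknown ;;
    esac
}

# write_fixture DIR PTI IBRS RETP IBPB -> constructed tunable files for offline runs
write_fixture() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/pti_enabled";  printf '%s\n' "$3" > "$1/ibrs_enabled"
    printf '%s\n' "$4" > "$1/retp_enabled"; printf '%s\n' "$5" > "$1/ibpb_enabled"
}

# Default to the debugfs path used in the post; pass another directory to override.
dir="${1:-/sys/kernel/debug/x86}"
echo "variant2=$(variant2_status "$dir") variant3=$(variant3_status "$dir")"
```

Reading the real debugfs path requires root and a mounted debugfs; without them the check reports unknown.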
