You are not logged in.
I recently installed Arch 32 to a ThinkPad Z60m. I've JUST got a working install, no GUI working yet and minimal applications, and I'm going over the Arch Wiki for next steps. I perused the security page and decided to check what hardware vulnerabilities the system may have and what mitigations are in place by running the following:
grep -r . /sys/devices/system/cpu/vulnerabilities/I got this output revealing that the CPU suffers from several vulnerabilities that are not mitigated:
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow: Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v2: Mitigation: Retpolines: STIBP: disabled; RSB filling: PBRSB-eIBRS: Not affected: BHI: Not affected
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling: Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass: Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds: Vulnerable: Clear CPU buffers attempted, no microcode: SMT disabled
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KUM: Mitigation: UMX unsupported
/sys/devices/system/cpu/vulnerabilities/11tf: Vulnerable
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort: Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data: Unknown: No mitigations
/sys/devices/system/cpu/vulnerabilities/retbleed: Not affected /sys/devices/system/cpu/vulnerabilities/meltdown: Vulnerable
/sys/devices/system/cpu/vulnerabilities/srbds: Not affected
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling: Not affectedAt this point I assume that I have missed a step or bunged something up during the install, so I've halted and asked for help from some friends. I was advised to run the spectre-meltdown-checker script, which gives the following output:
Spectre and Meltdown mitigation detection tool v0.46+
Checking for vulnerabilities on current system
Kernel is Linux 6.12.4-arch1-1.0 #1 SMP PREEMPT_DYNAMIC Tue, 10 Dec 2024 19:50:00 +0000 i686
CPU is Intel(R) Pentium(R) M processor 1.73GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: NO
* L1 data cache invalidation
* CPU indicates L1D flush capability: NO
* Microarchitectural Data Sampling
* VERW instruction is available: NO
* Indirect Branch Predictor Controls
* Indirect Predictor Disable feature is available: NO
* Bottomless RSB Disable feature is available: YES (RRSBA_CTRL feature bit)
* BHB-Focused Indirect Predictor Disable feature is available: YES (BHI_CTRL feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: YES
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): NO
* CPU explicitly indicates not being affected by Variant 4 (SSB_NO): NO
* CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
* Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): NO
* CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): NO
* CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): NO
* CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): NO
* CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
* CPU explicitly indicates being affected by GDS and having mitigation control (GDS_CTRL): NO
* CPU explicitly indicates not being affected by GDS (GDS_NO): NO
* CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
* CPU supports Special Register Buffer Data Sampling (SRBDS): NO
* CPU microcode is known to cause stability problems: NO (family 0x6 model 0xd stepping 0x8 ucode 0x20 cpuid 0x6d8 pfid 0x2)
* CPU microcode is the latest known available version: NO (latest version is 0x21 dated 2006/08/31 according to builtin firmwares DB v296+i20240514+988c)
* CPU vulnerability to the speculative execution attack variants
* Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
* Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
* Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
* Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
* Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
* Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
* Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
* Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
* Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
* Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
* Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
* Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
* Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
* Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
* Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
* Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO
* Affected by CVE-2022-40982 (Downfall, gather data sampling (GDS)): NO
* Affected by CVE-2023-20569 (Inception, return address security (RAS)): NO
* Affected by CVE-2023-23583 (Reptar, redundant prefix issue): NO
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: NO
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
* Kernel has array_index_nospec (arm64): NO
* Checking count of LFENCE instructions following a jump in kernel... NO (only 12 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Retpolines; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline is mitigating the vulnerability)
You should enable IBPB to complete retpoline as a Variant 2 mitigation
CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: NO
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: N/A
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports PTE inversion: YES (found in kernel image)
* PTE inversion enabled and active: NO
> STATUS: VULNERABLE (Vulnerable)
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Vulnerable
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
* EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
* L1D flush enabled: UNKNOWN (unrecognized mode)
* Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
* Hyper-Threading (SMT) is enabled: NO
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface: YES (Not affected)
* TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
* TAA mitigation enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface: YES (KVM: Mitigation: VMX unsupported)
* This system is a host running a hypervisor: NO
* iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: VMX unsupported)
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
* Mitigated according to the /sys interface: YES (Not affected)
* SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
* SRBDS mitigation control is enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
* Zenbleed mitigation is supported by kernel: YES (found zenbleed message in kernel image)
* Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible)
* Zenbleed mitigation is supported by CPU microcode: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2022-40982 aka 'Downfall, gather data sampling (GDS)'
* Mitigated according to the /sys interface: YES (Not affected)
* GDS is mitigated by microcode: NO
* Kernel supports software mitigation by disabling AVX: YES (found gather_data_sampling in kernel image)
* Kernel has disabled AVX as a mitigation: YES (AVX disabled by the kernel (cpuid))
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-20569 aka 'Inception, return address security (RAS)'
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports mitigation: YES (found spec_rstack_overflow in kernel image)
* Kernel compiled with SRSO support: NO (required for safe RET and ibpb_on_vmexit mitigations)
* Kernel compiled with IBPB_ENTRY support: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-23583 aka 'Reptar, redundant prefix issue'
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:KO CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimerThis is weird to me because I'm 99% sure I followed the microcode steps correctly during install, so I'm unsure why so may of the mitigations are complaining about not having the updated microcode. I'm assuming I botched something at some point and I'm unsure where to go from here, I'm in need of some guidance.
Offline
Mmh. Interesting. I'm not sure how many security fixes are actually available for either the microcode of IA32-cpus and in the kernel..
This is a good point, they may just straight up not be fixable and I didn't do anything wrong. I pulled to the Arch 32 drive recently and started messing with a Debian install briefly, when I return from work this afternoon, I can check if the vulnerabilities are present under Debian as well and that should give an answer.
Offline
Sorry for the late reply, the Debian install got so cooked from me mucking with it I broke it and I've had to do a clean install. Under Debian the output of the same grep command is as follows:
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX unsupported
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Unknown: No mitigations
/sys/devices/system/cpu/vulnerabilities/retbleed:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Not affectedThis output is different and implies that some of these vulnerabilities CAN be mitigated and I messed up my Arch 32 install or missed a step. Running the spectre-meltdown-checker script gives a different output as well that further confirms this:
Spectre and Meltdown mitigation detection tool v0.46+
Checking for vulnerabilities on current system
Kernel is Linux 6.1.0-30-686-pae #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) i686
CPU is Intel(R) Pentium(R) M processor 1.73GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: NO
* L1 data cache invalidation
* CPU indicates L1D flush capability: NO
* Microarchitectural Data Sampling
* VERW instruction is available: NO
* Indirect Branch Predictor Controls
* Indirect Predictor Disable feature is available: NO
* Bottomless RSB Disable feature is available: YES (RRSBA_CTRL feature bit)
* BHB-Focused Indirect Predictor Disable feature is available: YES (BHI_CTRL feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: YES
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being affected by Meltdown/L1TF (RDCL_NO): NO
* CPU explicitly indicates not being affected by Variant 4 (SSB_NO): NO
* CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
* Hypervisor indicates host CPU might be affected by RSB underflow (RSBA): NO
* CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS_NO): NO
* CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA_NO): NO
* CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE_MSC_NO): NO
* CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
* CPU explicitly indicates being affected by GDS and having mitigation control (GDS_CTRL): NO
* CPU explicitly indicates not being affected by GDS (GDS_NO): NO
* CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
* CPU supports Special Register Buffer Data Sampling (SRBDS): NO
* CPU microcode is known to cause stability problems: NO (family 0x6 model 0xd stepping 0x8 ucode 0x20 cpuid 0x6d8 pfid 0x2)
* CPU microcode is the latest known available version: NO (latest version is 0x21 dated 2006/08/31 according to builtin firmwares DB v296+i20240514+988c)
* CPU vulnerability to the speculative execution attack variants
* Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
* Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
* Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
* Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
* Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
* Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
* Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
* Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
* Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
* Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
* Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
* Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
* Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
* Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
* Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
* Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO
* Affected by CVE-2022-40982 (Downfall, gather data sampling (GDS)): NO
* Affected by CVE-2023-20569 (Inception, return address security (RAS)): NO
* Affected by CVE-2023-23583 (Reptar, redundant prefix issue): NO
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: NO
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
* Kernel has array_index_nospec (arm64): NO
* Checking count of LFENCE instructions following a jump in kernel... NO (only 12 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Retpolines; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline is mitigating the vulnerability)
You should enable IBPB to complete retpoline as a Variant 2 mitigation
CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: NO
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: N/A
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion)
* Kernel supports PTE inversion: YES (found in kernel image)
* PTE inversion enabled and active: YES
> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion)
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
* EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
* L1D flush enabled: UNKNOWN (unrecognized mode)
* Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
* Hyper-Threading (SMT) is enabled: NO
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: YES
> STATUS: VULNERABLE (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)
CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface: YES (Not affected)
* TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
* TAA mitigation enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface: YES (KVM: Mitigation: VMX unsupported)
* This system is a host running a hypervisor: NO
* iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: VMX unsupported)
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
* Mitigated according to the /sys interface: YES (Not affected)
* SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
* SRBDS mitigation control is enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
* Zenbleed mitigation is supported by kernel: YES (found zenbleed message in kernel image)
* Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible)
* Zenbleed mitigation is supported by CPU microcode: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2022-40982 aka 'Downfall, gather data sampling (GDS)'
* Mitigated according to the /sys interface: YES (Not affected)
* GDS is mitigated by microcode: NO
* Kernel supports software mitigation by disabling AVX: YES (found gather_data_sampling in kernel image)
* Kernel has disabled AVX as a mitigation: YES (AVX disabled by the kernel (cpuid))
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-20569 aka 'Inception, return address security (RAS)'
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports mitigation: YES (found spec_rstack_overflow in kernel image)
* Kernel compiled with SRSO support: NO (required for safe RET and ibpb_on_vmexit mitigations)
* Kernel compiled with IBPB_ENTRY support: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-23583 aka 'Reptar, redundant prefix issue'
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimerAny clue what I may have done wrong and how I can remedy my issue on Arch 32?
Offline
I can only imagine that a) some older kernel versions lack some mitigations (in this case we have to check, if we have the latest kernels in Arch32, nothing for you to do in this case).
Or maybe the microcode ramdisk is not loaded at all or is also not up to date.
But again, running something mission critical on 32-bit Arch is a little bit - aeh - risky. :-)
Offline