2 Replies Latest reply on Apr 10, 2018 12:16 PM by N.Scott.Pearson

    Spectre Variant 2 for kernel 2.6.x

    tsrini

      Hi Team,

       

I'm trying to mitigate Spectre Variant 2 in my linux box running CentOS 6.5. The CPU model is Intel(R) Xeon(R) CPU L5638 @ 2.00GHz.

       

Below is the kernel, OS & CPU information:

      [root@c5bng-src9 etc]# uname -a

      Linux c5bng-src9 2.6.32-573.12.1.SCLC6_5.R3.9.1.x86_64 #1 SMP Thu Feb 25 14:47:37 EST 2016 x86_64 x86_64 x86_64 GNU/Linux

      [root@c5bng-src9 etc]# cat /etc/*release*

      CentOS release 6.5 (Final)

      CentOS release 6.5 (Final)

      cpe:/o:centos:linux:6:GA

There are 16 cores; sample information is below:

      [root@c5bng-src9 etc]# cat /proc/cpuinfo | more

      processor       : 0

      vendor_id       : GenuineIntel

      cpu family      : 6

      model           : 44

      model name      : Intel(R) Xeon(R) CPU           L5638  @ 2.00GHz

      stepping        : 2

      microcode       : 12

      cpu MHz         : 2000.131

      cache size      : 12288 KB

      physical id     : 0

      siblings        : 12

      core id         : 0

      cpu cores       : 6

      apicid          : 0

      initial apicid  : 0

      fpu             : yes

      fpu_exception   : yes

      cpuid level     : 11

      wp              : yes

      flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 popcnt aes lahf_lm ida arat dts tpr_shadow vnmi flexpriority ept vpid

      bogomips        : 4000.26

      clflush size    : 64

      cache_alignment : 64

      address sizes   : 40 bits physical, 48 bits virtual

      power management:

       

As per the microcode update guide published on Apr 2nd ( https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf ), it seems a production update is available for the CPU model (Intel(R) Xeon(R) CPU L5638). I tried applying the patch microcode-20180312.tgz, but the patch was not applied.

       

      [root@c5bng-src9 2018]# dd if=microcode.dat of=/dev/cpu/microcode bs=1M

      dd: writing `/dev/cpu/microcode': Invalid argument

      1+0 records in

      0+0 records out

      0 bytes (0 B) copied, 0.0531313 s, 0.0 kB/s

      [root@c5bng-src9 2018]#

       

From dmesg:

       

      platform microcode: firmware: requesting intel-ucode/06-2c-02

      microcode: CPU22 sig=0x206c2, pf=0x1, revision=0xc

      platform microcode: firmware: requesting intel-ucode/06-2c-02

      microcode: CPU23 sig=0x206c2, pf=0x1, revision=0xc

      platform microcode: firmware: requesting intel-ucode/06-2c-02

      Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

      microcode: error!Bad data in microcode data file

      microcode: error!Bad data in microcode data file

From the CentOS forum (from the link https://www.centos.org/forums/viewtopic.php?f=17&t=66332 ), it was advised to check with Intel for any BIOS update which includes the microcode update.

       

Below is my spectre checker output:

       

      [root@c5bng-src9 spectre-meltdown-checker-master]# ./spectre-meltdown-checker.sh

      Spectre and Meltdown mitigation detection tool v0.36+

       

      Checking for vulnerabilities on current system

      Kernel is Linux 2.6.32-573.12.1.SCLC6_5.R3.9.1.x86_64 #1 SMP Thu Feb 25 14:47:37 EST 2016 x86_64

      CPU is Intel(R) Xeon(R) CPU           L5638  @ 2.00GHz

       

      Hardware check

      * Hardware support (CPU microcode) for mitigation techniques

        * Indirect Branch Restricted Speculation (IBRS)

          * SPEC_CTRL MSR is available:  NO

          * CPU indicates IBRS capability:  NO

        * Indirect Branch Prediction Barrier (IBPB)

          * PRED_CMD MSR is available:  NO

          * CPU indicates IBPB capability:  NO

        * Single Thread Indirect Branch Predictors (STIBP)

          * SPEC_CTRL MSR is available:  NO

          * CPU indicates STIBP capability:  NO

        * Enhanced IBRS (IBRS_ALL)

          * CPU indicates ARCH_CAPABILITIES MSR availability:  NO

          * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO

        * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO

        * CPU microcode is known to cause stability problems:  NO  (model 44 stepping 2 ucode 12)

      * CPU vulnerability to the three speculative execution attack variants

        * Vulnerable to Variant 1:  YES

        * Vulnerable to Variant 2:  YES

        * Vulnerable to Variant 3:  YES

       

      CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'

      * Kernel has array_index_mask_nospec:  NO

      * Kernel has the Red Hat/Ubuntu patch:  NO

      * Checking count of LFENCE instructions following a jump in kernel...  NO  (only 7 jump-then-lfence instructions found, should be >= 30 (heuristic))

      > STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

       

      CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

      * Mitigation 1

        * Kernel is compiled with IBRS/IBPB support:  NO

        * Currently enabled features

          * IBRS enabled for Kernel space:  NO

          * IBRS enabled for User space:  NO

          * IBPB enabled:  NO

      * Mitigation 2

        * Kernel has branch predictor hardening (ARM):  NO

        * Kernel compiled with retpoline option:  NO

        * Kernel compiled with a retpoline-aware compiler:  NO

      > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

       

      CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'

      * Kernel supports Page Table Isolation (PTI):  NO

      * PTI enabled and active:  NO

      * Running as a Xen PV DomU:  NO

      > STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

       

Can someone help on this? Thanks in advance.

       

      Regards,

      Srini

        • 1. Re: Spectre Variant 2 for kernel 2.6.x
          N.Scott.Pearson

          First of all, the guidance to talk to Intel is absolute baloney. You need to talk to your motherboard vendor. They are responsible for delivering the BIOS update that includes the latest microcode.

           

While it is certainly true that most O/Ss include support for loading microcode, this is not an optimal solution. It leaves a time window within which nefarious code could sneak in and make use of these types of vulnerabilities to break through security. It is thus important to get a BIOS update that includes the latest microcode releases. If your motherboard vendor won't provide one, you should be complaining loudly. If enough of you do so, they will get the message and provide the updates. Otherwise, you should be dropping them from the list of motherboard vendors that you will deal with in the future (and saying so loudly).

           

          Ok, off my soapbox. Your attempts to load the microcode update into your O/S build are failing because the tool is saying that the file seems to be corrupted. You should re-download this file and try again. If you cannot get this to work, you need to contact the CentOS folks and have them look into it (are you sure they haven't already done a build that contains this update?). If the problem is verified (by them, not just you) to be a corrupted file, then come back here and complain.

           

          ...S
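The "Bad data in microcode data file" message in the question and the "file seems to be corrupted" diagnosis above both come down to the kernel rejecting the update header or its checksum. The following is an added example, not code from this thread or from Intel: it parses the 48-byte Intel microcode update header (layout per the Intel SDM, vol. 3A), verifies that all dwords over the total size sum to zero, and checks the update against the CPU signature and platform flags seen in the dmesg lines (sig=0x206c2, pf=0x1). The sample blob, its filler bytes, date and revision 0x1f are constructed for the demo and are not real microcode.

```python
import struct

# Intel microcode update header: 12 little-endian dwords, 48 bytes in total.
# Fields: hdr_ver, revision, date(BCD), sig, checksum, loader_rev, pf,
#         data_size, total_size, reserved x3
HDR = struct.Struct("<12I")

def parse_header(blob):
    """Return the header fields of one microcode update as a dict."""
    if len(blob) < HDR.size:
        raise ValueError("blob shorter than the 48-byte header")
    f = HDR.unpack_from(blob)
    return {"hdr_ver": f[0], "revision": f[1], "date": f[2], "sig": f[3],
            "checksum": f[4], "loader_rev": f[5], "pf": f[6],
            "data_size": f[7] or 2000,     # 0 means the legacy default size
            "total_size": f[8] or 2048}    # 0 means the legacy default size

def dword_sum(blob, n):
    """Sum of the first n bytes taken as little-endian dwords, mod 2**32."""
    return sum(struct.unpack_from("<%dI" % (n // 4), blob)) & 0xFFFFFFFF

def check_update(blob, cpu_sig, cpu_pf):
    """Explain why a loader would (or would not) accept this update for a CPU.
    Returns (ok, list_of_problems)."""
    problems = []
    h = parse_header(blob)
    if h["hdr_ver"] != 1 or h["loader_rev"] != 1:
        problems.append("unknown header/loader revision")
    total = h["total_size"]
    if total % 4 or total < HDR.size + h["data_size"] or total > len(blob):
        problems.append("total_size invalid or truncated file")
    elif dword_sum(blob, total) != 0:
        problems.append("checksum mismatch (bad data)")  # the kernel's 'Bad data' case
    # pf is a bitmask of platform IDs; the CPU's own platform bit must be set in it.
    if h["sig"] != cpu_sig or not (h["pf"] & cpu_pf):
        problems.append("update is for another CPU signature/platform")
    return (not problems, problems)

def build_sample(sig, pf, revision, data_size=976):
    """Construct a header-valid sample (NOT real microcode) whose dwords sum to zero."""
    total = HDR.size + data_size
    body = bytes((i * 7) & 0xFF for i in range(data_size))  # constructed filler
    hdr = [1, revision, 0x04022018, sig, 0, 1, pf, data_size, total, 0, 0, 0]
    hdr[4] = (-dword_sum(HDR.pack(*hdr) + body, total)) & 0xFFFFFFFF  # fix checksum
    return HDR.pack(*hdr) + body

if __name__ == "__main__":
    CPU_SIG, CPU_PF = 0x206C2, 0x1              # values from the dmesg lines in the thread
    good = build_sample(CPU_SIG, CPU_PF, revision=0x1F)  # hypothetical revision
    print(check_update(good, CPU_SIG, CPU_PF))  # (True, [])
    corrupt = bytearray(good)
    corrupt[100] ^= 0xFF                        # one flipped byte in the data area
    print(check_update(bytes(corrupt), CPU_SIG, CPU_PF))
```

Running the parser over the individual `intel-ucode/06-2c-02` file from a freshly downloaded archive shows whether the download itself is intact and whether it actually targets sig 0x206c2 with platform bit 0x1 before any attempt to load it.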

          • 2. Re: Spectre Variant 2 for kernel 2.6.x
            tsrini

            Hi Scott,

             

Thanks for the pointers. Let me find and check with the motherboard vendor on this for any BIOS update.

             

            Will get back in case of any clarifications.