Closed DigTron closed 6 years ago
My sincerest apologies, the CPU is a T2400, I copped on late to the fact that (likely because of libreboot) the system is reporting an odd and nonexistent model number. https://ark.intel.com/products/27235/Intel-Core-Duo-Processor-T2400-2M-Cache-1_83-GHz-667-MHz-FSB .
Hello DigTron,
Don't worry about the wrong CPU model reported by your kernel, as the script doesn't rely on it too much apart from whitelisting some CPUs that are known not to be vulnerable (in any case, the T2400 is not whitelisted, so this wouldn't have changed the output).
Now about the variant 1 check. As the official patches are coming out (this is the last variant to be taken care of by the kernel devs, because it's the hardest to exploit), I've implemented (today!) a new check that is not a heuristic, and based on the last official patches, but it's only valid for kernels that will be released in the following days/weeks from the vanilla tree. Some distro kernels (such as Ubuntu or RedHat) did implement some mitigation of variant 1 well ahead of time, but it's way harder to detect; the best way I've found is to count the number of LFENCE opcodes, but that's really a heuristic. It mostly works though, but I think I never tested on an i686 kernel, and that might be why you have a crazy count. I'll check that part and see if I can find a correct threshold for i686 for this heuristic. The 4.14.15 you (probably?) have compiled yourself is vanilla, and as the variant1 patches are not out yet, the kernel correctly reports itself as vulnerable to it.
Now on to Meltdown. The script detects that you're vulnerable because you don't have PTI. This is the official mitigation for meltdown, and I think this is only available for x86_64, so the script would correctly report you as being vulnerable to it. What I'm wondering however, is whether the meltdown PoCs do work in 32 bits mode. I'm not sure they do, and that might be why you don't see yourself as vulnerable. You might want to compile a 64-bit kernel to check that! (or boot some live usb maybe)
Would you be able to test the script from the lfence branch?
I've updated the variant1 heuristic that is based on lfence opcodes, I've tested it on some x86_64 and i686 kernels, and the results seem way better than the previous method.
Thanks for your time and sorry for the trouble and being so slow getting back. This is a 32-bit cpu, so 64-bit kernels are not an option right? The marketing-boys-at-Intel's troll of a naming scheme may have struck again over a decade later. I think it was something like Core Duo = 32bit and Core 2 Duo = 64bit, confusing AF at a glance.
I asked for clarification regarding the Meltdown test. Looking at the issues there was trouble compiling on 32bit at one point but that's resolved, and there are a couple 32bit kernels on the not vulnerable list over there but I suppose anyone could add to it not knowing if it's valid or not.
Ran that branch, hope this is of some help and not a waste of your time, this is a wacky configuration after all.
Spectre and Meltdown mitigation detection tool v0.33+
Checking for vulnerabilities on current system
Kernel is Linux 4.14.15-041415-generic #201801231530 SMP Tue Jan 23 20:51:49 UTC 2018 i686
CPU is Genuine Intel(R) CPU 1400 @ 1.83GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Kernel has array_index_mask_nospec: NO
* Checking count of LFENCE instructions following a jump in kernel: NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: VULNERABLE (Kernel source needs to be patched to mitigate the vulnerability)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: NO (kernel reports minimal retpoline compilation)
* Retpoline enabled: YES
> STATUS: VULNERABLE (Vulnerable: Minimal generic ASM retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Spectre and Meltdown mitigation detection tool v0.33+
Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:35 UTC 2017 i686
CPU is Genuine Intel(R) CPU 1400 @ 1.83GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Checking count of LFENCE instructions following a jump in kernel: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS: UNKNOWN (Couldn't find kernel image or tools missing to execute the checks)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
* Retpoline enabled: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
And those other 2 kernels I was using
Spectre and Meltdown mitigation detection tool v0.33+
Checking for vulnerabilities on current system
Kernel is Linux 4.13.0-31-generic #34-Ubuntu SMP Fri Jan 19 16:34:16 UTC 2018 i686
CPU is Genuine Intel(R) CPU 1400 @ 1.83GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec: NO
* Checking count of LFENCE instructions following a jump in kernel: NO (only 4 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: VULNERABLE (Kernel source needs to be patched to mitigate the vulnerability)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
* Retpoline enabled: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Spectre and Meltdown mitigation detection tool v0.33+
Checking for vulnerabilities on current system
Kernel is Linux 4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:45:58 UTC 2017 i686
CPU is Genuine Intel(R) CPU 1400 @ 1.83GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec: NO
* Checking count of LFENCE instructions following a jump in kernel: NO (only 1 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: VULNERABLE (Kernel source needs to be patched to mitigate the vulnerability)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
* Retpoline enabled: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Ah, I didn't remember that some "Intel Core" commercial names were 32 bits back in the days.
Anyway, I can see that the new heuristic for variant1 is way better: it now correctly detects your 4.14.15-041415-generic (which is a vanilla kernel compiled by Ubuntu, but without the Ubuntu patches) as vulnerable to variant 1 (0 opcodes found).
About meltdown, let's wait for the answer of the PoC author, but I'm pretty sure that the vulnerability itself applies to 32 bits too. Just unsure that this PoC does work out of the box on 32 bits. What's pretty sure however at this stage, is that there's currently no kernel mitigation for 32 bits, as PTI is not (yet?) implemented for 32 bits. I would still be interested to know, however, if Yonah CPUs (as yours) are in fact vulnerable to meltdown or not, in the end. They're not in the couple "whitelists" that are starting to appear in e.g. the linux kernels (some old Atoms are OK for example)
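The jump-then-LFENCE count discussed in this thread, sketched as an added example (it is not the script's own code and not part of any comment here): it counts LFENCE instructions that directly follow a jump in `objdump -d` text and applies the `>= 30` threshold seen in the quoted output. The helper names and the sample disassembly are constructed for illustration, and the tab-separated `objdump -d` line layout is assumed.

```shell
#!/bin/sh
# Added illustration, not the checker's code: count LFENCE instructions that
# directly follow a jump in `objdump -d` text and apply the >= 30 threshold
# shown in the tool output quoted in this thread.

LFENCE_THRESHOLD=30

# Hypothetical helper: reads disassembly on stdin, prints the count.
# Instruction lines look like "addr:<TAB>bytes<TAB>mnemonic operands";
# labels, blank lines and byte-continuation lines have fewer fields and are
# skipped without resetting the "previous instruction was a jump" state.
count_jump_then_lfence() {
    awk -F'\t' '
        NF >= 3 {
            split($3, f, " ")
            if (f[1] == "lfence" && prev_jump) n++
            prev_jump = (f[1] ~ /^j/)
        }
        END { print n + 0 }
    '
}

# Hypothetical helper: prints a verdict in the style of the tool output.
variant1_heuristic() {
    count=$(count_jump_then_lfence)
    if [ "$count" -ge "$LFENCE_THRESHOLD" ]; then
        echo "YES ($count jump-then-lfence instructions found)"
    else
        echo "NO (only $count jump-then-lfence instructions found, should be >= $LFENCE_THRESHOLD)"
    fi
}

# Constructed sample disassembly (not taken from any real kernel). The second
# lfence follows a mov, not a jump, so it must not be counted.
sample_disassembly() {
    printf '%b\n' \
        'c1000000 <constructed_func>:' \
        'c1000000:\t39 d0                \tcmp    %edx,%eax' \
        'c1000002:\t73 0a                \tjae    c100000e <constructed_func+0xe>' \
        'c1000004:\t0f ae e8             \tlfence' \
        'c1000007:\t8b 04 85 00 00 20 c1 \tmov    -0x3ee00000(,%eax,4),%eax' \
        'c100000e:\t0f ae e8             \tlfence' \
        'c1000011:\teb 02                \tjmp    c1000015 <constructed_func+0x15>' \
        'c1000013:\t00 00                \tadd    %al,(%eax)' \
        'c1000015:\tc3                   \tret'
}

# On a real system: objdump -d /path/to/uncompressed/vmlinux | variant1_heuristic
sample_disassembly | variant1_heuristic
```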
I'm glad you are at least finding it interesting :D, just wish I had a non Libreboot'd X60 to test with now to be of more use. Do you think the neutered IME and/or missing microcode updates could be what's making it not vulnerable? If it actually turns out to be not vulnerable, that is.
I don't think the neutered IME has any impact (positive or negative) on this precise range of vulnerabilities, as Spectre and Meltdown root causes are really deep inside the CPU functions. On a side note, I've included some fixes for detection of the mitigation of variant1 for Ubuntu and Red Hat kernels. You might want to try the latest version of the script!
Closing to tidy up the issues list a bit, feel free to reopen if needed!
(Libreboot) First thanks for the script, and I understand this is a zany edge case but thought you should know. Reports not being vulnerable to Spectre 1 on 4.10.0-35 and 4.13.0-31 but that it is on 4.14.15-041415... and 4.14.13 that I don't have the output on hand for. Constantly reports vulnerability to Meltdown yet when testing https://github.com/paboldin/meltdown-exploit on all three of these kernels it results in a not vulnerable result. (here) Going to try and get a POC of Spectre running and will report back with the results. (having trouble compiling https://github.com/crozone/SpectrePoC)