"Both your CPU and your kernel have IBRS support, but it is currently disabled." when IBRS+IBRP are present

[candrews]

For CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2': IBRS enabled and active: YES IBPB enabled and active: YES STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) But then immediately below that: How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. which seems to me to be contradictory and doesn't make any sense.

# ./spectre-meltdown-checker.sh -v
Spectre and Meltdown mitigation detection tool v0.36+

Checking for vulnerabilities on current system
Kernel is Linux 4.16.1-300.fc28.x86_64 #1 SMP Mon Apr 9 15:29:05 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz
Will use kernel image /boot//vmlinuz-4.16.1-300.fc28.x86_64
Will use kconfig /lib/modules/4.16.1-300.fc28.x86_64/config
Will use System.map file /proc/kallsyms
Kernel image is Linux version 4.16.1-300.fc28.x86_64 (mockbuild@bkernel01.phx2.fedoraproject.org) (gcc version 8.0.1 20180324 (Red Hat 8.0.1-0.20) (GCC)) #1 SMP Mon Apr 9 15:29:05 UTC 2018

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 69 stepping 1 ucode 0x23 cpuid 0x40651)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm):  NO 
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 6 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES  (found IBRS_FW in sysfs)
    * IBRS enabled and active:  YES  (for firmware code)
  * Kernel is compiled with IBPB support:  YES  (IBPB found enabled in sysfs)
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    * Local gcc is retpoline-aware:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

> How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this.

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES  (found 'CONFIG_PAGE_TABLE_ISOLATION=y')
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

[Dansthunder]

v35 on x86_64 shows NOT VULN -- v36+ shows Vulnerable due to the addition of ARM code:

V35: CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

• Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
• Mitigation 1
  • Kernel is compiled with IBRS/IBPB support: NO
  • Currently enabled features
  • IBRS enabled for Kernel space: NO
  • IBRS enabled for User space: NO
  • IBPB enabled: NO
• Mitigation 2
  • Kernel compiled with retpoline option: YES
  • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

    STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

V36+ CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

• Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline)
• Mitigation 1
  • Kernel is compiled with IBRS support: NO
  • IBRS enabled and active: UNKNOWN
  • Kernel is compiled with IBPB support: NO
  • IBPB enabled and active: NO
• Mitigation 2
  • Kernel has branch predictor hardening (arm): NO
  • Kernel compiled with retpoline option: YES
  • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

    STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.

[speed47]

@candrews @Dansthunder Following the discussion in #181, missing IBPB is now not considered a deal-breaker unless you're under --paranoid mode. Can you retry the latest branch? @Dansthunder The issue was not related to the addition of the ARM code, but another change I've made around the same time, to require IBPB in addition to retpoline. This is technically correct, but might freak out people, so I've implemented it only in --paranoid mode (check #181 for more info)

[speed47]

Closing this issue as it's believed to be fixed. Please don't hesitate to reopen if this is not the case, thanks!

[tobby88]

Hi

I'm maybe facing the same "problem" (if you can call it that?). All checks are green, but not the Spectre v2 check and I don't really understand the discrepancy of the output.

So this command: ./spectre-meltdown-checker.sh --explain -v --no-color --variant 2 is giving me this output:

Spectre and Meltdown mitigation detection tool v0.43

Checking for vulnerabilities on current system Kernel is Linux 5.3.18-2-pve #1 SMP PVE 5.3.18-2 (Sat, 15 Feb 2020 15:11:52 +0100) x86_64 CPU is Intel(R) Xeon(R) CPU E3-1240 v6 @ 3.70GHz Will use kernel image /boot/vmlinuz-5.3.18-2-pve Will use kconfig /boot/config-5.3.18-2-pve Will use System.map file /proc/kallsyms Couldn't extract the kernel image (kernel compression format is unknown or image is invalid), > accuracy might be reduced

Hardware check

• Hardware support (CPU microcode) for mitigation techniques
  • Indirect Branch Restricted Speculation (IBRS)
  • SPEC_CTRL MSR is available: YES
  • CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  • Indirect Branch Prediction Barrier (IBPB)
  • PRED_CMD MSR is available: YES
  • CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  • Single Thread Indirect Branch Predictors (STIBP)
  • SPEC_CTRL MSR is available: YES
  • CPU indicates STIBP capability: YES (Intel STIBP feature bit)
  • Speculative Store Bypass Disable (SSBD)
  • CPU indicates SSBD capability: YES (Intel SSBD)
  • L1 data cache invalidation
  • FLUSH_CMD MSR is available: YES
  • CPU indicates L1D flush capability: YES (L1D flush feature bit)
  • Microarchitectural Data Sampling
  • VERW instruction is available: YES (MD_CLEAR feature bit)
  • Enhanced IBRS (IBRS_ALL)
  • CPU indicates ARCH_CAPABILITIES MSR availability: NO
  • ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  • CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
  • CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
  • CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
  • Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
  • CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): > NO
  • CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
  • CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
  • CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
  • CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)
  • CPU supports Software Guard Extensions (SGX): YES
  • CPU microcode is known to cause stability problems: NO (family 0x6 model 0x9e stepping 0x9 ucode 0xca cpuid 0x906e9)
  • CPU microcode is the latest known available version: NO (latest version is 0xd2 dated 2020/01/09 according to local firmwares DB v134.20200212+i20200123)
• CPU vulnerability to the speculative execution attack variants
  • Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
  • Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
  • Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
  • Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
  • Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
  • Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): YES
  • Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
  • Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
  • Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
  • Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
  • Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
  • Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
  • Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
  • Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'

• Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: always-on, IBRS_FW, STIBP: forced, RSB filling)
• Mitigation 1
  • Kernel is compiled with IBRS support: YES (found IBRS_FW in sysfs)
  • IBRS enabled and active: YES (for firmware code only)
  • Kernel is compiled with IBPB support: YES (IBPB found enabled in sysfs)
  • IBPB enabled and active: YES

• Mitigation 2

  • Kernel has branch predictor hardening (arm): NO
  • Kernel compiled with retpoline option: YES
  • Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
  • Local gcc is retpoline-aware: NO (gcc is not installed)
  • Kernel supports RSB filling: UNKNOWN (couldn't check (kernel compression format is unknown or image is invalid))

  STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)

  How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. You also need a recent-enough kernel that supports RSB filling if you plan to use retpoline. For Skylake+ CPUs, the IBRS + IBPB approach is generally preferred as it guarantees complete protection, and the performance impact is not as high as with older CPUs in comparison with retpoline. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.

  How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this.

SUMMARY: CVE-2017-5715:KO

A false sense of security is worse than no security at all, see --disclaimer

I don't understand this part:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'

• Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: always-on, IBRS_FW, STIBP: forced, RSB filling)
• Mitigation 1
  • Kernel is compiled with IBRS support: YES (found IBRS_FW in sysfs)
  • IBRS enabled and active: YES (for firmware code only) [...]
• Mitigation 2 [...] STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability) [...] How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this.

So first it says, that IBRS is enabled and active, then it tells me, that it's currently disabled? How can it be?