Open threevi opened 6 years ago
In order to dig into the issue, could you run the script in very verbose mode (using -v -v) under the two setups you described (the 2 different versions of the microcode_ctl package), and post the results here?
To minimize variance, I ran both iterations on the same system with the same kernel. I also made sure to pull the most recent script. The first pass was with microcode_ctl-2.1-29.10.el7_5.x86_64 installed. I then upgraded the package to microcode_ctl-2.1-29.16.el7_5.x86_64, rebooted, and ran the second pass.
These are the results...
With microcode_ctl-2.1-29.10.el7_5.x86_64:
Spectre and Meltdown mitigation detection tool v0.39+
(debug) cpuid: leaf1 on cpu0, eax-ebx-ecx-edx: 263921 4196352 2147417087 3219913727
(debug) cpuid: wanted register (1) has value 263921 aka 000406f1
(debug) cpuid: shifted value by 0 is 263921 aka 406f1
(debug) cpuid: after AND 0xFFFFFFFF, final value is 263921 aka 406f1
Checking for vulnerabilities on current system
Kernel is Linux 3.10.0-862.11.6.el7.x86_64 #1 SMP Thu Sep 13 16:08:36 PDT 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
(debug) found opt_kernel=/vmlinuz-3.10.0-862.11.6.el7.x86_64 in /proc/cmdline
(debug) opt_kernel is now /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64
Will use kernel image /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64
Will use kconfig /boot/config-3.10.0-862.11.6.el7.x86_64
Will use System.map file /proc/kallsyms
(debug) check_kernel: ret=0 size=6398512 sections=0 warnings=readelf: /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64: Error: Not an ELF file - it has the wrong magic bytes at the start/
(debug) check_kernel: ... file is invalid
(debug) try_decompress: looking for gunzip magic in /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64
(debug) try_decompress: magic for gunzip found at offset 18357:xy
(debug) check_kernel: ret=0 size=21173228 sections=11 warnings=
(debug) check_kernel: ... file is valid
(debug) try_decompress: decompressed with gunzip successfully!
Kernel image is Linux version 3.10.0-862.11.6.el7.x86_64 (root@kernel-build01.jf.intel.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Thu Sep 13 16:08:36 PDT 2018
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: (debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
(debug) read_msr: using perl
(debug) read_msr: MSR=0x48 value is 0
YES
* CPU indicates IBRS capability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 2617245696
(debug) cpuid: wanted register (4) has value 2617245696 aka 9c000000
(debug) cpuid: shifted value by 26 is 39 aka 27
(debug) cpuid: after AND 1, final value is 1 aka 1
(debug) cpuid: wanted 1 and got 1
YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: (debug) write_msr: using perl
(debug) write_msr: for cpu 0 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 1 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 2 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 3 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 4 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 5 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 6 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 7 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 8 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 9 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 10 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 11 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 12 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 13 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 14 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 15 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 16 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 17 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 18 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 19 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 20 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 21 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 22 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 23 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 24 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 25 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 26 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 27 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 28 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 29 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 30 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 31 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 32 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 33 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 34 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 35 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 36 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 37 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 38 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 39 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 40 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 41 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 42 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 43 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 44 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 45 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 46 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 47 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 48 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 49 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 50 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 51 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 52 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 53 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 54 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 55 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 56 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 57 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 58 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 59 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 60 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 61 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 62 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 63 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 64 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 65 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 66 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 67 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 68 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 69 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 70 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 71 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 72 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 73 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 74 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 75 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 76 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 77 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 78 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 79 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 80 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 81 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 82 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 83 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 84 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 85 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 86 on msr 73, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 87 on msr 73, ret=0
YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 2617245696
(debug) cpuid: wanted register (4) has value 2617245696 aka 9c000000
(debug) cpuid: shifted value by 27 is 19 aka 13
(debug) cpuid: after AND 1, final value is 1 aka 1
(debug) cpuid: wanted 1 and got 1
YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 2617245696
(debug) cpuid: wanted register (4) has value 2617245696 aka 9c000000
(debug) cpuid: shifted value by 31 is 1 aka 1
(debug) cpuid: after AND 1, final value is 1 aka 1
(debug) cpuid: wanted 1 and got 1
YES (Intel SSBD)
* L1 data cache invalidation
* FLUSH_CMD MSR is available: (debug) write_msr: using perl
(debug) write_msr: for cpu 0 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 1 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 2 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 3 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 4 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 5 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 6 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 7 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 8 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 9 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 10 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 11 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 12 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 13 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 14 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 15 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 16 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 17 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 18 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 19 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 20 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 21 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 22 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 23 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 24 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 25 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 26 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 27 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 28 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 29 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 30 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 31 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 32 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 33 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 34 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 35 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 36 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 37 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 38 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 39 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 40 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 41 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 42 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 43 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 44 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 45 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 46 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 47 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 48 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 49 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 50 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 51 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 52 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 53 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 54 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 55 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 56 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 57 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 58 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 59 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 60 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 61 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 62 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 63 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 64 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 65 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 66 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 67 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 68 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 69 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 70 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 71 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 72 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 73 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 74 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 75 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 76 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 77 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 78 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 79 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 80 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 81 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 82 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 83 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 84 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 85 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 86 on msr 267, ret=0
(debug) write_msr: using perl
(debug) write_msr: for cpu 87 on msr 267, ret=0
YES
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 2617245696
(debug) cpuid: wanted register (4) has value 2617245696 aka 9c000000
(debug) cpuid: shifted value by 29 is 4 aka 4
(debug) cpuid: after AND 1, final value is 0 aka 0
(debug) cpuid: wanted 1 and got 0
NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU microcode is known to cause stability problems: (debug) is_ucode_blacklisted: no (79/1/184549422)
NO (model 0x4f family 0x6 stepping 0x1 ucode 0xb00002e cpuid 0x406f1)
* CPU microcode is the latest known available version: (debug) is_latest_known_ucode: with cpuid 263921 has ucode 184549422, last known is 263921
YES (latest known version is 0xb00002e according to Intel Microcode Guidance, August 8 2018)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: (debug) is_cpu_vulnerable: intel family 6 is vuln
(debug) is_cpu_vulnerable: temp results are <> <> <> <> <> <vuln>
(debug) is_cpu_vulnerable: final results are <0> <0> <0> <0> <0> <0>
YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES
* Vulnerable to Variant l1tf: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: Load fences, __user pointer sanitization)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/spectre_v1=Mitigation: Load fences, __user pointer sanitization
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: (debug) found redhat/canonical version of the variant2 patch (implies variant1)
YES
* Kernel has mask_nospec64 (arm64): NO
* Checking count of LFENCE instructions following a jump in kernel... YES (42 jump-then-lfence instructions found, which is >= 30 (heuristic))
> STATUS: NOT VULNERABLE (Mitigation: Load fences, __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full retpoline)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/spectre_v2=Mitigation: Full retpoline
* Mitigation 1
(debug) ibrs: /sys/kernel/debug/ibrs_enabled file doesn't exist
(debug) ibrs: found /sys/kernel/debug/x86/ibrs_enabled=0
(debug) ibpb: found /sys/kernel/debug/x86/ibpb_enabled=1
* Kernel is compiled with IBRS support: YES (/sys/kernel/debug/x86/ibrs_enabled exists)
* IBRS enabled and active: NO
* Kernel is compiled with IBPB support: YES (/sys/kernel/debug/x86/ibpb_enabled exists)
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
(debug) retpoline: found CONFIG_RETPOLINE=y in /boot/config-3.10.0-862.11.6.el7.x86_64
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
(debug) retpoline: found /sys/kernel/debug/x86/retp_enabled=1
* Retpoline is enabled: YES
* Local gcc is retpoline-aware: YES
* Kernel supports RSB filling: NO
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/meltdown=Mitigation: PTI
* Kernel supports Page Table Isolation (PTI): (debug) kpti_support: found option 'CONFIG_PAGE_TABLE_ISOLATION=y' in /boot/config-3.10.0-862.11.6.el7.x86_64
YES (found 'CONFIG_PAGE_TABLE_ISOLATION=y')
* PTI enabled and active: (debug) kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: 1
YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/spec_store_bypass=Mitigation: Speculative Store Bypass disabled via prctl and seccomp
* Kernel supports speculation store bypass: (debug) found Speculation.Store.Bypass: in /proc/self/status
YES (found in /proc/self/status)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/l1tf=Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes
> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes)
(debug) variables at end of script: '|bp_harden=|bp_harden_can_tell=1|capabilities_ibrs_all=0|capabilities_rdcl_no=0|capabilities_rsba=0|capabilities_ssb_no=0|cpu_cpuid=263921|cpu_family=6|cpu_friendly_name='Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz'|cpuid_arch_capabilities=0|cpuid_decimal=263921|cpuid_ibpb=SPEC_CTRL|cpuid_ibrs=SPEC_CTRL|cpuid_spec_ctrl=1|cpuid_ssbd='Intel SSBD'|cpu_invpcid=1|cpu_mismatch=0|cpu_model=79|cpu_pcid=1|cpu_stepping=1|cpu_ucode=184549422|cpu_vendor=GenuineIntel|cve=CVE-2018-3615/3620/3646|dir=/sys/kernel/debug/x86|dmesg_grep='Kernel/User page tables isolation: enabled|Kernel page table isolation enabled|x86/pti: Unmapping kernel while in userspace'|echo_cmd_type=printf|echo_cmd=/usr/bin/printf|ftp_proxy=http://proxy-us.intel.com:911|global_critical=0|global_unknown=0|http_proxy=http://proxy-us.intel.com:911|https_proxy=http://proxy-us.intel.com:911|i=87|ibpb_can_tell=0|ibpb_enabled=1|ibpb_supported='/sys/kernel/debug/x86/ibpb_enabled exists'|ibrs_can_tell=1|ibrs_enabled=0|ibrs_supported='/sys/kernel/debug/x86/ibrs_enabled exists'|idx_max_cpu=87|is_cpu_vulnerable_cached=1|kernel_err=|kernel_ssb='found in /proc/self/status'|kernel=/tmp/kernel-d32z0d|kerneltmp=/tmp/kernel-d32z0d|kernel_version='Linux version 3.10.0-862.11.6.el7.x86_64 (root@kernel-build01.jf.intel.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Thu Sep 13 16:08:36 PDT 2018'|kpti_can_tell=1|kpti_enabled=1|kpti_support=CONFIG_PAGE_TABLE_ISOLATION=y|mode=|model=45|msg='Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache 
flushes'|n=88|nb_lfence=42|ncpus=88|no_proxy=localhost,127.0.0.1,intel.com,.intel.com,cluster,.cluster,10.0.0.0/8,172.168.0.0/16,192.168.0.0/16,10.54.8.248,10.54.4.19,10.54.8.18,132.233.52.91|nrpe_vuln=|opt=|opt_allvariants=1|opt_arch_prefix=|opt_batch=0|opt_batch_format=text|opt_config=/boot/config-3.10.0-862.11.6.el7.x86_64|opt_coreos=0|opt_explain=0|opt_hw_only=0|opt_kernel=/boot//vmlinuz-3.10.0-862.11.6.el7.x86_64|opt_live=1|opt_live_explicit=0|opt_map=/proc/kallsyms|opt_no_color=0|opt_no_hw=0|opt_no_sysfs=0|opt_paranoid=0|opt_sysfs_only=0|opt_variant1=0|opt_variant2=0|opt_variant3=0|opt_variant3a=0|opt_variant4=0|opt_variantl1tf=0|opt_verbose=3|os=Linux|parse_cpu_details_done=1|pos=18357|procfs=/proc|pvulnstatus_last_cve=CVE-2018-3615/3620/3646|read_cpuid_value=0|read_msr_value=' 0'|redhat_canonical_spectre=1|ret=1|retp_enabled=1|retpoline=1|retpoline_compiler=1|retpoline_compiler_reason='kernel reports full retpoline compilation'|rsb_filling=|socks_proxy=http://proxy-us.intel.com:1080|spec_ctrl_msr=1|specex_knob_dir=/sys/kernel/debug/x86|status=OK|stepping=7|sys_interface_available=1|tuple=0x406F1,0xB00002E|ucode=0x712|ucode_decimal=184549422|ucode_found='model 0x4f family 0x6 stepping 0x1 ucode 0xb00002e cpuid 0x406f1'|ucode_latest='latest known version is 0xb00002e according to Intel Microcode Guidance, August 8 2018'|v1_lfence=1|v1_mask_nospec='x86 64 bits array_index_mask_nospec'|val=0|variant1=0|variant2=0|variant3=0|variant3a=0|variant4=0|variantl1tf=0|v=l1tf|vulnstatus=OK|
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
With microcode_ctl-2.1-29.16.el7_5.x86_64:
Spectre and Meltdown mitigation detection tool v0.39+
(debug) cpuid: leaf1 on cpu0, eax-ebx-ecx-edx: 263921 4196352 2147417087 3219913727
(debug) cpuid: wanted register (1) has value 263921 aka 000406f1
(debug) cpuid: shifted value by 0 is 263921 aka 406f1
(debug) cpuid: after AND 0xFFFFFFFF, final value is 263921 aka 406f1
Checking for vulnerabilities on current system
Kernel is Linux 3.10.0-862.11.6.el7.x86_64 #1 SMP Thu Sep 13 16:08:36 PDT 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
(debug) found opt_kernel=/vmlinuz-3.10.0-862.11.6.el7.x86_64 in /proc/cmdline
(debug) opt_kernel is now /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64
Will use kernel image /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64
Will use kconfig /boot/config-3.10.0-862.11.6.el7.x86_64
Will use System.map file /proc/kallsyms
(debug) check_kernel: ret=0 size=6398512 sections=0 warnings=readelf: /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64: Error: Not an ELF file - it has the wrong magic bytes at the start/
(debug) check_kernel: ... file is invalid
(debug) try_decompress: looking for gunzip magic in /boot//vmlinuz-3.10.0-862.11.6.el7.x86_64
(debug) try_decompress: magic for gunzip found at offset 18357:xy
(debug) check_kernel: ret=0 size=21173228 sections=11 warnings=
(debug) check_kernel: ... file is valid
(debug) try_decompress: decompressed with gunzip successfully!
Kernel image is Linux version 3.10.0-862.11.6.el7.x86_64 (root@kernel-build01.jf.intel.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Thu Sep 13 16:08:36 PDT 2018
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: (debug) read_msr: using perl
NO
* CPU indicates IBRS capability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 0
(debug) cpuid: wanted register (4) has value 0 aka 00000000
(debug) cpuid: shifted value by 26 is 0 aka 0
(debug) cpuid: after AND 1, final value is 0 aka 0
(debug) cpuid: wanted 1 and got 0
NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: (debug) write_msr: using perl
(debug) write_msr: for cpu 0 on msr 73, ret=1
NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 0
(debug) cpuid: wanted register (4) has value 0 aka 00000000
(debug) cpuid: shifted value by 27 is 0 aka 0
(debug) cpuid: after AND 1, final value is 0 aka 0
(debug) cpuid: wanted 1 and got 0
NO
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 0
(debug) cpuid: wanted register (4) has value 0 aka 00000000
(debug) cpuid: shifted value by 31 is 0 aka 0
(debug) cpuid: after AND 1, final value is 0 aka 0
(debug) cpuid: wanted 1 and got 0
NO
* L1 data cache invalidation
* FLUSH_CMD MSR is available: (debug) write_msr: using perl
(debug) write_msr: for cpu 0 on msr 267, ret=1
NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: (debug) cpuid: leaf7 on cpu0, eax-ebx-ecx-edx: 0 35438523 0 0
(debug) cpuid: wanted register (4) has value 0 aka 00000000
(debug) cpuid: shifted value by 29 is 0 aka 0
(debug) cpuid: after AND 1, final value is 0 aka 0
(debug) cpuid: wanted 1 and got 0
NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU microcode is known to cause stability problems: (debug) is_ucode_blacklisted: no (79/1/184549403)
NO (model 0x4f family 0x6 stepping 0x1 ucode 0xb00001b cpuid 0x406f1)
* CPU microcode is the latest known available version: (debug) is_latest_known_ucode: with cpuid 263921 has ucode 184549403, last known is 263921
NO (latest known version is 0xb00002e according to Intel Microcode Guidance, August 8 2018)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: (debug) is_cpu_vulnerable: intel family 6 is vuln
(debug) is_cpu_vulnerable: temp results are <> <> <> <> <> <vuln>
(debug) is_cpu_vulnerable: final results are <0> <0> <0> <0> <0> <0>
YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES
* Vulnerable to Variant l1tf: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: Load fences, __user pointer sanitization)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/spectre_v1=Mitigation: Load fences, __user pointer sanitization
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: (debug) found redhat/canonical version of the variant2 patch (implies variant1)
YES
* Kernel has mask_nospec64 (arm64): NO
* Checking count of LFENCE instructions following a jump in kernel... YES (42 jump-then-lfence instructions found, which is >= 30 (heuristic))
> STATUS: NOT VULNERABLE (Mitigation: Load fences, __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (Vulnerable: Retpoline without IBPB)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/spectre_v2=Vulnerable: Retpoline without IBPB
* Mitigation 1
(debug) ibrs: /sys/kernel/debug/ibrs_enabled file doesn't exist
(debug) ibrs: found /sys/kernel/debug/x86/ibrs_enabled=0
(debug) ibpb: found /sys/kernel/debug/x86/ibpb_enabled=0
(debug) ibpb: found enabled in sysfs
* Kernel is compiled with IBRS support: YES (/sys/kernel/debug/x86/ibrs_enabled exists)
* IBRS enabled and active: NO
* Kernel is compiled with IBPB support: YES (/sys/kernel/debug/x86/ibpb_enabled exists)
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
(debug) retpoline: found CONFIG_RETPOLINE=y in /boot/config-3.10.0-862.11.6.el7.x86_64
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
(debug) retpoline: found /sys/kernel/debug/x86/retp_enabled=1
* Retpoline is enabled: YES
* Local gcc is retpoline-aware: YES
* Kernel supports RSB filling: NO
> STATUS: NOT VULNERABLE (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/meltdown=Mitigation: PTI
* Kernel supports Page Table Isolation (PTI): (debug) kpti_support: found option 'CONFIG_PAGE_TABLE_ISOLATION=y' in /boot/config-3.10.0-862.11.6.el7.x86_64
YES (found 'CONFIG_PAGE_TABLE_ISOLATION=y')
* PTI enabled and active: (debug) kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: 1
YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/spec_store_bypass=Vulnerable
* Kernel supports speculation store bypass: (debug) found Speculation.Store.Bypass: in /proc/self/status
YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes)
(debug) sys_interface_check: /sys/devices/system/cpu/vulnerabilities/l1tf=Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes
> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes)
(debug) variables at end of script: '|bp_harden=|bp_harden_can_tell=1|capabilities_ibrs_all=0|capabilities_rdcl_no=0|capabilities_rsba=0|capabilities_ssb_no=0|cpu_cpuid=263921|cpu_family=6|cpu_friendly_name='Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz'|cpuid_arch_capabilities=0|cpuid_decimal=263921|cpu_invpcid=1|cpu_mismatch=0|cpu_model=79|cpu_pcid=1|cpu_stepping=1|cpu_ucode=184549403|cpu_vendor=GenuineIntel|cve=CVE-2018-3615/3620/3646|dir=/sys/kernel/debug/x86|dmesg_grep='Kernel/User page tables isolation: enabled|Kernel page table isolation enabled|x86/pti: Unmapping kernel while in userspace'|echo_cmd_type=printf|echo_cmd=/usr/bin/printf|ftp_proxy=http://proxy-us.intel.com:911|global_critical=1|global_unknown=0|http_proxy=http://proxy-us.intel.com:911|https_proxy=http://proxy-us.intel.com:911|i=87|ibpb_can_tell=0|ibpb_enabled=0|ibpb_supported='/sys/kernel/debug/x86/ibpb_enabled exists'|ibrs_can_tell=1|ibrs_enabled=0|ibrs_supported='/sys/kernel/debug/x86/ibrs_enabled exists'|idx_max_cpu=87|is_cpu_vulnerable_cached=1|kernel_err=|kernel_ssb='found in /proc/self/status'|kernel=/tmp/kernel-O3J9fo|kerneltmp=/tmp/kernel-O3J9fo|kernel_version='Linux version 3.10.0-862.11.6.el7.x86_64 (root@kernel-build01.jf.intel.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Thu Sep 13 16:08:36 PDT 2018'|kpti_can_tell=1|kpti_enabled=1|kpti_support=CONFIG_PAGE_TABLE_ISOLATION=y|mode=|model=45|msg='Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache 
flushes'|n=88|nb_lfence=42|ncpus=88|no_proxy=localhost,127.0.0.1,intel.com,.intel.com,cluster,.cluster,10.0.0.0/8,172.168.0.0/16,192.168.0.0/16,10.54.8.248,10.54.4.19,10.54.8.18,132.233.52.91|nrpe_vuln=|opt=|opt_allvariants=1|opt_arch_prefix=|opt_batch=0|opt_batch_format=text|opt_config=/boot/config-3.10.0-862.11.6.el7.x86_64|opt_coreos=0|opt_explain=0|opt_hw_only=0|opt_kernel=/boot//vmlinuz-3.10.0-862.11.6.el7.x86_64|opt_live=1|opt_live_explicit=0|opt_map=/proc/kallsyms|opt_no_color=0|opt_no_hw=0|opt_no_sysfs=0|opt_paranoid=0|opt_sysfs_only=0|opt_variant1=0|opt_variant2=0|opt_variant3=0|opt_variant3a=0|opt_variant4=0|opt_variantl1tf=0|opt_verbose=3|os=Linux|parse_cpu_details_done=1|pos=18357|procfs=/proc|pvulnstatus_last_cve=CVE-2018-3615/3620/3646|read_cpuid_value=0|read_msr_value=|redhat_canonical_spectre=1|ret=1|retp_enabled=1|retpoline=1|retpoline_compiler=1|retpoline_compiler_reason='kernel reports full retpoline compilation'|rsb_filling=|socks_proxy=http://proxy-us.intel.com:1080|spec_ctrl_msr=0|specex_knob_dir=/sys/kernel/debug/x86|status=OK|stepping=7|sys_interface_available=1|tuple=0x406F1,0xB00002E|ucode=0x712|ucode_decimal=184549422|ucode_found='model 0x4f family 0x6 stepping 0x1 ucode 0xb00001b cpuid 0x406f1'|ucode_latest='latest known version is 0xb00002e according to Intel Microcode Guidance, August 8 2018'|v1_lfence=1|v1_mask_nospec='x86 64 bits array_index_mask_nospec'|val=1|variant1=0|variant2=0|variant3=0|variant3a=0|variant4=0|variantl1tf=0|v=l1tf|vulnstatus=OK|
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
Thank you! Let me know if you need anything further!
Well, this is not a bug from the script; the "oldest" microcode_ctl package you tried actually contains a more recent version of the microcode for your CPU than the "newer" microcode_ctl package:
2.1-29.10: model 0x4f family 0x6 stepping 0x1 ucode 0xb00002e cpuid 0x406f1
2.1-29.16: model 0x4f family 0x6 stepping 0x1 ucode 0xb00001b cpuid 0x406f1
I don't know why the CentOS maintainers took this decision! This might be explained in the changelog of the microcode_ctl package?
This appears to be for RHEL/CentOS 6 version of microcode_ctl, but possibly they left it out for RHEL/CentOS 7 as well (just to be safe). But it matches the model/family/stepping that seems to be in use here.
I saw this in the changelog for the microcode_ctl package on a CentOS 6 system:
* Thu Aug 30 08:00:00 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:1.17-33.6
- Disable 06-4f-01 microcode in config (#1622180).
Which led me to this bugzilla and Red Hat solutions page:
https://bugzilla.redhat.com/show_bug.cgi?id=1622180
https://access.redhat.com/solutions/3314661
Looks like they disabled microcode updates for the affected CPUs in the newest microcode_ctl update because it was causing systems to hang.
Looking at the microcode_ctl package changelog on a RHEL 7 system (which should match CentOS 7 here), I see the same entry as was there for the CentOS 6 system I checked:
* Thu Aug 30 08:00:00 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-29.14
- Disable 06-4f-01 microcode in config (#1623630).
It seems that the bugzilla listed is different here though (and it appears to be restricted for some reason): https://bugzilla.redhat.com/show_bug.cgi?id=1623630
Not sure if the reason for CentOS/RHEL 7 is the same as for CentOS/RHEL 6...but at least we know it was intentionally left out for both 6 and 7 now...
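The diagnosis above rests on two steps: matching the CPUID signature from the checker's debug output (0x406f1, decimal 263921) to the `06-4f-01` entry in the package changelog, and comparing the microcode revision each package loads with the latest known one. The script below is an added example, not part of the thread or of spectre-meltdown-checker; its function names are hypothetical, and the sample strings are copied from the output and changelog quoted in this thread.

```bash
#!/usr/bin/env bash
# Added example, not part of spectre-meltdown-checker. Function names are
# hypothetical; sample strings are copied from the output quoted in this thread.

# sig_to_fms SIG: turn a CPUID leaf 1 EAX signature (hex or decimal) into the
# "family-model-stepping" triplet used to name Intel microcode files.
sig_to_fms() {
    local sig=$(( $1 ))
    local stepping=$((  sig         & 0xF ))
    local model=$((    (sig >> 4)   & 0xF ))
    local family=$((   (sig >> 8)   & 0xF ))
    local ext_model=$(( (sig >> 16) & 0xF ))
    local ext_family=$(( (sig >> 20) & 0xFF ))
    if [ "$family" -eq 15 ]; then
        # The extended family is added only when the base family is 0xF.
        family=$(( family + ext_family ))
        model=$(( (ext_model << 4) | model ))
    elif [ "$family" -eq 6 ]; then
        # For family 6 the extended model forms the high nibble of the model.
        model=$(( (ext_model << 4) | model ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# ucode_field LINE: extract the revision from a checker line such as
# "model 0x4f family 0x6 stepping 0x1 ucode 0xb00002e cpuid 0x406f1".
ucode_field() {
    printf '%s\n' "$1" | sed -n 's/.*ucode \(0x[0-9a-fA-F]*\).*/\1/p'
}

# ucode_status RUNNING LATEST: print older, current or newer.
# Both arguments may be hex (0xb00001b) or decimal (184549403).
ucode_status() {
    local running=$(( $1 )) latest=$(( $2 ))
    if [ "$running" -lt "$latest" ]; then
        echo older
    elif [ "$running" -gt "$latest" ]; then
        echo newer
    else
        echo current
    fi
}

# changelog_disables FMS: read a package changelog on stdin and succeed if it
# contains a "Disable <FMS> microcode" entry like the one quoted in the thread.
changelog_disables() {
    grep -qiF -- "Disable $1 microcode"
}

# explain SIG CHECKER_LINE LATEST: one-line verdict; changelog text on stdin.
explain() {
    local fms rev status note
    fms=$(sig_to_fms "$1")
    rev=$(ucode_field "$2")
    status=$(ucode_status "$rev" "$3")
    if changelog_disables "$fms"; then
        note="package changelog disables $fms"
    else
        note="no disable entry for $fms"
    fi
    printf '%s: running %s, latest known %s (%s); %s\n' \
        "$fms" "$rev" "$3" "$status" "$note"
}

# Sample data copied from this thread (not read from a live system).
RUN_29_10='model 0x4f family 0x6 stepping 0x1 ucode 0xb00002e cpuid 0x406f1'
RUN_29_16='model 0x4f family 0x6 stepping 0x1 ucode 0xb00001b cpuid 0x406f1'
CHANGELOG='* Thu Aug 30 08:00:00 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-29.14
- Disable 06-4f-01 microcode in config (#1623630).'

for line in "$RUN_29_10" "$RUN_29_16"; do
    printf '%s\n' "$CHANGELOG" | explain 0x406f1 "$line" 0xb00002e
done
```

On a live system the changelog text can come from `rpm -q --changelog microcode_ctl`, with the signature and revision taken from the checker's own output.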
Thank you for looking into this, @speed47 and @mattvw!
It seems that the problem is not with the checker script but rather an issue of a removal of some microcode in the microcode_ctl package that causes some systems to hang on boot.
My current assumption at this point is that I should be safe with the microcode_ctl-2.1-29.10.el7_5.x86_64 package for now provided I don't experience any hangs on boot. Does that sound reasonable/accurate?
I suppose I could also try pulling the most recent microcode directly from Intel's website to see if there's a difference between the CentOS package and the official release from Intel. I can post my findings here if that would be useful information.
I have two CentOS 7.5 systems, both running the 3.10.0-862.11.6.el7 kernel, but one is using microcode_ctl-2.1-29.10.el7_5.x86_64 and the other is using the newest microcode_ctl package, microcode_ctl-2.1-29.16.el7_5.x86_64.
The system running microcode_ctl-2.1-29.10.el7_5.x86_64 shows no vulnerabilities when the spectre-meltdown-checker script is run. The system running microcode_ctl-2.1-29.16.el7_5.x86_64 shows CVE-2018-3640 and CVE-2018-3639 vulnerabilities when the spectre-meltdown-checker script is run.
It looks like the CentOS package maintainers added this newer microcode_ctl package to the default updates repo yesterday (Sept 13th, 2018).
I'm not sure if there's a problem in the newer microcode_ctl package that's making things vulnerable again, or if the spectre-meltdown-checker script needs to be updated to check new parameters added by the newer microcode? Just guessing as I'm pretty unfamiliar with how things work under the hood.
I tried reinstalling the microcode_ctl-2.1-29.16.el7_5.x86_64 package in the off chance that the first microcode flashing failed, but I'm seeing the same results.
I then tried downgrading from microcode_ctl-2.1-29.16.el7_5.x86_64 to microcode_ctl-2.1-29.10.el7_5.x86_64, rebooted, and reran the script. No vulnerabilities found this time. So, the problem definitely seems to be tied to the newer microcode_ctl package.
Please let me know if you have any questions/need clarification! Thank you!