speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

Raspberry Pi 4 CVE-2018-3639 false positive after applying mitigation #373

Open lilyanatia opened 4 years ago

lilyanatia commented 4 years ago

After applying the ARM-recommended Spectre v4 mitigation on my Raspberry Pi 4, I confirmed that the spectre_v4 demo from Google SafeSide no longer succeeds, so the vulnerability is mitigated.

spectre-meltdown-checker still shows VULNERABLE for this vulnerability with the mitigation applied.

devZer0 commented 3 years ago

I'm also wondering here if my system is safe or not. spectre_meltdown_checker (but also the Linux kernel) is telling me I'm vulnerable.

Getting this on an AMD G-T40N APU:

root@s900:~/safeside# ./build/demos/spectre_v4
Leaking the string: Hello_World Does not converge

But spectre-meltdown-checker is telling me:

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, 
but your CPU microcode doesn't actually provide the necessary features for the kernel to use. 
The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by 
your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). 
If you're using a distro, make sure you are up to date, as microcode updates are usually shipped 
alongside with the distro kernel. Availability of a microcode update for you CPU model depends 
on your CPU vendor. You can usually find out online if a microcode update is available for your 
CPU by searching for your CPUID (indicated in the Hardware Check section).

I set spec_store_bypass_disable=on on the command line:

# dmesg |grep -i spec
[    0.000000] Command line: BOOT_IMAGE=/ROOT/pve-1@/boot/vmlinuz-5.4.101-1-pve root=ZFS=/ROOT/pve-1 ro root=ZFS=rpool/ROOT/pve-1 boot=zfs spec_store_bypass_disable=on
[    0.194582] Kernel command line: BOOT_IMAGE=/ROOT/pve-1@/boot/vmlinuz-5.4.101-1-pve root=ZFS=/ROOT/pve-1 ro root=ZFS=rpool/ROOT/pve-1 boot=zfs spec_store_bypass_disable=on
[    0.433544] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[    0.433610] Spectre V2 : Mitigation: Full AMD retpoline
[    0.433659] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    0.433721] Speculative Store Bypass: Vulnerable

Here it says that no microcode update is needed for AMD:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4 "Support for this mitigation requires updated microcode for Intel processors. New microcode is not needed for AMD processors."

AMD says this (I don't really understand all of that): https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

So, if I do not need a microcode update, what can I do to be on the safe side?
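
An added example, not part of the thread or of spectre-meltdown-checker: the checker output above draws on two kernel interfaces, the sysfs vulnerabilities file and the `Speculation_Store_Bypass` field of a `/proc/<pid>/status` file. This script reads both and combines them into one verdict. The function names and verdict labels are hypothetical, and the matched strings are the ones mainline Linux prints, which is an assumption for vendor kernels.

```shell
#!/bin/sh
# Added example: report what the kernel says about Speculative Store Bypass
# (CVE-2018-3639). Function names and verdict labels are this example's own.

SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# Print the Speculation_Store_Bypass value from a /proc/<pid>/status file.
ssb_task_state() {
    sed -n 's/^Speculation_Store_Bypass:[[:space:]]*//p' "$1" 2>/dev/null
}

# Combine the system-wide sysfs string ($1) with the per-task string ($2).
ssb_verdict() {
    case "$1" in
        "Not affected")
            echo not-affected ;;
        "Mitigation: Speculative Store Bypass disabled")
            echo mitigated-global ;;
        "Mitigation: "*"via prctl"*)
            # SSBD exists but is opt-in per task: check this task's state.
            case "$2" in
                "thread mitigated"|"thread force mitigated")
                    echo mitigated-task ;;
                *)  echo opt-in-only ;;
            esac ;;
        Vulnerable*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Read the live values (or the files given as $1 and $2) and print a summary.
ssb_report() {
    sysfs_file=${1:-$SSB_SYSFS}
    status_file=${2:-/proc/$$/status}   # $$ is this shell's own PID
    sys=$(cat "$sysfs_file" 2>/dev/null) || sys=
    task=$(ssb_task_state "$status_file")
    printf 'sysfs : %s\ntask  : %s\nresult: %s\n' \
        "${sys:-<missing>}" "${task:-<missing>}" "$(ssb_verdict "$sys" "$task")"
}

ssb_report
```

A `vulnerable` result here only restates the kernel's own view, the same source as the `Speculative Store Bypass: Vulnerable` line in the dmesg output above.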