Open Martinligabue opened 1 year ago
Apparently the only possible mitigation is a microcode firmware update. We'll see whether, once upgraded, the microcode exposes the information that it has mitigation for this vuln; still gathering data about this.
I'll at least be able to add an affected/not affected check, as the list of impacted CPUs has been published by Intel at their usual page (https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html) and I now have a script to parse that and integrate it easily.
https://www.phoronix.com/news/Intel-20230808-Microcode does this help?
Yes indeed thanks!
Thanks @pandipanda69, I see contradictory information about Intel CPUs that support AVX2/512, that are out of support (a few years old), and not listed in the Kernel vuln blacklist. Intel won't say, and the kernel would deem them unaffected, but it seems contradictory to the Downfall white paper, which implies all models from 4th gen are affected...
Added a commit to your PR, can you test it, if possible?
Tested on different kinds of CPU (Atom, ARM, AMD, Intel) with old ucode, new ucode, old kernel, patched kernel, vanilla & grsec; behavior is as expected 👍
Merged, thanks for your help.
I'm leaving this open because we still miss minor things to deem this complete, these will be implemented when I'm back from holidays:
These are just convenience features, current code is enough to answer questions such as "am I affected/vulnerable?"
Can this vulnerability be added?
https://downfall.page/
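
Added example, not part of the thread and not the project's own code: on Linux kernels that carry the Gather Data Sampling (Downfall) patches, the kernel publishes its own verdict in sysfs, and this sketch maps that string to a coarse state. The sysfs path and status strings are the upstream kernel's; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Kernel's own report for Gather Data Sampling (GDS, "Downfall").
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds STATUS
# Prints: not_affected | mitigated | mitigated_no_ucode | vulnerable | unknown
classify_gds() {
    case "$1" in
        # Reflects the kernel's CPU list only. As discussed in the thread,
        # out-of-support models may be missing from that list.
        "Not affected")              echo not_affected ;;
        # Covers "Mitigation: Microcode" and "Mitigation: Microcode (locked)".
        "Mitigation: Microcode"*)    echo mitigated ;;
        # Fallback when no updated microcode is loaded: kernel disabled AVX.
        "Mitigation: AVX disabled"*) echo mitigated_no_ucode ;;
        # Covers "Vulnerable" and "Vulnerable: No microcode".
        "Vulnerable"*)               echo vulnerable ;;
        # e.g. "Unknown: Dependent on hypervisor status" inside a guest.
        *)                           echo unknown ;;
    esac
}

# gds_status [FILE]
# A missing file means the kernel predates the GDS patches; that is
# reported as kernel_too_old and must not be read as "not affected".
gds_status() {
    f=${1:-$GDS_SYSFS}
    if [ -r "$f" ]; then
        classify_gds "$(cat "$f")"
    else
        echo kernel_too_old
    fi
}

# Stand-alone run: print the state of the current machine.
gds_status
```
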