Closed mauvehed closed 6 years ago
I don't have an AWS instance at hand, as their kernel is custom they might have modified the hints that indicate PTI is active. Could you share your dmesg right after booting? Maybe there's a hint there.
In addition to that, find /sys /proc -iname "*pti" might show something. Don't forget to mount -t debugfs debugfs /sys/kernel/debug before running the find, just in case.
Could you also re-run the script in debug (-v -v)? 4.9 kernels are supposed to have KAISER (~PTI light) and the script should detect that already.
-v -v as requested
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.9.75-25.55.amzn1.x86_64 #1 SMP Fri Jan 5 23:50:27 UTC 2018 x86_64
Will use vmlinux image /boot/vmlinuz-4.9.75-25.55.amzn1.x86_64
Will use kconfig /boot/config-4.9.75-25.55.amzn1.x86_64
Will use System.map file /proc/kallsyms
(debug) try_decompress: magic for gunzip found at offset 17527:xy
(debug) try_decompress: decompressed with gunzip successfully!
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Checking count of LFENCE opcodes in kernel: NO
STATUS: VULNERABLE (only 27 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: YES
- Kernel support for IBRS:
(debug) ibrs: file /sys/kernel/debug/ibrs_enabled doesn't exist
(debug) ibrs: file /sys/kernel/debug/x86/ibrs_enabled doesn't exist
(debug) ibrs: file /proc/sys/kernel/ibrs_enabled doesn't exist
NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI):
(debug) kpti_support: found option CONFIG_PAGE_TABLE_ISOLATION=y in /boot/config-4.9.75-25.55.amzn1.x86_64
YES
- PTI enabled and active:
(debug) kpti_enabled: couldn't find any hint that PTI is enabled
NO
STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
And find /sys /proc -iname "*pti" returned no results, even after the mount.
+1 same results and issue
Sorry, I forgot a * in my previous message, the command to try would be find /sys /proc -iname "*pti*".
If there's still nothing, could you share your dmesg? Maybe there's a hint there that I could implement. Also, if the AWS kernel is available from somewhere to download, please share the link, so I could try on my side.
I'm also seeing the same issue. On my AWS EC2 instance (which is running Ubuntu 16.04 LTS), I see the following output:
$ sudo find /sys /proc -iname "*pti*"
/sys/fs/ext4/features/encryption
/sys/bus/serio/drivers/atkbd/description
/sys/devices/virtual/block/ram0/queue/optimal_io_size
/sys/devices/virtual/block/ram1/queue/optimal_io_size
/sys/devices/virtual/block/ram2/queue/optimal_io_size
/sys/devices/virtual/block/ram3/queue/optimal_io_size
/sys/devices/virtual/block/ram4/queue/optimal_io_size
/sys/devices/virtual/block/ram5/queue/optimal_io_size
/sys/devices/virtual/block/ram6/queue/optimal_io_size
/sys/devices/virtual/block/ram7/queue/optimal_io_size
/sys/devices/virtual/block/ram8/queue/optimal_io_size
/sys/devices/virtual/block/ram9/queue/optimal_io_size
/sys/devices/virtual/block/loop0/queue/optimal_io_size
/sys/devices/virtual/block/loop1/queue/optimal_io_size
/sys/devices/virtual/block/loop2/queue/optimal_io_size
/sys/devices/virtual/block/loop3/queue/optimal_io_size
/sys/devices/virtual/block/loop4/queue/optimal_io_size
/sys/devices/virtual/block/loop5/queue/optimal_io_size
/sys/devices/virtual/block/loop6/queue/optimal_io_size
/sys/devices/virtual/block/loop7/queue/optimal_io_size
/sys/devices/virtual/block/ram10/queue/optimal_io_size
/sys/devices/virtual/block/ram11/queue/optimal_io_size
/sys/devices/virtual/block/ram12/queue/optimal_io_size
/sys/devices/virtual/block/ram13/queue/optimal_io_size
/sys/devices/virtual/block/ram14/queue/optimal_io_size
/sys/devices/virtual/block/ram15/queue/optimal_io_size
/sys/devices/vbd-2049/block/xvda1/queue/optimal_io_size
/sys/devices/vbd-2064/block/xvdb/queue/optimal_io_size
/sys/kernel/debug/tracing/events/mpx/mpx_bounds_register_exception
/sys/kernel/debug/tracing/events/mpx/bounds_exception_mpx
/sys/kernel/debug/tracing/events/exceptions
/sys/kernel/debug/tracing/options
/sys/kernel/debug/tracing/trace_options
/proc/fs/ext4/xvdb/options
/proc/fs/ext4/xvda1/options
/proc/sys/debug/exception-trace
/proc/sys/debug/kprobes-optimization
/proc/uptime
$ sudo dmesg
I can find no hint that KAISER is enabled. However, this commit message from the kernel changelog seems to show that it's disabled for Xen PV (paravirtualized).
Excerpt from your dmesg
[ 0.000000] Booting paravirtualized kernel on Xen
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.75
commit 402e63de94afdf7cd64e4eb209a8a77310e02d2c
Author: Jiri Kosina <jkosina@suse.cz>
Date: Tue Jan 2 14:19:49 2018 +0100

kaiser: disabled on Xen PV

Kaiser cannot be used on paravirtualized MMUs (namely reading and writing CR3). This does not work with KAISER as the CR3 switch from and to user space PGD would require to map the whole XEN_PV machinery into both.

More importantly, enabling KAISER on Xen PV doesn't make too much sense, as PV guests use distinct %cr3 values for kernel and user already.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
So this might be what's to be expected after all.
Thanks @speed47.
Perhaps this is related to the following from Amazon?
PV Instance Guidance
After ongoing research and detailed analysis of operating system patches available for this issue, we have determined that operating system protections are insufficient to address process-to-process concerns within para-virtualized (PV) instances. While PV instances are protected by AWS hypervisors from any instance-to-instance concerns as described above, customers concerned with process isolation within their PV instances (e.g. process untrusted data, run untrusted code, host untrusted users) are strongly encouraged to migrate to HVM instance types for longer-term security benefits.
For more information on the differences between PV and HVM (as well as instance upgrade path documentation), please see:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html
I'm seeing:
My dmesg includes:
[ 0.000000] DMI: Xen HVM domU, BIOS 4.2.amazon 08/24/2006
[ 0.000000] Hypervisor detected: Xen HVM
[ 0.000000] Xen version 4.2.
[ 0.000000] Xen Platform PCI: I/O protocol version 1
Some information from #56 :
KPTI/KAISER is automatically and silently disabled when running under Xen PV as seen in the following patch https://patchwork.kernel.org/patch/10143255/
Also, from https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
Interestingly, guest kernels running in 64-bit PV mode are not vulnerable to attack using Variant 3, because 64-bit PV guests already run in a KPTI-like mode.
I have to find a reliable way to detect if the script is running in a 64-bit Xen PV guest, to report that PTI/KAISER is disabled at runtime but that it's not a problem.
On a Xen dom0/VM, the info can be found in /sys/hypervisor, for example cat /sys/hypervisor/type gives "xen" ;)
Do you have more info about that? The script needs not only to detect the fact that it's running on a Xen, but more precisely under a Xen PV. Is this information available somewhere under the /sys/hypervisor tree? (I don't have a Xen at hand to check that.)
Well, that's essentially version information. Here is what I can find on my Xen PV:
$ cat /sys/hypervisor/type
xen
$ cat /sys/hypervisor/version/major
4
$ cat /sys/hypervisor/version/minor
4
$ cat /sys/hypervisor/version/extra
.1
$ cat /sys/hypervisor/properties/capabilities
xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
For now, I'll be relying on what dmesg has to say. /sys/hypervisor/properties/capabilities doesn't seem to help for our use case.
Could you try the xen branch? It should report non-vulnerable for Meltdown only for Xen PV.
Yes, seems the best option. I tried the xen branch, there is a small typo, line 1011 :)
if [ "$(uname -i)" = "x86_64" ]; then
instead of
if [ "$(uname -m)" = "x86_64" ]; then
(uname -i often gives 'unknown') and the rest works fine, thanks
Changed to -m and merged to master. Thanks for testing! I'm leaving this open for now in case OP wants to test and report.
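The Xen PV detection discussed in the comments above, written out as an added example (this is not the spectre-meltdown-checker's own code): it combines the uname -m check from the typo report, /sys/hypervisor/type, and the "Booting paravirtualized kernel on Xen" dmesg line quoted earlier in this thread. The function names, and the two sample dmesg excerpts trimmed from the ones posted above, are constructed here; inputs are passed as arguments so the logic can be tried against captured data.

```shell
#!/bin/sh
# Added example, not the checker's code: decide whether a host is a 64-bit
# Xen PV guest from (a) the machine type, (b) /sys/hypervisor/type when the
# file exists, and (c) the "Booting paravirtualized kernel on Xen" dmesg line.

# xen_pv_64 ARCH HYPERVISOR_TYPE DMESG_TEXT
#   ARCH            output of `uname -m` (not -i: -i often prints "unknown")
#   HYPERVISOR_TYPE contents of /sys/hypervisor/type, or empty if absent
#   DMESG_TEXT      the dmesg output to inspect
# Prints "yes" and returns 0 for a 64-bit Xen PV guest, otherwise "no" / 1.
xen_pv_64() {
  arch=$1; hv=$2; dmesg_text=$3
  # KAISER is only skipped for 64-bit PV guests; anything else is a hard no.
  if [ "$arch" != "x86_64" ]; then echo no; return 1; fi
  # /sys/hypervisor/type is "xen" for both PV and HVM guests, so it only
  # rules out other hypervisors; an empty value (file missing) is tolerated
  # because the dmesg check below still decides.
  if [ -n "$hv" ] && [ "$hv" != "xen" ]; then echo no; return 1; fi
  # Match the exact PV boot line. The HVM excerpt in this thread instead
  # reports "Hypervisor detected: Xen HVM" and does not carry this line.
  if printf '%s\n' "$dmesg_text" | grep -q 'Booting paravirtualized kernel on Xen$'; then
    echo yes; return 0
  fi
  echo no; return 1
}

# Constructed sample inputs, trimmed from the two dmesg excerpts in this thread.
PV_DMESG='[    0.000000] Hypervisor detected: Xen
[    0.000000] Booting paravirtualized kernel on Xen
[    0.000000] Xen version: 4.2.amazon (preserve-AD)'
HVM_DMESG='[    0.000000] DMI: Xen HVM domU, BIOS 4.2.amazon 08/24/2006
[    0.000000] Hypervisor detected: Xen HVM
[    0.000000] Xen version 4.2.'

# Wrapper for a live host: reads the real values (dmesg may need root).
live_check() {
  hv=''
  [ -r /sys/hypervisor/type ] && hv=$(cat /sys/hypervisor/type)
  xen_pv_64 "$(uname -m)" "$hv" "$(dmesg 2>/dev/null)"
}
```

Run `live_check` on the instance itself; a "yes" is the condition under which the xen branch reports Meltdown as not vulnerable despite PTI showing as inactive.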
Just saw the latest update, @speed47. I'll test today and get back to you!
Welp, somewhat different results now.
Here's output from a yum update, followed by running the script, then a reboot, then running the script again.
PRE-REBOOT
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.9.75-25.55.amzn1.x86_64 #1 SMP Fri Jan 5 23:50:27 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2651 v2 @ 1.80GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 27 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: YES
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): YES (Xen PV is not vulnerable)
> STATUS: NOT VULNERABLE (Xen PV 64 bits is not vulnerable)
Note it says NOT vuln to Meltdown.
This is AFTER-REBOOT
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.9.76-3.78.amzn1.x86_64 #1 SMP Fri Jan 12 19:51:35 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2651 v2 @ 1.80GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: NO (kernel confirms your system is vulnerable)
> STATUS: VULNERABLE (Vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
Note that Meltdown is now vulnerable again but Variant 2 is not.
The new kernel you have (and are running after the reboot) has the vulnerability information as seen by the kernel directly exported to the /sys/kernel/debug hierarchy. This is the better way to check whether mitigations are in place or not, because it's directly reported by the kernel itself. This is also why the output is way shorter: we just need to read what the kernel has to say.
It would seem strange that Amazon disabled the PTI mitigation from their kernel, but maybe it's disabled by default to avoid impacting your performance? You can try launching the script with the --no-sysfs param to force the script to ignore what the kernel has to say and go dig for the information (as is done when the /sys/kernel/debug hierarchy is not available). If it says vulnerable too, it would mean that PTI is indeed disabled, but maybe enabling it at runtime is possible in that case (this will be reported by the script as kernel supports PTI = yes, PTI enabled = no).
Should be fixed by #108, please test latest version on master branch. If no negative feedback, I'll tag a new release
Merged to master / v0.33. Please reopen issue if needed.
Per https://alas.aws.amazon.com/ALAS-2018-939.html, the correct kernel for AWS AMIs should be: *-4.9.75-25.55.amzn1.[arch]
Anyone know why this is still showing up as vuln to all three?
Even stranger, when I first applied kernel updates via yum, I ran the tool before rebooting and it said meltdown was patched. Then I rebooted and it said all three are vuln. This paste below is PRE-reboot, note the kernel difference.