* [gentoo-user] spec_store_bypass mitigation
From: zless @ 2018-06-07 7:37 UTC
To: gentoo-user
Hello,
I just finished installing kernel 4.14.48 on two
Intel laptops and I have different results for
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
On one of them it looks nice:
"Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
but on the other it still says "Vulnerable".
Any idea on what might influence this? The kernel configs are fairly similar, the only thing that's different is the microcode, which is from 2017 for the "vulnerable" one.
Thanks
* Re: [gentoo-user] spec_store_bypass mitigation
From: Mick @ 2018-06-09 19:08 UTC
To: gentoo-user
On Thursday, 7 June 2018 08:37:41 BST zless wrote:
> Hello,
>
> I just finished installing kernel 4.14.48 on two
> Intel laptops and I have different results for
>
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
>
> On one of them it looks nice:
> "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
> but on the other it still says "Vulnerable".
>
> Any idea on what might influence this? The kernel configs are fairly
> similar, the only thing that's different is the microcode, which is from
> 2017 for the "vulnerable" one.
>
> Thanks
I would think it is caused by the microcode.
I have two really old Intel laptops and despite announcements to the contrary
I noticed the latest (stable) sys-firmware/intel-microcode-20180527-r1 changed
the Intel microcode version being loaded on both PCs, after I rebuilt the
kernel (4.9.95) to incorporate it (no initrd on either of them).
I see this for Spectre V2 which now includes IBPB and IBRS_FW:
$ dmesg | grep Spectre
[ 0.011385] Spectre V2 : Mitigation: Full generic retpoline
[ 0.011507] Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
[ 0.011645] Spectre V2 : Enabling Restricted Speculation for firmware calls
After you updated sys-firmware/intel-microcode did you rebuild and reboot the
*rebuilt* kernel on both PCs?
PS. For good measure I ran make clean first, but I'm not sure if this affects
the firmware.
--
Regards,
Mick
* Re: [gentoo-user] spec_store_bypass mitigation
From: zless @ 2018-06-13 6:22 UTC
To: gentoo-user
Hi Mick
On Saturday, 9 June 2018, at 22:08:23 EEST, Mick wrote:
> On Thursday, 7 June 2018 08:37:41 BST zless wrote:
> > Hello,
> >
> > I just finished installing kernel 4.14.48 on two
> > Intel laptops and I have different results for
> >
> > /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
> >
> > On one of them it looks nice:
> > "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
> > but on the other it still says "Vulnerable".
> >
> > Any idea on what might influence this? The kernel configs are fairly
> > similar, the only thing that's different is the microcode, which is from
> > 2017 for the "vulnerable" one.
> >
> > Thanks
>
> I would think it is caused by the microcode.
>
> After you updated sys-firmware/intel-microcode did you rebuild and reboot the
> *rebuilt* kernel on both PCs?
I just booted in an even newer 4.14.49 kernel but no change so far.
dmesg: Speculative Store Bypass: Vulnerable
I can only conclude that yes, it is closely related to the firmware version.
Thanks
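
A check for the situation discussed in this thread, as an added example that is not part of any poster's message: it relates the sysfs status to the microcode revision and the `ssbd` CPU flag in /proc/cpuinfo. It assumes an Intel CPU on which the kernel lists `ssbd` once the loaded microcode exposes it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: on Intel CPUs the kernel
# lists "ssbd" in /proc/cpuinfo flags only when the loaded microcode exposes
# Speculative Store Bypass Disable.

# Print the revision from the first "microcode" line of a cpuinfo file.
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# Succeed if the first "flags" line contains the whole word "ssbd".
# grep -w treats "_" as a word character, so "amd_ssbd" does not match.
has_ssbd() {
    grep '^flags' "$1" | head -n 1 | grep -qw 'ssbd'
}

# Print a one-line diagnosis. Both paths default to the live system.
ssb_diagnose() {
    status_file=${1:-/sys/devices/system/cpu/vulnerabilities/spec_store_bypass}
    cpuinfo=${2:-/proc/cpuinfo}
    if [ ! -r "$status_file" ]; then
        echo "unknown: kernel has no spec_store_bypass entry"
        return 0
    fi
    status=$(cat "$status_file")
    rev=$(microcode_rev "$cpuinfo")
    case $status in
        Mitigation*|"Not affected"*)
            echo "ok: $status (microcode ${rev:-unknown})" ;;
        Vulnerable*)
            if has_ssbd "$cpuinfo"; then
                # SSBD is available, so the mitigation was switched off.
                echo "vulnerable: ssbd present, mitigation turned off (check spec_store_bypass_disable=)"
            else
                # No SSBD from the CPU: the kernel has nothing to enable.
                echo "vulnerable: no ssbd flag, loaded microcode ${rev:-unknown} does not expose SSBD"
            fi ;;
        *)
            echo "unknown: $status" ;;
    esac
}
```

Call `ssb_diagnose` with no arguments to check the running system; `spec_store_bypass_disable=` is the kernel boot parameter that selects the mitigation mode.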