Simple command to check Meltdown and Spectre kernel status

Stevo
Developer
Posts: 12776
Joined: Fri Dec 15, 2006 8:07 pm

Simple command to check Meltdown and Spectre kernel status

#1 Post by Stevo »

From here: http://kroah.com/log/blog/2018/01/19/meltdown-status-2/


grep . /sys/devices/system/cpu/vulnerabilities/*


/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline



This only applies to 64-bit, and probably only the latest kernels, too. I get the same results as Greg on the latest Liquorix kernel. YMMV

Jerry3904
Administrator
Posts: 21881
Joined: Wed Jul 19, 2006 6:13 am

Re: Simple command to check Meltdown and Spectre kernel status

#2 Post by Jerry3904 »

I get "no such file or directory" running 4.14.0-3-amd64. GK says about that response:
If your kernel does not have that sysfs directory or files, then obviously there is a problem and you need to upgrade your kernel!

Some “enterprise” distributions did not backport the changes for this reporting, so if you are running one of those types of kernels, go bug the vendor to fix that, you really want a unified way of knowing the state of your system.
Did I miss a memo?
Production: 5.10, MX-23 Xfce, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 16 GB, SSD 120 GB, Data 1TB
Personal: Lenovo X1 Carbon with MX-23 Fluxbox and Windows 10
Other: Raspberry Pi 5 with MX-23 Xfce Raspberry Pi Respin

Paul..
Posts: 1777
Joined: Sun Mar 18, 2007 6:34 pm

Re: Simple command to check Meltdown and Spectre kernel status

#3 Post by Paul.. »

Same here.

Asus Prime X570-Pro | AMD Ryzen 7 3700X
16 Gig DDR4 3600 | Radeon RX 5600 XT Graphics
Samsung 860 500GB SSDs (2)

Adrian
Developer
Posts: 8250
Joined: Wed Jul 12, 2006 1:42 am

Re: Simple command to check Meltdown and Spectre kernel status

#4 Post by Adrian »

That command works only for Linux 4.15 and higher
A /sys/devices/system/cpu/vulnerabilities/ directory has been added that will show the vulnerabilities affecting your CPU and the mitigations being currently applied.
https://kernelnewbies.org/Linux_4.15?hi ... ilities%29

It might have been ported to other older versions, probably in 4.14.x, which is maintained by Greg Kroah-Hartman.

Stevo
Developer
Posts: 12776
Joined: Fri Dec 15, 2006 8:07 pm

Re: Simple command to check Meltdown and Spectre kernel status

#5 Post by Stevo »

It does work in the latest 4.14 Liquorix kernels---it was probably ported in by the Zen patches. Mike is working on the latest Debian kernel from upstream, so we can see if Debian added it.

dr-kart
Posts: 135
Joined: Sun Oct 22, 2017 8:12 pm

Re: Simple command to check Meltdown and Spectre kernel status

#6 Post by dr-kart »

And it works on Anti's 4.14.14-antix.1-amd64 current kernel too.


/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

rokytnji.1
Global Moderator
Posts: 706
Joined: Sun Apr 13, 2014 9:06 pm

Re: Simple command to check Meltdown and Spectre kernel status

#7 Post by rokytnji.1 »

While Google searching mine I ended up here.


$ inxi -S
System:    Host: biker Kernel: 4.9.77-antix.1-686-smp-pae i686 bits: 32 Desktop: IceWM 1.3.8
           Distro: antiX-15-V_386-full Killah P 30 June 2015


harry@biker:~
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline

after following these instructions

https://antixlinux.com/spectre-and-melt ... -upgrades/

But keeping in mind this sentence
Keep in mind that there are not yet kernel patches available anywhere for all spectre variants and it may be some time before there are.
So I am not afeared. Just exploring. :popcorn:

OOOOPs. :tumbleweed:
That command works only for linux 4.15 and higher
Edit by dumb scooter tramp who glances way too quickly at posts.
it might have been ported to other older versions,

rokytnji.1
Global Moderator
Posts: 706
Joined: Sun Apr 13, 2014 9:06 pm

Re: Simple command to check Meltdown and Spectre kernel status

#8 Post by rokytnji.1 »

Still exploring. Trying an Ubuntu version later than 109 < 111 > that is supposed to be newer for this snafu


harry@biker:~
$ inxi -S
System:    Host: biker Kernel: 4.4.11-040411-generic i686 bits: 32 Desktop: IceWM 1.3.8
           Distro: antiX-15-V_386-full Killah P 30 June 2015
harry@biker:~
$ inxi -M
Machine:   Device: laptop System: LENOVO product: 2347DS2 v: ThinkPad T430 serial: N/A
           Mobo: LENOVO model: 2347DS2 serial: N/A
           UEFI [Legacy]: LENOVO v: G1ET41WW (1.16 ) date: 05/25/2012

At least the i386 kernel picks up my 16 gig of RAM


Info:      Processes: 174 Uptime: 9 min Memory: 414.5/15934.1MB

But Adrian is right about this one. Edit: Don't yell at me, bro. I missed this in my earlier post.
it might have been ported to other older versions,


harry@biker:~
$ grep . /sys/devices/system/cpu/vulnerabilities/*
grep: /sys/devices/system/cpu/vulnerabilities/*: No such file or directory

Sooooooooooo ;)


harry@biker:~
$ cd /tmp/
harry@biker:/tmp
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
--2018-02-24 10:39:00--  https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.184.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.184.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65907 (64K) [text/plain]
Saving to: ‘spectre-meltdown-checker.sh’

spectre-meltdown-checker 100%[====================================>]  64.36K  --.-KB/s   in 0.1s   

2018-02-24 10:39:01 (485 KB/s) - ‘spectre-meltdown-checker.sh’ saved [65907/65907]

harry@biker:/tmp
$ sudo sh spectre-meltdown-checker.sh
[sudo] password for harry: 
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.4.11-040411-generic #201605182255 SMP Thu May 19 03:10:00 UTC 2016 i686
CPU is Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 0x12)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  UNKNOWN  (dmesg truncated, please reboot and relaunch this script)
* Running as a Xen PV DomU:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
harry@biker:/tmp
$ 

So off to uninstall Ubuntu's i386 kernel

https://askubuntu.com/questions/992232/ ... rabilities

Because all this techy jargon is way over my head. I am baffled by bull pucky. So just exploring options. Done for today.

anticapitalista
Developer
Posts: 4160
Joined: Sat Jul 15, 2006 10:40 am

Re: Simple command to check Meltdown and Spectre kernel status

#9 Post by anticapitalista »

I don't think any 32 bit kernel has been secured, even partially.
anticapitalista
Reg. linux user #395339.

Philosophers have interpreted the world in many ways; the point is to change it.

antiX with runit - lean and mean.
https://antixlinux.com

Stevo
Developer
Posts: 12776
Joined: Fri Dec 15, 2006 8:07 pm

Re: Simple command to check Meltdown and Spectre kernel status

#10 Post by Stevo »

We are hoping that building kernels with the updated compilers will provide better results. For example, with the Liquorix 4.14-29 amd64 now in the test repo, I get:


$ grep . /sys/devices/system/cpu/vulnerabilities/*

/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

I'm uploading a backported 4.15.4 kernel from Debian testing, and Tim & I are building a newer 4.14 kernel that we hope will have the same good news and be the default 17.1 kernel.
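A small checker that automates the sysfs look-up from the first post and handles the "No such file or directory" result several posters hit on older kernels. This is an added example, not code from the thread or from any poster; the embedded sample input is the three lines quoted above from a 4.14 Liquorix kernel, and the verdict labels are this example's own.

```python
"""Summarise speculative-execution status from the kernel's sysfs files.
Added example (not code from the thread): reads /sys/devices/system/cpu/vulnerabilities/
and treats a missing directory as "kernel does not report" (the 'No such file' case)."""
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample input: the three lines a poster got from a 4.14 Liquorix kernel.
SAMPLE_GREP_OUTPUT = """\
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline"""

def classify(status):
    """Map one sysfs status string to a coarse verdict (labels are this example's own)."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable: <partial measure>" is still vulnerable, not a mitigation.
    return "vulnerable" if s.startswith("Vulnerable") else "unknown"

def parse_grep_output(text):
    """Parse `grep . .../vulnerabilities/*` output into {name: status}."""
    entries = {}
    for line in text.splitlines():
        path, sep, status = line.partition(":")
        if sep and path.startswith(SYSFS_DIR + "/"):  # skips grep's own error line
            entries[path.rsplit("/", 1)[1]] = status.strip()
    return entries

def read_sysfs(directory=SYSFS_DIR):
    """Read the live files; None means this kernel lacks the reporting."""
    d = Path(directory)
    if not d.is_dir():
        return None
    return {f.name: f.read_text().strip() for f in sorted(d.iterdir()) if f.is_file()}

def summarize(entries):
    """Return {name: verdict}; empty when the kernel reports nothing."""
    return {k: classify(v) for k, v in (entries or {}).items()}

if __name__ == "__main__":
    live = read_sysfs()
    if live is None:
        print("no %s: kernel predates 4.15 and lacks the backport" % SYSFS_DIR)
    for name, verdict in sorted(summarize(live).items()):
        print("%-12s %-13s %s" % (name, verdict, live[name]))
```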
