pti-rem Guru
Joined: 14 Oct 2011 Posts: 482
Posted: Tue Mar 23, 2021 10:50 am Post subject: CPU vulnerabilities: what is the right thing to do?
Hello,
I see that my machine is vulnerable to some CPU flaws:
Code: | rem@n73sm ~ $ uname -r
4.19.97-gentoo
rem@n73sm ~ $ lscpu | grep -e CPU -e Vulnerability
Nom de modèle : Intel(R) Core(TM) i7-2670QM CPU @ 2.20GHz
Vulnerability Itlb multihit: KVM: Mitigation: Split huge pages
Vulnerability L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds: Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Vulnerability Meltdown: Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Tsx async abort: Not affected
rem@n73sm ~ $ |
Code: | rem@n73sm ~ $ cat /sys/devices/system/cpu/vulnerabilities/mds
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
rem@n73sm ~ $ |
Is there anything I can do to improve this situation?
I quickly read https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
and I am wondering whether it is a good idea to disable SMT with the boot option mds=full,nosmt?
I have not read anything about Spec store bypass yet.
Thanks
xaviermiller Bodhisattva
Joined: 23 Jul 2004 Posts: 8718 Location: ~Brussels - Belgique
Posted: Tue Mar 23, 2021 11:02 am
Hello,
Have you integrated the up-to-date microcode into your kernel?
See https://wiki.gentoo.org/wiki/Intel-microcode
Then rerun the test to see whether all the flaws have been fixed.
_________________
Kind regards,
Xavier Miller
pti-rem Guru
Joined: 14 Oct 2011 Posts: 482
Posted: Tue Mar 23, 2021 11:39 am
The kernel options were indeed set for sys-firmware/intel-microcode
Code: | rem@n73sm ~ $ zcat /proc/config.gz | grep -e CONFIG_BLK_DEV_INITRD -e CONFIG_MICROCODE -e CONFIG_MICROCODE_INTEL
CONFIG_BLK_DEV_INITRD=y
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
CONFIG_MICROCODE_OLD_INTERFACE=y
rem@n73sm ~ $ |
I had not set the initramfs flag for sys-firmware/intel-microcode
The microcode /boot/intel-uc.img was detected automatically when grub-mkconfig was run
Code: | rem@n73sm ~ $ dmesg | head -n 1
[ 0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-02-17
rem@n73sm ~ $ lscpu | grep Vulnerability
Vulnerability Itlb multihit: KVM: Mitigation: Split huge pages
Vulnerability L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds: Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown: Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Tsx async abort: Not affected
rem@n73sm ~ $ |
Code: | rem@n73sm ~ $ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable
rem@n73sm ~ $ |
I really feel like disabling SMT!
Will that slow the machine down?
Thanks Xavier
pti-rem Guru
Joined: 14 Oct 2011 Posts: 482
Posted: Tue Mar 23, 2021 11:54 am
Code: | rem@n73sm ~ $ dmesg | head -n 3
[ 0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-02-17
[ 0.000000] Linux version 4.19.97-gentoo (root@n73sm) (gcc version 9.2.0 (Gentoo 9.2.0-r2 p3)) #2 SMP Mon Feb 3 07:13:03 CET 2020
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.19.97-gentoo root=UUID=b56ef48b-982a-499d-b02d-4442ac784b8a ro acpi_osi=Linux mds=full,nosmt quiet
rem@n73sm ~ $ |
Code: | rem@n73sm ~ $ lscpu | grep Vulnerability
Vulnerability Itlb multihit: KVM: Mitigation: Split huge pages
Vulnerability L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled
Vulnerability Mds: Mitigation; Clear CPU buffers; SMT disabled
Vulnerability Meltdown: Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, RSB filling
Vulnerability Tsx async abort: Not affected
rem@n73sm ~ $ |
Code: | rem@n73sm ~ $ cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT disabled
rem@n73sm ~ $ |
I will see how it goes in use.
I feel more relaxed all of a sudden!
How could I have missed this, after all this time...
Skwal Apprentice
Joined: 07 Jun 2019 Posts: 154
Posted: Mon Mar 29, 2021 1:33 pm
Hello,
Thanks pti-rem!
Following your message I am discovering microcode; I had not been particularly interested in it, and I am in the process of setting it up.
That could explain and fix certain problems:
Code: | ╰─ lscpu | grep -e CPU -e Vulnerability
Nom de modèle : Intel(R) Core(TM) i5-6400T CPU @ 2.20GHz
Vulnerability Itlb multihit: Processor vulnerable
Vulnerability L1tf: Mitigation; PTE Inversion
Vulnerability Mds: Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Vulnerability Meltdown: Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds: Vulnerable: No microcode
Vulnerability Tsx async abort: Not affected
|
Regards, Skwal.
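Added example, not part of any post in this thread: a small POSIX shell triage of the status strings shown above, separating entries that are waiting on microcode from those that are mitigated but still report "SMT vulnerable". The class names are invented for this example, and the sysfs file names other than `mds` are assumed from the kernel's usual names for the lscpu labels; the sample tree is constructed from strings posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage the kernel's CPU vulnerability report.

# classify_status STATUS: print one class for a status string as shown by
# lscpu or /sys/devices/system/cpu/vulnerabilities/*. Class names are made up here.
classify_status() {
    case "$1" in
        "Not affected"*)                     echo OK ;;
        *[Nn]o\ microcode*)                  echo NEEDS_MICROCODE ;;
        Vulnerable*|"Processor vulnerable"*) echo VULNERABLE ;;
        *"SMT vulnerable"*)                  echo MITIGATED_SMT_EXPOSED ;;
        *Mitigation*)                        echo MITIGATED ;;
        *)                                   echo UNKNOWN ;;
    esac
}

# audit_cpu_vulns [DIR]: print "<file> <class>" per entry; return 1 if any
# entry is something other than OK or MITIGATED.
audit_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        class=$(classify_status "$(cat "$f")")
        printf '%s %s\n' "${f##*/}" "$class"
        case "$class" in OK|MITIGATED) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# make_sample_tree: build a constructed directory whose status strings are
# copied from the outputs posted in this thread; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable' > "$d/mds"
    echo 'Mitigation: PTE Inversion; VMX conditional cache flushes, SMT vulnerable' > "$d/l1tf"
    echo 'Vulnerable' > "$d/spec_store_bypass"
    echo 'Vulnerable: No microcode' > "$d/srbds"
    echo 'Processor vulnerable' > "$d/itlb_multihit"
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Not affected' > "$d/tsx_async_abort"
    echo "$d"
}

# Demo on the constructed tree; call audit_cpu_vulns with no argument for the live system.
sample=$(make_sample_tree)
audit_cpu_vulns "$sample" || echo "action needed: see classes above"
rm -rf "$sample"
```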