Meltdown and Spectre Discussion Sticky

**corradoventu** · November 13th, 2019

On my PC meltdown-checker find 2 vulnerabilities on Ubuntu 19.10 with kernel 5.3.0-22-generic
but NO vulnerabilities on Ubuntu 19.04 w kernel 5.0.0-32-generic

Code:

corrado@corrado-p6-eoan-1017:~$ sudo ./spectre-meltdown-checker.sh
[sudo] password for corrado: 
Spectre and Meltdown mitigation detection tool v0.42

Checking for vulnerabilities on current system
Kernel is Linux 5.3.0-22-generic #24-Ubuntu SMP Sat Nov 9 17:34:30 UTC 2019 x86_64
CPU is Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: intel_rapl_msr 20480 0 - Live 0xffffffffc0873000
intel_rapl_common 24576 1 intel_rapl_msr, Live 0xffffffffc0839000
 UNKNOWN  (is msr kernel module available?)
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Microarchitectural Data Sampling
    * VERW instruction is available:  YES  (MD_CLEAR feature bit)
  * TSX Asynchronous Abort
    * TSX support is available:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO 
  * CPU explicitly indicates not being vulnerable to TSX Asynchrnonous Abort (TAA_NO):  NO 
  * CPU supports Software Guard Extensions (SGX):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 0x9e family 0x6 stepping 0x9 ucode 0xc6 cpuid 0x906e9)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xc6 dated 2019/08/14 according to builtin MCExtractor DB v130 - 2019/11/04)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 
  * Vulnerable to CVE-2019-11135 (Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)):  NO 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has mask_nospec64 (arm64):  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  YES  (per-thread through prctl)
* SSB mitigation currently active for selected processes:  YES  (boltd firefox fwupd geoclue irqbalance ModemManager pulseaudio systemd-journald systemd-logind systemd-resolved systemd-timesyncd systemd-udevd upowerd)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
* Kernel supports PTE inversion: strings: '': No such file
 NO 
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka 'Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* TAA mitigation is supported by kernel:  UNKNOWN  (missing 'lzop' tool, please install it, usually it's in the 'lzop' package)
* TAA mitigation enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:KO CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
corrado@corrado-p6-eoan-1017:~$

Code:

corrado@corrado-p5-disco:~$ date
mer 13 nov 2019, 13:46:48, CET
corrado@corrado-p5-disco:~$ 

corrado@corrado-p5-disco:~$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.42

Checking for vulnerabilities on current system
Kernel is Linux 5.0.0-32-generic #34-Ubuntu SMP Wed Oct 2 02:06:48 UTC 2019 x86_64
CPU is Intel(R) Core(TM) i3-7100 CPU @ 3.90GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Microarchitectural Data Sampling
    * VERW instruction is available:  YES  (MD_CLEAR feature bit)
  * TSX Asynchronous Abort
    * TSX support is available:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO 
  * CPU explicitly indicates not being vulnerable to TSX Asynchrnonous Abort (TAA_NO):  NO 
  * CPU supports Software Guard Extensions (SGX):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 0x9e family 0x6 stepping 0x9 ucode 0xb4 cpuid 0x906e9)
  * CPU microcode is the latest known available version:  NO  (latest version is 0xc6 dated 2019/08/14 according to builtin MCExtractor DB v130 - 2019/11/04)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 
  * Vulnerable to CVE-2019-11135 (Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)):  NO 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  YES  (per-thread through prctl)
* SSB mitigation currently active for selected processes:  YES  (boltd firefox fwupd geoclue irqbalance ModemManager systemd-journald systemd-logind systemd-resolved systemd-timesyncd systemd-udevd upowerd)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)

CVE-2019-11135 aka 'Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA)'
* TAA mitigation is supported by kernel:  NO 
* TAA mitigation enabled and active:  NO  (tsx_async_abort not found in sysfs hierarchy)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
corrado@corrado-p5-disco:~$

Opened a problem on github: https://github.com/speed47/spectre-m...ker/issues/316
script has been updated, it was a false positive.

**kinddolphin8827** · August 13th, 2022

You can also always create a bootable persistent thumb drive installation of freedos and place the bios update packages provided by your equipment vender on the aforementioned freedos thumb drive.

**martinr** · July 27th, 2023

On July 25th 2023 Tavis Ormandy, a member of Google's Project Zero security team, disclosed a bug in many of AMD's newer consumer, workstation, and server processors. It is an encryption-breaking, password-leaking bug in many AMD CPUs, which could take months to fix.

The AMD Zen 2 architecture is vulnerable to the so called Zenbleed bug (see arstechnica.com, CVE-2023-20593, AMD Security Bulletin and the Debian Security Advisory DSA-5459-1).
This includes AMD CPUs:

CPU	Released	Planned fix	AGESA version with fixes
[strong]Ryzen 3000 (desktop)[/strong]	Mid-2019	December 2023	ComboAM4v2PI_1.2.0.C
[strong]Ryzen 4000G (desktop)[/strong]	Mid-2020	December 2023	ComboAM4v2PI_1.2.0.C
[strong]Ryzen 4000 (laptop)[/strong]	Early-mid 2020	November 2023	RenoirPI-FP6_1.0.0.D
[strong]Ryzen 5700U/5500U/5300U (laptop)[/strong]	Early 2021	December 2023	CezannePI-FP6_1.0.1.0
[strong]Ryzen 7020 (laptop)[/strong]	Late 2022	December 2023	MendocinoPI-FT6_1.0.0.6
[strong]Ryzen Threadripper 3000[/strong]	Late 2019	October 2023	CastlePeakPI-SP3r3 1.0.0.A
[strong]Ryzen Threadripper Pro 3000WX[/strong]	Mid-2020	November/December 2023	CastlePeakWSPI-sWRX8 1.0.0.C/ChagallWSPI-sWRX8 1.0.0.7
[strong]EPYC 7002[/strong]	Mid-2019	Patch available	RomePI 1.0.0.H

My rig is an Acer Swift 3 SF314-43 laptop with an AMD 5700U SoC / CPU.
I'm running XUbuntu 22.04 LTS.

How can I check the AGESA version currently active on my laptop from within Ubuntu?

When I check my XUbuntu for vulnerability for the Zenbleed bug with the spectre-meltdown-checker.
Then I get:

Code:

CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
Zenbleed mitigation is supported by kernel:  NOZenbleed kernel mitigation enabled and active:  NO  (FP_BACKUP_FIX is cleared in DE_CFG)
Zenbleed mitigation is supported by CPU microcode:  NO
STATUS:  VULNERABLE  (Your kernel is too old to mitigate Zenbleed and your CPU microcode doesn't mitigate it either)

Which confirms it's vulnerable.

Before I bought this rig I tried to check vulnerability for the spectre and meltdown bugs, but couldn't find any information.

AMD plans to release a firmware fix by December, the motherboard or PC manufacturer will be responsible for distributing the update.

As I understand the vulnerability should be fixed in microcode which is to be released via a Firmware / BIOS update by my manufacturer Acer. Now Acer is terrible at releasing updated Firmware / BIOS code fixes even for brand new laptops.

But the Debian Security Advisory DSA-5459-1 seems to be mentioning a fix already.

The Debian fix is inside the amd64-microcode package according to the Debian Security Advisory
Now what has always riddled me is the amd64-microcode package in Ubuntu / Debian.
Did Debian patch the processor's microcode even before AMD were able to provide a patch (which is scheduled for December 2023)?
Is such a patch persistent to the microcode on my laptop or is it lost after a reboot to lets say Windows (it's a dual boot machine)?

How does the microcode package work?
Is the fix to microcode transitorilly installed at each boot of Ubuntu and lost from (microcode-)memory when shut down?

**#&thj^%** · July 27th, 2023

Originally Posted by martinr

On July 25th 2023 Tavis Ormandy, a member of Google's Project Zero security team, disclosed a bug in many of AMD's newer consumer, workstation, and server processors. It is an encryption-breaking, password-leaking bug in many AMD CPUs, which could take months to fix.

The AMD Zen 2 architecture is vulnerable to the so called Zenbleed bug (see arstechnica.com, CVE-2023-20593, AMD Security Bulletin and the Debian Security Advisory DSA-5459-1).
This includes AMD CPUs:

CPU	Released	Planned fix	AGESA version with fixes
[strong]Ryzen 3000 (desktop)[/strong]	Mid-2019	December 2023	ComboAM4v2PI_1.2.0.C
[strong]Ryzen 4000G (desktop)[/strong]	Mid-2020	December 2023	ComboAM4v2PI_1.2.0.C
[strong]Ryzen 4000 (laptop)[/strong]	Early-mid 2020	November 2023	RenoirPI-FP6_1.0.0.D
[strong]Ryzen 5700U/5500U/5300U (laptop)[/strong]	Early 2021	December 2023	CezannePI-FP6_1.0.1.0
[strong]Ryzen 7020 (laptop)[/strong]	Late 2022	December 2023	MendocinoPI-FT6_1.0.0.6
[strong]Ryzen Threadripper 3000[/strong]	Late 2019	October 2023	CastlePeakPI-SP3r3 1.0.0.A
[strong]Ryzen Threadripper Pro 3000WX[/strong]	Mid-2020	November/December 2023	CastlePeakWSPI-sWRX8 1.0.0.C/ChagallWSPI-sWRX8 1.0.0.7
[strong]EPYC 7002[/strong]	Mid-2019	Patch available	RomePI 1.0.0.H

My rig is an Acer Swift 3 SF314-43 laptop with an AMD 5700U SoC / CPU.
I'm running XUbuntu 22.04 LTS.

How can I check the AGESA version currently active on my laptop from within Ubuntu?

When I check my XUbuntu for vulnerability for the Zenbleed bug with the spectre-meltdown-checker.
Then I get:

Code:

CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
Zenbleed mitigation is supported by kernel:  NOZenbleed kernel mitigation enabled and active:  NO  (FP_BACKUP_FIX is cleared in DE_CFG)
Zenbleed mitigation is supported by CPU microcode:  NO
STATUS:  VULNERABLE  (Your kernel is too old to mitigate Zenbleed and your CPU microcode doesn't mitigate it either)

Which confirms it's vulnerable.

Before I bought this rig I tried to check vulnerability for the spectre and meltdown bugs, but couldn't find any information.

AMD plans to release a firmware fix by December, the motherboard or PC manufacturer will be responsible for distributing the update.

As I understand the vulnerability should be fixed in microcode which is to be released via a Firmware / BIOS update by my manufacturer Acer. Now Acer is terrible at releasing updated Firmware / BIOS code fixes even for brand new laptops.

But the Debian Security Advisory DSA-5459-1 seems to be mentioning a fix already.

The Debian fix is inside the amd64-microcode package according to the Debian Security Advisory
Now what has always riddled me is the amd64-microcode package in Ubuntu / Debian.
Did Debian patch the processor's microcode even before AMD were able to provide a patch (which is scheduled for December 2023)?
Is such a patch persistent to the microcode on my laptop or is it lost after a reboot to lets say Windows (it's a dual boot machine)?

How does the microcode package work?
Is the fix to microcode transitorilly installed at each boot of Ubuntu and lost from (microcode-)memory when shut down?

This could end up as a very very long post, and I'll try to explain briefly. (This was explained to me by a couple of the Developers)

The origin of the word firmware is a mid-point between hardware and software - software embedded on hardware. It refers to software that is stored in non-volatile memory (such as ROM, EEPROM or Flash memory) on a hardware device, and is used by the device itself.

It's becoming more common in some types of hardware for its "firmware" to be stored in driver software and loaded onto the device when it's booted/initialized, instead of leaving it permanently on the device. It's not a big deal nowadays, for example, to store a few hundred KB of firmware code in a software driver loaded onto the host OS, and to send that down to the device as it's initialized by the driver.

Microcode is a subset of this. Microcode is not a generic term for all firmware that is loaded onto a device at boot. Instead, it's specific to CPUs, where the microcode forms the translation layer between higher level standard CPU instructions and the lower-level operations specific to that CPU. It may be loaded onto the CPU at boot, by the BIOS, and replaced later in the boot stage by the OS as well.

PLEASE NOTE: that unlike Spectre, Meltdown cannot be fixed with microcode updates alone and requires changes to core OS functionality, which may reduce performance even further. (This has not effected mine much at all)

Yes, microcode is basically firmware that runs on the processor. The special term "microcode" specifically refers to the firmware on a processor that contains the blueprint for translating from standard machine language to low level processor instructions. So it is a more specific term than firmware.

Oh to answer your question "How can I check the AGESA version currently active on my laptop from within Ubuntu"

It's a utility built into the BIOS of later AMD platforms.
(AMD Generic Encapsulated Software Architecture) - basically controls CPU, RAM etc. It's updated by updating your BIOS.

It's a utility built into the BIOS of later AMD platforms.
(AMD Generic Encapsulated Software Architecture) - basically controls CPU, RAM etc. It's updated by updating your BIOS.

**martinr** · July 27th, 2023

Originally Posted by 1fallen

This could end up as a very very long post, and I'll try to explain briefly. (This was explained to me by a couple of the Developers)
...
It's becoming more common in some types of hardware for its "firmware" to be stored in driver software and loaded onto the device when it's booted/initialized, instead of leaving it permanently on the device. It's not a big deal nowadays, for example, to store a few hundred KB of firmware code in a software driver loaded onto the host OS, and to send that down to the device as it's initialized by the driver.

Microcode is a subset of this. Microcode is not a generic term for all firmware that is loaded onto a device at boot. Instead, it's specific to CPUs, where the microcode forms the translation layer between higher level standard CPU instructions and the lower-level operations specific to that CPU. It may be loaded onto the CPU at boot, by the BIOS, and replaced later in the boot stage by the OS as well.

Oh to answer your question "How can I check the AGESA version currently active on my laptop from within Ubuntu"

It's a utility built into the BIOS of later AMD platforms.
(AMD Generic Encapsulated Software Architecture) - basically controls CPU, RAM etc. It's updated by updating your BIOS.

Thank you for your reply, can you get specific about the AMD 5700U SoC / CPU?

I always thought that micro code updates arrived in sealed blobs by Intel for Intel CPU's and assumed the same held true for AMD processors. So only AMD or Intel can make microcode updates that can be installed on their CPUs. Does this still hold true for the AMD 5700U?

If I understand you correctly then the amd64-microcode package can undo any microcode updates that are present in and installed by the UEFI Firmware (former BIOS on the fly at every boot). (Doesn't this bypass secure boot?)

When the OS boots, the microcode has to have been initialized already, hasn't it? Can it really be initialized again by the OS? The OS code runs on the very CPU that has to be re-initialized with new microcode.

Now I really don't understand how Debian can have patched amd64-microcode for the Zenbleed vulnerability already, whilst AMD still have to come up with a fix? And how the microcode can be reinitialized on an already running CPU.

Regarding finding out the AGESA version, I have an Insyde H2O UEFI Firmware interface (former BIOS), which doesn't reveal the AGESA version in any visible menus. Is there another way to determine it from within Ubuntu?

Handy list of abbreviations:

AGESA = AMD’s Generic Encapsulated Software Architecture
APU = AMD Accelerated Processing Unit, general purpose processors that feature integrated graphics processors
BIOS = Basic Input/Output Systen (is a legacy term that nowadays denotes UEFI firmware code)
MCU = CPU Microcode
PI = Platform Initialization
PSP = Platform Security Processor (the PSP itself is a simple ARM Cortex processor core)
SMU = System Management Unit
SoC = System on a Chip

**#&thj^%** · July 27th, 2023

The time and effort needed to execute exploit is mind numbing. (You would have to have something they really really wanted)
But I can only speak about mine here in this thread.

Code:

sudo inxi -CsM
[sudo] password for me: 
Machine:
  Type: Laptop System: LENOVO product: 82B5 v: Lenovo Legion 5 15ARH05
    serial: PF29L70E
  Mobo: LENOVO model: LNVNB161216 v: SDK0J40709 WIN serial: <Snip>
    UEFI: LENOVO v: EUCN37WW date: 04/14/2022
CPU:
  Info: 6-core model: AMD Ryzen 5 4600H with Radeon Graphics bits: 64
    type: MT MCP cache: L2: 3 MiB
  Speed (MHz): avg: 1558 min/max: 1400/3000 cores: 1: 1400 2: 1400 3: 1400
    4: 1400 5: 1700 6: 3000 7: 1400 8: 1400 9: 1400 10: 1400 11: 1400 12: 1400
Sensors:
  System Temperatures: cpu: 46.8 C mobo: N/A gpu: nvidia temp: 37 C
  Fan Speeds (RPM): N/A

Code:

Spectre and Meltdown mitigation detection tool v0.46

Checking for vulnerabilities on current system
Kernel is Linux 6.2.0-25-generic #25-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 16 17:05:07 UTC 2023 x86_64
CPU is AMD Ryzen 5 4600H with Radeon Graphics

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (IBRS_SUPPORT feature bit)
    * CPU indicates preferring IBRS always-on:  NO 
    * CPU indicates preferring IBRS over retpoline:  YES 
  * Indirect Branch Prediction Barrier (IBPB)
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (AMD STIBP feature bit)
    * CPU indicates preferring STIBP always-on:  NO 
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (AMD SSBD in SPEC_CTRL)
  * L1 data cache invalidation
    * CPU indicates L1D flush capability:  NO 
  * CPU supports Transactional Synchronization Extensions (TSX):  NO 
  * CPU supports Software Guard Extensions (SGX):  NO 
  * CPU supports Special Register Buffer Data Sampling (SRBDS):  NO 
  * CPU microcode is known to fix Zenbleed:  NO  (required version: 0x0860010b)
  * CPU microcode is known to cause stability problems:  NO  (family 0x17 model 0x60 stepping 0x1 ucode 0x8600106 cpuid 0x860f01)
  * CPU microcode is the latest known available version:  NO  (latest version is 0x8600109 dated 2022/03/28 according to builtin firmwares DB v271+i20230614)
* CPU vulnerability to the speculative execution attack variants
  * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO 
  * Affected by CVE-2018-3640 (Variant 3a, rogue system register read):  NO 
  * Affected by CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO 
  * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO 
  * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO 
  * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  NO 
  * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  NO 
  * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  NO 
  * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  NO 
  * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  NO 
  * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  NO 
  * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)):  NO 
  * Affected by CVE-2023-20593 (Zenbleed, cross-process information leak):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
* Kernel has array_index_nospec (arm64):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  UNKNOWN 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  YES  (per-thread through prctl)
* SSB mitigation currently active for selected processes:  NO  (no process found using SSB mitigation through prctl)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Not affected
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in kernel image)
  * L1D flush enabled:  NO 
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* TAA mitigation is supported by kernel:  YES  (found tsx_async_abort in kernel image)
* TAA mitigation enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* This system is a host running a hypervisor:  NO 
* iTLB Multihit mitigation is supported by kernel:  YES  (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* SRBDS mitigation control is supported by the kernel:  YES  (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
* SRBDS mitigation control is enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not affected)

CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
* Zenbleed mitigation is supported by kernel:  NO 
* Zenbleed kernel mitigation enabled and active:  NO  (FP_BACKUP_FIX is cleared in DE_CFG)
* Zenbleed mitigation is supported by CPU microcode:  NO 
> STATUS:  VULNERABLE  (Your kernel is too old to mitigate Zenbleed and your CPU microcode doesn't mitigate it either)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:KO

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer

**martinr** · July 29th, 2023

I checked all my computers for vulnerability to Spectre and Meltdown with the spectre-meltdown-checker. Three were vulnerable. Which led me to the following challenge. For my rig with with a 64 bit Intel processor:

Code:

Kernel is Linux 5.4.0-155-generic #172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023 x86_64
CPU is Celeron(R) Dual-Core CPU       T3000  @ 1.80GHz

The checker reported:

Code:

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO 
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

> How to fix: Your kernel is recent enough to use the CPU microcode features for mitigation, but your CPU microcode doesn't actually provide the necessary features for the kernel to use. The microcode of your CPU hence needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).

The Celeron T3000 has a 64-bit architecture.
The advise from the spectre-meltdown-checker is to upgrade the microcode of the CPU in order for the kernel to make use of it to fix the vulnerability.

The computer has the latest BIOS version installed already, but apparently that does not have the microcode fix in it.
Now I was hoping that the intel-microcode package might contain fixed microcode that fixes this?
I'm running the latest updates.

This led me to the following two questions:

Is there newer microcode for the CPU that fixes the vulnerability?

How can I check which version of microcode is currently running on the CPU?
How can I check what the latest microcode version is, that is released for my processor: the Intel Celeron(R) Dual-Core CPU T3000 @ 1.80GHz.

I searched a lot on the internet, but couldn't find an answer only this microcode-update-guidance document, but it doesn't mention the T3000 CPU.

**DuckHook** · July 30th, 2023

Originally Posted by martinr

…Is there newer microcode for the CPU that fixes the vulnerability?

How can I check which version of microcode is currently running on the CPU?
How can I check what the latest microcode version is, that is released for my processor: the Intel Celeron(R) Dual-Core CPU T3000 @ 1.80GHz…

Code:

duckhook@Zeus:~$  apt show intel-microcode
Package: intel-microcode
Version: 3.20230214.0ubuntu0.22.04.1
Priority: extra
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 12.1 MB
Depends: iucode-tool (>= 1.0)
Recommends: initramfs-tools (>= 0.113~)
Conflicts: microcode.ctl (<< 0.18~0)
Homepage: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
Download-Size: 5,821 kB
APT-Manual-Installed: no
APT-Sources: http://ca.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
Description: Processor microcode firmware for Intel CPUs
 This package contains updated system processor microcode for
 Intel i686 and Intel X86-64 processors.  Intel releases microcode
 updates to correct processor behavior as documented in the
 respective processor specification updates.
 .
For AMD processors, please refer to the amd64-microcode package.

Note the highlighted URL
Reading through that github site should give you sufficient guidance on how to determine if your CPU has any outstanding microcode updates.

Further, note that Ubuntu's microcode updates will lag behind the the most recent issued by Intel. This is a designed safeguard: something as mission critical as microcode must be thoroughly tested before it is implemented system‑wide. Bad microcode will bork your system.

Yet further, note that Intel will abandon CPUs that it deems obsolete. Some Atom processors come to mind. I don't know about your Celeron—you can find this out on your own following the instructions in that github page. Such abandonware will not get updates or mitigations of any kind.

**#&thj^%** · October 9th, 2023

Originally Posted by martinr

Now I really don't understand how Debian can have patched amd64-microcode for the Zenbleed vulnerability already, whilst AMD still have to come up with a fix? And how the microcode can be reinitialized on an already running CPU.

Now fixed

Code:

pro fix CVE-2023-20593

CVE-2023-20593: Linux kernel (BlueField) vulnerabilities
 - https://ubuntu.com/security/CVE-2023-20593

2 affected source packages are installed: amd64-microcode, linux
(1/2, 2/2) amd64-microcode, linux:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2023-20593 is resolved.

**martinr** · January 29th, 2024

Thanks for your reply. I've retested 20593 and low and behold here are the results:

Code:

CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
* Zenbleed mitigation is supported by kernel:  YES  (found zenbleed message in kernel image)
* Zenbleed kernel mitigation enabled and active:  YES  (FP_BACKUP_FIX bit set in DE_CFG)
* Zenbleed mitigation is supported by CPU microcode:  NO 
> STATUS:  NOT VULNERABLE  (Your kernel mitigates Zenbleed)

I can confirm that it's fixed in kernel 5.15.0-91-generic in XUbuntu 22.04.3 LTS on Acer Swift 3 SF314-43 laptop with an AMD 5700U SoC / CPU.
Great!