intel-microcode-3.20180108.0~ubuntu17.10.1 fails to address spectre variant 2 on Intel i7-6850k platform
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
intel-microcode (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
Using the test script: spectre-
Checking for vulnerabilities against live running kernel Linux 4.13.0-
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: intel-microcode 3.20180108.
ProcVersionSign
Uname: Linux 4.13.0-
NonfreeKernelMo
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
Date: Wed Jan 17 06:00:56 2018
InstallationDate: Installed on 2017-05-05 (256 days ago)
InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Release amd64 (20170412)
ProcEnviron:
TERM=xterm-color
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: intel-microcode
UpgradeStatus: Upgraded to artful on 2017-10-20 (89 days ago)
Robert Dinse (nanook) wrote : | #1 |
- Dependencies.txt (2.9 KiB, text/plain; charset="utf-8")
- JournalErrors.txt (138.1 KiB, text/plain; charset="utf-8")
- ProcCpuinfoMinimal.txt (1.2 KiB, text/plain; charset="utf-8")
Marc Deslauriers (mdeslaur) wrote : | #2 |
Robert Dinse (nanook) wrote : Re: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to address spectre variant 2 on Intel i7-6850k platform | #3 |
On i7-6700k machine:
[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
On i7-6850k machine:
[ 0.000000] microcode: microcode updated early to revision 0xb000021, date = 2017-03-01
-_-_-_-
Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
See our web site: http://
On Wed, 17 Jan 2018, Marc Deslauriers wrote:
> Hi,
>
> What's the output of "dmesg | grep microcode" ?
Marc Deslauriers (mdeslaur) wrote : | #4 |
Those aren't the lines I'm interested in seeing. Please post the complete results of the grep.
Robert Dinse (nanook) wrote : | #5 |
That is all the grep returned:
root@igloo:~# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
root@igloo:~#
root@iglulik:~# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xb000021, date = 2017-03-01
root@iglulik:~#
Marc Deslauriers (mdeslaur) wrote : | #6 |
That's odd...I was expecting something like this:
$ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x80, date = 2018-01-04
[ 1.694283] microcode: sig=0x806e9, pf=0x80, revision=0x80
[ 1.694368] microcode: Microcode Update Driver: v2.2.
I need the sig for your two cpus.
Robert Dinse (nanook) wrote : | #7 |
Sorry processor sig? Is this something I can get from /proc/cpuinfo?
Marc Deslauriers (mdeslaur) wrote : | #8 |
You can install and use the cpuid tool:
cpuid -r | grep "0x00000001 0x00"
Robert Dinse (nanook) wrote : | #9 |
On the i7-6700k machine:
0x00000001 0x00: eax=0x000506e3 ebx=0x00100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x02100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x04100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x06100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x01100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x03100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x05100800 ecx=0x7ffafbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000506e3 ebx=0x07100800 ecx=0x7ffafbbf edx=0xbfebfbff
On the i7-6850k machine:
0x00000001 0x00: eax=0x000406f1 ebx=0x00100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x02100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x04100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x06100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x08100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x0a100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x01100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x03100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x05100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x07100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x09100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x0b100800 ecx=0x7ffefbbf edx=0xbfebfbff
Emily Ratliff (emilyr) wrote : | #10 |
Hi Robert, would you mind installing and running the iucode-tool? With that tool you will see something like the following:
$ iucode-tool -S
iucode-tool: system has processor(s) with signature 0x000306c3
Robert Dinse (nanook) wrote : | #11 |
I received no body only subject.
Robert Dinse (nanook) wrote : | #12 |
On i7-6700k:
iucode-tool: system has processor(s) with signature 0x000506e3
On i7-6850k:
iucode-tool: system has processor(s) with signature 0x000406f1
Marc Deslauriers (mdeslaur) wrote : | #13 |
OK, on the machine with the 506e3 cpu, you need to have microcode revision 0xc2
on the machine with the 406f1 cpu, you need to have microcode revision 0x25
Are you sure you have the intel-microcode package installed? If so, for some reason your microcode is not being updated at boot.
Robert Dinse (nanook) wrote : | #14 |
apt list intel-microcode -a
Listing... Done
intel-microcode
amd64 [installed]
intel-microcode
apt list intel-microcode -a
Listing... Done
intel-microcode
amd64 [installed]
intel-microcode
As you can see it is installed on both machines and it has been rebooted
since they were installed.
Seth Arnold (seth-arnold) wrote : | #15 |
Hello Robert, is there a reason to keep this bug private? I believe others may benefit from it.
Thanks
Marc Deslauriers (mdeslaur) wrote : | #16 |
OK, I just looked at Intel's microcode release from 20180108 and it does not yet contain the update for 406f1.
For 506e3, revision 0xc2 should be in the package.
What's the output of:
grep MICROCODE /boot/config-4.13*
Robert Dinse (nanook) wrote : | #17 |
Ok, guess will just have to wait for you to kick out a package
with that included.
Robert Dinse (nanook) wrote : | #18 |
Since the exploits are in public domain, I see no reason to.
information type: | Private Security → Public |
Henrique de Moraes Holschuh (hmh) wrote : | #19 |
I believe this is fixed in the latest version of intel-microcode available on every still-supported branch of Ubuntu...
Can you confirm and close the report, please?
Steve Beattie (sbeattie) wrote : | #20 |
Hi Robert,
The intel-microcode 3.20180807a.
updates for both your hosts:
002/001: sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
001/001: sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
Can you confirm, please? Thanks!
Changed in intel-microcode (Ubuntu): | |
status: | New → Incomplete |
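The diagnosis in this thread rests on three values: the CPU signature, the microcode revision the kernel reports as loaded, and the revision the package offers for that signature. The script below is an added example, not part of the thread or of any Ubuntu tooling; it parses output in the formats quoted above, its function names are hypothetical, and its sample inputs are constructed from lines posted in this thread.

```shell
#!/bin/sh
# Added example: compare the running microcode revision with what a package ships.

# Print the distinct CPUID leaf-1 signature(s) (eax) from `cpuid -r` text on stdin.
sig_from_cpuid() {
    sed -n 's/.*0x00000001 0x00: eax=\(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# Decode a signature into family-model-stepping (hex). These are the same three
# values /proc/cpuinfo shows (in decimal) as "cpu family", "model", "stepping".
sig_to_fms() {
    s=$(( $1 ))
    fam=$(( (s >> 8) & 0xf ))
    mod=$(( (s >> 4) & 0xf ))
    # Extended model bits apply to families 6 and 15; extended family only to 15.
    if [ "$fam" -eq 6 ] || [ "$fam" -eq 15 ]; then
        mod=$(( mod | (((s >> 16) & 0xf) << 4) ))
    fi
    if [ "$fam" -eq 15 ]; then
        fam=$(( fam + ((s >> 20) & 0xff) ))
    fi
    printf '%02x-%02x-%02x\n' "$fam" "$mod" $(( s & 0xf ))
}

# Print the last microcode revision the kernel logged (dmesg text on stdin).
# Matches both "updated early to revision 0x.." and "revision=0x..".
running_rev_from_dmesg() {
    sed -n 's/.*microcode: .*revision[ =]*\(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# From a listing in the "sig ..., pf_mask ..., date, rev ..., size ..." format
# (stdin), print the highest revision for signature $1, or nothing if absent.
packaged_rev() {
    want=$(( $1 ))
    best=
    while IFS= read -r line; do
        psig=$(printf '%s\n' "$line" | sed -n 's/.*sig \(0x[0-9a-fA-F]*\),.*/\1/p')
        prev=$(printf '%s\n' "$line" | sed -n 's/.*rev \(0x[0-9a-fA-F]*\),.*/\1/p')
        [ -n "$psig" ] && [ -n "$prev" ] || continue
        [ $(( $psig )) -eq "$want" ] || continue
        if [ -z "$best" ] || [ $(( $prev )) -gt $(( $best )) ]; then best=$prev; fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; fi
}

# $1 = running revision, $2 = packaged revision (empty if the package has none).
microcode_status() {
    if [ -z "$2" ]; then echo "not-in-package"
    elif [ $(( $1 )) -lt $(( $2 )) ]; then echo "outdated"
    else echo "current"
    fi
}

# $1 = cpuid text, $2 = dmesg text, $3 = package listing text.
check_host() {
    sig=$(printf '%s\n' "$1" | sig_from_cpuid | head -n 1)
    run=$(printf '%s\n' "$2" | running_rev_from_dmesg)
    # Without a signature or a logged revision there is nothing to compare.
    [ -n "$sig" ] && [ -n "$run" ] || { echo "unknown"; return 0; }
    pkg=$(printf '%s\n' "$3" | packaged_rev "$sig")
    printf '%s %s running=%s packaged=%s %s\n' "$sig" "$(sig_to_fms "$sig")" \
        "$run" "${pkg:-none}" "$(microcode_status "$run" "$pkg")"
}

# Constructed sample inputs, assembled from lines posted in this thread.
CPUID_6850K='0x00000001 0x00: eax=0x000406f1 ebx=0x00100800 ecx=0x7ffefbbf edx=0xbfebfbff
0x00000001 0x00: eax=0x000406f1 ebx=0x02100800 ecx=0x7ffefbbf edx=0xbfebfbff'
DMESG_6850K='[ 0.000000] microcode: microcode updated early to revision 0xb000021, date = 2017-03-01'
LISTING='002/001: sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
001/001: sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328'

check_host "$CPUID_6850K" "$DMESG_6850K" "$LISTING"
```

A `not-in-package` result corresponds to the situation described in comment #16, where the installed package carries no entry for the CPU's signature; `outdated` means an entry exists but a lower revision is running.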
Robert Dinse (nanook) wrote : | #21 |
I have stopped installing microcode on the i7-6850k because if I do then
it will not overclock. I do install on the i7-6700k machines as it does not
seem to be an issue with them.
Launchpad Janitor (janitor) wrote : | #22 |
[Expired for intel-microcode (Ubuntu) because there has been no activity for 60 days.]
Changed in intel-microcode (Ubuntu): | |
status: | Incomplete → Expired |