我更新了我的 CentOS 7 系统。为什么 Meltdown/Spectre 只能部分缓解?
Mic*_*ton 42 security vulnerabilities rhel7 centos7
像我们中的许多人一样,我昨天花了很多时间更新大量系统以减轻Meltdown 和 Spectre 攻击。据我了解,有必要安装两个包并重新启动:
kernel-3.10.0-693.11.6.el7.x86_64
microcode_ctl-2.1-22.2.el7.x86_64
我有两个 CentOS 7 系统,我已经在这些系统上安装了这些软件包并重新启动。
根据 Red Hat 的说法,我可以通过检查这些 sysctl 并确保它们都为 1 来检查缓解的状态。 但是,在这些系统上,它们并非都是 1:
# cat /sys/kernel/debug/x86/pti_enabled
1
# cat /sys/kernel/debug/x86/ibpb_enabled
0
# cat /sys/kernel/debug/x86/ibrs_enabled
0
我也不能将它们设置为 1:
# echo 1 > /sys/kernel/debug/x86/ibpb_enabled
-bash: echo: write error: No such device
# echo 1 > /sys/kernel/debug/x86/ibrs_enabled
-bash: echo: write error: No such device
我确认英特尔微码似乎已在启动时加载:
# systemctl status microcode -l
? microcode.service - Load CPU microcode update
Loaded: loaded (/usr/lib/systemd/system/microcode.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Fri 2018-01-05 16:42:25 UTC; 9min ago
Process: 30383 ExecStart=/usr/bin/bash -c grep -l GenuineIntel /proc/cpuinfo | xargs grep -l -E "model[[:space:]]*: 79$" > /dev/null || echo 1 > /sys/devices/system/cpu/microcode/reload (code=exited, status=0/SUCCESS)
Main PID: 30383 (code=exited, status=0/SUCCESS)
Jan 05 16:42:25 makrura systemd[1]: Starting Load CPU microcode update...
Jan 05 16:42:25 makrura systemd[1]: Started Load CPU microcode update.
甚至dmesg似乎已经证实了这一点:
[ 3.245580] microcode: CPU0 sig=0x50662, pf=0x10, revision=0xf
[ 3.245627] microcode: CPU1 sig=0x50662, pf=0x10, revision=0xf
[ 3.245674] microcode: CPU2 sig=0x50662, pf=0x10, revision=0xf
[ 3.245722] microcode: CPU3 sig=0x50662, pf=0x10, revision=0xf
[ 3.245768] microcode: CPU4 sig=0x50662, pf=0x10, revision=0xf
[ 3.245816] microcode: CPU5 sig=0x50662, pf=0x10, revision=0xf
[ 3.245869] microcode: CPU6 sig=0x50662, pf=0x10, revision=0xf
[ 3.245880] microcode: CPU7 sig=0x50662, pf=0x10, revision=0xf
[ 3.245924] microcode: CPU8 sig=0x50662, pf=0x10, revision=0xf
[ 3.245972] microcode: CPU9 sig=0x50662, pf=0x10, revision=0xf
[ 3.245989] microcode: CPU10 sig=0x50662, pf=0x10, revision=0xf
[ 3.246036] microcode: CPU11 sig=0x50662, pf=0x10, revision=0xf
[ 3.246083] microcode: CPU12 sig=0x50662, pf=0x10, revision=0xf
[ 3.246131] microcode: CPU13 sig=0x50662, pf=0x10, revision=0xf
[ 3.246179] microcode: CPU14 sig=0x50662, pf=0x10, revision=0xf
[ 3.246194] microcode: CPU15 sig=0x50662, pf=0x10, revision=0xf
[ 3.246273] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
我有一个以前代号为 Broadwell 的 Intel CPU:
processor : 15
vendor_id : GenuineIntel
cpu family : 6
model : 86
model name : Intel(R) Xeon(R) CPU D-1540 @ 2.00GHz
stepping : 2
microcode : 0xf
cpu MHz : 2499.921
cache size : 12288 KB
physical id : 0
siblings : 16
core id : 7
cpu cores : 8
apicid : 15
initial apicid : 15
fpu : yes
fpu_exception : yes
cpuid level : 20
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb cat_l3 invpcid_single intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm rdt_a rdseed adx smap xsaveopt cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts
bogomips : 3999.90
clflush size : 64
cache_alignment : 64
address sizes : 46 bits physical, 48 bits virtual
power management:
该cpuid实用程序报告:
# cpuid -1
Disclaimer: cpuid may not support decoding of all cpuid registers.
CPU:
vendor_id = "GenuineIntel"
version information (1/eax):
processor type = primary processor (0)
family = Intel Pentium Pro/II/III/Celeron/Core/Core 2/Atom, AMD Athlon/Duron, Cyrix M2, VIA C3 (6)
model = 0x6 (6)
stepping id = 0x2 (2)
extended family = 0x0 (0)
extended model = 0x5 (5)
(simple synth) = Intel Xeon D-1500 (Broadwell-DE V1), 14nm
miscellaneous (1/ebx):
process local APIC physical ID = 0x9 (9)
cpu count = 0x10 (16)
CLFLUSH line size = 0x8 (8)
brand index = 0x0 (0)
brand id = 0x00 (0): unknown
feature information (1/edx):
x87 FPU on chip = true
virtual-8086 mode enhancement = true
debugging extensions = true
page size extensions = true
time stamp counter = true
RDMSR and WRMSR support = true
physical address extensions = true
machine check exception = true
CMPXCHG8B inst. = true
APIC on chip = true
SYSENTER and SYSEXIT = true
memory type range registers = true
PTE global bit = true
machine check architecture = true
conditional move/compare instruction = true
page attribute table = true
page size extension = true
processor serial number = false
CLFLUSH instruction = true
debug store = true
thermal monitor and clock ctrl = true
MMX Technology = true
FXSAVE/FXRSTOR = true
SSE extensions = true
SSE2 extensions = true
self snoop = true
hyper-threading / multi-core supported = true
therm. monitor = true
IA64 = false
pending break event = true
feature information (1/ecx):
PNI/SSE3: Prescott New Instructions = true
PCLMULDQ instruction = true
64-bit debug store = true
MONITOR/MWAIT = true
CPL-qualified debug store = true
VMX: virtual machine extensions = true
SMX: safer mode extensions = true
Enhanced Intel SpeedStep Technology = true
thermal monitor 2 = true
SSSE3 extensions = true
context ID: adaptive or shared L1 data = false
FMA instruction = true
CMPXCHG16B instruction = true
xTPR disable = true
perfmon and debug = true
process context identifiers = true
direct cache access = true
SSE4.1 extensions = true
SSE4.2 extensions = true
extended xAPIC support = true
MOVBE instruction = true
POPCNT instruction = true
time stamp counter deadline = true
AES instruction = true
XSAVE/XSTOR states = true
OS-enabled XSAVE/XSTOR = true
AVX: advanced vector extensions = true
F16C half-precision convert instruction = true
RDRAND instruction = true
hypervisor guest status = false
cache and TLB information (2):
0x63: data TLB: 1G pages, 4-way, 4 entries
0x03: data TLB: 4K pages, 4-way, 64 entries
0x76: instruction TLB: 2M/4M pages, fully, 8 entries
0xff: cache data is in CPUID 4
0xb5: instruction TLB: 4K, 8-way, 64 entries
0xf0: 64 byte prefetching
0xc3: L2 TLB: 4K/2M pages, 6-way, 1536 entries
processor serial number: 0005-0662-0000-0000-0000-0000
deterministic cache parameters (4):
--- cache 0 ---
cache type = data cache (1)
cache level = 0x1 (1)
self-initializing cache level = true
fully associative cache = false
extra threads sharing this cache = 0x1 (1)
extra processor cores on this die = 0x7 (7)
system coherency line size = 0x3f (63)
physical line partitions = 0x0 (0)
ways of associativity = 0x7 (7)
ways of associativity = 0x0 (0)
WBINVD/INVD behavior on lower caches = false
inclusive to lower caches = false
complex cache indexing = false
number of sets - 1 (s) = 63
--- cache 1 ---
cache type = instruction cache (2)
cache level = 0x1 (1)
self-initializing cache level = true
fully associative cache = false
extra threads sharing this cache = 0x1 (1)
extra processor cores on this die = 0x7 (7)
system coherency line size = 0x3f (63)
physical line partitions = 0x0 (0)
ways of associativity = 0x7 (7)
ways of associativity = 0x0 (0)
WBINVD/INVD behavior on lower caches = false
inclusive to lower caches = false
complex cache indexing = false
number of sets - 1 (s) = 63
--- cache 2 ---
cache type = unified cache (3)
cache level = 0x2 (2)
self-initializing cache level = true
fully associative cache = false
extra threads sharing this cache = 0x1 (1)
extra processor cores on this die = 0x7 (7)
system coherency line size = 0x3f (63)
physical line partitions = 0x0 (0)
ways of associativity = 0x7 (7)
ways of associativity = 0x0 (0)
WBINVD/INVD behavior on lower caches = false
inclusive to lower caches = false
complex cache indexing = false
number of sets - 1 (s) = 511
--- cache 3 ---
cache type = unified cache (3)
cache level = 0x3 (3)
self-initializing cache level = true
fully associative cache = false
extra threads sharing this cache = 0xf (15)
extra processor cores on this die = 0x7 (7)
system coherency line size = 0x3f (63)
physical line partitions = 0x0 (0)
ways of associativity = 0xb (11)
ways of associativity = 0x6 (6)
WBINVD/INVD behavior on lower caches = false
inclusive to lower caches = true
complex cache indexing = true
number of sets - 1 (s) = 16383
MONITOR/MWAIT (5):
smallest monitor-line size (bytes) = 0x40 (64)
largest monitor-line size (bytes) = 0x40 (64)
enum of Monitor-MWAIT exts supported = true
supports intrs as break-event for MWAIT = true
number of C0 sub C-states using MWAIT = 0x0 (0)
number of C1 sub C-states using MWAIT = 0x2 (2)
number of C2 sub C-states using MWAIT = 0x1 (1)
number of C3 sub C-states using MWAIT = 0x2 (2)
number of C4 sub C-states using MWAIT = 0x0 (0)
number of C5 sub C-states using MWAIT = 0x0 (0)
number of C6 sub C-states using MWAIT = 0x0 (0)
number of C7 sub C-states using MWAIT = 0x0 (0)
Thermal and Power Management Features (6):
digital thermometer = true
Intel Turbo Boost Technology = true
ARAT always running APIC timer = true
PLN power limit notification = true
ECMD extended clock modulation duty = true
PTM package thermal management = true
HWP base registers = false
HWP notification = false
HWP activity window = false
HWP energy performance preference = false
HWP package level request = false
HDC base registers = false
digital thermometer thresholds = 0x2 (2)
ACNT/MCNT supported performance measure = true
ACNT2 available = false
performance-energy bias capability = true
extended feature flags (7):
FSGSBASE instructions = true
IA32_TSC_ADJUST MSR supported = true
SGX: Software Guard Extensions supported = false
BMI instruction = true
HLE hardware lock elision = true
AVX2: advanced vector extensions 2 = true
FDP_EXCPTN_ONLY = false
SMEP supervisor mode exec protection = true
BMI2 instructions = true
enhanced REP MOVSB/STOSB = true
INVPCID instruction = true
RTM: restricted transactional memory = true
QM: quality of service monitoring = true
deprecated FPU CS/DS = true
intel memory protection extensions = false
PQE: platform quality of service enforce = true
AVX512F: AVX-512 foundation instructions = false
AVX512DQ: double & quadword instructions = false
RDSEED instruction = true
ADX instructions = true
SMAP: supervisor mode access prevention = true
AVX512IFMA: fused multiply add = false
CLFLUSHOPT instruction = false
CLWB instruction = false
Intel processor trace = true
AVX512PF: prefetch instructions = false
AVX512ER: exponent & reciprocal instrs = false
AVX512CD: conflict detection instrs = false
SHA instructions = false
AVX512BW: byte & word instructions = false
AVX512VL: vector length = false
PREFETCHWT1 = false
AVX512VBMI: vector byte manipulation = false
UMIP: user-mode instruction prevention = false
PKU protection keys for user-mode = false
OSPKE CR4.PKE and RDPKRU/WRPKRU = false
BNDLDX/BNDSTX MAWAU value in 64-bit mode = 0x0 (0)
RDPID: read processor D supported = false
SGX_LC: SGX launch config supported = false
AVX512_4VNNIW: neural network instrs = false
AVX512_4FMAPS: multiply acc single prec = false
Direct Cache Access Parameters (9):
PLATFORM_DCA_CAP MSR bits = 1
Architecture Performance Monitoring Features (0xa/eax):
version ID = 0x3 (3)
number of counters per logical processor = 0x4 (4)
bit width of counter = 0x30 (48)
length of EBX bit vector = 0x7 (7)
Architecture Performance Monitoring Features (0xa/ebx):
core cycle event not available = false
instruction retired event not available = false
reference cycles event not available = false
last-level cache ref event not available = false
last-level cache miss event not avail = false
branch inst retired event not available = false
branch mispred retired event not avail = false
Architecture Performance Monitoring Features (0xa/edx):
number of fixed counters = 0x3 (3)
bit width of fixed counters = 0x30 (48)
x2APIC features / processor topology (0xb):
--- level 0 (thread) ---
bits to shift APIC ID to get next = 0x1 (1)
logical processors at this level = 0x2 (2)
level number = 0x0 (0)
level type = thread (1)
extended APIC ID = 9
--- level 1 (core) ---
bits to shift APIC ID to get next = 0x4 (4)
logical processors at this level = 0x10 (16)
level number = 0x1 (1)
level type = core (2)
extended APIC ID = 9
XSAVE features (0xd/0):
XCR0 lower 32 bits valid bit field mask = 0x00000007
XCR0 upper 32 bits valid bit field mask = 0x00000000
XCR0 supported: x87 state = true
XCR0 supported: SSE state = true
XCR0 supported: AVX state = true
XCR0 supported: MPX BNDREGS = false
XCR0 supported: MPX BNDCSR = false
XCR0 supported: AVX-512 opmask = false
XCR0 supported: AVX-512 ZMM_Hi256 = false
XCR0 supported: AVX-512 Hi16_ZMM = false
IA32_XSS supported: PT state = false
XCR0 supported: PKRU state = false
bytes required by fields in XCR0 = 0x00000340 (832)
bytes required by XSAVE/XRSTOR area = 0x00000340 (832)
XSAVE features (0xd/1):
XSAVEOPT instruction = true
XSAVEC instruction = false
XGETBV instruction = false
XSAVES/XRSTORS instructions = false
SAVE area size in bytes = 0x00000000 (0)
IA32_XSS lower 32 bits valid bit field mask = 0x00000000
IA32_XSS upper 32 bits valid bit field mask = 0x00000000
AVX/YMM features (0xd/2):
AVX/YMM save state byte size = 0x00000100 (256)
AVX/YMM save state byte offset = 0x00000240 (576)
supported in IA32_XSS or XCR0 = XCR0 (user state)
64-byte alignment in compacted XSAVE = false
Quality of Service Monitoring Resource Type (0xf/0):
Maximum range of RMID = 63
supports L3 cache QoS monitoring = false
L3 Cache Quality of Service Monitoring (0xf/1):
Conversion factor from IA32_QM_CTR to bytes = 32768
Maximum range of RMID = 63
supports L3 occupancy monitoring = true
supports L3 total bandwidth monitoring = true
supports L3 local bandwidth monitoring = true
Resource Director Technology allocation (0x10/0):
L3 cache allocation technology supported = true
L2 cache allocation technology supported = false
L3 Cache Allocation Technology (0x10/1):
length of capacity bit mask - 1 = 0xb (11)
Bit-granular map of isolation/contention = 0x00000c00
infrequent updates of COS = true
code and data prioritization supported = false
highest COS number supported = 0xb (11)
0x00000011 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
SGX capability (0x12/0):
SGX1 supported = false
SGX2 supported = false
MISCSELECT.EXINFO supported: #PF & #GP = false
MaxEnclaveSize_Not64 (log2) = 0x0 (0)
MaxEnclaveSize_64 (log2) = 0x0 (0)
0x00000013
use*_*517 23
如https://access.redhat.com/articles/3311301 中所述
CVE-2017-5715(变体#2/Spectre)是一种间接分支中毒攻击,可导致数据泄露。这种攻击允许虚拟客户从主机系统读取内存。此问题已通过微代码以及对来宾和主机虚拟化软件的内核和虚拟化更新得到纠正。此漏洞需要更新的微码和内核补丁。变体#2 的行为由 ibrs 和 ibpb 可调参数(noibrs/ibrs_enabled 和 noibpb/ibpb_enabled)控制,它们与微码一起工作
...
如前所述,为您的硬件安装微码更新(如果由硬件供应商提供)是防止变体 2 所必需的。请联系您的硬件供应商获取微码更新。
您似乎还需要更新 BIOS 才能启用针对 CVE-2017-5715 的缓解措施。
我太早在别处读过这篇文章,但现在找不到参考。
- https://access.redhat.com/articles/3311301#architectural-defaults-9 告诉微码更新不适用于较旧的 CPU :(更新的包中此 CPU 不存在更新的微码有效负载。也许这可能会随着另一个更新而改变?) (4认同)
sho*_*hok 16
更新:似乎与操作系统更新一起发布的微码更新是正在运行的微码的二进制补丁,而不是完整的微码替换。换句话说,他们需要 BIOS/处理器中的特定基本 ucode 版本才能对其进行修补。出于这个原因,在我手头的所有机器上都需要进行 BIOS/固件更新,而这个 BIOS 更新已经嵌入了修补过的微代码。作为参考,DELL 刚刚发布了 14/13/12 代 PowerEdge 服务器所需的固件更新,第 11 代服务器的修复程序将在本月底发布。
TL;DR:微码更新似乎非常仓促。我认为我们必须等待几天/几周才能完全了解/发现哪些处理器/步进/型号/SKU 将收到正确的更新。
长版:在三个更新的系统中,一个(旧的)正确加载了新的微代码并启用了相关的缓解措施:
- 在 Ryzen 机器上,加载失败并出现“补丁不匹配”错误;
- 在 Clarkdale(Core i5)笔记本电脑上,没有加载新的微码,但正确的文件安装在
/lib/firmware/ - 一个非常旧的 PhenomII 盒子正确加载了新的微码并启用了所有适当的缓解措施。
我一直在使用Spectre Meltdown Checker脚本来快速了解我的物理和虚拟系统的状态,因为我要处理很多内核和平台变体。
请参阅:https : //github.com/speed47/spectre-meltdown-checker
输出显示需要在管理程序主机和裸机服务器上更新 BIOS。这是我处理的系统的供应商问题。我不会依赖 RHEL/CentOS 的微码补丁。
- 基于脚本输出 - 您能解释一下为什么需要更新 BIOS 的原因吗?Spectre Variant 2 输出中的失败部分显示了 retpoline 的内核编译问题 - 但它也表明“硬件(CPU 微码)支持缓解”。这让我很困惑。如果我们相信这个脚本,这个输出是否似乎表明内核本身存在问题? (2认同)