-rw-r--r-- docs/report/dpdk_performance_tests/csit_release_notes.rst 15
-rw-r--r-- docs/report/introduction/methodology_ipsec.rst 4
-rw-r--r-- docs/report/introduction/methodology_multi_core_speedup.rst 10
-rw-r--r-- docs/report/introduction/methodology_vpp_startup_settings.rst 2
-rw-r--r-- docs/report/introduction/physical_testbeds.rst 4
-rw-r--r-- docs/report/introduction/test_environment_intro.rst 15
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_clx.rst 4
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_dnv.rst 4
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_hsw.rst 223
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_skx.rst 4
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_tsh.rst 4
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_tx2.rst 4
-rw-r--r-- docs/report/introduction/test_environment_sut_calib_zn2.rst 4
-rw-r--r-- docs/report/introduction/test_environment_sut_conf_1.rst 13
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_clx.rst 370
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_dnv.rst 270
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_hsw.rst 170
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_skx.rst 139
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_tsh.rst 386
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_tx2.rst 236
-rw-r--r-- docs/report/introduction/test_environment_sut_meltspec_zn2.rst 396
-rw-r--r-- docs/report/introduction/test_scenarios_overview.rst 10
-rw-r--r-- docs/report/vpp_device_tests/csit_release_notes.rst 22
-rw-r--r-- docs/report/vpp_performance_tests/csit_release_notes.rst 50
24 files changed, 1156 insertions, 1203 deletions
diff --git a/docs/report/dpdk_performance_tests/csit_release_notes.rst b/docs/report/dpdk_performance_tests/csit_release_notes.rst
index 622d9c415c..4f33231549 100644
--- a/docs/report/dpdk_performance_tests/csit_release_notes.rst
+++ b/docs/report/dpdk_performance_tests/csit_release_notes.rst
@@ -4,16 +4,6 @@ Release Notes
Changes in |csit-release|
-------------------------
-#. DPDK PERFORMANCE TESTS
-
- - Fixed DPDK compilation on ARM systems.
-
- - **AMD 2n-zn2 testbed**: New physical testbed type installed in
- FD.io CSIT, with DPDK performance data added to this report.
-
- - **Arm 2n-tx2 testbed**: New physical testbed type installed in
- FD.io CSIT, with DPDK performance data added to this report.
-
#. DPDK RELEASE VERSION CHANGE
- |csit-release| tested |dpdk-release|, as used by |vpp-release|.
@@ -28,9 +18,6 @@ List of known issues in |csit-release| for DPDK performance tests:
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
| # | JiraID | Issue Description |
+====+=========================================+===========================================================================================================+
-| 1 | `CSIT-1761 | Denverton systems in FD.io CSIT lab (2n-dnv and 3n-dnv) reports dpdk compilation error very often. |
-| | <https://jira.fd.io/browse/CSIT-1761>`_ | |
-+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
-| 2 | `CSIT-1762 | TRex reports link DOWN in case of dpdk testpmd tests on FD.io CSIT Denverton systems (2n-dnv and 3n-dnv). |
+| 1 | `CSIT-1762 | TRex reports link DOWN in case of dpdk testpmd tests on FD.io CSIT Denverton systems (2n-dnv and 3n-dnv). |
| | <https://jira.fd.io/browse/CSIT-1762>`_ | |
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst
index 99119e18d0..6cfa69cd88 100644
--- a/docs/report/introduction/methodology_ipsec.rst
+++ b/docs/report/introduction/methodology_ipsec.rst
@@ -47,7 +47,3 @@ dpdk_cryptodev
| crypto_ipsecmb | async/crypto worker | AES[128]-CBC | SHA[256|512] | 1, 4, 1k tunnels |
+-------------------+---------------------+------------------+----------------+------------------+
-..
- VPP IPsec with HW crypto are executed in both tunnel and policy modes,
- with tests running on 3-node Haswell testbeds (3n-hsw), as these are the
- only testbeds equipped with Intel QAT cards.
diff --git a/docs/report/introduction/methodology_multi_core_speedup.rst b/docs/report/introduction/methodology_multi_core_speedup.rst
index 095f0f7796..05307549f4 100644
--- a/docs/report/introduction/methodology_multi_core_speedup.rst
+++ b/docs/report/introduction/methodology_multi_core_speedup.rst
@@ -14,8 +14,7 @@ applied in BIOS and requires server SUT reload for it to take effect,
making it impractical for continuous changes of HT mode of operation.
|csit-release| performance tests are executed with server SUTs' Intel
-XEON processors configured with Intel Hyper-Threading Disabled for all
-Xeon Haswell testbeds (3n-hsw) and with Intel Hyper-Threading Enabled
+XEON processors configured with Intel Hyper-Threading Enabled
for all Xeon Skylake and Xeon Cascadelake testbeds.
More information about physical testbeds is provided in
@@ -27,13 +26,6 @@ Multi-core Tests
|csit-release| multi-core tests are executed in the following VPP worker
thread and physical core configurations:
-#. Intel Xeon Haswell testbeds (3n-hsw) with Intel HT disabled
- (1 logical CPU core per each physical core):
-
- #. 1t1c - 1 VPP worker thread on 1 physical core.
- #. 2t2c - 2 VPP worker threads on 2 physical cores.
- #. 4t4c - 4 VPP worker threads on 4 physical cores.
-
#. Intel Xeon Skylake and Cascadelake testbeds (2n-skx, 3n-skx, 2n-clx)
with Intel HT enabled (2 logical CPU cores per each physical core):
diff --git a/docs/report/introduction/methodology_vpp_startup_settings.rst b/docs/report/introduction/methodology_vpp_startup_settings.rst
index e3e8d29b23..c583ae7bed 100644
--- a/docs/report/introduction/methodology_vpp_startup_settings.rst
+++ b/docs/report/introduction/methodology_vpp_startup_settings.rst
@@ -26,7 +26,7 @@ List of VPP startup.conf settings applied to all tests:
256). For Xeon Skylake platforms configured with 2MB hugepages and VPP
data-size and buffer-size defaults (2048B and 2496B respectively), this
results in value of 215040 (256 * 840 = 215040, 840 * 2496B buffers fit
- in 2MB hugepage ). For Xeon Haswell nodes value of 107520 is used.
+ in 2MB hugepage).
Per Test Settings
~~~~~~~~~~~~~~~~~
diff --git a/docs/report/introduction/physical_testbeds.rst b/docs/report/introduction/physical_testbeds.rst
index 5f62f1bb06..7755bdddeb 100644
--- a/docs/report/introduction/physical_testbeds.rst
+++ b/docs/report/introduction/physical_testbeds.rst
@@ -26,8 +26,8 @@ Two physical server topology types are used:
Current FD.io production testbeds are built with SUT servers based on
the following processor architectures:
-- Intel Xeon: Skylake Platinum 8180, Haswell-SP E5-2699v3,
- Cascade Lake Platinum 8280, Cascade Lake 6252N.
+- Intel Xeon: Skylake Platinum 8180, Cascade Lake Platinum 8280,
+ Cascade Lake 6252N.
- Intel Atom: Denverton C3858.
- Arm: TaiShan 2280, hip07-d05.
- AMD EPYC: Zen2 7532.
diff --git a/docs/report/introduction/test_environment_intro.rst b/docs/report/introduction/test_environment_intro.rst
index 2aa4f44e40..c1ab7ea6ad 100644
--- a/docs/report/introduction/test_environment_intro.rst
+++ b/docs/report/introduction/test_environment_intro.rst
@@ -79,7 +79,17 @@ Following is the list of CSIT versions to date:
- The main change is TRex version upgrade:
`increase from 2.82 to 2.86 <https://gerrit.fd.io/r/c/csit/+/29980>`_.
+- Ver. 7 associated with CSIT rls2106 branch (`HW
+ <https://git.fd.io/csit/tree/docs/lab?h=rls2106>`_, `Linux
+ <https://docs.fd.io/csit/rls2106/report/vpp_performance_tests/test_environment.html#sut-settings-linux>`_,
+ `TRex
+ <https://docs.fd.io/csit/rls2106/report/vpp_performance_tests/test_environment.html#tg-settings-trex>`_,
+ `CSIT <https://git.fd.io/csit/tree/?h=rls2106>`_).
+ - TRex version upgrade:
+ `increase from 2.86 to 2.88 <https://gerrit.fd.io/r/c/csit/+/31652>`_.
+ - Ubuntu upgrade:
+ `upgrade from 18.04 LTS to 20.04.2 LTS <https://gerrit.fd.io/r/c/csit/+/31290>`_.
To identify performance changes due to VPP code development between previous
and current VPP release version, both have been tested in CSIT environment of
@@ -101,7 +111,7 @@ topology types are used:
server as TG both connected in ring topology.
Tested SUT servers are based on a range of processors including Intel
-Xeon Haswell-SP, Intel Xeon Skylake-SP, Intel Xeon Cascade Lake-SP, Arm,
+Intel Xeon Skylake-SP, Intel Xeon Cascade Lake-SP, Arm,
Intel Atom. More detailed description is provided in
:ref:`tested_physical_topologies`. Tested logical topologies are
described in :ref:`tested_logical_topologies`.
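Review bot: The added line `+Intel Xeon Skylake-SP, ...` begins with "Intel" while the unchanged line before it already ends with "including Intel", so the rendered sentence reads "including Intel Intel Xeon Skylake-SP". Drop the leading "Intel" from the added line. The list also stops at "Arm, Intel Atom" and omits AMD EPYC, which physical_testbeds.rst in this same change lists among the production SUT architectures; consider adding it here.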
@@ -112,5 +122,4 @@ Server Specifications
Complete technical specifications of compute servers used in CSIT
physical testbeds are maintained in FD.io CSIT repository:
`FD.io CSIT testbeds - Xeon Cascade Lake`_,
-`FD.io CSIT testbeds - Xeon Skylake, Arm, Atom`_ and
-`FD.io CSIT Testbeds - Xeon Haswell`_.
+`FD.io CSIT testbeds - Xeon Skylake, Arm, Atom`_. \ No newline at end of file
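Review bot: The last added line leaves the file without a terminating newline (`\ No newline at end of file`) and drops the "and" that joined the final list item, so the sentence now ends "`... Xeon Cascade Lake`_, `... Xeon Skylake, Arm, Atom`_." Suggest "`FD.io CSIT testbeds - Xeon Cascade Lake`_ and `FD.io CSIT testbeds - Xeon Skylake, Arm, Atom`_." followed by a newline.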
diff --git a/docs/report/introduction/test_environment_sut_calib_clx.rst b/docs/report/introduction/test_environment_sut_calib_clx.rst
index ed44eb92d2..ef4812d2e1 100644
--- a/docs/report/introduction/test_environment_sut_calib_clx.rst
+++ b/docs/report/introduction/test_environment_sut_calib_clx.rst
@@ -15,7 +15,7 @@ Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
+ BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=b1f0dc29-1d4f-4777-b37d-a5e26e233d55 ro audit=0 hpet=disable intel_idle.max_cstate=1 intel_iommu=on intel_pstate=disable iommu=pt isolcpus=1-27,29-55,57-83,85-111 mce=off nmi_watchdog=0 nohz_full=1-27,29-55,57-83,85-111 nosoftlockup numa_balancing=disable processor.max_cstate=1 rcu_nocbs=1-27,29-55,57-83,85-111 tsc=reliable console=ttyS0,115200n8 quiet
Linux uname
^^^^^^^^^^^
@@ -23,7 +23,7 @@ Linux uname
::
$ uname -a
- Linux s32-t27-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
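Review bot: The added `uname -a` line has no nodename field: the removed line read `Linux s32-t27-sut1 4.15.0-72-generic ...`, while the new one goes straight from `Linux` to `5.4.0-65-generic`. `uname -a` always prints the nodename, so this is not verbatim output and it no longer identifies which SUT the calibration data came from. Paste the unedited output, or state in the surrounding text that the hostname was removed.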
diff --git a/docs/report/introduction/test_environment_sut_calib_dnv.rst b/docs/report/introduction/test_environment_sut_calib_dnv.rst
index 13f980656a..d38ba2fb8b 100644
--- a/docs/report/introduction/test_environment_sut_calib_dnv.rst
+++ b/docs/report/introduction/test_environment_sut_calib_dnv.rst
@@ -14,7 +14,7 @@ Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-36-generic root=UUID=d3cfffd0-1e77-423a-a53a-a117199b6025 ro intel_iommu=on iommu=pt isolcpus=1-11 nohz_full=1-11 rcu_nocbs=1-11 default_hugepagesz=1G hugepagesz=1G hugepages=8 intel_pstate=disable nmi_watchdog=0 numa_balancing=disable tsc=reliable nosoftlockup quiet splash vt.handoff=7
+ BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=26ca7b0f-904a-462d-a1c6-98c420c29515 ro audit=0 hpet=disable intel_idle.max_cstate=1 intel_iommu=on intel_pstate=disable iommu=pt isolcpus=1-5 mce=off nmi_watchdog=0 nohz_full=1-5 nosoftlockup numa_balancing=disable processor.max_cstate=1 rcu_nocbs=1-5 tsc=reliable console=tty0 console=ttyS0,115200n8
Linux uname
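Review bot: In the added cmdline the isolated set shrinks from `1-11` to `1-5` for `isolcpus`, `nohz_full` and `rcu_nocbs`, and `default_hugepagesz=1G hugepagesz=1G hugepages=8` disappears, with nothing in the change explaining either. Please confirm the line was captured on a Denverton SUT as currently provisioned and, if hugepages are now allocated some other way, say so in the text, since the calibration data in this file is only reproducible with the boot parameters it documents.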
@@ -23,7 +23,7 @@ Linux uname
::
$ uname -a
- Linux 4.15.0-36-generic #39~16.04.1-Ubuntu SMP Tue Sep 25 08:59:23 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+ Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
diff --git a/docs/report/introduction/test_environment_sut_calib_hsw.rst b/docs/report/introduction/test_environment_sut_calib_hsw.rst
deleted file mode 100644
index d2e8d3d33d..0000000000
--- a/docs/report/introduction/test_environment_sut_calib_hsw.rst
+++ /dev/null
@@ -1,223 +0,0 @@
-Haswell
-~~~~~~~
-
-Following sections include sample calibration data measured on t1-sut1
-server running in one of the Intel Xeon Haswell testbeds as specified in
-`FD.io CSIT Testbeds - Xeon Haswell`_.
-
-Calibration data obtained from all other servers in Haswell testbeds
-shows the same or similar values.
-
-Linux cmdline
-^^^^^^^^^^^^^
-
-::
-
- $ cat /proc/cmdline
- BOOT_IMAGE=/vmlinuz-4.15.0-72-generic root=UUID=c59ae603-8076-41f4-bb5d-bc3fc8dd3ea1 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0console=ttyS0,115200n8
-
-
-Linux uname
-^^^^^^^^^^^
-
-::
-
- $ uname -a
- Linux t1-tg1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
-
-
-System-level Core Jitter
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
- $ sudo taskset -c 3 /home/testuser/pma_tools/jitter/jitter -i 30
- Linux Jitter testing program version 1.8
- Iterations=30
- The pragram will execute a dummy function 80000 times
- Display is updated every 20000 displayUpdate intervals
- Timings are in CPU Core cycles
- Inst_Min: Minimum Excution time during the display update interval(default is ~1 second)
- Inst_Max: Maximum Excution time during the display update interval(default is ~1 second)
- Inst_jitter: Jitter in the Excution time during rhe display update interval. This is the value of interest
- last_Exec: The Excution time of last iteration just before the display update
- Abs_Min: Absolute Minimum Excution time since the program started or statistics were reset
- Abs_Max: Absolute Maximum Excution time since the program started or statistics were reset
- tmp: Cumulative value calcualted by the dummy function
- Interval: Time interval between the display updates in Core Cycles
- Sample No: Sample number
-
- Inst_Min Inst_Max Inst_jitter last_Exec Abs_min Abs_max tmp Interval Sample No
- 160024 172636 12612 160028 160024 172636 1573060608 3205463144 1
- 160024 188236 28212 160028 160024 188236 958595072 3205500844 2
- 160024 185676 25652 160028 160024 188236 344129536 3205485976 3
- 160024 172608 12584 160024 160024 188236 4024631296 3205472740 4
- 160024 179260 19236 160028 160024 188236 3410165760 3205502164 5
- 160024 172432 12408 160024 160024 188236 2795700224 3205452036 6
- 160024 178820 18796 160024 160024 188236 2181234688 3205455408 7
- 160024 172512 12488 160028 160024 188236 1566769152 3205461528 8
- 160024 172636 12612 160028 160024 188236 952303616 3205478820 9
- 160024 173676 13652 160028 160024 188236 337838080 3205470412 10
- 160024 178776 18752 160028 160024 188236 4018339840 3205481472 11
- 160024 172788 12764 160028 160024 188236 3403874304 3205492336 12
- 160024 174616 14592 160028 160024 188236 2789408768 3205474904 13
- 160024 174440 14416 160028 160024 188236 2174943232 3205479448 14
- 160024 178748 18724 160024 160024 188236 1560477696 3205482668 15
- 160024 172588 12564 169404 160024 188236 946012160 3205510496 16
- 160024 172636 12612 160024 160024 188236 331546624 3205472204 17
- 160024 172480 12456 160024 160024 188236 4012048384 3205455864 18
- 160024 172740 12716 160028 160024 188236 3397582848 3205464932 19
- 160024 179200 19176 160028 160024 188236 2783117312 3205476012 20
- 160024 172480 12456 160028 160024 188236 2168651776 3205465632 21
- 160024 172728 12704 160024 160024 188236 1554186240 3205497204 22
- 160024 172620 12596 160028 160024 188236 939720704 3205466972 23
- 160024 172640 12616 160028 160024 188236 325255168 3205471216 24
- 160024 172484 12460 160028 160024 188236 4005756928 3205467388 25
- 160024 172636 12612 160028 160024 188236 3391291392 3205482748 26
- 160024 179056 19032 160024 160024 188236 2776825856 3205467152 27
- 160024 172672 12648 160024 160024 188236 2162360320 3205483268 28
- 160024 176932 16908 160024 160024 188236 1547894784 3205488536 29
- 160024 172452 12428 160028 160024 188236 933429248 3205440636 30
-
-
-Memory Bandwidth
-^^^^^^^^^^^^^^^^
-
-::
-
- $ sudo /home/testuser/mlc --bandwidth_matrix
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --bandwidth_matrix
-
- Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes
- Measuring Memory Bandwidths between nodes within system
- Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
- Using all the threads from each core if Hyper-threading is enabled
- Using Read-only traffic type
- Numa node
- Numa node 0 1
- 0 57935.5 30265.2
- 1 30284.6 58409.9
-
-::
-
- $ sudo /home/testuser/mlc --peak_injection_bandwidth
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --peak_injection_bandwidth
-
- Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes
-
- Measuring Peak Injection Memory Bandwidths for the system
- Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
- Using all the threads from each core if Hyper-threading is enabled
- Using traffic with the following read-write ratios
- ALL Reads : 115762.2
- 3:1 Reads-Writes : 106242.2
- 2:1 Reads-Writes : 103031.8
- 1:1 Reads-Writes : 87943.7
- Stream-triad like: 100048.4
-
-::
-
- $ sudo /home/testuser/mlc --max_bandwidth
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --max_bandwidth
-
- Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes
-
- Measuring Maximum Memory Bandwidths for the system
- Will take several minutes to complete as multiple injection rates will be tried to get the best bandwidth
- Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec)
- Using all the threads from each core if Hyper-threading is enabled
- Using traffic with the following read-write ratios
- ALL Reads : 115782.41
- 3:1 Reads-Writes : 105965.78
- 2:1 Reads-Writes : 103162.38
- 1:1 Reads-Writes : 88255.82
- Stream-triad like: 105608.10
-
-
-Memory Latency
-^^^^^^^^^^^^^^
-
-::
-
- $ sudo /home/testuser/mlc --latency_matrix
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --latency_matrix
-
- Using buffer size of 200.000MB
- Measuring idle latencies (in ns)...
- Numa node
- Numa node 0 1
- 0 101.0 132.0
- 1 141.2 98.8
-
-::
-
- $ sudo /home/testuser/mlc --idle_latency
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --idle_latency
-
- Using buffer size of 200.000MB
- Each iteration took 227.2 core clocks ( 99.0 ns)
-
-::
-
- $ sudo /home/testuser/mlc --loaded_latency
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --loaded_latency
-
- Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes
-
- Measuring Loaded Latencies for the system
- Using all the threads from each core if Hyper-threading is enabled
- Using Read-only traffic type
- Inject Latency Bandwidth
- Delay (ns) MB/sec
- ==========================
- 00000 294.08 115841.6
- 00002 294.27 115851.5
- 00008 293.67 115821.8
- 00015 278.92 115587.5
- 00050 246.80 113991.2
- 00100 206.86 104508.1
- 00200 123.72 72873.6
- 00300 113.35 52641.1
- 00400 108.89 41078.9
- 00500 108.11 33699.1
- 00700 106.19 24878.0
- 01000 104.75 17948.1
- 01300 103.72 14089.0
- 01700 102.95 11013.6
- 02500 102.25 7756.3
- 03500 101.81 5749.3
- 05000 101.46 4230.4
- 09000 101.05 2641.4
- 20000 100.77 1542.5
-
-
-L1/L2/LLC Latency
-^^^^^^^^^^^^^^^^^
-
-::
-
- $ sudo /home/testuser/mlc --c2c_latency
- Intel(R) Memory Latency Checker - v3.5
- Command line parameters: --c2c_latency
-
- Measuring cache-to-cache transfer latency (in ns)...
- Local Socket L2->L2 HIT latency 42.1
- Local Socket L2->L2 HITM latency 47.0
- Remote Socket L2->L2 HITM latency (data address homed in writer socket)
- Reader Numa Node
- Writer Numa Node 0 1
- 0 - 108.0
- 1 106.9 -
- Remote Socket L2->L2 HITM latency (data address homed in reader socket)
- Reader Numa Node
- Writer Numa Node 0 1
- 0 - 107.7
- 1 106.6 -
-
-.. include:: ../introduction/test_environment_sut_meltspec_hsw.rst
diff --git a/docs/report/introduction/test_environment_sut_calib_skx.rst b/docs/report/introduction/test_environment_sut_calib_skx.rst
index e3038a230a..cbb8011fe0 100644
--- a/docs/report/introduction/test_environment_sut_calib_skx.rst
+++ b/docs/report/introduction/test_environment_sut_calib_skx.rst
@@ -15,7 +15,7 @@ Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=e05120bb-7127-43db-b1e3-a66edd4c43bd ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8
+ BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=55d44abd-94d6-4b26-9d93-5877a8658016 ro audit=0 hpet=disable intel_idle.max_cstate=1 intel_iommu=on intel_pstate=disable iommu=pt isolcpus=1-27,29-55,57-83,85-111 mce=off nmi_watchdog=0 nohz_full=1-27,29-55,57-83,85-111 nosoftlockup numa_balancing=disable processor.max_cstate=1 rcu_nocbs=1-27,29-55,57-83,85-111 tsc=reliable console=ttyS0,115200n8 quiet
Linux uname
@@ -24,7 +24,7 @@ Linux uname
::
$ uname -a
- Linux s3-t21-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
diff --git a/docs/report/introduction/test_environment_sut_calib_tsh.rst b/docs/report/introduction/test_environment_sut_calib_tsh.rst
index a503a42404..36284f3e60 100644
--- a/docs/report/introduction/test_environment_sut_calib_tsh.rst
+++ b/docs/report/introduction/test_environment_sut_calib_tsh.rst
@@ -14,7 +14,7 @@ Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-54-generic root=/dev/mapper/huawei--1--vg-root ro isolcpus=1-15,17-31,33-47,49-63 nohz_full=1-15 17-31,33-47,49-63 rcu_nocbs=1-15 17-31,33-47,49-63 intel_iommu=on nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 console=ttyAMA0,115200n8
+ BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=7d1d0e77-4df0-43df-9619-a99db29ffb83 ro audit=0 intel_iommu=on isolcpus=1-27,29-55 nmi_watchdog=0 nohz_full=1-27,29-55 nosoftlockup processor.max_cstate=1 rcu_nocbs=1-27,29-55 console=ttyAMA0,115200n8 quiet
Linux uname
^^^^^^^^^^^
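Review bot: The added cmdline is character for character the line added to test_environment_sut_calib_tx2.rst in this same change, including `root=UUID=7d1d0e77-4df0-43df-9619-a99db29ffb83`, so it looks copied from the tx2 host rather than captured on a TaiShan SUT. The removed line isolated `1-15,17-31,33-47,49-63`; the new `1-27,29-55` describes a different core layout. Please replace it with output taken on the tsh machine.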
@@ -22,7 +22,7 @@ Linux uname
::
$ uname -a
- Linux s17-t33-sut1 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:56:40 UTC 2019 aarch64 aarch64 aarch64 GNU/Linux
+ Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
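Review bot: The added `uname -a` line reports `x86_64 x86_64 x86_64` where the removed line reported `aarch64 aarch64 aarch64`; it is the same string added to the x86 calibration files in this change and cannot be output from this Arm system. It also drops the nodename (`s17-t33-sut1` in the removed line). Recapture the output on the tsh SUT.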
diff --git a/docs/report/introduction/test_environment_sut_calib_tx2.rst b/docs/report/introduction/test_environment_sut_calib_tx2.rst
index 4b715c86f0..2844ec169a 100644
--- a/docs/report/introduction/test_environment_sut_calib_tx2.rst
+++ b/docs/report/introduction/test_environment_sut_calib_tx2.rst
@@ -11,7 +11,7 @@ Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=19debf43-de1a-4f0d-97a7-c4d0ccd04327 ro audit=0 intel_iommu=on isolcpus=1-27,29-55 nmi_watchdog=0 nohz_full=1-27,29-55 nosoftlockup processor.max_cstate=1 rcu_nocbs=1-27,29-55 splash quiet vt.handoff=1
+ BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=7d1d0e77-4df0-43df-9619-a99db29ffb83 ro audit=0 intel_iommu=on isolcpus=1-27,29-55 nmi_watchdog=0 nohz_full=1-27,29-55 nosoftlockup processor.max_cstate=1 rcu_nocbs=1-27,29-55 console=ttyAMA0,115200n8 quiet
Linux uname
^^^^^^^^^^^
@@ -19,7 +19,7 @@ Linux uname
::
$ uname -a
- Linux s27-t34-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:21:09 UTC 2019 aarch64 aarch64 aarch64 GNU/Linux
+ Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
.. include:: ../introduction/test_environment_sut_meltspec_tx2.rst
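Review bot: The added `uname -a` line ends in `x86_64 x86_64 x86_64`, but the removed line for this host ended in `aarch64 aarch64 aarch64` and the cmdline hunk above still uses the Arm console `ttyAMA0`. The string matches the one added to the x86 files, so it appears pasted rather than captured here; please replace it with output from the tx2 SUT, nodename included.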
diff --git a/docs/report/introduction/test_environment_sut_calib_zn2.rst b/docs/report/introduction/test_environment_sut_calib_zn2.rst
index c181b5f34c..9454edd2a6 100644
--- a/docs/report/introduction/test_environment_sut_calib_zn2.rst
+++ b/docs/report/introduction/test_environment_sut_calib_zn2.rst
@@ -12,7 +12,7 @@ Linux cmdline
::
$ cat /proc/cmdline
- BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1672f0ef-755e-4a26-884d-02a3f4ac933c ro isolcpus=1-15,33-47,17-31,49-63 nohz_full=1-15,33-47,17-31,49-63 rcu_nocbs=1-15,33-47,17-31,49-63 numa_balancing=disable amd_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=0 hpet=disable tsc=reliable mce=off splash quiet vt.handoff=1
+ BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=3c4b56e3-1f01-4211-a652-ea77468f58b7 ro amd_iommu=on audit=0 hpet=disable iommu=pt isolcpus=1-15,17-31,33-47,49-63 nmi_watchdog=0 nohz_full=off nosoftlockup numa_balancing=disable processor.max_cstate=0 rcu_nocbs=1-15,17-31,33-47,49-63 tsc=reliable console=ttyS0,115200n8 quiet
Linux uname
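Review bot: `nohz_full=off` in the added cmdline is inconsistent with the rest of the line: `isolcpus` and `rcu_nocbs` still carry `1-15,17-31,33-47,49-63`, and the removed line passed the same cores to `nohz_full`. `nohz_full=` takes a CPU list, so if tickless mode is deliberately disabled on zn2 it is clearer to omit the parameter and note the reason next to the sample; otherwise restore the core list.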
@@ -21,7 +21,7 @@ Linux uname
::
$ uname -a
- Linux s60-t210-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
System-level Core Jitter
diff --git a/docs/report/introduction/test_environment_sut_conf_1.rst b/docs/report/introduction/test_environment_sut_conf_1.rst
index 63ff50205d..7f724dd6ea 100644
--- a/docs/report/introduction/test_environment_sut_conf_1.rst
+++ b/docs/report/introduction/test_environment_sut_conf_1.rst
@@ -5,19 +5,6 @@ System provisioning is done by combination of PXE boot unattented
install and
`Ansible <https://www.ansible.com>`_ described in `CSIT Testbed Setup`_.
-Below a subset of the running configuration:
-
-1. Ubuntu 18.04.2 LTS
-
-::
-
- $ lsb_release -a
- No LSB modules are available.
- Distributor ID: Ubuntu
- Description: Ubuntu 18.04.2 LTS
- Release: 18.04
- Codename: bionic
-
Linux Boot Parameters
~~~~~~~~~~~~~~~~~~~~~
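Review bot: The `lsb_release -a` block is deleted here instead of being refreshed, although test_environment_intro.rst in this change records the move from 18.04 LTS to 20.04.2 LTS. Without it the section no longer states which distribution release the boot parameters, kernel versions and mitigation checker output elsewhere in the report were taken on. Suggest keeping the "Below a subset of the running configuration:" item and replacing the sample with output from a 20.04.2 SUT. The unchanged context line above also has a typo, "unattented" for "unattended", that could be fixed in the same pass.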
diff --git a/docs/report/introduction/test_environment_sut_meltspec_clx.rst b/docs/report/introduction/test_environment_sut_meltspec_clx.rst
index 826e6d37b4..6261c5653c 100644
--- a/docs/report/introduction/test_environment_sut_meltspec_clx.rst
+++ b/docs/report/introduction/test_environment_sut_meltspec_clx.rst
@@ -8,174 +8,130 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
::
- Spectre and Meltdown mitigation detection tool v0.43
-
- awk: fatal: cannot open file `bash for reading (No such file or directory)
- Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
- CPU is Intel(R) Xeon(R) Platinum 8280 CPU @ 2.70GHz
+ Spectre and Meltdown mitigation detection tool v0.44+
Hardware check
- * Hardware support (CPU microcode) for mitigation techniques
- * Indirect Branch Restricted Speculation (IBRS)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
- * Indirect Branch Prediction Barrier (IBPB)
- * PRED_CMD MSR is available: YES
- * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
- * Single Thread Indirect Branch Predictors (STIBP)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
- * Speculative Store Bypass Disable (SSBD)
- * CPU indicates SSBD capability: YES (Intel SSBD)
- * L1 data cache invalidation
- * FLUSH_CMD MSR is available: YES
- * CPU indicates L1D flush capability: YES (L1D flush feature bit)
- * Microarchitectural Data Sampling
- * VERW instruction is available: YES (MD_CLEAR feature bit)
- * Enhanced IBRS (IBRS_ALL)
- * CPU indicates ARCH_CAPABILITIES MSR availability: YES
- * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES
- * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES
- * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES
- * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES
- * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
- * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
- * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES
- * TSX_CTRL MSR indicates TSX RTM is disabled: YES
- * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES
- * CPU supports Transactional Synchronization Extensions (TSX): NO
- * CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x500002c cpuid 0x50657)
- * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory)
- UNKNOWN (latest microcode version for your CPU model is unknown)
- * CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
-
- CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
- * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
- * Kernel has the Red Hat/Ubuntu patch: NO
- * Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
-
- CVE-2017-5715 aka Spectre Variant 2, branch target injection
- * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
- * Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: YES (Enhanced flavor, performance impact will be greatly reduced)
- * Kernel is compiled with IBPB support: YES
- * IBPB enabled and active: YES
- * Mitigation 2
- * Kernel has branch predictor hardening (arm): NO
- * Kernel compiled with retpoline option: YES
- * Kernel supports RSB filling: YES
- > STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability)
-
- CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
- * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
- * Running as a Xen PV DomU: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3640 aka Variant 3a, rogue system register read
- * CPU microcode mitigates the vulnerability: YES
- > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
-
- CVE-2018-3639 aka Variant 4, speculative store bypass
- * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
- * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- * SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
- > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
-
- CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
- * CPU microcode mitigates the vulnerability: N/A
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports PTE inversion: YES (found in kernel image)
- * PTE inversion enabled and active: NO
- > STATUS: NOT VULNERABLE (Not affected)
-
- CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
- * Information from the /sys interface: Not affected
- * This system is a host running a hypervisor: NO
- * Mitigation 1 (KVM)
- * EPT is disabled: NO
- * Mitigation 2
- * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- * L1D flush enabled: NO
- * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- * Hyper-Threading (SMT) is enabled: YES
- > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable)
-
- CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
- * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled)
- * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
- * TAA mitigation enabled and active: YES (Mitigation: TSX disabled)
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
- * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
- * This system is a host running a hypervisor: NO
- * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
- * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
- > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
-
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
+ * Hardware support (CPU microcode) for mitigation techniques
+ * Indirect Branch Restricted Speculation (IBRS)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
+ * Indirect Branch Prediction Barrier (IBPB)
+ * PRED_CMD MSR is available: YES
+ * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
+ * Single Thread Indirect Branch Predictors (STIBP)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
+ * Speculative Store Bypass Disable (SSBD)
+ * CPU indicates SSBD capability: YES (Intel SSBD)
+ * L1 data cache invalidation
+ * FLUSH_CMD MSR is available: YES
+ * CPU indicates L1D flush capability: YES (L1D flush feature bit)
+ * Microarchitectural Data Sampling
+ * VERW instruction is available: YES (MD_CLEAR feature bit)
+ * Enhanced IBRS (IBRS_ALL)
+ * CPU indicates ARCH_CAPABILITIES MSR availability: YES
+ * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES
+ * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES
+ * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
+ * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES
+ * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
+ * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES
+ * TSX_CTRL MSR indicates TSX RTM is disabled: YES
+ * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES
+ * CPU supports Transactional Synchronization Extensions (TSX): NO
+ * CPU supports Software Guard Extensions (SGX): NO
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
+ * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x7 ucode 0x500002c cpuid 0x50657)
+ * CPU microcode is the latest known available version: NO (latest version is 0x5003102 dated 2021/03/08 according to builtin firmwares DB v191+i20210217)
+ * CPU vulnerability to the speculative execution attack variants
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
+ > STATUS: UNKNOWN (/sys vulnerability interface use forced, but it s not available!)
+
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
+ * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
+ > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)
+
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Running as a Xen PV DomU: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3640 aka Variant 3a, rogue system register read
+ * CPU microcode mitigates the vulnerability: YES
+ > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
+
+ CVE-2018-3639 aka Variant 4, speculative store bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+ > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
+ * CPU microcode mitigates the vulnerability: N/A
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (Not affected)
+
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
+ * Information from the /sys interface: Not affected
+ > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable)
+
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
+ > STATUS: NOT VULNERABLE (KVM: Mitigation: Split huge pages)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ > SUMMARY: CVE-2017-5753:?? CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
::
- awk: fatal: cannot open file `bash for reading (No such file or directory)
+ Spectre and Meltdown mitigation detection tool v0.44+
+
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
CPU is Intel(R) Xeon(R) Gold 6252N CPU @ 2.30GHz
Hardware check
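Review bot: The added STATUS lines for CVE-2017-5753 and CVE-2017-5715 contradict the /sys lines printed directly above them. The /sys interface reports "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling", yet the verdict is "STATUS: VULNERABLE", and for CVE-2017-5753 the reason given is "/sys vulnerability interface use forced, but it s not available!". The SUMMARY therefore records "CVE-2017-5753:??" and "CVE-2017-5715:KO" for a host whose kernel reports both as mitigated, which a reader will take as a testbed regression and not as an artifact of how the checker was invoked. Suggest re-capturing with the per-check kernel tests that the removed output contained, or adding a sentence to the .rst explaining why these two verdicts are not OK.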
@@ -211,50 +167,36 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES
* CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
* CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x7 ucode 0x500002c cpuid 0x50657)
- * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory)
- UNKNOWN (latest microcode version for your CPU model is unknown)
+ * CPU microcode is the latest known available version: NO (latest version is 0x5003102 dated 2021/03/08 according to builtin firmwares DB v191+i20210217)
* CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
- * Kernel has the Red Hat/Ubuntu patch: NO
- * Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
+ > STATUS: UNKNOWN (/sys vulnerability interface use forced, but its not available!)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
* Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
- * Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: YES (Enhanced flavor, performance impact will be greatly reduced)
- * Kernel is compiled with IBPB support: YES
- * IBPB enabled and active: YES
- * Mitigation 2
- * Kernel has branch predictor hardening (arm): NO
- * Kernel compiled with retpoline option: YES
- * Kernel supports RSB filling: YES
- > STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability)
+ > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)
CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
- * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
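Review bot: The microcode line near the top of this hunk changes the answer from UNKNOWN to NO, and the report does not comment on it. The SUT runs ucode 0x500002c while the checker's built-in database lists 0x5003102 dated 2021/03/08. Since the hardware check section is about what the microcode exposes for mitigation, the document should say whether the older microcode is kept on purpose or is pending an update. Separately, the status text here reads "its not available!" while the same message earlier in this patch reads "it s not available!", so the apostrophe was lost in two different ways; paste the tool output verbatim.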
@@ -264,9 +206,6 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
CVE-2018-3639 aka Variant 4, speculative store bypass
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
- * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- * SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
@@ -275,61 +214,38 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports PTE inversion: YES (found in kernel image)
- * PTE inversion enabled and active: NO
> STATUS: NOT VULNERABLE (Not affected)
CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
* Information from the /sys interface: Not affected
- * This system is a host running a hypervisor: NO
- * Mitigation 1 (KVM)
- * EPT is disabled: NO
- * Mitigation 2
- * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- * L1D flush enabled: NO
- * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- * Hyper-Threading (SMT) is enabled: YES
> STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable)
CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
* Mitigated according to the /sys interface: YES (Mitigation: TSX disabled)
- * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
- * TAA mitigation enabled and active: YES (Mitigation: TSX disabled)
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
* Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
- * This system is a host running a hypervisor: NO
- * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
- * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
- > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+ > STATUS: NOT VULNERABLE (KVM: Mitigation: Split huge pages)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
+ > SUMMARY: CVE-2017-5753:?? CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
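Review bot: The lines removed in this hunk were the only recorded evidence behind several verdicts, and the replacement keeps just the /sys one-liner per CVE. The old output stated "This system is a host running a hypervisor: NO" and "Hyper-Threading (SMT) is enabled: YES"; the new CVE-2018-12207 verdict rests on "KVM: Mitigation: Split huge pages" alone, and the MD_CLEAR and SMT lines for the four MDS entries are gone. If the shorter output is intended, state in the surrounding text how the checker was invoked so readers do not assume the missing checks passed; otherwise keep the full per-check output.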
diff --git a/docs/report/introduction/test_environment_sut_meltspec_dnv.rst b/docs/report/introduction/test_environment_sut_meltspec_dnv.rst
index 616449efd7..4b3a8a134d 100644
--- a/docs/report/introduction/test_environment_sut_meltspec_dnv.rst
+++ b/docs/report/introduction/test_environment_sut_meltspec_dnv.rst
@@ -8,10 +8,11 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
::
- Spectre and Meltdown mitigation detection tool v0.42
+ Spectre and Meltdown mitigation detection tool v0.44+
+
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-51-generic #55-Ubuntu SMP Wed May 15 14:27:21 UTC 2019 x86_64
- CPU is Intel(R) Atom(TM) CPU C3858 @ 2.00GHz
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
+ CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
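Review bot: The CPU line in this hunk changes from "Intel(R) Atom(TM) CPU C3858 @ 2.00GHz" to "Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz" inside test_environment_sut_meltspec_dnv.rst. A Xeon Platinum 8180 is not the Atom C3858 system this file documented before, so the pasted output looks like it was captured on a different testbed. Please re-run the checker on the Atom C3858 SUT, or move this output to the file that covers the Platinum 8180 testbed.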
@@ -27,42 +28,221 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: YES (Intel SSBD)
* L1 data cache invalidation
+ * FLUSH_CMD MSR is available: YES
+ * CPU indicates L1D flush capability: YES (L1D flush feature bit)
+ * Microarchitectural Data Sampling
+ * VERW instruction is available: YES (MD_CLEAR feature bit)
+ * Enhanced IBRS (IBRS_ALL)
+ * CPU indicates ARCH_CAPABILITIES MSR availability: NO
+ * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
+ * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
+ * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
+ * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
+ * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
+ * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
+ * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)
+ * CPU supports Software Guard Extensions (SGX): NO
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
+ * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x4 ucode 0x2000065 cpuid 0x50654)
+ * CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 according to builtin firmwares DB v191+i20210217)
+ * CPU vulnerability to the speculative execution attack variants
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
+ * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
+ * Kernel has the Red Hat/Ubuntu patch: NO
+ * Kernel has mask_nospec64 (arm64): NO
+ * Kernel has array_index_nospec (arm64): NO
+ > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
+
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
+ * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
+ * Mitigation 1
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: YES (for firmware code only)
+ * Kernel is compiled with IBPB support: YES
+ * IBPB enabled and active: YES
+ * Mitigation 2
+ * Kernel has branch predictor hardening (arm): NO
+ * Kernel compiled with retpoline option: YES
+ * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
+ * Kernel supports RSB filling: YES
+ > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
+
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
+ * Mitigated according to the /sys interface: YES (Mitigation: PTI)
+ * Kernel supports Page Table Isolation (PTI): YES
+ * PTI enabled and active: YES
+ * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
+ * Running as a Xen PV DomU: NO
+ > STATUS: NOT VULNERABLE (Mitigation: PTI)
+
+ CVE-2018-3640 aka Variant 3a, rogue system register read
+ * CPU microcode mitigates the vulnerability: YES
+ > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
+
+ CVE-2018-3639 aka Variant 4, speculative store bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+ * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
+ * SSB mitigation is enabled and active: YES (per-thread through prctl)
+ * SSB mitigation currently active for selected processes: YES (boltd fwupd irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+ > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
+ * CPU microcode mitigates the vulnerability: N/A
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+ * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
+ * Kernel supports PTE inversion: YES (found in kernel image)
+ * PTE inversion enabled and active: YES
+ > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
+
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
+ * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
+ * This system is a host running a hypervisor: NO
+ * Mitigation 1 (KVM)
+ * EPT is disabled: NO
+ * Mitigation 2
+ * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
+ * L1D flush enabled: YES (conditional flushes)
+ * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
+ * Hyper-Threading (SMT) is enabled: YES
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ > STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
+
+::
+
+ Spectre and Meltdown mitigation detection tool v0.44+
+
+ Checking for vulnerabilities on current system
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
+ CPU is Intel(R) Atom(TM) CPU C3858 @ 2.00GHz
+
+ Hardware check
+ * Hardware support (CPU microcode) for mitigation techniques
+ * Indirect Branch Restricted Speculation (IBRS)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
+ * Indirect Branch Prediction Barrier (IBPB)
+ * PRED_CMD MSR is available: YES
+ * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
+ * Single Thread Indirect Branch Predictors (STIBP)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
+ * Speculative Store Bypass Disable (SSBD)
+ * CPU indicates SSBD capability: NO
+ * L1 data cache invalidation
* FLUSH_CMD MSR is available: NO
* CPU indicates L1D flush capability: NO
- * Microarchitecture Data Sampling
- * VERW instruction is available: YES (MD_CLEAR feature bit)
+ * Microarchitectural Data Sampling
+ * VERW instruction is available: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: YES
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES
+ * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES
+ * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
+ * CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x5f family 0x6 stepping 0x1 ucode 0x2e cpuid 0x506f1)
- * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory)
- UNKNOWN (latest microcode version for your CPU model is unknown)
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
+ * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x5f stepping 0x1 ucode 0x20 cpuid 0x506f1)
+ * CPU microcode is the latest known available version: NO (latest version is 0x34 dated 2020/10/23 according to builtin firmwares DB v191+i20210217)
* CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
- * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+ * Kernel has array_index_nospec (arm64): NO
+ > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling)
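Review bot: the recorded microcode revision goes backwards in this hunk: the removed line shows ucode 0x2e and the added line shows ucode 0x20, while the tool reports 0x34 as the latest known version. In the same output, VERW (MD_CLEAR) availability and MDS_NO both change from YES to NO. Please confirm the testbed was not reinstalled with older microcode by accident. If the older revision is intended, say so in the text above the literal block so the changed results are not read as a tool regression.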
@@ -80,21 +260,20 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
+ * PTI enabled and active: NO
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3640 aka Variant 3a, rogue system register read
- * CPU microcode mitigates the vulnerability: YES
- > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
+ * CPU microcode mitigates the vulnerability: NO
+ > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 aka Variant 4, speculative store bypass
- * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+ * Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- * SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
- > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+ * SSB mitigation is enabled and active: NO
+ > STATUS: VULNERABLE (Your CPU doesnt support SSBD)
CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
* CPU microcode mitigates the vulnerability: N/A
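Review bot: CVE-2018-3640 and CVE-2018-3639 change from NOT VULNERABLE to VULNERABLE in this hunk, and nothing outside the pasted output explains it. The 3640 status asks for up-to-date CPU microcode and the 3639 status says the CPU does not support SSBD. Add a short sentence before the literal block stating that this SUT is reported vulnerable to these two CVEs and whether a microcode update is planned, so readers of the report do not have to find it in the dump.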
@@ -120,30 +299,49 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
* Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
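Review bot: the output now includes CVE-2019-11135 and CVE-2020-0543 sections, but the context in the hunk header still reads "made public in 2018". If the introductory paragraph is unchanged in this file, reword it so it does not limit the listed CVEs to 2018. The new SUMMARY line also carries CVE-2018-3640:KO and CVE-2018-3639:KO where the removed line had OK for both, which is worth calling out in the release notes.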
diff --git a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst b/docs/report/introduction/test_environment_sut_meltspec_hsw.rst
deleted file mode 100644
index 092bfb3ca1..0000000000
--- a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst
+++ /dev/null
@@ -1,170 +0,0 @@
-Spectre and Meltdown Checks
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Following section displays the output of a running shell script to tell if
-system is vulnerable against the several "speculative execution" CVEs that were
-made public in 2018. Script is available on `Spectre & Meltdown Checker Github
-<https://github.com/speed47/spectre-meltdown-checker>`_.
-
-::
-
- Spectre and Meltdown mitigation detection tool v0.43
-
- awk: cannot open bash (No such file or directory)
- Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
- CPU is Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz
-
- Hardware check
- * Hardware support (CPU microcode) for mitigation techniques
- * Indirect Branch Restricted Speculation (IBRS)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
- * Indirect Branch Prediction Barrier (IBPB)
- * PRED_CMD MSR is available: YES
- * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
- * Single Thread Indirect Branch Predictors (STIBP)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
- * Speculative Store Bypass Disable (SSBD)
- * CPU indicates SSBD capability: YES (Intel SSBD)
- * L1 data cache invalidation
- * FLUSH_CMD MSR is available: YES
- * CPU indicates L1D flush capability: YES (L1D flush feature bit)
- * Microarchitectural Data Sampling
- * VERW instruction is available: YES (MD_CLEAR feature bit)
- * Enhanced IBRS (IBRS_ALL)
- * CPU indicates ARCH_CAPABILITIES MSR availability: NO
- * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
- * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
- * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
- * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
- * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
- * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
- * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
- * CPU supports Transactional Synchronization Extensions (TSX): NO
- * CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x43 cpuid 0x306f2)
- * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)
- UNKNOWN (latest microcode version for your CPU model is unknown)
- * CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
-
- CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
- * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
- * Kernel has the Red Hat/Ubuntu patch: NO
- * Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
-
- CVE-2017-5715 aka Spectre Variant 2, branch target injection
- * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling)
- * Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: YES (for firmware code only)
- * Kernel is compiled with IBPB support: YES
- * IBPB enabled and active: YES
- * Mitigation 2
- * Kernel has branch predictor hardening (arm): NO
- * Kernel compiled with retpoline option: YES
- * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
- > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
-
- CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
- * Mitigated according to the /sys interface: YES (Mitigation: PTI)
- * Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: YES
- * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
- * Running as a Xen PV DomU: NO
- > STATUS: NOT VULNERABLE (Mitigation: PTI)
-
- CVE-2018-3640 aka Variant 3a, rogue system register read
- * CPU microcode mitigates the vulnerability: YES
- > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
-
- CVE-2018-3639 aka Variant 4, speculative store bypass
- * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
- * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- * SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
- > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
-
- CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
- * CPU microcode mitigates the vulnerability: N/A
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
- * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
- * Kernel supports PTE inversion: YES (found in kernel image)
- * PTE inversion enabled and active: YES
- > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
-
- CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
- * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
- * This system is a host running a hypervisor: NO
- * Mitigation 1 (KVM)
- * EPT is disabled: NO
- * Mitigation 2
- * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- * L1D flush enabled: YES (conditional flushes)
- * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- * Hyper-Threading (SMT) is enabled: NO
- > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
-
- CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
- * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: YES
- * SMT is either mitigated or disabled: YES
- > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
-
- CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
- * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: YES
- * SMT is either mitigated or disabled: YES
- > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
-
- CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
- * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: YES
- * SMT is either mitigated or disabled: YES
- > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
-
- CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
- * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled)
- * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- * Kernel mitigation is enabled and active: YES
- * SMT is either mitigated or disabled: YES
- > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
-
- CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
- * Mitigated according to the /sys interface: YES (Not affected)
- * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
- * TAA mitigation enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
- * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
- * This system is a host running a hypervisor: NO
- * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
- * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
- > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
-
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
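Review bot: this file is deleted whole, so any include or toctree entry that still names test_environment_sut_meltspec_hsw.rst has to be removed in the same change, otherwise the documentation build will report a missing file. Nothing in this hunk shows that reference being removed; please point to the hunk that does, or add it.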
diff --git a/docs/report/introduction/test_environment_sut_meltspec_skx.rst b/docs/report/introduction/test_environment_sut_meltspec_skx.rst
index e242e19b7e..0e2f5b9783 100644
--- a/docs/report/introduction/test_environment_sut_meltspec_skx.rst
+++ b/docs/report/introduction/test_environment_sut_meltspec_skx.rst
@@ -8,89 +8,90 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
::
- Spectre and Meltdown mitigation detection tool v0.43
+ Spectre and Meltdown mitigation detection tool v0.44+
- awk: cannot open bash (No such file or directory)
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
- * Indirect Branch Restricted Speculation (IBRS)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
- * Indirect Branch Prediction Barrier (IBPB)
- * PRED_CMD MSR is available: YES
- * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
- * Single Thread Indirect Branch Predictors (STIBP)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
- * Speculative Store Bypass Disable (SSBD)
- * CPU indicates SSBD capability: YES (Intel SSBD)
- * L1 data cache invalidation
- * FLUSH_CMD MSR is available: YES
- * CPU indicates L1D flush capability: YES (L1D flush feature bit)
- * Microarchitectural Data Sampling
- * VERW instruction is available: YES (MD_CLEAR feature bit)
- * Enhanced IBRS (IBRS_ALL)
- * CPU indicates ARCH_CAPABILITIES MSR availability: NO
- * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
- * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
- * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
- * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
- * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
- * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
- * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
- * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)
- * CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000064 cpuid 0x50654)
- * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)
- UNKNOWN (latest microcode version for your CPU model is unknown)
+ * Indirect Branch Restricted Speculation (IBRS)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
+ * Indirect Branch Prediction Barrier (IBPB)
+ * PRED_CMD MSR is available: YES
+ * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
+ * Single Thread Indirect Branch Predictors (STIBP)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
+ * Speculative Store Bypass Disable (SSBD)
+ * CPU indicates SSBD capability: YES (Intel SSBD)
+ * L1 data cache invalidation
+ * FLUSH_CMD MSR is available: YES
+ * CPU indicates L1D flush capability: YES (L1D flush feature bit)
+ * Microarchitectural Data Sampling
+ * VERW instruction is available: YES (MD_CLEAR feature bit)
+ * Enhanced IBRS (IBRS_ALL)
+ * CPU indicates ARCH_CAPABILITIES MSR availability: NO
+ * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
+ * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
+ * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
+ * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
+ * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
+ * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
+ * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
+ * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
+ * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
+ * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)
+ * CPU supports Software Guard Extensions (SGX): NO
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
+ * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x4 ucode 0x2000065 cpuid 0x50654)
+ * CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 according to builtin firmwares DB v191+i20210217)
* CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
+ * Kernel has array_index_nospec (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: YES (for firmware code only)
- * Kernel is compiled with IBPB support: YES
- * IBPB enabled and active: YES
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: YES (for firmware code only)
+ * Kernel is compiled with IBPB support: YES
+ * IBPB enabled and active: YES
* Mitigation 2
- * Kernel has branch predictor hardening (arm): NO
- * Kernel compiled with retpoline option: YES
- * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
- * Kernel supports RSB filling: YES
+ * Kernel has branch predictor hardening (arm): NO
+ * Kernel compiled with retpoline option: YES
+ * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
+ * Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: YES
- * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
+ * PTI enabled and active: YES
+ * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
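Review bot: the added hardware-check line "CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 ...)" documents a SUT still on ucode 0x2000065, and nothing in the visible change tells the reader this was intentional. The IBRS/IBPB results reported under CVE-2017-5715 in this same block come from microcode-delivered features, so either state in the surrounding text that the microcode revision is pinned for this release, or update the SUT and recapture before publishing the report.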
@@ -102,7 +103,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+ * SSB mitigation currently active for selected processes: YES (boltd fwupd irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
@@ -119,12 +120,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
- * EPT is disabled: NO
+ * EPT is disabled: NO
* Mitigation 2
- * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- * L1D flush enabled: YES (conditional flushes)
- * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- * Hyper-Threading (SMT) is enabled: YES
+ * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
+ * L1D flush enabled: YES (conditional flushes)
+ * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
+ * Hyper-Threading (SMT) is enabled: YES
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
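Review bot: all five -/+ pairs in this hunk, from "EPT is disabled: NO" through "Hyper-Threading (SMT) is enabled: YES", carry the same text on both sides, so the change is indentation only. If the re-indent comes from pasting fresh tool output, say so in the commit message; otherwise drop these pairs so the diff only shows lines whose results actually changed between tool v0.43 and v0.44+.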
@@ -168,4 +169,10 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
diff --git a/docs/report/introduction/test_environment_sut_meltspec_tsh.rst b/docs/report/introduction/test_environment_sut_meltspec_tsh.rst
index f7d385061c..67c90559c8 100644
--- a/docs/report/introduction/test_environment_sut_meltspec_tsh.rst
+++ b/docs/report/introduction/test_environment_sut_meltspec_tsh.rst
@@ -8,11 +8,10 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
::
- Spectre and Meltdown mitigation detection tool v0.43
+ Spectre and Meltdown mitigation detection tool v0.44+
- awk: cannot open bash (No such file or directory)
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz
Hardware check
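Review bot: this hunk keeps the context line "CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz" and updates the kernel line to an x86_64 build, yet the file is test_environment_sut_meltspec_tsh.rst and the block added further down in the same file reports "aarch64" and "CPU is ARM v8 model 0xd08". Please confirm the x86 report belongs in this file at all; if it is a leftover from another SUT's page, remove it rather than refreshing it, so the mitigation status shown matches the hardware the page describes.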
@@ -27,12 +26,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
- * CPU indicates SSBD capability: NO
+ * CPU indicates SSBD capability: YES (Intel SSBD)
* L1 data cache invalidation
- * FLUSH_CMD MSR is available: NO
- * CPU indicates L1D flush capability: NO
+ * FLUSH_CMD MSR is available: YES
+ * CPU indicates L1D flush capability: YES (L1D flush feature bit)
* Microarchitectural Data Sampling
- * VERW instruction is available: NO
+ * VERW instruction is available: YES (MD_CLEAR feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
@@ -46,34 +45,36 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
* CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit)
* CPU supports Software Guard Extensions (SGX): NO
- * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000043 cpuid 0x50654)
- * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory)
- UNKNOWN (latest microcode version for your CPU model is unknown)
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
+ * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x4 ucode 0x2000065 cpuid 0x50654)
+ * CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 according to builtin firmwares DB v191+i20210217)
* CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
- * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+ * Kernel has array_index_nospec (arm64): NO
+ > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka Spectre Variant 2, branch target injection
- * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
+ * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for firmware code only)
@@ -95,6 +96,143 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 aka Variant 3a, rogue system register read
+ * CPU microcode mitigates the vulnerability: YES
+ > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
+
+ CVE-2018-3639 aka Variant 4, speculative store bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+ * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
+ * SSB mitigation is enabled and active: YES (per-thread through prctl)
+ * SSB mitigation currently active for selected processes: YES (boltd fwupd irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+ > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
+ * CPU microcode mitigates the vulnerability: N/A
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+ * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
+ * Kernel supports PTE inversion: YES (found in kernel image)
+ * PTE inversion enabled and active: YES
+ > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
+
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
+ * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
+ * This system is a host running a hypervisor: NO
+ * Mitigation 1 (KVM)
+ * EPT is disabled: NO
+ * Mitigation 2
+ * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
+ * L1D flush enabled: YES (conditional flushes)
+ * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
+ * Hyper-Threading (SMT) is enabled: YES
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
+ * Kernel mitigation is enabled and active: YES
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
+ > STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages)
+ > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
+
+::
+
+ Spectre and Meltdown mitigation detection tool v0.44+
+
+ Checking for vulnerabilities on current system
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:27:25 UTC 2021 aarch64
+ CPU is ARM v8 model 0xd08
+
+ Hardware check
+ * CPU vulnerability to the speculative execution attack variants
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Kernel has array_index_mask_nospec: NO
+ * Kernel has the Red Hat/Ubuntu patch: NO
+ * Kernel has mask_nospec64 (arm64): NO
+ * Kernel has array_index_nospec (arm64): NO
+ * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
+ > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
+ * Mitigated according to the /sys interface: NO (Vulnerable)
+ * Mitigation 1
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: NO
+ * Kernel is compiled with IBPB support: NO
+ * IBPB enabled and active: NO
+ * Mitigation 2
+ * Kernel has branch predictor hardening (arm): YES
+ * Kernel compiled with retpoline option: NO
+ > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability)
+
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports Page Table Isolation (PTI): YES
+ * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
+ * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
+ * Running as a Xen PV DomU: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3640 aka Variant 3a, rogue system register read
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
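Review bot: the second literal block opened by the added "::" has no sentence before it naming the SUT, so the reader goes from the x86_64 SUMMARY line straight into an "ARM v8 model 0xd08" report with nothing saying which testbed node each one describes; add a one-line introduction ahead of the "::". The aarch64 capture also contains "PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)", so it should be re-run after a reboot before it is committed as the reference result.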
@@ -109,46 +247,206 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+ * Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports PTE inversion: NO
- * PTE inversion enabled and active: UNKNOWN (sysfs interface not available)
- > STATUS: VULNERABLE (Your kernel doesnt support PTE inversion, update it)
+ * PTE inversion enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
+ * Information from the /sys interface: Not affected
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
- * EPT is disabled: NO
+ * EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
* L1D flush is supported by kernel: NO
- * L1D flush enabled: UNKNOWN (cant find or read /sys/devices/system/cpu/vulnerabilities/l1tf)
+ * L1D flush enabled: NO
* Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
- * Hyper-Threading (SMT) is enabled: YES
- > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+ * Hyper-Threading (SMT) is enabled: UNKNOWN
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+ * Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: NO
- > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability)
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
- * TAA mitigation is supported by kernel: NO
- * TAA mitigation enabled and active: NO (tsx_async_abort not found in sysfs hierarchy)
- > STATUS: VULNERABLE (Your kernel doesnt support TAA mitigation, update it)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (Not affected)
* This system is a host running a hypervisor: NO
- * iTLB Multihit mitigation is supported by kernel: NO
- * iTLB Multihit mitigation enabled and active: NO (itlb_multihit not found in sysfs hierarchy)
- > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: NO
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
+
+ Need more detailed information about mitigation options? Use --explain
+ A false sense of security is worse than no security at all, see --disclaimer
+ok: [10.30.51.37] =>
+ spectre_meltdown_poll_results.stdout_lines:
+ Spectre and Meltdown mitigation detection tool v0.44+
+
+ Checking for vulnerabilities on current system
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:27:25 UTC 2021 aarch64
+ CPU is ARM v8 model 0xd08
+
+ Hardware check
+ * CPU vulnerability to the speculative execution attack variants
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Kernel has array_index_mask_nospec: NO
+ * Kernel has the Red Hat/Ubuntu patch: NO
+ * Kernel has mask_nospec64 (arm64): NO
+ * Kernel has array_index_nospec (arm64): NO
+ * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
+ > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
+ * Mitigated according to the /sys interface: NO (Vulnerable)
+ * Mitigation 1
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: NO
+ * Kernel is compiled with IBPB support: NO
+ * IBPB enabled and active: NO
+ * Mitigation 2
+ * Kernel has branch predictor hardening (arm): YES
+ * Kernel compiled with retpoline option: NO
+ > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability)
+
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports Page Table Isolation (PTI): YES
+ * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
+ * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
+ * Running as a Xen PV DomU: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3640 aka Variant 3a, rogue system register read
+ * CPU microcode mitigates the vulnerability: NO
+ > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
+
+ CVE-2018-3639 aka Variant 4, speculative store bypass
+ * Mitigated according to the /sys interface: NO (Vulnerable)
+ * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
+ * SSB mitigation is enabled and active: NO
+ > STATUS: VULNERABLE (Your CPU doesnt support SSBD)
+
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
+ * CPU microcode mitigates the vulnerability: N/A
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports PTE inversion: NO
+ * PTE inversion enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
+ * Information from the /sys interface: Not affected
+ * This system is a host running a hypervisor: NO
+ * Mitigation 1 (KVM)
+ * EPT is disabled: N/A (the kvm_intel module is not loaded)
+ * Mitigation 2
+ * L1D flush is supported by kernel: NO
+ * L1D flush enabled: NO
+ * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
+ * Hyper-Threading (SMT) is enabled: UNKNOWN
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: NO
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:KO CVE-2018-12207:OK
+ > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
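Review bot: the refreshed capture still ends with two open findings, and the surrounding documentation should say how they are handled. CVE-2018-3640 is reported as "VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)" and CVE-2018-3639 as VULNERABLE, and the new SUMMARY line keeps both as KO while every other former KO entry flips to OK. Please state next to this block whether the two are accepted for this testbed or tracked for a microcode update. The PTI line also still reads "UNKNOWN (dmesg truncated, please reboot and relaunch this script)", so capturing after a reboot would record a definite value.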
diff --git a/docs/report/introduction/test_environment_sut_meltspec_tx2.rst b/docs/report/introduction/test_environment_sut_meltspec_tx2.rst
index 06a6921673..f12113a8bf 100644
--- a/docs/report/introduction/test_environment_sut_meltspec_tx2.rst
+++ b/docs/report/introduction/test_environment_sut_meltspec_tx2.rst
@@ -11,131 +11,133 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
Spectre and Meltdown mitigation detection tool v0.44+
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:21:09 UTC 2019 aarch64
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:27:25 UTC 2021 aarch64
CPU is
Hardware check
* CPU vulnerability to the speculative execution attack variants
- * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
- * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO
- * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
- * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
- * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
- * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
- * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
- * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
- * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
- * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
-
- CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
- * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
- * Kernel has array_index_mask_nospec: NO
- * Kernel has the Red Hat/Ubuntu patch: NO
- * Kernel has mask_nospec64 (arm64): NO
- * Kernel has array_index_nospec (arm64): NO
- * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
- > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
-
- CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
- * Mitigated according to the /sys interface: NO (Vulnerable)
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+ * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
+ * Kernel has array_index_mask_nospec: NO
+ * Kernel has the Red Hat/Ubuntu patch: NO
+ * Kernel has mask_nospec64 (arm64): NO
+ * Kernel has array_index_nospec (arm64): NO
+ * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
+ > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
+
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
+ * Mitigated according to the /sys interface: NO (Vulnerable)
* Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: NO
- * Kernel is compiled with IBPB support: NO
- * IBPB enabled and active: NO
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: NO
+ * Kernel is compiled with IBPB support: NO
+ * IBPB enabled and active: NO
* Mitigation 2
- * Kernel has branch predictor hardening (arm): YES
- * Kernel compiled with retpoline option: NO
- > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability)
-
- CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
- * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
- * Running as a Xen PV DomU: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3640 aka 'Variant 3a, rogue system register read'
- * CPU microcode mitigates the vulnerability: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3639 aka 'Variant 4, speculative store bypass'
- * Mitigated according to the /sys interface: NO (Vulnerable)
- * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- * SSB mitigation is enabled and active: > STATUS: VULNERABLE (Your CPU doesn't support SSBD)
-
- CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
- * CPU microcode mitigates the vulnerability: N/A
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports PTE inversion: NO
- * PTE inversion enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
+ * Kernel has branch predictor hardening (arm): YES
+ * Kernel compiled with retpoline option: NO
+ > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability)
+
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports Page Table Isolation (PTI): YES
+ * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
+ * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
+ * Running as a Xen PV DomU: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3640 aka Variant 3a, rogue system register read
+ * CPU microcode mitigates the vulnerability: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3639 aka Variant 4, speculative store bypass
+ * Mitigated according to the /sys interface: NO (Vulnerable)
+ * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
+ * SSB mitigation is enabled and active: NO
+ > STATUS: VULNERABLE (Your CPU doesnt support SSBD)
+
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
+ * CPU microcode mitigates the vulnerability: N/A
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports PTE inversion: NO
+ * PTE inversion enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
* Information from the /sys interface: Not affected
- * This system is a host running a hypervisor: NO
+ * This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
- * EPT is disabled: N/A (the kvm_intel module is not loaded)
+ * EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
- * L1D flush is supported by kernel: NO
- * L1D flush enabled: NO
- * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
- * Hyper-Threading (SMT) is enabled: UNKNOWN
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: NO
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: NO
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: NO
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: NO
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
- * TAA mitigation enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * This system is a host running a hypervisor: NO
- * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
- * iTLB Multihit mitigation enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
- * SRBDS mitigation control is supported by the kernel: NO
- * SRBDS mitigation control is enabled and active: NO (SRBDS not found in sysfs hierarchy)
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+ * L1D flush is supported by kernel: NO
+ * L1D flush enabled: NO
+ * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
+ * Hyper-Threading (SMT) is enabled: UNKNOWN
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * Kernel supports using MD_CLEAR mitigation: NO
+ * Kernel mitigation is enabled and active: NO
+ * SMT is either mitigated or disabled: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+ * TAA mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * This system is a host running a hypervisor: NO
+ * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+ * iTLB Multihit mitigation enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: NO
+ * SRBDS mitigation control is enabled and active: NO
+ > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK \ No newline at end of file
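Review bot: the recaptured text is no longer verbatim tool output, because single quotes have been stripped. "Your CPU doesn't support SSBD" becomes "Your CPU doesnt support SSBD" and every "aka '...'" title loses its quotes. Please fix the capture step, or put the output in a literal include, so the report shows what the script printed. Many removed and added pairs in this hunk otherwise read identically, so they look like indentation-only churn that makes the real changes (kernel 5.4.0-65, the completed "SSB mitigation is enabled and active: NO" line, the new SRBDS /sys line) hard to spot. Two items carried over unchanged also deserve a fix while the file is being touched: "CPU is" has no model string, and the file still ends without a trailing newline.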
diff --git a/docs/report/introduction/test_environment_sut_meltspec_zn2.rst b/docs/report/introduction/test_environment_sut_meltspec_zn2.rst
index 24169331a7..8269ce7f92 100644
--- a/docs/report/introduction/test_environment_sut_meltspec_zn2.rst
+++ b/docs/report/introduction/test_environment_sut_meltspec_zn2.rst
@@ -8,10 +8,10 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
::
- Spectre and Meltdown mitigation detection tool v0.43
+ Spectre and Meltdown mitigation detection tool v0.44+
Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
+ Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
CPU is AMD EPYC 7532 32-Core Processor
Hardware check
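Review bot: "v0.44+" on the tool version line identifies a development snapshot rather than a release, so the results below it cannot be reproduced from the version string alone. Please record the checker's commit id (or use a tagged release) next to the output, since the builtin firmwares DB and the set of checks differ between snapshots.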
@@ -36,26 +36,26 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* CPU supports Transactional Synchronization Extensions (TSX): NO
* CPU supports Software Guard Extensions (SGX): NO
* CPU supports Special Register Buffer Data Sampling (SRBDS): NO
- * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301034 cpuid 0x830f10)
- * CPU microcode is the latest known available version: NO (latest version is 0x8301039 dated 2020/02/07 according to builtin firmwares DB v160.20200912+i20200722)
+ * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301038 cpuid 0x830f10)
+ * CPU microcode is the latest known available version: NO (latest version is 0x830104d dated 2020/07/28 according to builtin firmwares DB v191+i20210217)
* CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): NO
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
- * Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
-
- CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+ CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
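Review bot: the microcode lines show the SUT was updated (ucode 0x8301034 to 0x8301038) but is still behind what the checker knows as latest (0x830104d dated 2020/07/28), and "CPU microcode is the latest known available version" stays NO. Please note in the testbed description whether 0x8301038 is the intended baseline for this release, so readers do not take the NO as an oversight. The "Vulnerable to" to "Affected by" rewording comes from the newer tool and needs no action.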
@@ -63,7 +63,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Kernel has array_index_nospec (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
+ CVE-2017-5715 aka Spectre Variant 2, branch target injection
* Mitigated according to the /sys interface: YES (Mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
@@ -76,7 +76,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
- CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
+ CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
@@ -84,28 +84,28 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-3640 aka 'Variant 3a, rogue system register read'
+ CVE-2018-3640 aka Variant 3a, rogue system register read
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-3639 aka 'Variant 4, speculative store bypass'
+ CVE-2018-3639 aka Variant 4, speculative store bypass
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+ * SSB mitigation currently active for selected processes: YES (irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
- CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
+ CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
* CPU microcode mitigates the vulnerability: N/A
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
+ CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports PTE inversion: YES (found in kernel image)
* PTE inversion enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
+ CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
* Information from the /sys interface: Not affected
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
@@ -117,215 +117,211 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github
* Hyper-Threading (SMT) is enabled: YES
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
+ CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
+ CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
+ CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
+ CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active: NO
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
+ CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
* Mitigated according to the /sys interface: YES (Not affected)
* TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
* TAA mitigation enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
+ CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
* Mitigated according to the /sys interface: YES (Not affected)
* This system is a host running a hypervisor: NO
* iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
- CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
- * SRBDS mitigation control is supported by the kernel: NO
- * SRBDS mitigation control is enabled and active: NO (SRBDS not found in sysfs hierarchy)
+ CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+ * Mitigated according to the /sys interface: YES (Not affected)
+ * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
+ * SRBDS mitigation control is enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
- Need more detailed information about mitigation options? Use --explain
- A false sense of security is worse than no security at all, see --disclaimer
-
::
- Spectre and Meltdown mitigation detection tool v0.43
-
- Checking for vulnerabilities on current system
- Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64
- CPU is AMD EPYC 7532 32-Core Processor
-
- Hardware check
- * Hardware support (CPU microcode) for mitigation techniques
- * Indirect Branch Restricted Speculation (IBRS)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates IBRS capability: YES (IBRS_SUPPORT feature bit)
- * CPU indicates preferring IBRS always-on: NO
- * CPU indicates preferring IBRS over retpoline: YES
- * Indirect Branch Prediction Barrier (IBPB)
- * PRED_CMD MSR is available: YES
- * CPU indicates IBPB capability: YES (IBPB_SUPPORT feature bit)
- * Single Thread Indirect Branch Predictors (STIBP)
- * SPEC_CTRL MSR is available: YES
- * CPU indicates STIBP capability: YES (AMD STIBP feature bit)
- * CPU indicates preferring STIBP always-on: NO
- * Speculative Store Bypass Disable (SSBD)
- * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL)
- * L1 data cache invalidation
- * FLUSH_CMD MSR is available: NO
- * CPU indicates L1D flush capability: NO
- * CPU supports Transactional Synchronization Extensions (TSX): NO
- * CPU supports Software Guard Extensions (SGX): NO
- * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
- * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301034 cpuid 0x830f10)
- * CPU microcode is the latest known available version: NO (latest version is 0x8301039 dated 2020/02/07 according to builtin firmwares DB v160.20200912+i20200722)
- * CPU vulnerability to the speculative execution attack variants
- * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
- * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): NO
- * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
- * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
- * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
- * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
- * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
- * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
- * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
- * Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
-
- CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
- * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
- * Kernel has the Red Hat/Ubuntu patch: NO
- * Kernel has mask_nospec64 (arm64): NO
- * Kernel has array_index_nospec (arm64): NO
- > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
-
- CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
- * Mitigated according to the /sys interface: YES (Mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
- * Mitigation 1
- * Kernel is compiled with IBRS support: YES
- * IBRS enabled and active: YES (for firmware code only)
- * Kernel is compiled with IBPB support: YES
- * IBPB enabled and active: YES
- * Mitigation 2
- * Kernel has branch predictor hardening (arm): NO
- * Kernel compiled with retpoline option: YES
- * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
- > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
-
- CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports Page Table Isolation (PTI): YES
- * PTI enabled and active: NO
- * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
- * Running as a Xen PV DomU: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3640 aka 'Variant 3a, rogue system register read'
- * CPU microcode mitigates the vulnerability: YES
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3639 aka 'Variant 4, speculative store bypass'
- * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
- * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- * SSB mitigation is enabled and active: YES (per-thread through prctl)
- * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
- > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
-
- CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
- * CPU microcode mitigates the vulnerability: N/A
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports PTE inversion: YES (found in kernel image)
- * PTE inversion enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
- * Information from the /sys interface: Not affected
- * This system is a host running a hypervisor: NO
- * Mitigation 1 (KVM)
- * EPT is disabled: N/A (the kvm_intel module is not loaded)
- * Mitigation 2
- * L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
- * L1D flush enabled: NO
- * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
- * Hyper-Threading (SMT) is enabled: YES
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
- * Kernel mitigation is enabled and active: NO
- * SMT is either mitigated or disabled: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
- * TAA mitigation enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
- * Mitigated according to the /sys interface: YES (Not affected)
- * This system is a host running a hypervisor: NO
- * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
- * iTLB Multihit mitigation enabled and active: NO
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
- * SRBDS mitigation control is supported by the kernel: NO
- * SRBDS mitigation control is enabled and active: NO (SRBDS not found in sysfs hierarchy)
- > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
-
- > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
-
- Need more detailed information about mitigation options? Use --explain
- A false sense of security is worse than no security at all, see --disclaimer \ No newline at end of file
+Spectre and Meltdown mitigation detection tool v0.44+
+
+Checking for vulnerabilities on current system
+Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64
+CPU is AMD EPYC 7532 32-Core Processor
+
+Hardware check
+* Hardware support (CPU microcode) for mitigation techniques
+ * Indirect Branch Restricted Speculation (IBRS)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates IBRS capability: YES (IBRS_SUPPORT feature bit)
+ * CPU indicates preferring IBRS always-on: NO
+ * CPU indicates preferring IBRS over retpoline: YES
+ * Indirect Branch Prediction Barrier (IBPB)
+ * PRED_CMD MSR is available: YES
+ * CPU indicates IBPB capability: YES (IBPB_SUPPORT feature bit)
+ * Single Thread Indirect Branch Predictors (STIBP)
+ * SPEC_CTRL MSR is available: YES
+ * CPU indicates STIBP capability: YES (AMD STIBP feature bit)
+ * CPU indicates preferring STIBP always-on: NO
+ * Speculative Store Bypass Disable (SSBD)
+ * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL)
+ * L1 data cache invalidation
+ * FLUSH_CMD MSR is available: NO
+ * CPU indicates L1D flush capability: NO
+ * CPU supports Transactional Synchronization Extensions (TSX): NO
+ * CPU supports Software Guard Extensions (SGX): NO
+ * CPU supports Special Register Buffer Data Sampling (SRBDS): NO
+ * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301038 cpuid 0x830f10)
+ * CPU microcode is the latest known available version: NO (latest version is 0x830104d dated 2020/07/28 according to builtin firmwares DB v191+i20210217)
+* CPU vulnerability to the speculative execution attack variants
+ * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
+ * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
+ * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
+ * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO
+ * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
+ * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
+ * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
+ * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
+ * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
+ * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
+ * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
+ * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
+ * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
+ * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
+ * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
+
+CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
+* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
+* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
+* Kernel has the Red Hat/Ubuntu patch: NO
+* Kernel has mask_nospec64 (arm64): NO
+* Kernel has array_index_nospec (arm64): NO
+> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
+
+CVE-2017-5715 aka Spectre Variant 2, branch target injection
+* Mitigated according to the /sys interface: YES (Mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
+* Mitigation 1
+ * Kernel is compiled with IBRS support: YES
+ * IBRS enabled and active: YES (for firmware code only)
+ * Kernel is compiled with IBPB support: YES
+ * IBPB enabled and active: YES
+* Mitigation 2
+ * Kernel has branch predictor hardening (arm): NO
+ * Kernel compiled with retpoline option: YES
+ * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
+> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
+
+CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
+* Mitigated according to the /sys interface: YES (Not affected)
+* Kernel supports Page Table Isolation (PTI): YES
+ * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
+ * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
+* Running as a Xen PV DomU: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-3640 aka Variant 3a, rogue system register read
+* CPU microcode mitigates the vulnerability: YES
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-3639 aka Variant 4, speculative store bypass
+* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
+* SSB mitigation is enabled and active: YES (per-thread through prctl)
+* SSB mitigation currently active for selected processes: YES (irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
+
+CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
+* CPU microcode mitigates the vulnerability: N/A
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
+* Mitigated according to the /sys interface: YES (Not affected)
+* Kernel supports PTE inversion: YES (found in kernel image)
+* PTE inversion enabled and active: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
+* Information from the /sys interface: Not affected
+* This system is a host running a hypervisor: NO
+* Mitigation 1 (KVM)
+ * EPT is disabled: N/A (the kvm_intel module is not loaded)
+* Mitigation 2
+ * L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
+ * L1D flush enabled: NO
+ * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
+ * Hyper-Threading (SMT) is enabled: YES
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
+* Mitigated according to the /sys interface: YES (Not affected)
+* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
+* Kernel mitigation is enabled and active: NO
+* SMT is either mitigated or disabled: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
+* Mitigated according to the /sys interface: YES (Not affected)
+* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
+* Kernel mitigation is enabled and active: NO
+* SMT is either mitigated or disabled: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
+* Mitigated according to the /sys interface: YES (Not affected)
+* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
+* Kernel mitigation is enabled and active: NO
+* SMT is either mitigated or disabled: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
+* Mitigated according to the /sys interface: YES (Not affected)
+* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)
+* Kernel mitigation is enabled and active: NO
+* SMT is either mitigated or disabled: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA)
+* Mitigated according to the /sys interface: YES (Not affected)
+* TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image)
+* TAA mitigation enabled and active: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)
+* Mitigated according to the /sys interface: YES (Not affected)
+* This system is a host running a hypervisor: NO
+* iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image)
+* iTLB Multihit mitigation enabled and active: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS)
+* Mitigated according to the /sys interface: YES (Not affected)
+* SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
+* SRBDS mitigation control is enabled and active: NO
+> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
+
+> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
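Review bot: In the CVE-2017-5754 block the new capture records "PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)", so the report now carries an inconclusive check where the previous capture had a definite NO. Re-run the checker right after a reboot, as the tool's own message asks, and commit that output instead. The hardware check also shows ucode 0x8301038 against a latest known 0x830104d; a sentence in the testbed documentation saying whether the microcode level is intentional would help readers interpret the results. The version string "v0.44+" reads as a build past 0.44 rather than a fixed release, so naming the checker revision used would make the capture reproducible.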
diff --git a/docs/report/introduction/test_scenarios_overview.rst b/docs/report/introduction/test_scenarios_overview.rst
index 0d520f0296..1c3516b9eb 100644
--- a/docs/report/introduction/test_scenarios_overview.rst
+++ b/docs/report/introduction/test_scenarios_overview.rst
@@ -11,10 +11,10 @@ Brief overview of test scenarios covered in this report:
#. **VPP Performance**: VPP performance tests are executed in physical
FD.io testbeds, focusing on VPP network data plane performance in
- NIC-to-NIC switching topologies. Tested across Intel Xeon Haswell
- and Skylake servers, ARM, Denverton, range of NICs (10GE, 25GE, 40GE) and
- multi-thread/multi-core configurations. VPP application runs in bare-metal
- host user-mode handling NICs. TRex is used as a traffic generator.
+ NIC-to-NIC switching topologies. Tested across Intel Cascadelake
+ and Skylake servers, ARM, Denverton, range of NICs (10GE, 25GE, 40GE, 100GE)
+ and multi-thread/multi-core configurations. VPP application runs in
+ bare-metal host user-mode handling NICs. TRex is used as a traffic generator.
#. **VPP Vhostuser Performance with KVM VMs**: VPP VM service switching
performance tests using vhostuser virtual interface for
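Review bot: The platform list in the VPP Performance item now reads "Intel Cascadelake and Skylake servers, ARM, Denverton", yet this same patch refreshes the checker output for an AMD EPYC 7532 testbed in test_environment_sut_meltspec_zn2.rst; if that testbed runs VPP performance tests, AMD should be named here as well. Minor wording while the sentence is being touched: "a range of NICs".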
@@ -55,7 +55,7 @@ against |vpp-release| artifacts. References are provided to the
original FD.io Jenkins job results and all archived source files.
FD.io CSIT system is developed using two main coding platforms: :abbr:`RF (Robot
-Framework)` and Python2.7. |csit-release| source code for the executed test
+Framework)` and Python. |csit-release| source code for the executed test
suites is available in CSIT branch |release| in the directory
:file:`./tests/<name_of_the_test_suite>`. A local copy of CSIT source code
can be obtained by cloning CSIT git repository - :command:`git clone
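Review bot: Replacing "Python2.7" with a bare "Python" removes the only interpreter version stated in this paragraph, so a reader cloning the repository cannot tell which major version the test suites need. State the version the framework actually targets (for example "Python 3" with a minimum minor version if one is required) rather than dropping the number.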
diff --git a/docs/report/vpp_device_tests/csit_release_notes.rst b/docs/report/vpp_device_tests/csit_release_notes.rst
index b29e45da4d..ca5bf8285a 100644
--- a/docs/report/vpp_device_tests/csit_release_notes.rst
+++ b/docs/report/vpp_device_tests/csit_release_notes.rst
@@ -6,20 +6,10 @@ Changes in |csit-release|
#. TEST FRAMEWORK
- - **Bug fixes**.
-
- - **Speedup**: Shortened overall test job duration
- by using a different test selection mechanism (using --test
- instead of --include) and by avoiding unnecessary PAPI reconnects.
-
-#. TEST COVERAGE
-
- - Increased test coverage: **GENEVE**, **ACL** and **MACIP** from ACL plugin.
-
-#. DEPRECATED API MESSAGES
-
- - Updated API calls for **link bonding**, **COP**, **IPSEC**, **NAT** and
- **NSIM**.
+ - **Upgrade to Ubuntu 20.04 LTS**: Reinstall base operating system to Ubuntu
+ 20.04.2 LTS. Upgrade includes also baseline Docker containers used for
+ spawning topology. In latest LTS version we are using iavf driver instead
+ of i40evf.
Known Issues
------------
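Review bot: The added sentence "In latest LTS version we are using iavf driver instead of i40evf" does not say where the driver change applies (host kernel, the Docker containers, or the VF binding used by VPP), and that matters for anyone comparing device-test results across releases. Suggest naming the component and rewording the bullet, e.g. "The upgrade also covers the baseline Docker containers" and "With Ubuntu 20.04 the VFs use the iavf kernel driver instead of i40evf". The hunk also drops the TEST COVERAGE and DEPRECATED API MESSAGES sections with nothing in their place; if no coverage or API changes happened in this release, say so in the commit message.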
@@ -29,7 +19,5 @@ List of known issues in |csit-release| for VPP functional tests in VPP Device:
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
| # | JiraID | Issue Description |
+====+=========================================+===========================================================================================================+
-| 1 | `VPP-1943 | Running multiple VPPs with SR-IOV VFs belonging to the same PF sometimes results in VPP not initializing |
-| | <https://jira.fd.io/browse/VPP-1943>`_ | the VF interfaces properly due to a race condition between the PF and VFs. Observed with Intel NIC |
-| | | firmware version 6.01 0x800035da 1.1747.0 and i40e driver versions 2.1.14-k and 2.13.10. |
+| | | |
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
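Review bot: Removing the VPP-1943 entry leaves a known-issues table whose only body row is empty cells ("| | | |"), which renders as a blank row under the sentence "List of known issues in |csit-release|". Replace the table with an explicit statement that there are no known issues, or keep the row if the PF/VF race is still reproducible. The removed text tied the issue to i40e driver versions 2.1.14-k and 2.13.10; the commit message should state whether it was retested on the upgraded testbeds before being dropped.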
diff --git a/docs/report/vpp_performance_tests/csit_release_notes.rst b/docs/report/vpp_performance_tests/csit_release_notes.rst
index a70061de9a..5b90710d24 100644
--- a/docs/report/vpp_performance_tests/csit_release_notes.rst
+++ b/docs/report/vpp_performance_tests/csit_release_notes.rst
@@ -9,39 +9,19 @@ Changes in |csit-release|
- CSIT test environment is versioned, see
:ref:`test_environment_versioning`.
- - **GENEVE tests**: Added VPP performance tests for GENEVE tunnels.
- See :ref:`geneve_methodology` for more details.
+ - **Upgrade to Ubuntu 20.04 LTS**: Reinstall base operating system to Ubuntu
+ 20.04.2 LTS. Upgrade includes also baseline Docker containers used for
+ spawning topology.
+ - **AF_XDP**: Added af_xdp driver testing for all testcases.
- - **GSO tests**: Added VPP performance tests for GSOtap and GSOvirtio.
- All tested topologies are compared with GSO enabled and disabled.
- In |csit-release| there is only 1t1c tests running.
- See :ref:`gso_methodology` for more details.
+ - **GTPU tunnel**: Added GTPU HW Offload IPv4 routing tests.
-
- - **NAT44 tests**: Added new test type, pure throughput tests.
- They are similar to PPS tests, but they employ ramp-up trials
- to ensure all sessions are created (and not timing out)
- for performance trials.
-
- - **Jumbo for ipsec**: Test cases with 9000 byte frames are re-enabled
- in ipsec suites.
-
- - **Randomized profiles**: Improved repeatability and cycle length.
- For details, see :ref:`packet_flow_ordering`.
-
- - **Arm 2n-tx2 testbed**: New physical testbed type installed in
- FD.io CSIT, with VPP and DPDK performance data added to CSIT
- trending and this report.
-
- - **Framework speedup**: Shortened overall test job duration
- by using a different test selection mechanism (using --test
- instead of --include) and by avoiding unnecessary PAPI reconnects.
+ - **Telemetry retouch**: Redesign telemetry retrieval from DUT. Include
+ VPP perfmon plugin telemetry.
#. TEST FRAMEWORK
- - **TRex ASTF**: Improved capability to run TRex in advanced stateful mode.
-
- **CSIT PAPI support**: Due to issues with PAPI performance, VAT is
still used in CSIT for all VPP scale tests. See known issues below.
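Review bot: The new AF_XDP, GTPU tunnel and Telemetry retouch bullets carry no methodology cross-reference, whereas the entries they replace pointed readers at one ("See :ref:`geneve_methodology` for more details"). Add a :ref: for each new test type where a methodology section exists, and narrow "Added af_xdp driver testing for all testcases" to the suites and testbeds that actually run it, since "all" is hard to verify from the report. The Ubuntu bullet repeats "Upgrade includes also"; "The upgrade also includes" reads better.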
@@ -67,28 +47,18 @@ List of known issues in |csit-release| for VPP performance tests:
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
| # | JiraID | Issue Description |
+====+=========================================+===========================================================================================================+
-| 1 | `CSIT-570 | Sporadic (1 in 200) NDR discovery test failures on x520. DPDK reporting rx-errors, indicating L1 issue. |
-| | <https://jira.fd.io/browse/CSIT-570>`_ | Suspected issue with HW combination of X710-X520 in LF testbeds. Not observed outside of LF testbeds. |
-+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
-| 2 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. |
+| 1 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. |
| | <https://jira.fd.io/browse/VPP-662>`_ | |
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
-| 3 | `CSIT-1763 | Adapt ramp-up phase of nat44 tests for different frame sizes. |
+| 2 | `CSIT-1763 | Adapt ramp-up phase of nat44 tests for different frame sizes. |
| | <https://jira.fd.io/browse/CSIT-1763>`_ | Currently ramp-up phase rate and duration values are correctly set for tests with 64B frame size. |
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
-| 4 | `CSIT-1671 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much |
+| 3 | `CSIT-1671 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much |
| | <https://jira.fd.io/browse/CSIT-1671>`_ | longer to program VPP). This needs to be addressed on the PAPI side. |
| +-----------------------------------------+ The usual PAPI library spends too much time parsing arguments, so even with async processing (hundreds of |
| | `VPP-1763 | commands in flight over socket), the VPP configuration for large scale tests (millions of messages) takes |
| | <https://jira.fd.io/browse/VPP-1763>`_ | too long. |
+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
-| 5 | `VPP-1934 | [i40e] Interfaces are not brought up from carrier-down. |
-| | <https://jira.fd.io/browse/VPP-1934>`_ | In case of i40e -based interface (e.g Intel x700 series NIC) is bound to kernel driver (i40e) and is in |
-| | | state "no-carrier" (<NO-CARRIER,BROADCAST,MULTICAST,UP>) because previously it was disabled via |
-| | | "I40E_AQ_PHY_LINK_ENABLED" call, then VPP during initialization of AVF interface is not re-enabling |
-| | | interface link via i40e driver to up. |
-| | | CSIT implemented `workaround for AVF interface <https://gerrit.fd.io/r/c/csit/+/29086>`_ until fixed. |
-+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+
Root Cause Analysis for Performance Changes
-------------------------------------------
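Review bot: Dropping the CSIT-570 and VPP-1934 rows and renumbering the rest gives no indication of whether those issues were fixed or simply no longer tracked. The removed VPP-1934 row documented a CSIT workaround for the AVF interface (https://gerrit.fd.io/r/c/csit/+/29086) "until fixed"; if that workaround is still in the code base the issue should stay listed. Please reference the resolving change or the retest result in the commit message. The TEST FRAMEWORK item above still says "See known issues below", which remains valid only because the CSIT-1671 row is kept, so keep the two in sync on future edits.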