diff options
Diffstat (limited to 'docs/report')
24 files changed, 1156 insertions, 1203 deletions
diff --git a/docs/report/dpdk_performance_tests/csit_release_notes.rst b/docs/report/dpdk_performance_tests/csit_release_notes.rst index 622d9c415c..4f33231549 100644 --- a/docs/report/dpdk_performance_tests/csit_release_notes.rst +++ b/docs/report/dpdk_performance_tests/csit_release_notes.rst @@ -4,16 +4,6 @@ Release Notes Changes in |csit-release| ------------------------- -#. DPDK PERFORMANCE TESTS - - - Fixed DPDK compilation on ARM systems. - - - **AMD 2n-zn2 testbed**: New physical testbed type installed in - FD.io CSIT, with DPDK performance data added to this report. - - - **Arm 2n-tx2 testbed**: New physical testbed type installed in - FD.io CSIT, with DPDK performance data added to this report. - #. DPDK RELEASE VERSION CHANGE - |csit-release| tested |dpdk-release|, as used by |vpp-release|. @@ -28,9 +18,6 @@ List of known issues in |csit-release| for DPDK performance tests: +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ | # | JiraID | Issue Description | +====+=========================================+===========================================================================================================+ -| 1 | `CSIT-1761 | Denverton systems in FD.io CSIT lab (2n-dnv and 3n-dnv) reports dpdk compilation error very often. | -| | <https://jira.fd.io/browse/CSIT-1761>`_ | | -+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ -| 2 | `CSIT-1762 | TRex reports link DOWN in case of dpdk testpmd tests on FD.io CSIT Denverton systems (2n-dnv and 3n-dnv). | +| 1 | `CSIT-1762 | TRex reports link DOWN in case of dpdk testpmd tests on FD.io CSIT Denverton systems (2n-dnv and 3n-dnv). | | | <https://jira.fd.io/browse/CSIT-1762>`_ | | +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst index 99119e18d0..6cfa69cd88 100644 --- a/docs/report/introduction/methodology_ipsec.rst +++ b/docs/report/introduction/methodology_ipsec.rst @@ -47,7 +47,3 @@ dpdk_cryptodev | crypto_ipsecmb | async/crypto worker | AES[128]-CBC | SHA[256|512] | 1, 4, 1k tunnels | +-------------------+---------------------+------------------+----------------+------------------+ -.. - VPP IPsec with HW crypto are executed in both tunnel and policy modes, - with tests running on 3-node Haswell testbeds (3n-hsw), as these are the - only testbeds equipped with Intel QAT cards. diff --git a/docs/report/introduction/methodology_multi_core_speedup.rst b/docs/report/introduction/methodology_multi_core_speedup.rst index 095f0f7796..05307549f4 100644 --- a/docs/report/introduction/methodology_multi_core_speedup.rst +++ b/docs/report/introduction/methodology_multi_core_speedup.rst @@ -14,8 +14,7 @@ applied in BIOS and requires server SUT reload for it to take effect, making it impractical for continuous changes of HT mode of operation. |csit-release| performance tests are executed with server SUTs' Intel -XEON processors configured with Intel Hyper-Threading Disabled for all -Xeon Haswell testbeds (3n-hsw) and with Intel Hyper-Threading Enabled +XEON processors configured with Intel Hyper-Threading Enabled for all Xeon Skylake and Xeon Cascadelake testbeds. More information about physical testbeds is provided in @@ -27,13 +26,6 @@ Multi-core Tests |csit-release| multi-core tests are executed in the following VPP worker thread and physical core configurations: -#. Intel Xeon Haswell testbeds (3n-hsw) with Intel HT disabled - (1 logical CPU core per each physical core): - - #. 1t1c - 1 VPP worker thread on 1 physical core. - #. 2t2c - 2 VPP worker threads on 2 physical cores. - #. 4t4c - 4 VPP worker threads on 4 physical cores. - #. Intel Xeon Skylake and Cascadelake testbeds (2n-skx, 3n-skx, 2n-clx) with Intel HT enabled (2 logical CPU cores per each physical core): diff --git a/docs/report/introduction/methodology_vpp_startup_settings.rst b/docs/report/introduction/methodology_vpp_startup_settings.rst index e3e8d29b23..c583ae7bed 100644 --- a/docs/report/introduction/methodology_vpp_startup_settings.rst +++ b/docs/report/introduction/methodology_vpp_startup_settings.rst @@ -26,7 +26,7 @@ List of VPP startup.conf settings applied to all tests: 256). For Xeon Skylake platforms configured with 2MB hugepages and VPP data-size and buffer-size defaults (2048B and 2496B respectively), this results in value of 215040 (256 * 840 = 215040, 840 * 2496B buffers fit - in 2MB hugepage ). For Xeon Haswell nodes value of 107520 is used. + in 2MB hugepage). Per Test Settings ~~~~~~~~~~~~~~~~~ diff --git a/docs/report/introduction/physical_testbeds.rst b/docs/report/introduction/physical_testbeds.rst index 5f62f1bb06..7755bdddeb 100644 --- a/docs/report/introduction/physical_testbeds.rst +++ b/docs/report/introduction/physical_testbeds.rst @@ -26,8 +26,8 @@ Two physical server topology types are used: Current FD.io production testbeds are built with SUT servers based on the following processor architectures: -- Intel Xeon: Skylake Platinum 8180, Haswell-SP E5-2699v3, - Cascade Lake Platinum 8280, Cascade Lake 6252N. +- Intel Xeon: Skylake Platinum 8180, Cascade Lake Platinum 8280, + Cascade Lake 6252N. - Intel Atom: Denverton C3858. - Arm: TaiShan 2280, hip07-d05. - AMD EPYC: Zen2 7532. diff --git a/docs/report/introduction/test_environment_intro.rst b/docs/report/introduction/test_environment_intro.rst index 2aa4f44e40..c1ab7ea6ad 100644 --- a/docs/report/introduction/test_environment_intro.rst +++ b/docs/report/introduction/test_environment_intro.rst @@ -79,7 +79,17 @@ Following is the list of CSIT versions to date: - The main change is TRex version upgrade: `increase from 2.82 to 2.86 <https://gerrit.fd.io/r/c/csit/+/29980>`_. +- Ver. 7 associated with CSIT rls2106 branch (`HW + <https://git.fd.io/csit/tree/docs/lab?h=rls2106>`_, `Linux + <https://docs.fd.io/csit/rls2106/report/vpp_performance_tests/test_environment.html#sut-settings-linux>`_, + `TRex + <https://docs.fd.io/csit/rls2106/report/vpp_performance_tests/test_environment.html#tg-settings-trex>`_, + `CSIT <https://git.fd.io/csit/tree/?h=rls2106>`_). + - TRex version upgrade: + `increase from 2.86 to 2.88 <https://gerrit.fd.io/r/c/csit/+/31652>`_. + - Ubuntu upgrade: + `upgrade from 18.04 LTS to 20.04.2 LTS <https://gerrit.fd.io/r/c/csit/+/31290>`_. To identify performance changes due to VPP code development between previous and current VPP release version, both have been tested in CSIT environment of @@ -101,7 +111,7 @@ topology types are used: server as TG both connected in ring topology. Tested SUT servers are based on a range of processors including Intel -Xeon Haswell-SP, Intel Xeon Skylake-SP, Intel Xeon Cascade Lake-SP, Arm, +Intel Xeon Skylake-SP, Intel Xeon Cascade Lake-SP, Arm, Intel Atom. More detailed description is provided in :ref:`tested_physical_topologies`. Tested logical topologies are described in :ref:`tested_logical_topologies`. @@ -112,5 +122,4 @@ Server Specifications Complete technical specifications of compute servers used in CSIT physical testbeds are maintained in FD.io CSIT repository: `FD.io CSIT testbeds - Xeon Cascade Lake`_, -`FD.io CSIT testbeds - Xeon Skylake, Arm, Atom`_ and -`FD.io CSIT Testbeds - Xeon Haswell`_. +`FD.io CSIT testbeds - Xeon Skylake, Arm, Atom`_.
\ No newline at end of file diff --git a/docs/report/introduction/test_environment_sut_calib_clx.rst b/docs/report/introduction/test_environment_sut_calib_clx.rst index ed44eb92d2..ef4812d2e1 100644 --- a/docs/report/introduction/test_environment_sut_calib_clx.rst +++ b/docs/report/introduction/test_environment_sut_calib_clx.rst @@ -15,7 +15,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1d03969e-a2a0-41b2-a97e-1cc171b07e88 ro isolcpus=1-23,25-47,49-71,73-95 nohz_full=1-23,25-47,49-71,73-95 rcu_nocbs=1-23,25-47,49-71,73-95 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=b1f0dc29-1d4f-4777-b37d-a5e26e233d55 ro audit=0 hpet=disable intel_idle.max_cstate=1 intel_iommu=on intel_pstate=disable iommu=pt isolcpus=1-27,29-55,57-83,85-111 mce=off nmi_watchdog=0 nohz_full=1-27,29-55,57-83,85-111 nosoftlockup numa_balancing=disable processor.max_cstate=1 rcu_nocbs=1-27,29-55,57-83,85-111 tsc=reliable console=ttyS0,115200n8 quiet Linux uname ^^^^^^^^^^^ @@ -23,7 +23,7 @@ Linux uname :: $ uname -a - Linux s32-t27-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_dnv.rst b/docs/report/introduction/test_environment_sut_calib_dnv.rst index 13f980656a..d38ba2fb8b 100644 --- a/docs/report/introduction/test_environment_sut_calib_dnv.rst +++ b/docs/report/introduction/test_environment_sut_calib_dnv.rst @@ -14,7 +14,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-36-generic root=UUID=d3cfffd0-1e77-423a-a53a-a117199b6025 ro intel_iommu=on iommu=pt isolcpus=1-11 nohz_full=1-11 rcu_nocbs=1-11 default_hugepagesz=1G hugepagesz=1G hugepages=8 intel_pstate=disable nmi_watchdog=0 numa_balancing=disable tsc=reliable nosoftlockup quiet splash vt.handoff=7 + BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=26ca7b0f-904a-462d-a1c6-98c420c29515 ro audit=0 hpet=disable intel_idle.max_cstate=1 intel_iommu=on intel_pstate=disable iommu=pt isolcpus=1-5 mce=off nmi_watchdog=0 nohz_full=1-5 nosoftlockup numa_balancing=disable processor.max_cstate=1 rcu_nocbs=1-5 tsc=reliable console=tty0 console=ttyS0,115200n8 Linux uname @@ -23,7 +23,7 @@ Linux uname :: $ uname -a - Linux 4.15.0-36-generic #39~16.04.1-Ubuntu SMP Tue Sep 25 08:59:23 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux + Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_hsw.rst b/docs/report/introduction/test_environment_sut_calib_hsw.rst deleted file mode 100644 index d2e8d3d33d..0000000000 --- a/docs/report/introduction/test_environment_sut_calib_hsw.rst +++ /dev/null @@ -1,223 +0,0 @@ -Haswell -~~~~~~~ - -Following sections include sample calibration data measured on t1-sut1 -server running in one of the Intel Xeon Haswell testbeds as specified in -`FD.io CSIT Testbeds - Xeon Haswell`_. - -Calibration data obtained from all other servers in Haswell testbeds -shows the same or similar values. - -Linux cmdline -^^^^^^^^^^^^^ - -:: - - $ cat /proc/cmdline - BOOT_IMAGE=/vmlinuz-4.15.0-72-generic root=UUID=c59ae603-8076-41f4-bb5d-bc3fc8dd3ea1 ro isolcpus=1-17,19-35 nohz_full=1-17,19-35 rcu_nocbs=1-17,19-35 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0console=ttyS0,115200n8 - - -Linux uname -^^^^^^^^^^^ - -:: - - $ uname -a - Linux t1-tg1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux - - -System-level Core Jitter -^^^^^^^^^^^^^^^^^^^^^^^^ - -:: - - $ sudo taskset -c 3 /home/testuser/pma_tools/jitter/jitter -i 30 - Linux Jitter testing program version 1.8 - Iterations=30 - The pragram will execute a dummy function 80000 times - Display is updated every 20000 displayUpdate intervals - Timings are in CPU Core cycles - Inst_Min: Minimum Excution time during the display update interval(default is ~1 second) - Inst_Max: Maximum Excution time during the display update interval(default is ~1 second) - Inst_jitter: Jitter in the Excution time during rhe display update interval. This is the value of interest - last_Exec: The Excution time of last iteration just before the display update - Abs_Min: Absolute Minimum Excution time since the program started or statistics were reset - Abs_Max: Absolute Maximum Excution time since the program started or statistics were reset - tmp: Cumulative value calcualted by the dummy function - Interval: Time interval between the display updates in Core Cycles - Sample No: Sample number - - Inst_Min Inst_Max Inst_jitter last_Exec Abs_min Abs_max tmp Interval Sample No - 160024 172636 12612 160028 160024 172636 1573060608 3205463144 1 - 160024 188236 28212 160028 160024 188236 958595072 3205500844 2 - 160024 185676 25652 160028 160024 188236 344129536 3205485976 3 - 160024 172608 12584 160024 160024 188236 4024631296 3205472740 4 - 160024 179260 19236 160028 160024 188236 3410165760 3205502164 5 - 160024 172432 12408 160024 160024 188236 2795700224 3205452036 6 - 160024 178820 18796 160024 160024 188236 2181234688 3205455408 7 - 160024 172512 12488 160028 160024 188236 1566769152 3205461528 8 - 160024 172636 12612 160028 160024 188236 952303616 3205478820 9 - 160024 173676 13652 160028 160024 188236 337838080 3205470412 10 - 160024 178776 18752 160028 160024 188236 4018339840 3205481472 11 - 160024 172788 12764 160028 160024 188236 3403874304 3205492336 12 - 160024 174616 14592 160028 160024 188236 2789408768 3205474904 13 - 160024 174440 14416 160028 160024 188236 2174943232 3205479448 14 - 160024 178748 18724 160024 160024 188236 1560477696 3205482668 15 - 160024 172588 12564 169404 160024 188236 946012160 3205510496 16 - 160024 172636 12612 160024 160024 188236 331546624 3205472204 17 - 160024 172480 12456 160024 160024 188236 4012048384 3205455864 18 - 160024 172740 12716 160028 160024 188236 3397582848 3205464932 19 - 160024 179200 19176 160028 160024 188236 2783117312 3205476012 20 - 160024 172480 12456 160028 160024 188236 2168651776 3205465632 21 - 160024 172728 12704 160024 160024 188236 1554186240 3205497204 22 - 160024 172620 12596 160028 160024 188236 939720704 3205466972 23 - 160024 172640 12616 160028 160024 188236 325255168 3205471216 24 - 160024 172484 12460 160028 160024 188236 4005756928 3205467388 25 - 160024 172636 12612 160028 160024 188236 3391291392 3205482748 26 - 160024 179056 19032 160024 160024 188236 2776825856 3205467152 27 - 160024 172672 12648 160024 160024 188236 2162360320 3205483268 28 - 160024 176932 16908 160024 160024 188236 1547894784 3205488536 29 - 160024 172452 12428 160028 160024 188236 933429248 3205440636 30 - - -Memory Bandwidth -^^^^^^^^^^^^^^^^ - -:: - - $ sudo /home/testuser/mlc --bandwidth_matrix - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --bandwidth_matrix - - Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes - Measuring Memory Bandwidths between nodes within system - Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec) - Using all the threads from each core if Hyper-threading is enabled - Using Read-only traffic type - Numa node - Numa node 0 1 - 0 57935.5 30265.2 - 1 30284.6 58409.9 - -:: - - $ sudo /home/testuser/mlc --peak_injection_bandwidth - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --peak_injection_bandwidth - - Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes - - Measuring Peak Injection Memory Bandwidths for the system - Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec) - Using all the threads from each core if Hyper-threading is enabled - Using traffic with the following read-write ratios - ALL Reads : 115762.2 - 3:1 Reads-Writes : 106242.2 - 2:1 Reads-Writes : 103031.8 - 1:1 Reads-Writes : 87943.7 - Stream-triad like: 100048.4 - -:: - - $ sudo /home/testuser/mlc --max_bandwidth - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --max_bandwidth - - Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes - - Measuring Maximum Memory Bandwidths for the system - Will take several minutes to complete as multiple injection rates will be tried to get the best bandwidth - Bandwidths are in MB/sec (1 MB/sec = 1,000,000 Bytes/sec) - Using all the threads from each core if Hyper-threading is enabled - Using traffic with the following read-write ratios - ALL Reads : 115782.41 - 3:1 Reads-Writes : 105965.78 - 2:1 Reads-Writes : 103162.38 - 1:1 Reads-Writes : 88255.82 - Stream-triad like: 105608.10 - - -Memory Latency -^^^^^^^^^^^^^^ - -:: - - $ sudo /home/testuser/mlc --latency_matrix - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --latency_matrix - - Using buffer size of 200.000MB - Measuring idle latencies (in ns)... - Numa node - Numa node 0 1 - 0 101.0 132.0 - 1 141.2 98.8 - -:: - - $ sudo /home/testuser/mlc --idle_latency - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --idle_latency - - Using buffer size of 200.000MB - Each iteration took 227.2 core clocks ( 99.0 ns) - -:: - - $ sudo /home/testuser/mlc --loaded_latency - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --loaded_latency - - Using buffer size of 100.000MB/thread for reads and an additional 100.000MB/thread for writes - - Measuring Loaded Latencies for the system - Using all the threads from each core if Hyper-threading is enabled - Using Read-only traffic type - Inject Latency Bandwidth - Delay (ns) MB/sec - ========================== - 00000 294.08 115841.6 - 00002 294.27 115851.5 - 00008 293.67 115821.8 - 00015 278.92 115587.5 - 00050 246.80 113991.2 - 00100 206.86 104508.1 - 00200 123.72 72873.6 - 00300 113.35 52641.1 - 00400 108.89 41078.9 - 00500 108.11 33699.1 - 00700 106.19 24878.0 - 01000 104.75 17948.1 - 01300 103.72 14089.0 - 01700 102.95 11013.6 - 02500 102.25 7756.3 - 03500 101.81 5749.3 - 05000 101.46 4230.4 - 09000 101.05 2641.4 - 20000 100.77 1542.5 - - -L1/L2/LLC Latency -^^^^^^^^^^^^^^^^^ - -:: - - $ sudo /home/testuser/mlc --c2c_latency - Intel(R) Memory Latency Checker - v3.5 - Command line parameters: --c2c_latency - - Measuring cache-to-cache transfer latency (in ns)... - Local Socket L2->L2 HIT latency 42.1 - Local Socket L2->L2 HITM latency 47.0 - Remote Socket L2->L2 HITM latency (data address homed in writer socket) - Reader Numa Node - Writer Numa Node 0 1 - 0 - 108.0 - 1 106.9 - - Remote Socket L2->L2 HITM latency (data address homed in reader socket) - Reader Numa Node - Writer Numa Node 0 1 - 0 - 107.7 - 1 106.6 - - -.. include:: ../introduction/test_environment_sut_meltspec_hsw.rst diff --git a/docs/report/introduction/test_environment_sut_calib_skx.rst b/docs/report/introduction/test_environment_sut_calib_skx.rst index e3038a230a..cbb8011fe0 100644 --- a/docs/report/introduction/test_environment_sut_calib_skx.rst +++ b/docs/report/introduction/test_environment_sut_calib_skx.rst @@ -15,7 +15,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=e05120bb-7127-43db-b1e3-a66edd4c43bd ro isolcpus=1-27,29-55,57-83,85-111 nohz_full=1-27,29-55,57-83,85-111 rcu_nocbs=1-27,29-55,57-83,85-111 numa_balancing=disable intel_pstate=disable intel_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 intel_idle.max_cstate=1 hpet=disable tsc=reliable mce=off console=tty0 console=ttyS0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=55d44abd-94d6-4b26-9d93-5877a8658016 ro audit=0 hpet=disable intel_idle.max_cstate=1 intel_iommu=on intel_pstate=disable iommu=pt isolcpus=1-27,29-55,57-83,85-111 mce=off nmi_watchdog=0 nohz_full=1-27,29-55,57-83,85-111 nosoftlockup numa_balancing=disable processor.max_cstate=1 rcu_nocbs=1-27,29-55,57-83,85-111 tsc=reliable console=ttyS0,115200n8 quiet Linux uname @@ -24,7 +24,7 @@ Linux uname :: $ uname -a - Linux s3-t21-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_tsh.rst b/docs/report/introduction/test_environment_sut_calib_tsh.rst index a503a42404..36284f3e60 100644 --- a/docs/report/introduction/test_environment_sut_calib_tsh.rst +++ b/docs/report/introduction/test_environment_sut_calib_tsh.rst @@ -14,7 +14,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-54-generic root=/dev/mapper/huawei--1--vg-root ro isolcpus=1-15,17-31,33-47,49-63 nohz_full=1-15 17-31,33-47,49-63 rcu_nocbs=1-15 17-31,33-47,49-63 intel_iommu=on nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=1 console=ttyAMA0,115200n8 + BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=7d1d0e77-4df0-43df-9619-a99db29ffb83 ro audit=0 intel_iommu=on isolcpus=1-27,29-55 nmi_watchdog=0 nohz_full=1-27,29-55 nosoftlockup processor.max_cstate=1 rcu_nocbs=1-27,29-55 console=ttyAMA0,115200n8 quiet Linux uname ^^^^^^^^^^^ @@ -22,7 +22,7 @@ Linux uname :: $ uname -a - Linux s17-t33-sut1 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:56:40 UTC 2019 aarch64 aarch64 aarch64 GNU/Linux + Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_calib_tx2.rst b/docs/report/introduction/test_environment_sut_calib_tx2.rst index 4b715c86f0..2844ec169a 100644 --- a/docs/report/introduction/test_environment_sut_calib_tx2.rst +++ b/docs/report/introduction/test_environment_sut_calib_tx2.rst @@ -11,7 +11,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=19debf43-de1a-4f0d-97a7-c4d0ccd04327 ro audit=0 intel_iommu=on isolcpus=1-27,29-55 nmi_watchdog=0 nohz_full=1-27,29-55 nosoftlockup processor.max_cstate=1 rcu_nocbs=1-27,29-55 splash quiet vt.handoff=1 + BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=7d1d0e77-4df0-43df-9619-a99db29ffb83 ro audit=0 intel_iommu=on isolcpus=1-27,29-55 nmi_watchdog=0 nohz_full=1-27,29-55 nosoftlockup processor.max_cstate=1 rcu_nocbs=1-27,29-55 console=ttyAMA0,115200n8 quiet Linux uname ^^^^^^^^^^^ @@ -19,7 +19,7 @@ Linux uname :: $ uname -a - Linux s27-t34-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:21:09 UTC 2019 aarch64 aarch64 aarch64 GNU/Linux + Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux .. include:: ../introduction/test_environment_sut_meltspec_tx2.rst diff --git a/docs/report/introduction/test_environment_sut_calib_zn2.rst b/docs/report/introduction/test_environment_sut_calib_zn2.rst index c181b5f34c..9454edd2a6 100644 --- a/docs/report/introduction/test_environment_sut_calib_zn2.rst +++ b/docs/report/introduction/test_environment_sut_calib_zn2.rst @@ -12,7 +12,7 @@ Linux cmdline :: $ cat /proc/cmdline - BOOT_IMAGE=/boot/vmlinuz-4.15.0-72-generic root=UUID=1672f0ef-755e-4a26-884d-02a3f4ac933c ro isolcpus=1-15,33-47,17-31,49-63 nohz_full=1-15,33-47,17-31,49-63 rcu_nocbs=1-15,33-47,17-31,49-63 numa_balancing=disable amd_iommu=on iommu=pt nmi_watchdog=0 audit=0 nosoftlockup processor.max_cstate=0 hpet=disable tsc=reliable mce=off splash quiet vt.handoff=1 + BOOT_IMAGE=/boot/vmlinuz-5.4.0-65-generic root=UUID=3c4b56e3-1f01-4211-a652-ea77468f58b7 ro amd_iommu=on audit=0 hpet=disable iommu=pt isolcpus=1-15,17-31,33-47,49-63 nmi_watchdog=0 nohz_full=off nosoftlockup numa_balancing=disable processor.max_cstate=0 rcu_nocbs=1-15,17-31,33-47,49-63 tsc=reliable console=ttyS0,115200n8 quiet Linux uname @@ -21,7 +21,7 @@ Linux uname :: $ uname -a - Linux s60-t210-sut1 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux System-level Core Jitter diff --git a/docs/report/introduction/test_environment_sut_conf_1.rst b/docs/report/introduction/test_environment_sut_conf_1.rst index 63ff50205d..7f724dd6ea 100644 --- a/docs/report/introduction/test_environment_sut_conf_1.rst +++ b/docs/report/introduction/test_environment_sut_conf_1.rst @@ -5,19 +5,6 @@ System provisioning is done by combination of PXE boot unattented install and `Ansible <https://www.ansible.com>`_ described in `CSIT Testbed Setup`_. -Below a subset of the running configuration: - -1. Ubuntu 18.04.2 LTS - -:: - - $ lsb_release -a - No LSB modules are available. - Distributor ID: Ubuntu - Description: Ubuntu 18.04.2 LTS - Release: 18.04 - Codename: bionic - Linux Boot Parameters ~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/report/introduction/test_environment_sut_meltspec_clx.rst b/docs/report/introduction/test_environment_sut_meltspec_clx.rst index 826e6d37b4..6261c5653c 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_clx.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_clx.rst @@ -8,174 +8,130 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.43 - - awk: fatal: cannot open file `bash for reading (No such file or directory) - Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 - CPU is Intel(R) Xeon(R) Platinum 8280 CPU @ 2.70GHz + Spectre and Meltdown mitigation detection tool v0.44+ Hardware check - * Hardware support (CPU microcode) for mitigation techniques - * Indirect Branch Restricted Speculation (IBRS) - * SPEC_CTRL MSR is available: YES - * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) - * Indirect Branch Prediction Barrier (IBPB) - * PRED_CMD MSR is available: YES - * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) - * Single Thread Indirect Branch Predictors (STIBP) - * SPEC_CTRL MSR is available: YES - * CPU indicates STIBP capability: YES (Intel STIBP feature bit) - * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: YES (Intel SSBD) - * L1 data cache invalidation - * FLUSH_CMD MSR is available: YES - * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitectural Data Sampling - * VERW instruction is available: YES (MD_CLEAR feature bit) - * Enhanced IBRS (IBRS_ALL) - * CPU indicates ARCH_CAPABILITIES MSR availability: YES - * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES - * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES - * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO - * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES - * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO - * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES - * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO - * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO - * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES - * TSX_CTRL MSR indicates TSX RTM is disabled: YES - * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES - * CPU supports Transactional Synchronization Extensions (TSX): NO - * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x7 ucode 0x500002c cpuid 0x50657) - * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory) - UNKNOWN (latest microcode version for your CPU model is unknown) - * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES - - CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) - * Kernel has the Red Hat/Ubuntu patch: NO - * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - - CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling) - * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (Enhanced flavor, performance impact will be greatly reduced) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES - * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel compiled with retpoline option: YES - * Kernel supports RSB filling: YES - > STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability) - - CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) - * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) - * Running as a Xen PV DomU: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3640 aka Variant 3a, rogue system register read - * CPU microcode mitigates the vulnerability: YES - > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) - - CVE-2018-3639 aka Variant 4, speculative store bypass - * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) - * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) - > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - - CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault - * CPU microcode mitigates the vulnerability: N/A - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports PTE inversion: YES (found in kernel image) - * PTE inversion enabled and active: NO - > STATUS: NOT VULNERABLE (Not affected) - - CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault - * Information from the /sys interface: Not affected - * This system is a host running a hypervisor: NO - * Mitigation 1 (KVM) - * EPT is disabled: NO - * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) - * L1D flush enabled: NO - * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES - > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable) - - CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) - * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled) - * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) - * TAA mitigation enabled and active: YES (Mitigation: TSX disabled) - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) - * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) - * This system is a host running a hypervisor: NO - * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) - * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) - > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK + * Hardware support (CPU microcode) for mitigation techniques + * Indirect Branch Restricted Speculation (IBRS) + * SPEC_CTRL MSR is available: YES + * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) + * Indirect Branch Prediction Barrier (IBPB) + * PRED_CMD MSR is available: YES + * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) + * Single Thread Indirect Branch Predictors (STIBP) + * SPEC_CTRL MSR is available: YES + * CPU indicates STIBP capability: YES (Intel STIBP feature bit) + * Speculative Store Bypass Disable (SSBD) + * CPU indicates SSBD capability: YES (Intel SSBD) + * L1 data cache invalidation + * FLUSH_CMD MSR is available: YES + * CPU indicates L1D flush capability: YES (L1D flush feature bit) + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) + * Enhanced IBRS (IBRS_ALL) + * CPU indicates ARCH_CAPABILITIES MSR availability: YES + * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES + * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES + * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO + * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES + * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO + * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): YES + * TSX_CTRL MSR indicates TSX RTM is disabled: YES + * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES + * CPU supports Transactional Synchronization Extensions (TSX): NO + * CPU supports Software Guard Extensions (SGX): NO + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO + * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x7 ucode 0x500002c cpuid 0x50657) + * CPU microcode is the latest known available version: NO (latest version is 0x5003102 dated 2021/03/08 according to builtin firmwares DB v191+i20210217) + * CPU vulnerability to the speculative execution attack variants + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) + > STATUS: UNKNOWN (/sys vulnerability interface use forced, but it s not available!) + + CVE-2017-5715 aka Spectre Variant 2, branch target injection + * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling) + > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability) + + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load + * Mitigated according to the /sys interface: YES (Not affected) + * Running as a Xen PV DomU: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3640 aka Variant 3a, rogue system register read + * CPU microcode mitigates the vulnerability: YES + > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) + + CVE-2018-3639 aka Variant 4, speculative store bypass + * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault + * CPU microcode mitigates the vulnerability: N/A + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (Not affected) + + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault + * Information from the /sys interface: Not affected + > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable) + + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (KVM: Mitigation: Split huge pages) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + > SUMMARY: CVE-2017-5753:?? CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK :: - awk: fatal: cannot open file `bash for reading (No such file or directory) + Spectre and Meltdown mitigation detection tool v0.44+ + Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 CPU is Intel(R) Xeon(R) Gold 6252N CPU @ 2.30GHz Hardware check @@ -211,50 +167,36 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * TSX_CTRL MSR indicates TSX CPUID bit is cleared: YES * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x7 ucode 0x500002c cpuid 0x50657) - * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory) - UNKNOWN (latest microcode version for your CPU model is unknown) + * CPU microcode is the latest known available version: NO (latest version is 0x5003102 dated 2021/03/08 according to builtin firmwares DB v191+i20210217) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO CVE-2017-5753 aka Spectre Variant 1, bounds check bypass * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) - * Kernel has the Red Hat/Ubuntu patch: NO - * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) + > STATUS: UNKNOWN (/sys vulnerability interface use forced, but its not available!) CVE-2017-5715 aka Spectre Variant 2, branch target injection * Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling) - * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (Enhanced flavor, performance impact will be greatly reduced) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES - * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel compiled with retpoline option: YES - * Kernel supports RSB filling: YES - > STATUS: NOT VULNERABLE (Enhanced IBRS + IBPB are mitigating the vulnerability) + > STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability) CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) - * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) @@ -264,9 +206,6 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github CVE-2018-3639 aka Variant 4, speculative store bypass * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) - * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault @@ -275,61 +214,38 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports PTE inversion: YES (found in kernel image) - * PTE inversion enabled and active: NO > STATUS: NOT VULNERABLE (Not affected) CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault * Information from the /sys interface: Not affected - * This system is a host running a hypervisor: NO - * Mitigation 1 (KVM) - * EPT is disabled: NO - * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) - * L1D flush enabled: NO - * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES > STATUS: NOT VULNERABLE (your kernel reported your CPU model as not vulnerable) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) * Mitigated according to the /sys interface: YES (Mitigation: TSX disabled) - * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) - * TAA mitigation enabled and active: YES (Mitigation: TSX disabled) > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) - * This system is a host running a hypervisor: NO - * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) - * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) - > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + > STATUS: NOT VULNERABLE (KVM: Mitigation: Split huge pages) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK + > SUMMARY: CVE-2017-5753:?? CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_dnv.rst b/docs/report/introduction/test_environment_sut_meltspec_dnv.rst index 616449efd7..4b3a8a134d 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_dnv.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_dnv.rst @@ -8,10 +8,11 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.42 + Spectre and Meltdown mitigation detection tool v0.44+ + Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-51-generic #55-Ubuntu SMP Wed May 15 14:27:21 UTC 2019 x86_64 - CPU is Intel(R) Atom(TM) CPU C3858 @ 2.00GHz + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 + CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz Hardware check * Hardware support (CPU microcode) for mitigation techniques @@ -27,42 +28,221 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Speculative Store Bypass Disable (SSBD) * CPU indicates SSBD capability: YES (Intel SSBD) * L1 data cache invalidation + * FLUSH_CMD MSR is available: YES + * CPU indicates L1D flush capability: YES (L1D flush feature bit) + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) + * Enhanced IBRS (IBRS_ALL) + * CPU indicates ARCH_CAPABILITIES MSR availability: NO + * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO + * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO + * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO + * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO + * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO + * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit) + * CPU supports Software Guard Extensions (SGX): NO + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO + * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x4 ucode 0x2000065 cpuid 0x50654) + * CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 according to builtin firmwares DB v191+i20210217) + * CPU vulnerability to the speculative execution attack variants + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) + * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) + * Kernel has the Red Hat/Ubuntu patch: NO + * Kernel has mask_nospec64 (arm64): NO + * Kernel has array_index_nospec (arm64): NO + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) + + CVE-2017-5715 aka Spectre Variant 2, branch target injection + * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) + * Mitigation 1 + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: YES (for firmware code only) + * Kernel is compiled with IBPB support: YES + * IBPB enabled and active: YES + * Mitigation 2 + * Kernel has branch predictor hardening (arm): NO + * Kernel compiled with retpoline option: YES + * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) + * Kernel supports RSB filling: YES + > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) + + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load + * Mitigated according to the /sys interface: YES (Mitigation: PTI) + * Kernel supports Page Table Isolation (PTI): YES + * PTI enabled and active: YES + * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) + * Running as a Xen PV DomU: NO + > STATUS: NOT VULNERABLE (Mitigation: PTI) + + CVE-2018-3640 aka Variant 3a, rogue system register read + * CPU microcode mitigates the vulnerability: YES + > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) + + CVE-2018-3639 aka Variant 4, speculative store bypass + * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) + * SSB mitigation is enabled and active: YES (per-thread through prctl) + * SSB mitigation currently active for selected processes: YES (boltd fwupd irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) + > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault + * CPU microcode mitigates the vulnerability: N/A + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault + * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable) + * Kernel supports PTE inversion: YES (found in kernel image) + * PTE inversion enabled and active: YES + > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable) + + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault + * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable + * This system is a host running a hypervisor: NO + * Mitigation 1 (KVM) + * EPT is disabled: NO + * Mitigation 2 + * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) + * L1D flush enabled: YES (conditional flushes) + * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) + * Hyper-Threading (SMT) is enabled: YES + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + > STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK + +:: + + Spectre and Meltdown mitigation detection tool v0.44+ + + Checking for vulnerabilities on current system + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 + CPU is Intel(R) Atom(TM) CPU C3858 @ 2.00GHz + + Hardware check + * Hardware support (CPU microcode) for mitigation techniques + * Indirect Branch Restricted Speculation (IBRS) + * SPEC_CTRL MSR is available: YES + * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) + * Indirect Branch Prediction Barrier (IBPB) + * PRED_CMD MSR is available: YES + * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) + * Single Thread Indirect Branch Predictors (STIBP) + * SPEC_CTRL MSR is available: YES + * CPU indicates STIBP capability: YES (Intel STIBP feature bit) + * Speculative Store Bypass Disable (SSBD) + * CPU indicates SSBD capability: NO + * L1 data cache invalidation * FLUSH_CMD MSR is available: NO * CPU indicates L1D flush capability: NO - * Microarchitecture Data Sampling - * VERW instruction is available: YES (MD_CLEAR feature bit) + * Microarchitectural Data Sampling + * VERW instruction is available: NO * Enhanced IBRS (IBRS_ALL) * CPU indicates ARCH_CAPABILITIES MSR availability: YES * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO - * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES + * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO - * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES + * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x5f family 0x6 stepping 0x1 ucode 0x2e cpuid 0x506f1) - * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory) - UNKNOWN (latest microcode version for your CPU model is unknown) + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO + * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x5f stepping 0x1 ucode 0x20 cpuid 0x506f1) + * CPU microcode is the latest known available version: NO (latest version is 0x34 dated 2020/10/23 according to builtin firmwares DB v191+i20210217) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + * Kernel has array_index_nospec (arm64): NO + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling) @@ -80,21 +260,20 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) + * PTI enabled and active: NO * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-3640 aka Variant 3a, rogue system register read - * CPU microcode mitigates the vulnerability: YES - > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) + * CPU microcode mitigates the vulnerability: NO + > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability) CVE-2018-3639 aka Variant 4, speculative store bypass - * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + * Mitigated according to the /sys interface: NO (Vulnerable) * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) - * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) - > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + * SSB mitigation is enabled and active: NO + > STATUS: VULNERABLE (Your CPU doesnt support SSBD) CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault * CPU microcode mitigates the vulnerability: N/A @@ -120,30 +299,49 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Not affected) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (Not affected) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst b/docs/report/introduction/test_environment_sut_meltspec_hsw.rst deleted file mode 100644 index 092bfb3ca1..0000000000 --- a/docs/report/introduction/test_environment_sut_meltspec_hsw.rst +++ /dev/null @@ -1,170 +0,0 @@ -Spectre and Meltdown Checks -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Following section displays the output of a running shell script to tell if -system is vulnerable against the several "speculative execution" CVEs that were -made public in 2018. Script is available on `Spectre & Meltdown Checker Github -<https://github.com/speed47/spectre-meltdown-checker>`_. - -:: - - Spectre and Meltdown mitigation detection tool v0.43 - - awk: cannot open bash (No such file or directory) - Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 - CPU is Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz - - Hardware check - * Hardware support (CPU microcode) for mitigation techniques - * Indirect Branch Restricted Speculation (IBRS) - * SPEC_CTRL MSR is available: YES - * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) - * Indirect Branch Prediction Barrier (IBPB) - * PRED_CMD MSR is available: YES - * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) - * Single Thread Indirect Branch Predictors (STIBP) - * SPEC_CTRL MSR is available: YES - * CPU indicates STIBP capability: YES (Intel STIBP feature bit) - * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: YES (Intel SSBD) - * L1 data cache invalidation - * FLUSH_CMD MSR is available: YES - * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitectural Data Sampling - * VERW instruction is available: YES (MD_CLEAR feature bit) - * Enhanced IBRS (IBRS_ALL) - * CPU indicates ARCH_CAPABILITIES MSR availability: NO - * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO - * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO - * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO - * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO - * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO - * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO - * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO - * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO - * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO - * CPU supports Transactional Synchronization Extensions (TSX): NO - * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x3f family 0x6 stepping 0x2 ucode 0x43 cpuid 0x306f2) - * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) - UNKNOWN (latest microcode version for your CPU model is unknown) - * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES - - CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) - * Kernel has the Red Hat/Ubuntu patch: NO - * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - - CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling) - * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (for firmware code only) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES - * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel compiled with retpoline option: YES - * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) - > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) - - CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load - * Mitigated according to the /sys interface: YES (Mitigation: PTI) - * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: YES - * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) - * Running as a Xen PV DomU: NO - > STATUS: NOT VULNERABLE (Mitigation: PTI) - - CVE-2018-3640 aka Variant 3a, rogue system register read - * CPU microcode mitigates the vulnerability: YES - > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) - - CVE-2018-3639 aka Variant 4, speculative store bypass - * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) - * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) - > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - - CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault - * CPU microcode mitigates the vulnerability: N/A - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault - * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled) - * Kernel supports PTE inversion: YES (found in kernel image) - * PTE inversion enabled and active: YES - > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled) - - CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault - * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled - * This system is a host running a hypervisor: NO - * Mitigation 1 (KVM) - * EPT is disabled: NO - * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) - * L1D flush enabled: YES (conditional flushes) - * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: NO - > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - - CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) - * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: YES - * SMT is either mitigated or disabled: YES - > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) - - CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) - * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: YES - * SMT is either mitigated or disabled: YES - > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) - - CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) - * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: YES - * SMT is either mitigated or disabled: YES - > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) - - CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) - * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT disabled) - * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) - * Kernel mitigation is enabled and active: YES - * SMT is either mitigated or disabled: YES - > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) - - CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) - * Mitigated according to the /sys interface: YES (Not affected) - * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) - * TAA mitigation enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) - * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) - * This system is a host running a hypervisor: NO - * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) - * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) - > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_skx.rst b/docs/report/introduction/test_environment_sut_meltspec_skx.rst index e242e19b7e..0e2f5b9783 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_skx.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_skx.rst @@ -8,89 +8,90 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.43 + Spectre and Meltdown mitigation detection tool v0.44+ - awk: cannot open bash (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz Hardware check * Hardware support (CPU microcode) for mitigation techniques - * Indirect Branch Restricted Speculation (IBRS) - * SPEC_CTRL MSR is available: YES - * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) - * Indirect Branch Prediction Barrier (IBPB) - * PRED_CMD MSR is available: YES - * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) - * Single Thread Indirect Branch Predictors (STIBP) - * SPEC_CTRL MSR is available: YES - * CPU indicates STIBP capability: YES (Intel STIBP feature bit) - * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: YES (Intel SSBD) - * L1 data cache invalidation - * FLUSH_CMD MSR is available: YES - * CPU indicates L1D flush capability: YES (L1D flush feature bit) - * Microarchitectural Data Sampling - * VERW instruction is available: YES (MD_CLEAR feature bit) - * Enhanced IBRS (IBRS_ALL) - * CPU indicates ARCH_CAPABILITIES MSR availability: NO - * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO - * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO - * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO - * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO - * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO - * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO - * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO - * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO - * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO - * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit) - * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000064 cpuid 0x50654) - * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) - UNKNOWN (latest microcode version for your CPU model is unknown) + * Indirect Branch Restricted Speculation (IBRS) + * SPEC_CTRL MSR is available: YES + * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit) + * Indirect Branch Prediction Barrier (IBPB) + * PRED_CMD MSR is available: YES + * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit) + * Single Thread Indirect Branch Predictors (STIBP) + * SPEC_CTRL MSR is available: YES + * CPU indicates STIBP capability: YES (Intel STIBP feature bit) + * Speculative Store Bypass Disable (SSBD) + * CPU indicates SSBD capability: YES (Intel SSBD) + * L1 data cache invalidation + * FLUSH_CMD MSR is available: YES + * CPU indicates L1D flush capability: YES (L1D flush feature bit) + * Microarchitectural Data Sampling + * VERW instruction is available: YES (MD_CLEAR feature bit) + * Enhanced IBRS (IBRS_ALL) + * CPU indicates ARCH_CAPABILITIES MSR availability: NO + * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO + * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO + * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO + * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO + * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO + * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO + * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO + * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO + * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO + * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit) + * CPU supports Software Guard Extensions (SGX): NO + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO + * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x4 ucode 0x2000065 cpuid 0x50654) + * CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 according to builtin firmwares DB v191+i20210217) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO CVE-2017-5753 aka Spectre Variant 1, bounds check bypass * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO + * Kernel has array_index_nospec (arm64): NO > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (for firmware code only) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: YES (for firmware code only) + * Kernel is compiled with IBPB support: YES + * IBPB enabled and active: YES * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel compiled with retpoline option: YES - * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) - * Kernel supports RSB filling: YES + * Kernel has branch predictor hardening (arm): NO + * Kernel compiled with retpoline option: YES + * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) + * Kernel supports RSB filling: YES > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Mitigation: PTI) * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: YES - * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) + * PTI enabled and active: YES + * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (Mitigation: PTI) @@ -102,7 +103,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) + * SSB mitigation currently active for selected processes: YES (boltd fwupd irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault @@ -119,12 +120,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) - * EPT is disabled: NO + * EPT is disabled: NO * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) - * L1D flush enabled: YES (conditional flushes) - * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) - * Hyper-Threading (SMT) is enabled: YES + * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) + * L1D flush enabled: YES (conditional flushes) + * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) + * Hyper-Threading (SMT) is enabled: YES > STATUS: NOT VULNERABLE (this system is not running a hypervisor) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) @@ -168,4 +169,10 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) > STATUS: NOT VULNERABLE (this system is not running a hypervisor) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_tsh.rst b/docs/report/introduction/test_environment_sut_meltspec_tsh.rst index f7d385061c..67c90559c8 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_tsh.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_tsh.rst @@ -8,11 +8,10 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.43 + Spectre and Meltdown mitigation detection tool v0.44+ - awk: cannot open bash (No such file or directory) Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 CPU is Intel(R) Xeon(R) Platinum 8180 CPU @ 2.50GHz Hardware check @@ -27,12 +26,12 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * SPEC_CTRL MSR is available: YES * CPU indicates STIBP capability: YES (Intel STIBP feature bit) * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: NO + * CPU indicates SSBD capability: YES (Intel SSBD) * L1 data cache invalidation - * FLUSH_CMD MSR is available: NO - * CPU indicates L1D flush capability: NO + * FLUSH_CMD MSR is available: YES + * CPU indicates L1D flush capability: YES (L1D flush feature bit) * Microarchitectural Data Sampling - * VERW instruction is available: NO + * VERW instruction is available: YES (MD_CLEAR feature bit) * Enhanced IBRS (IBRS_ALL) * CPU indicates ARCH_CAPABILITIES MSR availability: NO * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO @@ -46,34 +45,36 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO * CPU supports Transactional Synchronization Extensions (TSX): YES (RTM feature bit) * CPU supports Software Guard Extensions (SGX): NO - * CPU microcode is known to cause stability problems: NO (model 0x55 family 0x6 stepping 0x4 ucode 0x2000043 cpuid 0x50654) - * CPU microcode is the latest known available version: awk: cannot open bash (No such file or directory) - UNKNOWN (latest microcode version for your CPU model is unknown) + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO + * CPU microcode is known to cause stability problems: NO (family 0x6 model 0x55 stepping 0x4 ucode 0x2000065 cpuid 0x50654) + * CPU microcode is the latest known available version: NO (latest version is 0x2006b06 dated 2021/03/08 according to builtin firmwares DB v191+i20210217) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): YES + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO CVE-2017-5753 aka Spectre Variant 1, bounds check bypass - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + * Kernel has array_index_nospec (arm64): NO + > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) CVE-2017-5715 aka Spectre Variant 2, branch target injection - * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW) + * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES * IBRS enabled and active: YES (for firmware code only) @@ -95,6 +96,143 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github > STATUS: NOT VULNERABLE (Mitigation: PTI) CVE-2018-3640 aka Variant 3a, rogue system register read + * CPU microcode mitigates the vulnerability: YES + > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability) + + CVE-2018-3639 aka Variant 4, speculative store bypass + * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) + * SSB mitigation is enabled and active: YES (per-thread through prctl) + * SSB mitigation currently active for selected processes: YES (boltd fwupd irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) + > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault + * CPU microcode mitigates the vulnerability: N/A + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault + * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable) + * Kernel supports PTE inversion: YES (found in kernel image) + * PTE inversion enabled and active: YES + > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable) + + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault + * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable + * This system is a host running a hypervisor: NO + * Mitigation 1 (KVM) + * EPT is disabled: NO + * Mitigation 2 + * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo) + * L1D flush enabled: YES (conditional flushes) + * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced) + * Hyper-Threading (SMT) is enabled: YES + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo) + * Kernel mitigation is enabled and active: YES + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: YES (Mitigation: Clear CPU buffers; SMT vulnerable) + > STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (KVM: Mitigation: Split huge pages) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: Split huge pages) + > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK + +:: + + Spectre and Meltdown mitigation detection tool v0.44+ + + Checking for vulnerabilities on current system + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:27:25 UTC 2021 aarch64 + CPU is ARM v8 model 0xd08 + + Hardware check + * CPU vulnerability to the speculative execution attack variants + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Kernel has array_index_mask_nospec: NO + * Kernel has the Red Hat/Ubuntu patch: NO + * Kernel has mask_nospec64 (arm64): NO + * Kernel has array_index_nospec (arm64): NO + * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic)) + > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + + CVE-2017-5715 aka Spectre Variant 2, branch target injection + * Mitigated according to the /sys interface: NO (Vulnerable) + * Mitigation 1 + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: NO + * Kernel is compiled with IBPB support: NO + * IBPB enabled and active: NO + * Mitigation 2 + * Kernel has branch predictor hardening (arm): YES + * Kernel compiled with retpoline option: NO + > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability) + + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports Page Table Isolation (PTI): YES + * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) + * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) + * Running as a Xen PV DomU: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3640 aka Variant 3a, rogue system register read * CPU microcode mitigates the vulnerability: NO > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability) @@ -109,46 +247,206 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault + * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports PTE inversion: NO - * PTE inversion enabled and active: UNKNOWN (sysfs interface not available) - > STATUS: VULNERABLE (Your kernel doesnt support PTE inversion, update it) + * PTE inversion enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault + * Information from the /sys interface: Not affected * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) - * EPT is disabled: NO + * EPT is disabled: N/A (the kvm_intel module is not loaded) * Mitigation 2 * L1D flush is supported by kernel: NO - * L1D flush enabled: UNKNOWN (cant find or read /sys/devices/system/cpu/vulnerabilities/l1tf) + * L1D flush enabled: NO * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) - * Hyper-Threading (SMT) is enabled: YES - > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + * Hyper-Threading (SMT) is enabled: UNKNOWN + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) + * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) + * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) + * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) + * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO - > STATUS: VULNERABLE (Neither your kernel or your microcode support mitigation, upgrade both to mitigate the vulnerability) + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) - * TAA mitigation is supported by kernel: NO - * TAA mitigation enabled and active: NO (tsx_async_abort not found in sysfs hierarchy) - > STATUS: VULNERABLE (Your kernel doesnt support TAA mitigation, update it) + * Mitigated according to the /sys interface: YES (Not affected) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (Not affected) * This system is a host running a hypervisor: NO - * iTLB Multihit mitigation is supported by kernel: NO - * iTLB Multihit mitigation enabled and active: NO (itlb_multihit not found in sysfs hierarchy) - > STATUS: NOT VULNERABLE (this system is not running a hypervisor) + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: NO + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK + + Need more detailed information about mitigation options? Use --explain + A false sense of security is worse than no security at all, see --disclaimer +ok: [10.30.51.37] => + spectre_meltdown_poll_results.stdout_lines: + Spectre and Meltdown mitigation detection tool v0.44+ + + Checking for vulnerabilities on current system + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:27:25 UTC 2021 aarch64 + CPU is ARM v8 model 0xd08 + + Hardware check + * CPU vulnerability to the speculative execution attack variants + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Kernel has array_index_mask_nospec: NO + * Kernel has the Red Hat/Ubuntu patch: NO + * Kernel has mask_nospec64 (arm64): NO + * Kernel has array_index_nospec (arm64): NO + * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic)) + > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + + CVE-2017-5715 aka Spectre Variant 2, branch target injection + * Mitigated according to the /sys interface: NO (Vulnerable) + * Mitigation 1 + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: NO + * Kernel is compiled with IBPB support: NO + * IBPB enabled and active: NO + * Mitigation 2 + * Kernel has branch predictor hardening (arm): YES + * Kernel compiled with retpoline option: NO + > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability) + + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports Page Table Isolation (PTI): YES + * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) + * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) + * Running as a Xen PV DomU: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3640 aka Variant 3a, rogue system register read + * CPU microcode mitigates the vulnerability: NO + > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability) + + CVE-2018-3639 aka Variant 4, speculative store bypass + * Mitigated according to the /sys interface: NO (Vulnerable) + * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) + * SSB mitigation is enabled and active: NO + > STATUS: VULNERABLE (Your CPU doesnt support SSBD) + + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault + * CPU microcode mitigates the vulnerability: N/A + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports PTE inversion: NO + * PTE inversion enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault + * Information from the /sys interface: Not affected + * This system is a host running a hypervisor: NO + * Mitigation 1 (KVM) + * EPT is disabled: N/A (the kvm_intel module is not loaded) + * Mitigation 2 + * L1D flush is supported by kernel: NO + * L1D flush enabled: NO + * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) + * Hyper-Threading (SMT) is enabled: UNKNOWN + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Not affected) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (Not affected) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: NO + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:KO CVE-2018-12207:OK + > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK diff --git a/docs/report/introduction/test_environment_sut_meltspec_tx2.rst b/docs/report/introduction/test_environment_sut_meltspec_tx2.rst index 06a6921673..f12113a8bf 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_tx2.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_tx2.rst @@ -11,131 +11,133 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github Spectre and Meltdown mitigation detection tool v0.44+ Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:21:09 UTC 2019 aarch64 + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:27:25 UTC 2021 aarch64 CPU is Hardware check * CPU vulnerability to the speculative execution attack variants - * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO - * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO - * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO - * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO - * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO - * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO - * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO - * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO - * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO - * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO - * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO - - CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass' - * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) - * Kernel has array_index_mask_nospec: NO - * Kernel has the Red Hat/Ubuntu patch: NO - * Kernel has mask_nospec64 (arm64): NO - * Kernel has array_index_nospec (arm64): NO - * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic)) - > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) - - CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' - * Mitigated according to the /sys interface: NO (Vulnerable) + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass + * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) + * Kernel has array_index_mask_nospec: NO + * Kernel has the Red Hat/Ubuntu patch: NO + * Kernel has mask_nospec64 (arm64): NO + * Kernel has array_index_nospec (arm64): NO + * Checking count of LFENCE instructions following a jump in kernel... NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic)) + > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) + + CVE-2017-5715 aka Spectre Variant 2, branch target injection + * Mitigated according to the /sys interface: NO (Vulnerable) * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: NO - * Kernel is compiled with IBPB support: NO - * IBPB enabled and active: NO + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: NO + * Kernel is compiled with IBPB support: NO + * IBPB enabled and active: NO * Mitigation 2 - * Kernel has branch predictor hardening (arm): YES - * Kernel compiled with retpoline option: NO - > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability) - - CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) - * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) - * Running as a Xen PV DomU: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3640 aka 'Variant 3a, rogue system register read' - * CPU microcode mitigates the vulnerability: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3639 aka 'Variant 4, speculative store bypass' - * Mitigated according to the /sys interface: NO (Vulnerable) - * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) - * SSB mitigation is enabled and active: > STATUS: VULNERABLE (Your CPU doesn't support SSBD) - - CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault' - * CPU microcode mitigates the vulnerability: N/A - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports PTE inversion: NO - * PTE inversion enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' + * Kernel has branch predictor hardening (arm): YES + * Kernel compiled with retpoline option: NO + > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability) + + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports Page Table Isolation (PTI): YES + * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) + * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) + * Running as a Xen PV DomU: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3640 aka Variant 3a, rogue system register read + * CPU microcode mitigates the vulnerability: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3639 aka Variant 4, speculative store bypass + * Mitigated according to the /sys interface: NO (Vulnerable) + * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) + * SSB mitigation is enabled and active: NO + > STATUS: VULNERABLE (Your CPU doesnt support SSBD) + + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault + * CPU microcode mitigates the vulnerability: N/A + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports PTE inversion: NO + * PTE inversion enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault * Information from the /sys interface: Not affected - * This system is a host running a hypervisor: NO + * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) - * EPT is disabled: N/A (the kvm_intel module is not loaded) + * EPT is disabled: N/A (the kvm_intel module is not loaded) * Mitigation 2 - * L1D flush is supported by kernel: NO - * L1D flush enabled: NO - * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) - * Hyper-Threading (SMT) is enabled: UNKNOWN - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: NO - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: NO - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: NO - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: NO - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)' - * Mitigated according to the /sys interface: YES (Not affected) - * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) - * TAA mitigation enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)' - * Mitigated according to the /sys interface: YES (Not affected) - * This system is a host running a hypervisor: NO - * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) - * iTLB Multihit mitigation enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)' - * SRBDS mitigation control is supported by the kernel: NO - * SRBDS mitigation control is enabled and active: NO (SRBDS not found in sysfs hierarchy) - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + * L1D flush is supported by kernel: NO + * L1D flush enabled: NO + * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) + * Hyper-Threading (SMT) is enabled: UNKNOWN + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) + * Mitigated according to the /sys interface: YES (Not affected) + * Kernel supports using MD_CLEAR mitigation: NO + * Kernel mitigation is enabled and active: NO + * SMT is either mitigated or disabled: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) + * Mitigated according to the /sys interface: YES (Not affected) + * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) + * TAA mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) + * Mitigated according to the /sys interface: YES (Not affected) + * This system is a host running a hypervisor: NO + * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) + * iTLB Multihit mitigation enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: NO + * SRBDS mitigation control is enabled and active: NO + > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK
\ No newline at end of file diff --git a/docs/report/introduction/test_environment_sut_meltspec_zn2.rst b/docs/report/introduction/test_environment_sut_meltspec_zn2.rst index 24169331a7..8269ce7f92 100644 --- a/docs/report/introduction/test_environment_sut_meltspec_zn2.rst +++ b/docs/report/introduction/test_environment_sut_meltspec_zn2.rst @@ -8,10 +8,10 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github :: - Spectre and Meltdown mitigation detection tool v0.43 + Spectre and Meltdown mitigation detection tool v0.44+ Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 + Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 CPU is AMD EPYC 7532 32-Core Processor Hardware check @@ -36,26 +36,26 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * CPU supports Transactional Synchronization Extensions (TSX): NO * CPU supports Software Guard Extensions (SGX): NO * CPU supports Special Register Buffer Data Sampling (SRBDS): NO - * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301034 cpuid 0x830f10) - * CPU microcode is the latest known available version: NO (latest version is 0x8301039 dated 2020/02/07 according to builtin firmwares DB v160.20200912+i20200722) + * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301038 cpuid 0x830f10) + * CPU microcode is the latest known available version: NO (latest version is 0x830104d dated 2020/07/28 according to builtin firmwares DB v191+i20210217) * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): NO - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO - * Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO - - CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass' + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + + CVE-2017-5753 aka Spectre Variant 1, bounds check bypass * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO @@ -63,7 +63,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Kernel has array_index_nospec (arm64): NO > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' + CVE-2017-5715 aka Spectre Variant 2, branch target injection * Mitigated according to the /sys interface: YES (Mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) * Mitigation 1 * Kernel is compiled with IBRS support: YES @@ -76,7 +76,7 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) - CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load' + CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports Page Table Isolation (PTI): YES * PTI enabled and active: NO @@ -84,28 +84,28 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3640 aka 'Variant 3a, rogue system register read' + CVE-2018-3640 aka Variant 3a, rogue system register read * CPU microcode mitigates the vulnerability: YES > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3639 aka 'Variant 4, speculative store bypass' + CVE-2018-3639 aka Variant 4, speculative store bypass * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) + * SSB mitigation currently active for selected processes: YES (irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault' + CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault * CPU microcode mitigates the vulnerability: N/A > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault' + CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports PTE inversion: YES (found in kernel image) * PTE inversion enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' + CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault * Information from the /sys interface: Not affected * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) @@ -117,215 +117,211 @@ made public in 2018. Script is available on `Spectre & Meltdown Checker Github * Hyper-Threading (SMT) is enabled: YES > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)' + CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)' + CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)' + CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)' + CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)' + CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) * Mitigated according to the /sys interface: YES (Not affected) * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) * TAA mitigation enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)' + CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) * Mitigated according to the /sys interface: YES (Not affected) * This system is a host running a hypervisor: NO * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) * iTLB Multihit mitigation enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)' - * SRBDS mitigation control is supported by the kernel: NO - * SRBDS mitigation control is enabled and active: NO (SRBDS not found in sysfs hierarchy) + CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) + * Mitigated according to the /sys interface: YES (Not affected) + * SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) + * SRBDS mitigation control is enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK - Need more detailed information about mitigation options? Use --explain - A false sense of security is worse than no security at all, see --disclaimer - :: - Spectre and Meltdown mitigation detection tool v0.43 - - Checking for vulnerabilities on current system - Kernel is Linux 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 - CPU is AMD EPYC 7532 32-Core Processor - - Hardware check - * Hardware support (CPU microcode) for mitigation techniques - * Indirect Branch Restricted Speculation (IBRS) - * SPEC_CTRL MSR is available: YES - * CPU indicates IBRS capability: YES (IBRS_SUPPORT feature bit) - * CPU indicates preferring IBRS always-on: NO - * CPU indicates preferring IBRS over retpoline: YES - * Indirect Branch Prediction Barrier (IBPB) - * PRED_CMD MSR is available: YES - * CPU indicates IBPB capability: YES (IBPB_SUPPORT feature bit) - * Single Thread Indirect Branch Predictors (STIBP) - * SPEC_CTRL MSR is available: YES - * CPU indicates STIBP capability: YES (AMD STIBP feature bit) - * CPU indicates preferring STIBP always-on: NO - * Speculative Store Bypass Disable (SSBD) - * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL) - * L1 data cache invalidation - * FLUSH_CMD MSR is available: NO - * CPU indicates L1D flush capability: NO - * CPU supports Transactional Synchronization Extensions (TSX): NO - * CPU supports Software Guard Extensions (SGX): NO - * CPU supports Special Register Buffer Data Sampling (SRBDS): NO - * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301034 cpuid 0x830f10) - * CPU microcode is the latest known available version: NO (latest version is 0x8301039 dated 2020/02/07 according to builtin firmwares DB v160.20200912+i20200722) - * CPU vulnerability to the speculative execution attack variants - * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES - * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES - * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO - * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): NO - * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES - * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO - * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO - * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO - * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO - * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO - * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO - * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO - * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO - * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO - * Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO - - CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass' - * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) - * Kernel has the Red Hat/Ubuntu patch: NO - * Kernel has mask_nospec64 (arm64): NO - * Kernel has array_index_nospec (arm64): NO - > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) - - CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' - * Mitigated according to the /sys interface: YES (Mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) - * Mitigation 1 - * Kernel is compiled with IBRS support: YES - * IBRS enabled and active: YES (for firmware code only) - * Kernel is compiled with IBPB support: YES - * IBPB enabled and active: YES - * Mitigation 2 - * Kernel has branch predictor hardening (arm): NO - * Kernel compiled with retpoline option: YES - * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) - > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) - - CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports Page Table Isolation (PTI): YES - * PTI enabled and active: NO - * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) - * Running as a Xen PV DomU: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3640 aka 'Variant 3a, rogue system register read' - * CPU microcode mitigates the vulnerability: YES - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3639 aka 'Variant 4, speculative store bypass' - * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) - * SSB mitigation is enabled and active: YES (per-thread through prctl) - * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) - > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) - - CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault' - * CPU microcode mitigates the vulnerability: N/A - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports PTE inversion: YES (found in kernel image) - * PTE inversion enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' - * Information from the /sys interface: Not affected - * This system is a host running a hypervisor: NO - * Mitigation 1 (KVM) - * EPT is disabled: N/A (the kvm_intel module is not loaded) - * Mitigation 2 - * L1D flush is supported by kernel: YES (found flush_l1d in kernel image) - * L1D flush enabled: NO - * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) - * Hyper-Threading (SMT) is enabled: YES - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)' - * Mitigated according to the /sys interface: YES (Not affected) - * Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) - * Kernel mitigation is enabled and active: NO - * SMT is either mitigated or disabled: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)' - * Mitigated according to the /sys interface: YES (Not affected) - * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) - * TAA mitigation enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)' - * Mitigated according to the /sys interface: YES (Not affected) - * This system is a host running a hypervisor: NO - * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) - * iTLB Multihit mitigation enabled and active: NO - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)' - * SRBDS mitigation control is supported by the kernel: NO - * SRBDS mitigation control is enabled and active: NO (SRBDS not found in sysfs hierarchy) - > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) - - > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK - - Need more detailed information about mitigation options? Use --explain - A false sense of security is worse than no security at all, see --disclaimer
\ No newline at end of file +Spectre and Meltdown mitigation detection tool v0.44+ + +Checking for vulnerabilities on current system +Kernel is Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 +CPU is AMD EPYC 7532 32-Core Processor + +Hardware check +* Hardware support (CPU microcode) for mitigation techniques + * Indirect Branch Restricted Speculation (IBRS) + * SPEC_CTRL MSR is available: YES + * CPU indicates IBRS capability: YES (IBRS_SUPPORT feature bit) + * CPU indicates preferring IBRS always-on: NO + * CPU indicates preferring IBRS over retpoline: YES + * Indirect Branch Prediction Barrier (IBPB) + * PRED_CMD MSR is available: YES + * CPU indicates IBPB capability: YES (IBPB_SUPPORT feature bit) + * Single Thread Indirect Branch Predictors (STIBP) + * SPEC_CTRL MSR is available: YES + * CPU indicates STIBP capability: YES (AMD STIBP feature bit) + * CPU indicates preferring STIBP always-on: NO + * Speculative Store Bypass Disable (SSBD) + * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL) + * L1 data cache invalidation + * FLUSH_CMD MSR is available: NO + * CPU indicates L1D flush capability: NO + * CPU supports Transactional Synchronization Extensions (TSX): NO + * CPU supports Software Guard Extensions (SGX): NO + * CPU supports Special Register Buffer Data Sampling (SRBDS): NO + * CPU microcode is known to cause stability problems: NO (family 0x17 model 0x31 stepping 0x0 ucode 0x8301038 cpuid 0x830f10) + * CPU microcode is the latest known available version: NO (latest version is 0x830104d dated 2020/07/28 according to builtin firmwares DB v191+i20210217) +* CPU vulnerability to the speculative execution attack variants + * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES + * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES + * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO + * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO + * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES + * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO + * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO + * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO + * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO + * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO + * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO + * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO + * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO + * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO + * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO + +CVE-2017-5753 aka Spectre Variant 1, bounds check bypass +* Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) +* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec()) +* Kernel has the Red Hat/Ubuntu patch: NO +* Kernel has mask_nospec64 (arm64): NO +* Kernel has array_index_nospec (arm64): NO +> STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization) + +CVE-2017-5715 aka Spectre Variant 2, branch target injection +* Mitigated according to the /sys interface: YES (Mitigation: Full AMD retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling) +* Mitigation 1 + * Kernel is compiled with IBRS support: YES + * IBRS enabled and active: YES (for firmware code only) + * Kernel is compiled with IBPB support: YES + * IBPB enabled and active: YES +* Mitigation 2 + * Kernel has branch predictor hardening (arm): NO + * Kernel compiled with retpoline option: YES + * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation) +> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability) + +CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load +* Mitigated according to the /sys interface: YES (Not affected) +* Kernel supports Page Table Isolation (PTI): YES + * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script) + * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) +* Running as a Xen PV DomU: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-3640 aka Variant 3a, rogue system register read +* CPU microcode mitigates the vulnerability: YES +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-3639 aka Variant 4, speculative store bypass +* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) +* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) +* SSB mitigation is enabled and active: YES (per-thread through prctl) +* SSB mitigation currently active for selected processes: YES (irqbalance systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd) +> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp) + +CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault +* CPU microcode mitigates the vulnerability: N/A +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault +* Mitigated according to the /sys interface: YES (Not affected) +* Kernel supports PTE inversion: YES (found in kernel image) +* PTE inversion enabled and active: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault +* Information from the /sys interface: Not affected +* This system is a host running a hypervisor: NO +* Mitigation 1 (KVM) + * EPT is disabled: N/A (the kvm_intel module is not loaded) +* Mitigation 2 + * L1D flush is supported by kernel: YES (found flush_l1d in kernel image) + * L1D flush enabled: NO + * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) + * Hyper-Threading (SMT) is enabled: YES +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS) +* Mitigated according to the /sys interface: YES (Not affected) +* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) +* Kernel mitigation is enabled and active: NO +* SMT is either mitigated or disabled: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS) +* Mitigated according to the /sys interface: YES (Not affected) +* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) +* Kernel mitigation is enabled and active: NO +* SMT is either mitigated or disabled: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS) +* Mitigated according to the /sys interface: YES (Not affected) +* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) +* Kernel mitigation is enabled and active: NO +* SMT is either mitigated or disabled: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM) +* Mitigated according to the /sys interface: YES (Not affected) +* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image) +* Kernel mitigation is enabled and active: NO +* SMT is either mitigated or disabled: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2019-11135 aka ZombieLoad V2, TSX Asynchronous Abort (TAA) +* Mitigated according to the /sys interface: YES (Not affected) +* TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) +* TAA mitigation enabled and active: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2018-12207 aka No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC) +* Mitigated according to the /sys interface: YES (Not affected) +* This system is a host running a hypervisor: NO +* iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) +* iTLB Multihit mitigation enabled and active: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +CVE-2020-0543 aka Special Register Buffer Data Sampling (SRBDS) +* Mitigated according to the /sys interface: YES (Not affected) +* SRBDS mitigation control is supported by the kernel: YES (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation) +* SRBDS mitigation control is enabled and active: NO +> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable) + +> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK diff --git a/docs/report/introduction/test_scenarios_overview.rst b/docs/report/introduction/test_scenarios_overview.rst index 0d520f0296..1c3516b9eb 100644 --- a/docs/report/introduction/test_scenarios_overview.rst +++ b/docs/report/introduction/test_scenarios_overview.rst @@ -11,10 +11,10 @@ Brief overview of test scenarios covered in this report: #. **VPP Performance**: VPP performance tests are executed in physical FD.io testbeds, focusing on VPP network data plane performance in - NIC-to-NIC switching topologies. Tested across Intel Xeon Haswell - and Skylake servers, ARM, Denverton, range of NICs (10GE, 25GE, 40GE) and - multi-thread/multi-core configurations. VPP application runs in bare-metal - host user-mode handling NICs. TRex is used as a traffic generator. + NIC-to-NIC switching topologies. Tested across Intel Cascadelake + and Skylake servers, ARM, Denverton, range of NICs (10GE, 25GE, 40GE, 100GE) + and multi-thread/multi-core configurations. VPP application runs in + bare-metal host user-mode handling NICs. TRex is used as a traffic generator. #. **VPP Vhostuser Performance with KVM VMs**: VPP VM service switching performance tests using vhostuser virtual interface for @@ -55,7 +55,7 @@ against |vpp-release| artifacts. References are provided to the original FD.io Jenkins job results and all archived source files. FD.io CSIT system is developed using two main coding platforms: :abbr:`RF (Robot -Framework)` and Python2.7. |csit-release| source code for the executed test +Framework)` and Python. |csit-release| source code for the executed test suites is available in CSIT branch |release| in the directory :file:`./tests/<name_of_the_test_suite>`. A local copy of CSIT source code can be obtained by cloning CSIT git repository - :command:`git clone diff --git a/docs/report/vpp_device_tests/csit_release_notes.rst b/docs/report/vpp_device_tests/csit_release_notes.rst index b29e45da4d..ca5bf8285a 100644 --- a/docs/report/vpp_device_tests/csit_release_notes.rst +++ b/docs/report/vpp_device_tests/csit_release_notes.rst @@ -6,20 +6,10 @@ Changes in |csit-release| #. TEST FRAMEWORK - - **Bug fixes**. - - - **Speedup**: Shortened overall test job duration - by using a different test selection mechanism (using --test - instead of --include) and by avoiding unnecessary PAPI reconnects. - -#. TEST COVERAGE - - - Increased test coverage: **GENEVE**, **ACL** and **MACIP** from ACL plugin. - -#. DEPRECATED API MESSAGES - - - Updated API calls for **link bonding**, **COP**, **IPSEC**, **NAT** and - **NSIM**. + - **Upgrade to Ubuntu 20.04 LTS**: Reinstall base operating system to Ubuntu + 20.04.2 LTS. Upgrade includes also baseline Docker containers used for + spawning topology. In latest LTS version we are using iavf driver instead + of i40evf. Known Issues ------------ @@ -29,7 +19,5 @@ List of known issues in |csit-release| for VPP functional tests in VPP Device: +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ | # | JiraID | Issue Description | +====+=========================================+===========================================================================================================+ -| 1 | `VPP-1943 | Running multiple VPPs with SR-IOV VFs belonging to the same PF sometimes results in VPP not initializing | -| | <https://jira.fd.io/browse/VPP-1943>`_ | the VF interfaces properly due to a race condition between the PF and VFs. Observed with Intel NIC | -| | | firmware version 6.01 0x800035da 1.1747.0 and i40e driver versions 2.1.14-k and 2.13.10. | +| | | | +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ diff --git a/docs/report/vpp_performance_tests/csit_release_notes.rst b/docs/report/vpp_performance_tests/csit_release_notes.rst index a70061de9a..5b90710d24 100644 --- a/docs/report/vpp_performance_tests/csit_release_notes.rst +++ b/docs/report/vpp_performance_tests/csit_release_notes.rst @@ -9,39 +9,19 @@ Changes in |csit-release| - CSIT test environment is versioned, see :ref:`test_environment_versioning`. - - **GENEVE tests**: Added VPP performance tests for GENEVE tunnels. - See :ref:`geneve_methodology` for more details. + - **Upgrade to Ubuntu 20.04 LTS**: Reinstall base operating system to Ubuntu + 20.04.2 LTS. Upgrade includes also baseline Docker containers used for + spawning topology. + - **AF_XDP**: Added af_xdp driver testing for all testcases. - - **GSO tests**: Added VPP performance tests for GSOtap and GSOvirtio. - All tested topologies are compared with GSO enabled and disabled. - In |csit-release| there is only 1t1c tests running. - See :ref:`gso_methodology` for more details. + - **GTPU tunnel**: Added GTPU HW Offload IPv4 routing tests. - - - **NAT44 tests**: Added new test type, pure throughput tests. - They are similar to PPS tests, but they employ ramp-up trials - to ensure all sessions are created (and not timing out) - for performance trials. - - - **Jumbo for ipsec**: Test cases with 9000 byte frames are re-enabled - in ipsec suites. - - - **Randomized profiles**: Improved repeatability and cycle length. - For details, see :ref:`packet_flow_ordering`. - - - **Arm 2n-tx2 testbed**: New physical testbed type installed in - FD.io CSIT, with VPP and DPDK performance data added to CSIT - trending and this report. - - - **Framework speedup**: Shortened overall test job duration - by using a different test selection mechanism (using --test - instead of --include) and by avoiding unnecessary PAPI reconnects. + - **Telemetry retouch**: Redesign telemetry retrieval from DUT. Include + VPP perfmon plugin telemetry. #. TEST FRAMEWORK - - **TRex ASTF**: Improved capability to run TRex in advanced stateful mode. - - **CSIT PAPI support**: Due to issues with PAPI performance, VAT is still used in CSIT for all VPP scale tests. See known issues below. @@ -67,28 +47,18 @@ List of known issues in |csit-release| for VPP performance tests: +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ | # | JiraID | Issue Description | +====+=========================================+===========================================================================================================+ -| 1 | `CSIT-570 | Sporadic (1 in 200) NDR discovery test failures on x520. DPDK reporting rx-errors, indicating L1 issue. | -| | <https://jira.fd.io/browse/CSIT-570>`_ | Suspected issue with HW combination of X710-X520 in LF testbeds. Not observed outside of LF testbeds. | -+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ -| 2 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. | +| 1 | `VPP-662 | 9000B packets not supported by NICs VIC1227 and VIC1387. | | | <https://jira.fd.io/browse/VPP-662>`_ | | +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ -| 3 | `CSIT-1763 | Adapt ramp-up phase of nat44 tests for different frame sizes. | +| 2 | `CSIT-1763 | Adapt ramp-up phase of nat44 tests for different frame sizes. | | | <https://jira.fd.io/browse/CSIT-1763>`_ | Currently ramp-up phase rate and duration values are correctly set for tests with 64B frame size. | +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ -| 4 | `CSIT-1671 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much | +| 3 | `CSIT-1671 | All CSIT scale tests can not use PAPI due to much slower performance compared to VAT/CLI (it takes much | | | <https://jira.fd.io/browse/CSIT-1671>`_ | longer to program VPP). This needs to be addressed on the PAPI side. | | +-----------------------------------------+ The usual PAPI library spends too much time parsing arguments, so even with async processing (hundreds of | | | `VPP-1763 | commands in flight over socket), the VPP configuration for large scale tests (millions of messages) takes | | | <https://jira.fd.io/browse/VPP-1763>`_ | too long. | +----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ -| 5 | `VPP-1934 | [i40e] Interfaces are not brought up from carrier-down. | -| | <https://jira.fd.io/browse/VPP-1934>`_ | In case of i40e -based interface (e.g Intel x700 series NIC) is bound to kernel driver (i40e) and is in | -| | | state "no-carrier" (<NO-CARRIER,BROADCAST,MULTICAST,UP>) because previously it was disabled via | -| | | "I40E_AQ_PHY_LINK_ENABLED" call, then VPP during initialization of AVF interface is not re-enabling | -| | | interface link via i40e driver to up. | -| | | CSIT implemented `workaround for AVF interface <https://gerrit.fd.io/r/c/csit/+/29086>`_ until fixed. | -+----+-----------------------------------------+-----------------------------------------------------------------------------------------------------------+ Root Cause Analysis for Performance Changes ------------------------------------------- |