odroidxu4 Posted December 16, 2024 Posted December 16, 2024 Armbianmonitor: https://paste.next.armbian.com/tepocuheqe I used the Armbian 24.11.1 Bookworm Minimal / IOT Image from https://www.armbian.com/odroid-xu4/. When i checked the boot messages with journalctl -b, then i can see the message -> "system vulnerable" Later i can read the message "Spectre BHB: enabling loop workaround for all CPUs". Is this a fix for the first warning message, or is my system vulnerable? Dec 16 20:32:58 odroidxu4 kernel: smp: Bringing up secondary CPUs ... Dec 16 20:32:58 odroidxu4 kernel: CPU1: thread -1, cpu 1, socket 1, mpidr 80000101 Dec 16 20:32:58 odroidxu4 kernel: CPU2: thread -1, cpu 2, socket 1, mpidr 80000102 Dec 16 20:32:58 odroidxu4 kernel: CPU3: thread -1, cpu 3, socket 1, mpidr 80000103 Dec 16 20:32:58 odroidxu4 kernel: CPU4: thread -1, cpu 0, socket 0, mpidr 80000000 Dec 16 20:32:58 odroidxu4 kernel: CPU4: detected I-Cache line size mismatch, workaround enabled Dec 16 20:32:58 odroidxu4 kernel: CPU4: Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable Dec 16 20:32:58 odroidxu4 kernel: CPU4: Spectre BHB: enabling loop workaround for all CPUs Dec 16 20:32:58 odroidxu4 kernel: CPU5: thread -1, cpu 1, socket 0, mpidr 80000001 Dec 16 20:32:58 odroidxu4 kernel: CPU5: detected I-Cache line size mismatch, workaround enabled Dec 16 20:32:58 odroidxu4 kernel: CPU5: Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable Dec 16 20:32:58 odroidxu4 kernel: CPU6: thread -1, cpu 2, socket 0, mpidr 80000002 Dec 16 20:32:58 odroidxu4 kernel: CPU6: detected I-Cache line size mismatch, workaround enabled Dec 16 20:32:58 odroidxu4 kernel: CPU6: Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable Dec 16 20:32:58 odroidxu4 kernel: CPU7: thread -1, cpu 3, socket 0, mpidr 80000003 Dec 16 20:32:58 odroidxu4 kernel: CPU7: detected I-Cache line size mismatch, workaround enabled Dec 16 20:32:58 odroidxu4 kernel: CPU7: Spectre v2: firmware did not set auxiliary control register IBE bit, system vulnerable Dec 16 20:32:58 odroidxu4 kernel: smp: Brought up 1 node, 8 CPUs Dec 16 20:32:58 odroidxu4 kernel: SMP: Total of 8 processors activated (384.00 BogoMIPS). Dec 16 20:32:58 odroidxu4 kernel: CPU: All CPU(s) started in HYP mode. Dec 16 20:32:58 odroidxu4 kernel: CPU: Virtualization extensions available. 0 Quote
Werner Posted December 17, 2024 Posted December 17, 2024 Hi, have you tried to check with a tool like this? https://github.com/speed47/spectre-meltdown-checker Just found this: https://patchwork.kernel.org/project/linux-arm-kernel/cover/20241214005248.198803-1-dianders@chromium.org/ So there might come some enhancements with Linux 6.14 or 6.15 0 Quote
odroidxu4 Posted December 17, 2024 Author Posted December 17, 2024 Thank you for the tip and the link. Unfortunately, the test shows that I cannot operate the hardware safely with the current Armbian software 😞 The second link with the reference to a new kernel 6.14 or 6.15 refers to arm64. I can't really make the connection either, it sounds really complicated to me and not like a simple solution. Is there any hope that next year the kernel version will be so far along at Armbian that I can simply leave the hardware unused in storage for the time being? Does anyone have any other practical ideas on how I can operate the hardware safely? ./spectre-meltdown-checker.sh Spectre and Meltdown mitigation detection tool v0.46+ Checking for vulnerabilities on current system Kernel is Linux 6.6.60-current-odroidxu4 #1 SMP PREEMPT Wed Nov 13 22:00:09 UTC 2024 armv7l CPU is ARM v7 model 0xc07 Hardware check * CPU vulnerability to the speculative execution attack variants * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO * Affected by CVE-2018-3640 (Variant 3a, rogue system register read): YES * Affected by CVE-2018-3639 (Variant 4, speculative store bypass): NO * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO * Affected by CVE-2023-20593 (Zenbleed, cross-process information leak): NO * Affected by CVE-2022-40982 (Downfall, gather data sampling (GDS)): NO * Affected by CVE-2023-20569 (Inception, return address security (RAS)): NO * Affected by CVE-2023-23583 (Reptar, redundant prefix issue): NO CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass' * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization) * Kernel has array_index_mask_nospec: YES (112 occurrence(s) found of arm 32 bits array_index_mask_nospec()) * Kernel has the Red Hat/Ubuntu patch: NO * Kernel has mask_nospec64 (arm64): NO * Kernel has array_index_nospec (arm64): NO > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization) CVE-2017-5715 aka 'Spectre Variant 2, branch target injection' * Mitigated according to the /sys interface: NO (Vulnerable: Unprivileged eBPF enabled) * Mitigation 1 * Kernel is compiled with IBRS support: YES * IBRS enabled and active: NO * Kernel is compiled with IBPB support: NO * IBPB enabled and active: NO * Mitigation 2 * Kernel has branch predictor hardening (arm): YES * Kernel compiled with retpoline option: NO > STATUS: NOT VULNERABLE (Branch predictor hardening mitigates the vulnerability) CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports Page Table Isolation (PTI): NO * PTI enabled and active: NO * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant) * Running as a Xen PV DomU: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-3640 aka 'Variant 3a, rogue system register read' * CPU microcode mitigates the vulnerability: NO > STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability) CVE-2018-3639 aka 'Variant 4, speculative store bypass' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status) * SSB mitigation is enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault' * CPU microcode mitigates the vulnerability: N/A > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports PTE inversion: NO * PTE inversion enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' * Information from the /sys interface: Not affected * This system is a host running a hypervisor: NO * Mitigation 1 (KVM) * EPT is disabled: N/A (the kvm_intel module is not loaded) * Mitigation 2 * L1D flush is supported by kernel: NO * L1D flush enabled: NO * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) * Hyper-Threading (SMT) is enabled: UNKNOWN > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports using MD_CLEAR mitigation: NO * Kernel mitigation is enabled and active: NO * SMT is either mitigated or disabled: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)' * Mitigated according to the /sys interface: YES (Not affected) * TAA mitigation is supported by kernel: YES (found tsx_async_abort in kernel image) * TAA mitigation enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)' * Mitigated according to the /sys interface: YES (Not affected) * This system is a host running a hypervisor: NO * iTLB Multihit mitigation is supported by kernel: YES (found itlb_multihit in kernel image) * iTLB Multihit mitigation enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)' * Mitigated according to the /sys interface: YES (Not affected) * SRBDS mitigation control is supported by the kernel: NO * SRBDS mitigation control is enabled and active: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2023-20593 aka 'Zenbleed, cross-process information leak' * Zenbleed mitigation is supported by kernel: NO * Zenbleed kernel mitigation enabled and active: N/A (CPU is incompatible) * Zenbleed mitigation is supported by CPU microcode: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2022-40982 aka 'Downfall, gather data sampling (GDS)' * Mitigated according to the /sys interface: YES (Not affected) * GDS is mitigated by microcode: NO * Kernel supports software mitigation by disabling AVX: YES (found gather_data_sampling in kernel image) * Kernel has disabled AVX as a mitigation: UNKNOWN (No sign of mitigation in dmesg and couldn't read cpuid info) > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2023-20569 aka 'Inception, return address security (RAS)' * Mitigated according to the /sys interface: YES (Not affected) * Kernel supports mitigation: YES (found spec_rstack_overflow in kernel image) * Kernel compiled with SRSO support: NO (required for safe RET and ibpb_on_vmexit mitigations) * Kernel compiled with IBPB_ENTRY support: NO > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) CVE-2023-23583 aka 'Reptar, redundant prefix issue' > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected) > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK 0 Quote
Werner Posted December 18, 2024 Posted December 18, 2024 https://developer.arm.com/Arm Security Center/Speculative Processor Vulnerability Quote In general, it is not believed that software mitigations for this issue are necessary. However, an update for the latest release of the Cortex-A72 does include a hardware mitigation for this issue. Expand On the bottom line there is nothing we can do about this. If mitigation is upstreamed to ATF, Kernel or wherever needed/possible Armbian will adapt it most likely automatically. Dug a bit deeper https://developer.arm.com/-/media/Arm Developer Community/PDF/Security update 21 May 18/Software_Overview_for_Arm_Cores_PUBLIC v1.2.pdf?revision=7bb9a901-9a1d-4975-b460-743f5da90502&hash=14B19D60AC5650AF05225AEECC5E3D816E08B47B Quote In Linux this is mitigated by KPTI[...] Expand https://cateee.net/lkddb/web-lkddb/MITIGATION_PAGE_TABLE_ISOLATION.html Though this seems to be a software mitigation for x86 only. No clue if there is further development ongoing. 0 Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.