Fedora 確認方法 – 近代的CPUの脆弱性

確認方法

まず、Ubuntu の確認方法同様に dmesg と proc/cpuinfo を利用して確認してみます。

base on kernel - How to check that KPTI is enabled on my Ubuntu? - Ask Ubuntu

  • /proc/cpuinfo
    grep -q "cpu_insecure|cpu_meltdown|kaiser" /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
  • dmesg
    dmesg | grep -q "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("

確認環境

下記物理サーバ上の仮想イメージ。

Spec Details
OS Fedora 27 x64
CPU Celeron Processor 1007U (2M Cache, 1.50 GHz)
MEM 2GB
# cat /etc/os-release 
NAME=Fedora
VERSION="27 (Twenty Seven)"
ID=fedora
VERSION_ID=27
PRETTY_NAME="Fedora 27 (Twenty Seven)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:27"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=27
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=27
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"

# uname -r
4.15.12-301.fc27.x86_64

実行サンプル

# dmesg | grep -q "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
patched :)

# grep -q "cpu_insecure¥|cpu_meltdown¥|kaiser" /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
unpatched :(

# ls -lh /sys/devices/system/cpu/vulnerabilities/
合計 0
-r--r--r--. 1 root root 4.0K  6月 20 23:41 meltdown
-r--r--r--. 1 root root 4.0K  6月 20 23:41 spectre_v1
-r--r--r--. 1 root root 4.0K  6月 20 23:41 spectre_v2

# cat /sys/devices/system/cpu/vulnerabilities/meltdown 
Mitigation: PTI

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v1 
Mitigation: __user pointer sanitization

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 
Mitigation: Full generic retpoline

解説

  • Mitigation: PTI
    カーネルはページテーブル分離をサポートしている。
  • Mitigation: __user pointer sanitization
    ユーザ ポインタ サニタイズ フィックスがあたっている。
    ※サニタイズとは Inputが無効(有害)な値の場合、無害なものに置換する手法。
  • Mitigation: Full generic retpoline
    Retpoline フィックスがあたっている。

Linux 共通 確認方法

GitHub で紹介されている Linux 向けのシェルスクリプトを使います。

base on GitHub - speed47/spectre-meltdown-checker: Spectre & Meltdown vulnerability/mitigation checker for Linux

  • Get the latest version of the script using curl or wget
curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
wget https://meltdown.ovh -O spectre-meltdown-checker.sh
  • When you're ready, run the script as root
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh

導入・実行サンプル

# wget https://meltdown.ovh -O spectre-meltdown-checker.sh
# chmod +x ./spectre-meltdown-checker.sh
# sh ./spectre-meltdown-checker.sh

実行結果

# sh ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.12-301.fc27.x86_64 #1 SMP Thu Mar 22 19:25:27 UTC 2018 x86_64
CPU is Intel(R) Celeron(R) CPU 1007U @ 1.50GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  NO 
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 0x3a family 0x6 stepping 0x9 ucode 0x1c cpuid 0x306a9)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 
  * Vulnerable to Variant 3a:  YES 
  * Vulnerable to Variant 4:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  NO 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  NO 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports PCID, performance impact of PTI will be reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

> How to fix: The microcode of your CPU needs to be upgraded to mitigate this vulnerability. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). The microcode update is enough, there is no additional OS, kernel or software change needed.

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Kernel supports speculation store bypass:  NO 
> STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)

> How to fix: Both your CPU microcode and your kernel are lacking support for mitigation. If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel from recent-enough sources. The microcode of your CPU also needs to be upgraded. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).

A false sense of security is worse than no security at all, see --disclaimer

要約

脆弱性 判断 備考
Spectre V1 OK
Spectre V2 NG カーネルはサポートしているが有効になっていない(CPUのマイクロコード未サポート)
Meltdown (V3) OK
Meltdown (V3a) NG
SpectreNG NG