该楼层疑似违规已被系统折叠 隐藏此楼查看此楼

下面是完整数据：

Spectre and Meltdown mitigation detection tool v0.42

Checking for vulnerabilities on current system

Kernel is Linux 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64

CPU is Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz

Hardware check

* Hardware support (CPU microcode) for mitigation techniques

* Indirect Branch Restricted Speculation (IBRS)

* SPEC_CTRL MSR is available: YES

* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)

* Indirect Branch Prediction Barrier (IBPB)

* PRED_CMD MSR is available: YES

* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)

* Single Thread Indirect Branch Predictors (STIBP)

* SPEC_CTRL MSR is available: YES

* CPU indicates STIBP capability: YES (Intel STIBP feature bit)

* Speculative Store Bypass Disable (SSBD)

* CPU indicates SSBD capability: YES (Intel SSBD)

* L1 data cache invalidation

* FLUSH_CMD MSR is available: YES

* CPU indicates L1D flush capability: YES (L1D flush feature bit)

* Microarchitecture Data Sampling

* VERW instruction is available: NO

* Enhanced IBRS (IBRS_ALL)

* CPU indicates ARCH_CAPABILITIES MSR availability: NO

* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO

* CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO

* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO

* CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO

* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO

* CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO

* CPU supports Software Guard Extensions (SGX): NO

* CPU microcode is known to cause stability problems: NO (model 0x25 family 0x6 stepping 0x5 ucode 0x7 cpuid 0x20655)

* CPU microcode is the latest known available version: YES (latest version is 0x7 dated 2018/04/23 according to builtin MCExtractor DB v111 - 2019/05/18)

* CPU vulnerability to the speculative execution attack variants

* Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES

* Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES

* Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES

* Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES

* Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES

* Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO

* Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES

* Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES

* Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES

* Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES

* Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES

* Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'

* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)

* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())

* Kernel has the Red Hat/Ubuntu patch: NO

* Kernel has mask_nospec64 (arm64): NO

> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'

* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)

* Mitigation 1

* Kernel is compiled with IBRS support: YES

* IBRS enabled and active: YES (for firmware code only)

* Kernel is compiled with IBPB support: YES

* IBPB enabled and active: YES

* Mitigation 2

* Kernel has branch predictor hardening (arm): NO

* Kernel compiled with retpoline option: YES

* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)

> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'

* Mitigated according to the /sys interface: YES (Mitigation: PTI)

* Kernel supports Page Table Isolation (PTI): YES

* PTI enabled and active: YES

* Reduced performance impact of PTI: YES (CPU supports PCID, performance impact of PTI will be reduced)

* Running as a Xen PV DomU: NO

> STATUS: NOT VULNERABLE (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'

* CPU microcode mitigates the vulnerability: YES

> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'

* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)

* SSB mitigation is enabled and active: YES (per-thread through prctl)

* SSB mitigation currently active for selected processes: YES (firefox ModemManager systemd-journald systemd-logind systemd-resolved systemd-timesyncd systemd-udevd tor)

> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'

* CPU microcode mitigates the vulnerability: N/A

> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'

* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)

* Kernel supports PTE inversion: YES (found in kernel image)

* PTE inversion enabled and active: YES

> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'

* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

* This system is a host running a hypervisor: NO

* Mitigation 1 (KVM)

* EPT is disabled: NO

* Mitigation 2

* L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)

* L1D flush enabled: YES (conditional flushes)

* Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)

* Hyper-Threading (SMT) is enabled: YES

> STATUS: NOT VULNERABLE (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'

* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)

* Kernel mitigation is enabled and active: NO

* SMT is either mitigated or disabled: NO

> STATUS: VULNERABLE (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'

* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)

* Kernel mitigation is enabled and active: NO

* SMT is either mitigated or disabled: NO

> STATUS: VULNERABLE (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'

* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)

* Kernel mitigation is enabled and active: NO

* SMT is either mitigated or disabled: NO

> STATUS: VULNERABLE (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'

* Mitigated according to the /sys interface: NO (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

* Kernel supports using MD_CLEAR mitigation: YES (found md_clear implementation evidence in kernel image)

* Kernel mitigation is enabled and active: NO

* SMT is either mitigated or disabled: NO

> STATUS: VULNERABLE (Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO

Need more detailed information about mitigation options? Use --explain

A false sense of security is worse than no security at all, see --disclaimer