I've just taken the opportunity to get the little guy out of storage and run the test on it with the script posted here in the forum.
Having been subjected to the corresponding tests by our group of expert bytes,
they have issued the following report.
(Samsung NP-NC20 computer, Debian 8.8 environment as-is, unmodified and unpatched):
Spectre and Meltdown mitigation detection tool v0.34
Checking for vulnerabilities on current system
Kernel is Linux 3.16.0-4-586 #1 Debian 3.16.43-2 (2017-04-30) i686
CPU is VIA Nano processor U2250@1300+MHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec: NO
* Checking count of LFENCE instructions following a jump in kernel: NO (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS: VULNERABLE (Kernel source needs to be patched to mitigate the vulnerability)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: NO
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
* Retpoline enabled: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
In other words, as secure and prestigiously reliable as the best Intel (Pentium Pro and later).
A sieve, basically.
Fine. What can we do! It would have been nice if it had at least been able to defend itself against one of them
on its own. But it is what it is. :(
With your permission, though, I'm not going to close the thread yet, because in the summer, when I'm on vacation,
I'm going to install whatever the stable release is by then and repeat the test.
That way, besides having the report on the chip itself, we'll be able to see the mitigations achieved by the
software modifications and tricks.
Emphasizing mitigate, not eliminate.
Until then.