• intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

    From Christoph Pflügler@21:1/5 to All on Fri Jan 8 21:30:01 2021
    Installing package intel-microcode in Debian 10 (Buster) mitigates most vulnerabilities as per spectre-meltdown-checker. However, CVE-2018-3640
    and CVE-2018-3615 are still displayed as unmitigated after reboot, with spectre-meltdown-checker --explain (executed as su) pointing to missing microcode upgrades.

    According to the Debian package description of intel-microcode, the two vulnerabilities are fixed in the current version of the package.

    This occurs in exactly the same way on two different machines, one with
    an i5-3320M CPU and another one with an E3-1235L v5.

    If I remember correctly, I was all green as per spectre-meltdown-checker
    in Debian 9 (Stretch).

    Does anybody have an explanation and/or fix for this issue?


    Thanks and best regards,

    Christoph

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Michael Stone@21:1/5 to All on Fri Jan 8 22:50:02 2021
    On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
    > Installing package intel-microcode in Debian 10 (Buster) mitigates
    > most vulnerabilities as per spectre-meltdown-checker. However,
    > CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
    > after reboot, with spectre-meltdown-checker --explain (executed as su)
    > pointing to missing microcode upgrades.
    >
    > According to the Debian package description of intel-microcode, the
    > two vulnerabilities are fixed in the current version of the package.
    >
    > This occurs in exactly the same way on two different machines, one
    > with an i5-3320M CPU and another one with an E3-1235L v5.
    >
    > If I remember correctly, I was all green as per
    > spectre-meltdown-checker in Debian 9 (Stretch).

    What version of intel-microcode do you have installed?

  • From Christoph Pflügler@21:1/5 to Michael Stone on Fri Jan 8 22:50:01 2021
    On 08.01.21 22:34, Michael Stone wrote:
    > On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
    >> Installing package intel-microcode in Debian 10 (Buster) mitigates
    >> most vulnerabilities as per spectre-meltdown-checker. However,
    >> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
    >> after reboot, with spectre-meltdown-checker --explain (executed as
    >> su) pointing to missing microcode upgrades.
    >>
    >> According to the Debian package description of intel-microcode, the
    >> two vulnerabilities are fixed in the current version of the package.
    >>
    >> This occurs in exactly the same way on two different machines, one
    >> with an i5-3320M CPU and another one with an E3-1235L v5.
    >>
    >> If I remember correctly, I was all green as per
    >> spectre-meltdown-checker in Debian 9 (Stretch).
    >
    > What version of intel-microcode do you have installed?
    intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
    from Debian non-free repository

  • From Michael Stone@21:1/5 to All on Fri Jan 8 23:50:01 2021
    On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
    > On 08.01.21 22:34, Michael Stone wrote:
    >> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
    >>> Installing package intel-microcode in Debian 10 (Buster) mitigates
    >>> most vulnerabilities as per spectre-meltdown-checker. However,
    >>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
    >>> after reboot, with spectre-meltdown-checker --explain (executed as
    >>> su) pointing to missing microcode upgrades.
    >>>
    >>> According to the Debian package description of intel-microcode,
    >>> the two vulnerabilities are fixed in the current version of the
    >>> package.
    >>>
    >>> This occurs in exactly the same way on two different machines, one
    >>> with an i5-3320M CPU and another one with an E3-1235L v5.
    >>>
    >>> If I remember correctly, I was all green as per
    >>> spectre-meltdown-checker in Debian 9 (Stretch).
    >>
    >> What version of intel-microcode do you have installed?
    > intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
    > from Debian non-free repository

    With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
    checker reports green for those checks on my test system. Do you have
    the latest spectre-meltdown-checker, and are you running it as root? If
    I run the current version as an unprivileged user those checks come up
    red (presumably because it can't read the cpu registers it is trying to
    read).

  • From Christoph Pflügler@21:1/5 to Michael Stone on Sat Jan 9 15:50:02 2021
    On 08.01.21 23:40, Michael Stone wrote:
    > On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
    >> On 08.01.21 22:34, Michael Stone wrote:
    >>> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
    >>>> Installing package intel-microcode in Debian 10 (Buster) mitigates
    >>>> most vulnerabilities as per spectre-meltdown-checker. However,
    >>>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
    >>>> after reboot, with spectre-meltdown-checker --explain (executed as
    >>>> su) pointing to missing microcode upgrades.
    >>>>
    >>>> According to the Debian package description of intel-microcode, the
    >>>> two vulnerabilities are fixed in the current version of the package.
    >>>>
    >>>> This occurs in exactly the same way on two different machines, one
    >>>> with an i5-3320M CPU and another one with an E3-1235L v5.
    >>>>
    >>>> If I remember correctly, I was all green as per
    >>>> spectre-meltdown-checker in Debian 9 (Stretch).
    >>>
    >>> What version of intel-microcode do you have installed?
    >> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
    >> from Debian non-free repository
    >
    > With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
    > checker reports green for those checks on my test system. Do you have
    > the latest spectre-meltdown-checker, and are you running it as root?
    > If I run the current version as an unprivileged user those checks come
    > up red (presumably because it can't read the cpu registers it is
    > trying to read).

    spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
    Debian repository.

    Yes, I executed it as root (su -> <passwd> -> spectre-meltdown-checker).
    I get exactly the same results running it as an unprivileged user. This
    is what spectre-meltdown-checker, run as root, shows for the two CVEs:

    CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
    * CPU microcode mitigates the vulnerability:  N/A
    STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not
    up to date)

    CVE-2018-3640 aka 'Variant 3a, rogue system register read'
    * CPU microcode mitigates the vulnerability:  NO
    STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to
    mitigate this vulnerability)

    Linux version is also 4.19.0-13-amd64.

    Both my instances are (almost) fresh installations (GNOME) based on
    recently released debian-10.7.0-amd64-netinst.iso.

  • From James Wallen@21:1/5 to All on Sat Jan 9 21:00:02 2021
    On 1/9/21 9:48 AM, Christoph Pflügler wrote:
    > On 08.01.21 23:40, Michael Stone wrote:
    >> On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
    >>> On 08.01.21 22:34, Michael Stone wrote:
    >>>> On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
    >>>>> Installing package intel-microcode in Debian 10 (Buster) mitigates
    >>>>> most vulnerabilities as per spectre-meltdown-checker. However,
    >>>>> CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated
    >>>>> after reboot, with spectre-meltdown-checker --explain (executed as
    >>>>> su) pointing to missing microcode upgrades.
    >>>>>
    >>>>> According to the Debian package description of intel-microcode, the
    >>>>> two vulnerabilities are fixed in the current version of the package.
    >>>>>
    >>>>> This occurs in exactly the same way on two different machines, one
    >>>>> with an i5-3320M CPU and another one with an E3-1235L v5.
    >>>>>
    >>>>> If I remember correctly, I was all green as per
    >>>>> spectre-meltdown-checker in Debian 9 (Stretch).
    >>>>
    >>>> What version of intel-microcode do you have installed?
    >>> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed
    >>> from Debian non-free repository
    >>
    >> With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
    >> checker reports green for those checks on my test system. Do you have
    >> the latest spectre-meltdown-checker, and are you running it as root?
    >> If I run the current version as an unprivileged user those checks come
    >> up red (presumably because it can't read the cpu registers it is
    >> trying to read).
    >
    > spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
    > Debian repository.
    >
    > Yes, I executed it as root (su -> <passwd> -> spectre-meltdown-checker).
    > I get exactly the same results running it as an unprivileged user. This
    > is what spectre-meltdown-checker, run as root, shows for the two CVEs:
    >
    > CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
    > * CPU microcode mitigates the vulnerability:  N/A
    > STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not
    > up to date)
    >
    > CVE-2018-3640 aka 'Variant 3a, rogue system register read'
    > * CPU microcode mitigates the vulnerability:  NO
    > STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to
    > mitigate this vulnerability)
    >
    > Linux version is also 4.19.0-13-amd64.
    >
    > Both my instances are (almost) fresh installations (GNOME) based on
    > recently released debian-10.7.0-amd64-netinst.iso.


    I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is not
    being mitigated by intel-microcode on a NUC6CAYS system, fully updated
    Bullseye/Sid. This is a Celeron system.

    However, the same intel-microcode version on the same OS does mitigate
    this vulnerability on NUC5i7RYH and NUC8i3BEH systems.

  • From Giacomo Catenazzi@21:1/5 to James Wallen on Tue Jan 12 17:40:03 2021
    On 09.01.2021 20:42, James Wallen wrote:
    > On 1/9/21 9:48 AM, Christoph Pflügler wrote:
    >
    >>> With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the
    >>> checker reports green for those checks on my test system. Do you have
    >>> the latest spectre-meltdown-checker, and are you running it as root?
    >>> If I run the current version as an unprivileged user those checks
    >>> come up red (presumably because it can't read the cpu registers it is
    >>> trying to read).
    >>
    >> spectre-meltdown-checker:all/buster 0.42-1 uptodate, installed from
    >> Debian repository.
    >>
    >> Yes, I executed it as root (su -> <passwd> ->
    >> spectre-meltdown-checker). I get exactly the same results running it
    >> as an unprivileged user. This is what spectre-meltdown-checker, run as
    >> root, shows for the two CVEs:
    >>
    >> CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
    >> * CPU microcode mitigates the vulnerability:  N/A
    >> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is
    >> not up to date)
    >>
    >> CVE-2018-3640 aka 'Variant 3a, rogue system register read'
    >> * CPU microcode mitigates the vulnerability:  NO
    >> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to
    >> mitigate this vulnerability)
    >>
    >> Linux version is also 4.19.0-13-amd64.
    >>
    >> Both my instances are (almost) fresh installations (GNOME) based on
    >> recently released debian-10.7.0-amd64-netinst.iso.
    >
    > I can confirm spectre-meltdown-checker reporting CVE-2018-3640 is not
    > being mitigated by intel-microcode on a NUC6CAYS system, full-updated
    > Bullseye/Sid. This is a Celeron system.
    >
    > However, the same intel-microcode version on same OS does mitigate
    > this vulnerability on NUC5i7RYH and NUC8i3BEH systems.

    intel-microcode contains a lot of microcodes, for many Intel chips. From
    your mail, it seems that Intel forgot to include microcode for some CPUs
    (it has happened in the past).

    Could you check in dmesg whether microcode is applied on your CPU, and
    which version was applied?

    In any case, according to Intel, microcode should be updated by the BIOS
    and not by the OS, so you may need to check your BIOS provider for
    updates to mitigate the vulnerability until we get all microcodes from
    Intel.

    ciao
    cate

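As an added example (not code from the thread, from Debian, or from spectre-meltdown-checker), here is a small Python script that answers the question above mechanically: it pulls the early-loader line, the driver's sig/pf/revision line and any "Vulnerable: No microcode" verdict out of dmesg, and cross-checks the revision against the microcode field of every CPU in /proc/cpuinfo. The sample log and cpuinfo text are constructed (modelled on the kernel's real message formats); the function names are the example's own.

```python
"""Added example: summarise what the kernel says about loaded microcode."""
import re

# Constructed sample dmesg excerpt (same line formats the kernel emits):
# early loader line, a per-vulnerability verdict, late driver line.
SAMPLE_DMESG = """\
[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.379026] SRBDS: Vulnerable: No microcode
[    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[    1.625215] microcode: Microcode Update Driver: v2.2.
"""

# Constructed /proc/cpuinfo excerpt for two logical CPUs; the microcode
# field is the revision each core is actually running.
SAMPLE_CPUINFO = """\
processor\t: 0
microcode\t: 0xd6
processor\t: 1
microcode\t: 0xd6
"""

EARLY_RE = re.compile(
    r"microcode: microcode updated early to revision (0x[0-9a-f]+), date = (\S+)")
LATE_RE = re.compile(
    r"microcode: sig=(0x[0-9a-f]+), pf=(0x[0-9a-f]+), revision=(0x[0-9a-f]+)")
NO_MC_RE = re.compile(r"\] (\S+): Vulnerable: No microcode")


def parse_microcode_dmesg(text):
    """Collect the early-loaded revision and date, the signature /
    platform flags / revision reported by the driver, and the list of
    vulnerabilities for which the kernel still says 'No microcode'."""
    info = {"early_revision": None, "early_date": None,
            "sig": None, "pf": None, "revision": None,
            "no_microcode": []}
    for line in text.splitlines():
        m = EARLY_RE.search(line)
        if m:
            info["early_revision"], info["early_date"] = m.group(1), m.group(2)
            continue
        m = LATE_RE.search(line)
        if m:
            info["sig"], info["pf"], info["revision"] = m.groups()
            continue
        m = NO_MC_RE.search(line)
        if m:
            info["no_microcode"].append(m.group(1))
    return info


def cpuinfo_revisions(text):
    """Set of microcode revisions across all CPUs in /proc/cpuinfo.
    More than one entry means the cores do not run the same revision."""
    return {int(v, 16)
            for v in re.findall(r"^microcode\s*:\s*(0x[0-9a-f]+)", text, re.M)}


def assess(dmesg_text, cpuinfo_text):
    """Was microcode applied, which revision, is it the same on every
    core, and does the kernel still consider any mitigation unsupported?"""
    info = parse_microcode_dmesg(dmesg_text)
    revs = cpuinfo_revisions(cpuinfo_text)
    applied = info["revision"] is not None or info["early_revision"] is not None
    consistent = (len(revs) == 1 and
                  (info["revision"] is None or int(info["revision"], 16) in revs))
    return {
        "applied": applied,
        "revision": info["revision"] or info["early_revision"],
        "consistent_across_cpus": consistent,
        "still_missing_microcode_for": info["no_microcode"],
    }


if __name__ == "__main__":
    # On a real host feed it the output of `dmesg` and the contents of
    # /proc/cpuinfo; here the constructed samples are used.
    print(assess(SAMPLE_DMESG, SAMPLE_CPUINFO))
```

The SRBDS line in the sample is the interesting one: the revision is loaded (so "applied" is true), yet the kernel still reports one vulnerability as lacking microcode, which is exactly the situation where a newer microcode revision is needed than the one the distribution package currently ships.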
  • From Michael Stone@21:1/5 to Giacomo Catenazzi on Wed Jan 13 17:20:01 2021
    On Tue, Jan 12, 2021 at 05:25:23PM +0100, Giacomo Catenazzi wrote:
    > In any case, according Intel, microcode should be updated by BIOS

    I wonder if anyone from intel can manage to say that with a straight face.

  • From Christoph Pflügler@21:1/5 to Michael Stone on Wed Jan 13 22:00:02 2021
    On 13.01.21 17:15, Michael Stone wrote:
    > On Tue, Jan 12, 2021 at 05:25:23PM +0100, Giacomo Catenazzi wrote:
    >> In any case, according Intel, microcode should be updated by BIOS
    >
    > I wonder if anyone from intel can manage to say that with a straight
    > face.

    This is the dmesg | grep microcode output for the i5 gen3:

    [    0.000000] microcode: microcode updated early to revision 0x21, date = 2019-02-13
    [    0.222193] SRBDS: Vulnerable: No microcode
    [    1.067686] microcode: sig=0x306a9, pf=0x10, revision=0x21
    [    1.067856] microcode: Microcode Update Driver: v2.2.

    and here the one for the E3 v5:

    [    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
    [    0.379026] SRBDS: Vulnerable: No microcode
    [    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
    [    1.625215] microcode: Microcode Update Driver: v2.2.

    Seems like the microcode is applied to my CPUs. This is also supported
    by numerous other CVEs getting mitigated after intel-microcode
    installation.

    I also tried the latest spectre-meltdown-checker (v0.44), the results
    are the same (plus another red 2020 CVE).

  • From Michael Stone@21:1/5 to Christoph Pflügler on Thu Jan 14 00:00:03 2021
    On Wed, Jan 13, 2021 at 09:49:43PM +0100, Christoph Pflügler wrote:
    > [    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
    > [    0.379026] SRBDS: Vulnerable: No microcode
    > [    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
    > [    1.625215] microcode: Microcode Update Driver: v2.2.
    >
    > Seems like the microcode is applied to my CPUs. This is also supported
    > by numerous other CVEs getting mitigated after intel-microcode
    > installation.

    That's exactly the same signature I was testing with different results:
    microcode: sig=0x506e3, pf=0x2, revision=0xd6

    The only way I can get your results is to run unprivileged, but you said
    you weren't doing that. The checks for 3640 and 3615 are basically just
    looking for SSBD; in the top section the line that says "CPU indicates
    SSBD capability" presumably says something other than "YES (Intel SSBD)"?

    > I also tried the latest spectre-meltdown-checker (v0.44), the results
    > are the same (plus another red 2020 CVE).

    This is presumably CVE-2020-0543; if you look at the changelog for
    intel-microcode it discusses that issue. You can install the backports
    version which should fix that at the risk of a boot failure.

  • From Christoph Pflügler@21:1/5 to Michael Stone on Thu Jan 14 18:30:01 2021
    On 13.01.21 23:49, Michael Stone wrote:
    > On Wed, Jan 13, 2021 at 09:49:43PM +0100, Christoph Pflügler wrote:
    >> [    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
    >> [    0.379026] SRBDS: Vulnerable: No microcode
    >> [    1.625090] microcode: sig=0x506e3, pf=0x2, revision=0xd6
    >> [    1.625215] microcode: Microcode Update Driver: v2.2.
    >>
    >> Seems like the microcode is applied to my CPUs. This is also
    >> supported by numerous other CVEs getting mitigated after
    >> intel-microcode installation.
    >
    > That's exactly the same signature I was testing with different results:
    > microcode: sig=0x506e3, pf=0x2, revision=0xd6
    >
    > The only way I can get your results is to run unprivileged, but you
    > said you weren't doing that. The checks for 3640 and 3615 are
    > basically just looking for SSBD; in the top section the line that says
    > "CPU indicates SSBD capability" presumably says something other than
    > "YES (Intel SSBD)"?
    >
    >> I also tried the latest spectre-meltdown-checker (v0.44), the results
    >> are the same (plus another red 2020 CVE).
    >
    > This is presumably CVE-2020-0543; if you look at the changelog for
    > intel-microcode it discusses that issue. You can install the backports
    > version which should fix that at the risk of a boot failure.

    You are absolutely right, the SSBD lines say the following (when
    executed as root):

      * Speculative Store Bypass Disable (SSBD)
        * CPU indicates SSBD capability:  UNKNOWN  (is cpuid kernel module available?)

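The UNKNOWN in the last post is the checker failing to read CPUID through /dev/cpu/N/cpuid, the device the cpuid kernel module provides, so the SSBD answer is "unreadable" rather than "absent". As an added example (not the thread's, Debian's, or spectre-meltdown-checker's own code), the script below decodes the CPUID leaf 7 bits that distinguish those cases (SSBD, IBRS/IBPB, STIBP, L1D_FLUSH, IA32_ARCH_CAPABILITIES in EDX, SGX in EBX) and returns UNKNOWN instead of a false NO when the device is missing or unreadable. The device path and offset encoding are those of the Linux cpuid driver and the bit positions are from the Intel SDM; the function names and the constructed sample record are the example's own.

```python
"""Added example: read the CPUID bits behind the checker's SSBD line,
and report UNKNOWN when /dev/cpu/N/cpuid is not available."""
import os
import struct

CPUID_DEV = "/dev/cpu/{cpu}/cpuid"   # created by the `cpuid` kernel module

# CPUID leaf 7, subleaf 0 bit positions (Intel SDM vol. 2A, CPUID).
LEAF7_EBX_SGX = 2
LEAF7_EDX_IBRS_IBPB = 26
LEAF7_EDX_STIBP = 27
LEAF7_EDX_L1D_FLUSH = 28
LEAF7_EDX_ARCH_CAPABILITIES = 29
LEAF7_EDX_SSBD = 31


def pack_cpuid(eax, ebx, ecx, edx):
    """Build a 16-byte record in the layout the cpuid device returns
    (four little-endian u32 registers, eax first). Used for samples."""
    return struct.pack("<4I", eax, ebx, ecx, edx)


def decode_leaf7(raw):
    """Decode a leaf 7 / subleaf 0 record into the flags the checker
    consults for the microcode-dependent mitigations."""
    if len(raw) != 16:
        raise ValueError("cpuid record must be 16 bytes")
    eax, ebx, ecx, edx = struct.unpack("<4I", raw)

    def bit(reg, n):
        return bool((reg >> n) & 1)

    return {
        "sgx": bit(ebx, LEAF7_EBX_SGX),
        "ibrs_ibpb": bit(edx, LEAF7_EDX_IBRS_IBPB),
        "stibp": bit(edx, LEAF7_EDX_STIBP),
        "l1d_flush": bit(edx, LEAF7_EDX_L1D_FLUSH),
        "arch_capabilities": bit(edx, LEAF7_EDX_ARCH_CAPABILITIES),
        "ssbd": bit(edx, LEAF7_EDX_SSBD),
    }


def read_cpuid(leaf, subleaf=0, cpu=0):
    """Return the raw 16-byte CPUID record for (leaf, subleaf), or None when
    the device is absent (module not loaded) or unreadable (not root).
    The driver encodes the leaf in the low 32 bits of the file offset and
    the subleaf in the high 32 bits."""
    path = CPUID_DEV.format(cpu=cpu)
    offset = (subleaf << 32) | leaf
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:          # ENOENT: no cpuid module; EACCES: unprivileged
        return None
    try:
        return os.pread(fd, 16, offset)
    finally:
        os.close(fd)


def ssbd_status(raw):
    """Three-way answer mirroring the checker's 'CPU indicates SSBD
    capability' line: YES / NO / UNKNOWN."""
    if raw is None:
        return "UNKNOWN (is cpuid kernel module available?)"
    return "YES" if decode_leaf7(raw)["ssbd"] else "NO"


if __name__ == "__main__":
    # Constructed sample record: SGX present, IBRS/IBPB and SSBD advertised.
    sample = pack_cpuid(0, 1 << LEAF7_EBX_SGX, 0,
                        (1 << LEAF7_EDX_IBRS_IBPB) | (1 << LEAF7_EDX_SSBD))
    print("sample record:", decode_leaf7(sample))
    # Live read on this host; prints UNKNOWN if /dev/cpu/0/cpuid is missing.
    print("this host, SSBD:", ssbd_status(read_cpuid(7)))
```

On a Debian host where this prints UNKNOWN, loading the module as root (`modprobe cpuid`) creates /dev/cpu/*/cpuid; rerunning the checker afterwards yields a real YES or NO for SSBD, and with it a meaningful verdict for CVE-2018-3640 and CVE-2018-3615 instead of the spurious "microcode not up to date".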