开机显示幽灵 CPU 漏洞的警告

alphabet · 2023-04-01 13:33:57

电脑开机顶行显示了一段警告：

RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!

大概是说幽灵漏洞会导致数据泄漏，这段警告应该早前几个 linux 版本更新后就出现了，只是开机一闪而过，没有专门留意；这次特别截了图，查了下网上的资料，linux 内核开发者应该也早就发布过隔离补丁了。

所以问下大佬：普通用户还需要做什么吗？

依云 · 2023-04-01 14:16:51

普通用户除了换 CPU，啥也做不了。lscpu 能看到有哪些已知的问题，以及是否应用了缓解方案。

alphabet · 2023-04-01 16:10:33

依云说：

普通用户除了换 CPU，啥也做不了。lscpu 能看到有哪些已知的问题，以及是否应用了缓解方案。

Vulnerabilities:
  Itlb multihit:         KVM: Mitigation: VMX disabled
  L1tf:                  Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled
  Mds:                   Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
  Retbleed:              Vulnerable
  Spec store bypass:     Vulnerable
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Vulnerable: No microcode
  Tsx async abort:       Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled

大佬，能帮忙分析下这段信息

VMX disabled：表示最好能禁用虚拟机？
SMT disabled：禁用 cpu 的多线程？
Clear CPU buffers attempted：关闭或重启计算机，就可以清理一波缓存是吗
No microcode：为什么是没有微码，我用的是 systemd-boot，配置信息如下：

 title   Arch Linux
 linux   /vmlinuz-linux
 initrd  /initramfs-linux.img
 initrd  /intel-ucode.img
 options root=PARTUUID= ...

其他的专有名词看不懂 ...

依云 · 2023-04-01 16:49:02

journalctl -k | grep -i microcode 看看？

alphabet · 2023-04-01 17:48:31

依云说：

journalctl -k | grep -i microcode 看看？

Apr 01 17:40:42 archlinux kernel: microcode: microcode updated early to revision 0xf0, date = 2021-11-12
Apr 01 17:40:42 archlinux kernel: SRBDS: Mitigation: Microcode
Apr 01 17:40:42 archlinux kernel: microcode: Microcode Update Driver: v2.2.

我把 /intel-ucode.img 这行放到 /initramfs-linux.img 这行上面就好了，现在打印 lscpu 是这样的：

Vulnerabilities:
  Itlb multihit:         KVM: Mitigation: VMX disabled
  L1tf:                  Mitigation; PTE Inversion; VMX conditional cache flushes, SMT disabled
  Mds:                   Mitigation; Clear CPU buffers; SMT disabled
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT disabled
  Retbleed:              Mitigation; IBRS
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; IBRS, IBPB conditional, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Mitigation; Microcode
  Tsx async abort:       Mitigation; TSX disabled

依云 · 2023-04-01 18:37:11

修好啦～

alphabet · 2023-04-01 19:58:01

依云说：

修好啦～

这样就可以了是吧，OK～～～谢谢仙子的帮助

Arch Linux

#1 2023-04-01 13:33:57

开机显示幽灵 CPU 漏洞的警告

#2 2023-04-01 14:16:51

Re: 开机显示幽灵 CPU 漏洞的警告

#3 2023-04-01 16:10:33

Re: 开机显示幽灵 CPU 漏洞的警告

#4 2023-04-01 16:49:02

Re: 开机显示幽灵 CPU 漏洞的警告

#5 2023-04-01 17:48:31

Re: 开机显示幽灵 CPU 漏洞的警告

#6 2023-04-01 18:37:11

Re: 开机显示幽灵 CPU 漏洞的警告

#7 2023-04-01 19:58:01

Re: 开机显示幽灵 CPU 漏洞的警告

页脚