| 1 |
> |
| 2 |
> This appears to be OK on my CPU but want to ask to be sure. Here's some |
| 3 |
> info, sort of taking cues from what you posted above. |
| 4 |
> |
| 5 |
> |
| 6 |
> root@fireball / # uname -a |
| 7 |
> Linux fireball 4.18.12-gentoo #1 SMP PREEMPT Sun Oct 14 23:45:12 CDT 2018 |
| 8 |
> x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux |
| 9 |
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/ |
| 10 |
> l1tf meltdown spec_store_bypass |
| 11 |
> spectre_v1 spectre_v2 |
| 12 |
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/meltdown |
| 13 |
> Not affected |
| 14 |
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/l1tf |
| 15 |
> Not affected |
| 16 |
> root@fireball / # cat |
| 17 |
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass |
| 18 |
> Mitigation: Speculative Store Bypass disabled via prctl and seccomp |
| 19 |
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1 |
| 20 |
> Mitigation: __user pointer sanitization |
| 21 |
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 |
| 22 |
> Mitigation: Full AMD retpoline |
| 23 |
> root@fireball / # |
| 24 |
> |
| 25 |
|
| 26 |
You're missing the /sys/devices/system/cpu/vulnerabilities/mds file because |
| 27 |
only the latest kernels from 2019-05-14 have that check. The 4.18 line has |
| 28 |
gone away so you'd have to go to 4.19.43 to get it. Since you're an AMD |
| 29 |
cpu, you don't need to worry about mds, but if I were you i'd move to |
| 30 |
4.19.43 anyway as you want to stay on a supported version. 4.19 is |
| 31 |
"longterm" (https://www.kernel.org/) so its a good option. Then if |
| 32 |
something serious comes up, an update from 4.19.x to 4.19.y is much less |
| 33 |
trouble than 4.18 to 4.19. |
| 34 |
|
| 35 |
Am I correct to think that "Mitigation" is good enough or does that mean it |
| 36 |
> could be affected in some other way or is risky? |
| 37 |
> |
| 38 |
|
| 39 |
I accept Mitigation as good enough. The kernel devs seem to choose a good |
| 40 |
balance between secure and fast. Anything that says 'vulnerable' is a |
| 41 |
problem, but you may have to live with it until a new microcode or kernel |
| 42 |
update arrives. Or if the CPU vendor is not making a microcode update for |
| 43 |
an old CPU, just live with it or upgrade the hardware. On my skylake box I |
| 44 |
need to think about disabling Hyperthreading or not, disabled is secure but |
| 45 |
halves the core count.. |
| 46 |
|
| 47 |
|
| 48 |
> Also, since the problem that this thread is about isn't listed, mine isn't |
| 49 |
> affected correct? |
| 50 |
> |
| 51 |
|
| 52 |
Covered above. |
| 53 |
|
| 54 |
|
| 55 |
> I'm guessing "Not affected" means all is good. ;-) |
| 56 |
> |
| 57 |
|
| 58 |
Indeed! |
Archives