>
> This appears to be OK on my CPU but want to ask to be sure. Here's some
> info, sort of taking cues from what you posted above.
>
>
> root@fireball / # uname -a
> Linux fireball 4.18.12-gentoo #1 SMP PREEMPT Sun Oct 14 23:45:12 CDT 2018
> x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/
> l1tf meltdown spec_store_bypass
> spectre_v1 spectre_v2
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Not affected
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/l1tf
> Not affected
> root@fireball / # cat
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
> Mitigation: Speculative Store Bypass disabled via prctl and seccomp
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Mitigation: __user pointer sanitization
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Mitigation: Full AMD retpoline
> root@fireball / #
>
|
You're missing the /sys/devices/system/cpu/vulnerabilities/mds file because
only the latest kernels from 2019-05-14 have that check. The 4.18 line has
gone away so you'd have to go to 4.19.43 to get it. Since you're on an AMD
CPU, you don't need to worry about mds, but if I were you I'd move to
4.19.43 anyway as you want to stay on a supported version. 4.19 is
"longterm" (https://www.kernel.org/) so it's a good option. Then if
something serious comes up, an update from 4.19.x to 4.19.y is much less
trouble than 4.18 to 4.19.
|
> Am I correct to think that "Mitigation" is good enough or does that mean it
> could be affected in some other way or is risky?
>
|
I accept Mitigation as good enough. The kernel devs seem to choose a good
balance between secure and fast. Anything that says 'vulnerable' is a
problem, but you may have to live with it until a new microcode or kernel
update arrives. Or if the CPU vendor is not making a microcode update for
an old CPU, just live with it or upgrade the hardware. On my Skylake box I
need to think about disabling Hyperthreading or not; disabled is secure but
halves the core count.
|
> Also, since the problem that this thread is about isn't listed, mine isn't
> affected, correct?
>
|
Covered above.
|
> I'm guessing "Not affected" means all is good. ;-)
>
|
Indeed!
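
An added example, not part of the original message: a POSIX shell helper that reads the status files discussed in this thread and sorts each into the verdicts the reply describes, also listing checks the running kernel does not report (such as mds on 4.18). The function names, verdict words and the sample directory are constructed for illustration; "SMT vulnerable" is a suffix the kernel puts on some Mitigation lines when Hyper-Threading leaves a gap.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's CPU
# vulnerability status files.

# Map one status line to a verdict word.
classify_status() {
    case "$1" in
        "Not affected"*)              echo ok ;;
        Mitigation*"SMT vulnerable"*) echo mitigated-smt-exposed ;;
        Mitigation*)                  echo mitigated ;;
        Vulnerable*)                  echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# Print one line per status file, list checks this kernel does not report,
# and return 1 if any entry is vulnerable.
audit_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%s: %s (%s)\n' "${f##*/}" "$verdict" "$status"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    # File names mentioned in the thread; a missing one means the running
    # kernel has no check for it, not that the CPU is unaffected.
    for name in l1tf mds meltdown spec_store_bypass spectre_v1 spectre_v2; do
        [ -e "$dir/$name" ] || echo "$name: not-reported (no check in this kernel)"
    done
    return "$rc"
}

# Constructed sample: values quoted in the thread (4.18 kernel, no mds file).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    echo 'Not affected' > "$d/meltdown"
    echo 'Not affected' > "$d/l1tf"
    echo 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp' > "$d/spec_store_bypass"
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Mitigation: Full AMD retpoline' > "$d/spectre_v2"
    echo "$d"
}
```

Calling `audit_cpu_vulns` with no argument reads the live sysfs directory; pass the path from `make_sample_dir` to see the output for the values quoted in the thread.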