タイトル通り

Introduction

流石に仕事で全部無謀にすることがあるのか、と思いますがネットワークから完全に隔離されているマシンとかならありではと思わなくも無い。

How to do?

親切な方の記事は下記。

HackMD
LinuxでSpectreの遅くなる脆弱性対策を無効化する - HackMD
https://hackmd.io/@GKcnNngaSBe9qCYV54wL8g/HykmqcS-N
###### tags: `Linux` LinuxでSpectreの遅くなる脆弱性対策を無効化する === Linuxは、**カーネルパラメータ**に脆弱性対策を無効化するオプションを渡すといい

各パラメータの意味は自分で調べました。

  • nopti
    • Page Table Isolation を無効
  • noibpb
    • Indirect Branch Prediction Barriers を無効
  • noibrs
    • Indirect Branch Restricted Speculation を無効
  • nospectre_v2
    • Spectre バリアント 2 (Indirect Branch Speculation) 脆弱性に対する緩和策をすべて無効
  • nospec_store_bypass_disable
    • 投機的ストアバイパス脆弱性に関する軽減策をすべて無効

面倒なので全部無効にします (白目)
手順は下記。

/etc/default/grubGRUB_CMDLINE_LINUX にこれらの引数を追加してします。
なおこの設定は永続的になります。
下記は全部の脆弱性に対する全ての緩和対策(つまり脆弱性を受ける可能性の低減)を無効にします。

1
2
- GRUB_CMDLINE_LINUX=""
+ GRUB_CMDLINE_LINUX="mitigations=off"

個別に無効にするなら下記のように、上述のパラメータを半角で区切ります。

1
2
- GRUB_CMDLINE_LINUX=""
+ GRUB_CMDLINE_LINUX="nopti noibrs noibpb nospectre_v2 nospec_store_bypass_disable"

編集後、sudo update-grub して再起動が必要です。

脆弱性対策が無効にされたかどうかは下記のよう、スクリプトをダウンロードして実行するとわかります。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
# chmod +x spectre-meltdown-checker.sh
# sudo sh ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.43

Note that you should launch this script with root privileges to get accurate information.
We'll proceed but you might see permission denied errors.
To run it as root, you can try the following command: sudo ./spectre-meltdown-checker.sh

Checking for vulnerabilities on current system
Kernel is Linux 5.3.0-53-generic #47~18.04.1-Ubuntu SMP Thu May 7 13:10:50 UTC 2020 x86_64
CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied
./spectre-meltdown-checker.sh: 1235: ./spectre-meltdown-checker.sh: cannot open /boot/vmlinuz-5.3.0-53-generic: Permission denied

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates IBRS capability:  UNKNOWN  (is cpuid kernel module available?)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates IBPB capability:  UNKNOWN  (is cpuid kernel module available?)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates STIBP capability:  UNKNOWN  (is cpuid kernel module available?)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  UNKNOWN  (is cpuid kernel module available?)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  UNKNOWN  (is msr kernel module available?)
    * CPU indicates L1D flush capability:  UNKNOWN  (is cpuid kernel module available?)
  * Microarchitectural Data Sampling
    * VERW instruction is available:  UNKNOWN  (is cpuid kernel module available?)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN  (is cpuid kernel module available?)
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  UNKNOWN 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  UNKNOWN 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO):  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO):  UNKNOWN 
  * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR):  UNKNOWN 
  * CPU supports Transactional Synchronization Extensions (TSX):  UNKNOWN  (is cpuid kernel module available?)
  * CPU supports Software Guard Extensions (SGX):  UNKNOWN  (is cpuid kernel module available?)
  * CPU microcode is known to cause stability problems:  NO  (family 0x6 model 0x9e stepping 0xa ucode 0xca cpuid 0x0)
  * CPU microcode is the latest known available version:  UNKNOWN  (couldn't get your cpuid)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 
  * Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  YES 
  * Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  NO  (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (kernel compression format is unknown or image is invalid))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (kernel compression format is unknown or image is invalid))
* Kernel has mask_nospec64 (arm64):  UNKNOWN  (couldn't check (kernel compression format is unknown or image is invalid))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (kernel compression format is unknown or image is invalid))
> STATUS:  VULNERABLE  (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  NO  (Vulnerable, IBPB: disabled, STIBP: disabled)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  UNKNOWN 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
  * Kernel supports RSB filling:  UNKNOWN  (couldn't check (kernel compression format is unknown or image is invalid))
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO 
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO 
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A 
> STATUS:  VULNERABLE  (your CPU supports SGX and the microcode is not up to date)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: vulnerable)
* Kernel supports PTE inversion:  UNKNOWN  (kernel compression format is unknown or image is invalid)
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: vulnerable
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  NO 
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability)

CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* TAA mitigation is supported by kernel:  UNKNOWN  (kernel compression format is unknown or image is invalid)
* TAA mitigation enabled and active:  NO 
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface:  UNKNOWN  (KVM: Vulnerable)
* This system is a host running a hypervisor:  NO 
* iTLB Multihit mitigation is supported by kernel:  UNKNOWN  (kernel compression format is unknown or image is invalid)
* iTLB Multihit mitigation enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

> SUMMARY: CVE-2017-5753:KO CVE-2017-5715:KO CVE-2017-5754:KO CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:KO CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:KO CVE-2018-12207:OK

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer