在SpectreMeltdown ubuntu内核3.13.0-141-泛型更新之后仍然容易受到攻击？

Question

我已经用ubuntu14.04更新我的服务器到最新的内核：

3.13.0-141-generic

据我所知，这是spectreMeltdown漏洞暴露后的第二个版本。

但在运行幽灵和熔毁漏洞检查程序时：

https://github.com/speed47/spectre-meltdown-checker

我的系统似乎仍然很脆弱：

Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities on current system
Kernel is Linux 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:52:38 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2630L v2 @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES
> STATUS:  NOT VULNERABLE  (99 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO  (echo 1 > /proc/sys/kernel/ibrs_enabled)
    * IBRS enabled for User space:  NO  (echo 2 > /proc/sys/kernel/ibrs_enabled)
    * IBPB enabled:  NO  (echo 1 > /proc/sys/kernel/ibpb_enabled)
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

我能做些什么来减轻这些威胁吗，或者这只是目前的状况吗？

提前感谢！

Answer 1

关于Ubuntu特有的熔毁和幽灵缓解的最佳信息来源是他们的安全知识库中的专用页面。那里的信息与你看到的是一致的：

• 您的CPU还没有更新以支持IBRS/IBPB，因此谱变体2的缓解措施没有功能；
• 熔毁和幽灵变体1被缓解。

关于您的CPU，有更新的微码包，但这导致了回归和重归。您的主板制造商可能有一个固件更新，以解决这个问题；安装将使谱变体2缓解。

Retpoline的支持还没有包括在内，但可能会稍后出现，以解决谱变体2。

作为Rui 指出，这些更新不应该使您陷入安全性错误，可能还有其他类似的漏洞有待发现(如果它们还没有被发现的话！)无论如何，你应该一直认为计算机是不可信的.

Answer 2

如果启用了PTI，您可以通过运行“dmesg\grep隔离”来检查任何发行版的“熔毁”，如果启用了PTI，那么输出应该是：“内核/用户页表隔离:已启用”，在Devuan I上必须这样做:检查您的供应商是否为您的内核安装了PTI！"grep -i“隔离”/boot/config-*“如果它显示"CONFIG_PAGE_TABLE_ISOLATION=y”，那么您是幸运的！通过在内核引导参数中设置"pti=on“来启用PTI :将"pti=on”添加到"/etc/default/grub“中的"GRUB_CMDLINE_LINUX_DEFAULT”中，然后运行：“update”重新启动并再次检查！为了减少所有Intel CPU的错误，必须像前面在文章中提到的那样更新微码。我的i3笔记本电脑已经8岁了！任何固件更新的机会:-/