如何减少CentOS 6.9上的谱变体2？

Question

据2018-03-12年发布的解决幽灵/熔毁问题的英特尔微码更新称，微码与CentOS 6不兼容。

因此，运行CentOS 6的系统仍然易受谱变体2的影响，因为CentOS维护人员将此修补程序的责任委托给上游供应商(又名英特尔)。

我们已经安装了所有可用的操作系统更新，这已经成功地修补了谱变体1和崩溃的CentOS 6系统。

运行https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh的输出：

Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 2.6.32-696.23.1.el6.x86_64 #1 SMP Tue Mar 13 22:44:18 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 58 stepping 9 ucode 31)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  NO
* Kernel has the Red Hat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Load fences)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  YES
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  UNKNOWN
> STATUS:  VULNERABLE  (Vulnerable: Retpoline with unsafe module(s))

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

在运行CentOS 6.9的多个系统上也是如此。

如何将运行CentOS 6的系统与谱变体2进行修补？

Answer 1

说真的，你可以完全忽略英特尔下载中心的操作系统兼容性列表，至少对于微码发行版来说是这样。这是绝对没有价值的。

微码更新包与所有需要英特尔微码更新的软件兼容。这件事已经有十五年没有发生相关的变化了。

CentOS 6.9中的内核是否会使用微码更新带来的新特性是另一回事，即使没有，它也不会使它与微码更新不兼容。

因此，他们关于如何将微码上传到处理器的说明也是完全错误的(内核从未能够处理基于文本的格式)。

假设您不能从CentOS的其他分支获得intel-microcode更新的SRPM并重新构建，您可以只安装一个旧的，并将由RPM安装的微代码数据文件替换为intel tarball中的等效文件。不要忘记重新构建initramfs/initrd并重新启动以尽早应用更新。

或者您可以等待，CentOS最终会发布一个更新，其他人也一样。大多数(全部？)发行版已经在它们的不稳定或beta测试分支中有了这些更新，并且它们最终会迁移到稳定的发行版(时间取决于发行版)。