DevHeads.net

variant 2 not getting fixed

Dear team,
My guest OS (CentOS 6.5, kernel version 2.6.32-696.18.7.el6.x86_64) is
running in an ESXi server (VMware ESXi 5.5.0 build-6480324,
patch ESXi550-201709001.zip was applied).
I installed all the packages mentioned in https://lists.centos.org/pipermail/centos-announce/2018-January/
The list of installed packages is:
kernel-debug-devel-2.6.32-696.18.7.el6.i686
kernel-2.6.32-696.18.7.el6.x86_64
kernel-doc-2.6.32-696.18.7.el6.noarch
kernel-debug-2.6.32-696.18.7.el6.x86_64
kernel-devel-2.6.32-696.18.7.el6.x86_64
kernel-debug-devel-2.6.32-696.18.7.el6.x86_64
libreport-plugin-kerneloops-2.0.9-19.el6.centos.x86_64
abrt-addon-kerneloops-2.0.8-21.el6.centos.x86_64
dracut-kernel-004-409.el6_8.2.noarch
kernel-headers-2.6.32-696.18.7.el6.x86_64
kernel-firmware-2.6.32-696.18.7.el6.noarch
kernel-abi-whitelists-2.6.32-696.18.7.el6.noarch
dracut-004-409.el6_8.2.noarch
dracut-kernel-004-409.el6_8.2.noarch
elfutils-libs-0.164-2.el6.x86_64
elfutils-0.164-2.el6.x86_64
elfutils-libelf-devel-0.164-2.el6.x86_64
elfutils-libelf-0.164-2.el6.x86_64
elfutils-devel-0.164-2.el6.x86_64
microcode_ctl-1.17-25.2.el6_9.x86_64
python-perf-2.6.32-696.18.7.el6.x86_64
perf-2.6.32-696.18.7.el6.x86_64
But /sys/kernel/debug/x86/ibrs_enabled is still set to 0, and if I execute
"echo 2 > /sys/kernel/debug/x86/ibrs_enabled"
then we are getting the error "bash: echo: write error: No such device".
The content of /sys/kernel/debug/x86/ibpb_enabled is also 0, and
"echo 1 > /sys/kernel/debug/x86/ibpb_enabled" throws the
error "bash: echo: write error: No such device".
I used a tool, https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh, to
detect if Meltdown and Spectre got fixed. Spectre Variant 1 and Meltdown
got fixed but not Variant 2.
"CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO

Comments

Re: [Centos6.5][Spectre]variant 2 not getting fix

By Simon Matter at 01/11/2018 - 02:13

Hi,

I think it's because you're running it as a guest so the fixes are not
needed, they are needed on the virtual host then.

Running an updated CentOS 7 KVM guest on a CentOS 6 host, I see all three
options set to 0.

Regards,
Simon
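
A read-only way to collect the state discussed in this thread, as an added example that is not part of either post: the script reads the debugfs tunables under /sys/kernel/debug/x86 and checks for the hypervisor CPU flag. The function names are hypothetical, pti_enabled is assumed to be the third tunable the reply refers to, and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only report of the tunables.

# tunable_state DIR NAME: print "absent", "unreadable" or the file's value.
tunable_state() {
    f="$1/$2"
    [ -e "$f" ] || { echo absent; return 0; }
    v=$(cat "$f" 2>/dev/null) || { echo unreadable; return 0; }
    echo "$v"
}

# describe NAME VALUE: explain what a reported value means.
describe() {
    case "$1:$2" in
        *:absent)       echo "not exposed (debugfs not mounted or no such tunable)" ;;
        *:unreadable)   echo "present but unreadable (run as root)" ;;
        ibrs_enabled:0) echo "IBRS off" ;;
        ibrs_enabled:1) echo "IBRS on for kernel space" ;;
        ibrs_enabled:2) echo "IBRS on for kernel and user space" ;;
        *:0)            echo "off" ;;
        *:1)            echo "on" ;;
        *)              echo "unrecognised value '$2'" ;;
    esac
}

# is_guest CPUINFO: succeed if the 'hypervisor' CPU flag is listed.
is_guest() {
    grep '^flags' "$1" 2>/dev/null | grep -qw hypervisor
}

# spec_ctrl_report [DIR] [CPUINFO]: one line per tunable, plus a guest note.
spec_ctrl_report() {
    dir="${1:-/sys/kernel/debug/x86}"
    cpuinfo="${2:-/proc/cpuinfo}"
    for t in pti_enabled ibrs_enabled ibpb_enabled; do
        s=$(tunable_state "$dir" "$t")
        printf '%-13s %-11s %s\n' "$t" "$s" "$(describe "$t" "$s")"
    done
    if is_guest "$cpuinfo"; then
        echo "hypervisor flag set: guest sees IBRS/IBPB only if the host exposes them"
    fi
    return 0
}

# Constructed sample mirroring the post (pti_enabled value is assumed).
demo=$(mktemp -d)
echo 1 > "$demo/pti_enabled"; echo 0 > "$demo/ibrs_enabled"; echo 0 > "$demo/ibpb_enabled"
printf 'flags\t\t: fpu vme hypervisor lahf_lm\n' > "$demo/cpuinfo"
spec_ctrl_report "$demo" "$demo/cpuinfo"
rm -rf "$demo"
```

On a real system, call `spec_ctrl_report` with no arguments as root after mounting debugfs.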