CentOS 7 시스템을 업데이트했습니다. Meltdown / Spectre가 부분적으로 만 완화되는 이유는 무엇입니까?

우리와 마찬가지로, 어제 멜트 다운 및 스펙터 공격 을 완화하기 위해 많은 시스템을 업데이트했습니다 . 이해 한대로 두 개의 패키지를 설치하고 재부팅해야합니다.

kernel-3.10.0-693.11.6.el7.x86_64
microcode_ctl-2.1-22.2.el7.x86_64

이 패키지를 설치하고 재부팅 한 CentOS 7 시스템이 2 대 있습니다.

Red Hat에 따르면 이러한 sysctls를 확인하고 모두 1인지 확인하여 완화 상태를 확인할 수 있습니다 . 그러나 이러한 시스템에서는 모두 1이 아닙니다.

# cat /sys/kernel/debug/x86/pti_enabled
1
# cat /sys/kernel/debug/x86/ibpb_enabled
0
# cat /sys/kernel/debug/x86/ibrs_enabled
0

그리고 나는 그것들을 1로 설정할 수 없습니다 :

# echo 1 > /sys/kernel/debug/x86/ibpb_enabled
-bash: echo: write error: No such device
# echo 1 > /sys/kernel/debug/x86/ibrs_enabled
-bash: echo: write error: No such device

부팅시 인텔 마이크로 코드가로드 된 것으로 확인되었습니다.

# systemctl status microcode -l
● microcode.service - Load CPU microcode update
   Loaded: loaded (/usr/lib/systemd/system/microcode.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2018-01-05 16:42:25 UTC; 9min ago
  Process: 30383 ExecStart=/usr/bin/bash -c grep -l GenuineIntel /proc/cpuinfo | xargs grep -l -E "model[[:space:]]*: 79$" > /dev/null || echo 1 > /sys/devices/system/cpu/microcode/reload (code=exited, status=0/SUCCESS)
 Main PID: 30383 (code=exited, status=0/SUCCESS)

Jan 05 16:42:25 makrura systemd[1]: Starting Load CPU microcode update...
Jan 05 16:42:25 makrura systemd[1]: Started Load CPU microcode update.

심지어 dmesg그것을 확인한 것 같습니다 :

[    3.245580] microcode: CPU0 sig=0x50662, pf=0x10, revision=0xf
[    3.245627] microcode: CPU1 sig=0x50662, pf=0x10, revision=0xf
[    3.245674] microcode: CPU2 sig=0x50662, pf=0x10, revision=0xf
[    3.245722] microcode: CPU3 sig=0x50662, pf=0x10, revision=0xf
[    3.245768] microcode: CPU4 sig=0x50662, pf=0x10, revision=0xf
[    3.245816] microcode: CPU5 sig=0x50662, pf=0x10, revision=0xf
[    3.245869] microcode: CPU6 sig=0x50662, pf=0x10, revision=0xf
[    3.245880] microcode: CPU7 sig=0x50662, pf=0x10, revision=0xf
[    3.245924] microcode: CPU8 sig=0x50662, pf=0x10, revision=0xf
[    3.245972] microcode: CPU9 sig=0x50662, pf=0x10, revision=0xf
[    3.245989] microcode: CPU10 sig=0x50662, pf=0x10, revision=0xf
[    3.246036] microcode: CPU11 sig=0x50662, pf=0x10, revision=0xf
[    3.246083] microcode: CPU12 sig=0x50662, pf=0x10, revision=0xf
[    3.246131] microcode: CPU13 sig=0x50662, pf=0x10, revision=0xf
[    3.246179] microcode: CPU14 sig=0x50662, pf=0x10, revision=0xf
[    3.246194] microcode: CPU15 sig=0x50662, pf=0x10, revision=0xf
[    3.246273] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

Broadwell이라는 인텔 CPU 코드가 있습니다.

processor       : 15
vendor_id       : GenuineIntel
cpu family      : 6
model           : 86
model name      : Intel(R) Xeon(R) CPU D-1540 @ 2.00GHz
stepping        : 2
microcode       : 0xf
cpu MHz         : 2499.921
cache size      : 12288 KB
physical id     : 0
siblings        : 16
core id         : 7
cpu cores       : 8
apicid          : 15
initial apicid  : 15
fpu             : yes
fpu_exception   : yes
cpuid level     : 20
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb cat_l3 invpcid_single intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm rdt_a rdseed adx smap xsaveopt cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts
bogomips        : 3999.90
clflush size    : 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

이 cpuid유틸리티는 다음을보고합니다.

# cpuid -1
Disclaimer: cpuid may not support decoding of all cpuid registers.
CPU:
   vendor_id = "GenuineIntel"
   version information (1/eax):
      processor type  = primary processor (0)
      family          = Intel Pentium Pro/II/III/Celeron/Core/Core 2/Atom, AMD Athlon/Duron, Cyrix M2, VIA C3 (6)
      model           = 0x6 (6)
      stepping id     = 0x2 (2)
      extended family = 0x0 (0)
      extended model  = 0x5 (5)
      (simple synth)  = Intel Xeon D-1500 (Broadwell-DE V1), 14nm
   miscellaneous (1/ebx):
      process local APIC physical ID = 0x9 (9)
      cpu count                      = 0x10 (16)
      CLFLUSH line size              = 0x8 (8)
      brand index                    = 0x0 (0)
   brand id = 0x00 (0): unknown
   feature information (1/edx):
      x87 FPU on chip                        = true
      virtual-8086 mode enhancement          = true
      debugging extensions                   = true
      page size extensions                   = true
      time stamp counter                     = true
      RDMSR and WRMSR support                = true
      physical address extensions            = true
      machine check exception                = true
      CMPXCHG8B inst.                        = true
      APIC on chip                           = true
      SYSENTER and SYSEXIT                   = true
      memory type range registers            = true
      PTE global bit                         = true
      machine check architecture             = true
      conditional move/compare instruction   = true
      page attribute table                   = true
      page size extension                    = true
      processor serial number                = false
      CLFLUSH instruction                    = true
      debug store                            = true
      thermal monitor and clock ctrl         = true
      MMX Technology                         = true
      FXSAVE/FXRSTOR                         = true
      SSE extensions                         = true
      SSE2 extensions                        = true
      self snoop                             = true
      hyper-threading / multi-core supported = true
      therm. monitor                         = true
      IA64                                   = false
      pending break event                    = true
   feature information (1/ecx):
      PNI/SSE3: Prescott New Instructions     = true
      PCLMULDQ instruction                    = true
      64-bit debug store                      = true
      MONITOR/MWAIT                           = true
      CPL-qualified debug store               = true
      VMX: virtual machine extensions         = true
      SMX: safer mode extensions              = true
      Enhanced Intel SpeedStep Technology     = true
      thermal monitor 2                       = true
      SSSE3 extensions                        = true
      context ID: adaptive or shared L1 data  = false
      FMA instruction                         = true
      CMPXCHG16B instruction                  = true
      xTPR disable                            = true
      perfmon and debug                       = true
      process context identifiers             = true
      direct cache access                     = true
      SSE4.1 extensions                       = true
      SSE4.2 extensions                       = true
      extended xAPIC support                  = true
      MOVBE instruction                       = true
      POPCNT instruction                      = true
      time stamp counter deadline             = true
      AES instruction                         = true
      XSAVE/XSTOR states                      = true
      OS-enabled XSAVE/XSTOR                  = true
      AVX: advanced vector extensions         = true
      F16C half-precision convert instruction = true
      RDRAND instruction                      = true
      hypervisor guest status                 = false
   cache and TLB information (2):
      0x63: data TLB: 1G pages, 4-way, 4 entries
      0x03: data TLB: 4K pages, 4-way, 64 entries
      0x76: instruction TLB: 2M/4M pages, fully, 8 entries
      0xff: cache data is in CPUID 4
      0xb5: instruction TLB: 4K, 8-way, 64 entries
      0xf0: 64 byte prefetching
      0xc3: L2 TLB: 4K/2M pages, 6-way, 1536 entries
   processor serial number: 0005-0662-0000-0000-0000-0000
   deterministic cache parameters (4):
      --- cache 0 ---
      cache type                           = data cache (1)
      cache level                          = 0x1 (1)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0x1 (1)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0x7 (7)
      ways of associativity                = 0x0 (0)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = false
      complex cache indexing               = false
      number of sets - 1 (s)               = 63
      --- cache 1 ---
      cache type                           = instruction cache (2)
      cache level                          = 0x1 (1)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0x1 (1)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0x7 (7)
      ways of associativity                = 0x0 (0)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = false
      complex cache indexing               = false
      number of sets - 1 (s)               = 63
      --- cache 2 ---
      cache type                           = unified cache (3)
      cache level                          = 0x2 (2)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0x1 (1)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0x7 (7)
      ways of associativity                = 0x0 (0)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = false
      complex cache indexing               = false
      number of sets - 1 (s)               = 511
      --- cache 3 ---
      cache type                           = unified cache (3)
      cache level                          = 0x3 (3)
      self-initializing cache level        = true
      fully associative cache              = false
      extra threads sharing this cache     = 0xf (15)
      extra processor cores on this die    = 0x7 (7)
      system coherency line size           = 0x3f (63)
      physical line partitions             = 0x0 (0)
      ways of associativity                = 0xb (11)
      ways of associativity                = 0x6 (6)
      WBINVD/INVD behavior on lower caches = false
      inclusive to lower caches            = true
      complex cache indexing               = true
      number of sets - 1 (s)               = 16383
   MONITOR/MWAIT (5):
      smallest monitor-line size (bytes)       = 0x40 (64)
      largest monitor-line size (bytes)        = 0x40 (64)
      enum of Monitor-MWAIT exts supported     = true
      supports intrs as break-event for MWAIT  = true
      number of C0 sub C-states using MWAIT    = 0x0 (0)
      number of C1 sub C-states using MWAIT    = 0x2 (2)
      number of C2 sub C-states using MWAIT    = 0x1 (1)
      number of C3 sub C-states using MWAIT    = 0x2 (2)
      number of C4 sub C-states using MWAIT    = 0x0 (0)
      number of C5 sub C-states using MWAIT    = 0x0 (0)
      number of C6 sub C-states using MWAIT    = 0x0 (0)
      number of C7 sub C-states using MWAIT    = 0x0 (0)
   Thermal and Power Management Features (6):
      digital thermometer                     = true
      Intel Turbo Boost Technology            = true
      ARAT always running APIC timer          = true
      PLN power limit notification            = true
      ECMD extended clock modulation duty     = true
      PTM package thermal management          = true
      HWP base registers                      = false
      HWP notification                        = false
      HWP activity window                     = false
      HWP energy performance preference       = false
      HWP package level request               = false
      HDC base registers                      = false
      digital thermometer thresholds          = 0x2 (2)
      ACNT/MCNT supported performance measure = true
      ACNT2 available                         = false
      performance-energy bias capability      = true
   extended feature flags (7):
      FSGSBASE instructions                    = true
      IA32_TSC_ADJUST MSR supported            = true
      SGX: Software Guard Extensions supported = false
      BMI instruction                          = true
      HLE hardware lock elision                = true
      AVX2: advanced vector extensions 2       = true
      FDP_EXCPTN_ONLY                          = false
      SMEP supervisor mode exec protection     = true
      BMI2 instructions                        = true
      enhanced REP MOVSB/STOSB                 = true
      INVPCID instruction                      = true
      RTM: restricted transactional memory     = true
      QM: quality of service monitoring        = true
      deprecated FPU CS/DS                     = true
      intel memory protection extensions       = false
      PQE: platform quality of service enforce = true
      AVX512F: AVX-512 foundation instructions = false
      AVX512DQ: double & quadword instructions = false
      RDSEED instruction                       = true
      ADX instructions                         = true
      SMAP: supervisor mode access prevention  = true
      AVX512IFMA: fused multiply add           = false
      CLFLUSHOPT instruction                   = false
      CLWB instruction                         = false
      Intel processor trace                    = true
      AVX512PF: prefetch instructions          = false
      AVX512ER: exponent & reciprocal instrs   = false
      AVX512CD: conflict detection instrs      = false
      SHA instructions                         = false
      AVX512BW: byte & word instructions       = false
      AVX512VL: vector length                  = false
      PREFETCHWT1                              = false
      AVX512VBMI: vector byte manipulation     = false
      UMIP: user-mode instruction prevention   = false
      PKU protection keys for user-mode        = false
      OSPKE CR4.PKE and RDPKRU/WRPKRU          = false
      BNDLDX/BNDSTX MAWAU value in 64-bit mode = 0x0 (0)
      RDPID: read processor D supported        = false
      SGX_LC: SGX launch config supported      = false
      AVX512_4VNNIW: neural network instrs     = false
      AVX512_4FMAPS: multiply acc single prec  = false
   Direct Cache Access Parameters (9):
      PLATFORM_DCA_CAP MSR bits = 1
   Architecture Performance Monitoring Features (0xa/eax):
      version ID                               = 0x3 (3)
      number of counters per logical processor = 0x4 (4)
      bit width of counter                     = 0x30 (48)
      length of EBX bit vector                 = 0x7 (7)
   Architecture Performance Monitoring Features (0xa/ebx):
      core cycle event not available           = false
      instruction retired event not available  = false
      reference cycles event not available     = false
      last-level cache ref event not available = false
      last-level cache miss event not avail    = false
      branch inst retired event not available  = false
      branch mispred retired event not avail   = false
   Architecture Performance Monitoring Features (0xa/edx):
      number of fixed counters    = 0x3 (3)
      bit width of fixed counters = 0x30 (48)
   x2APIC features / processor topology (0xb):
      --- level 0 (thread) ---
      bits to shift APIC ID to get next = 0x1 (1)
      logical processors at this level  = 0x2 (2)
      level number                      = 0x0 (0)
      level type                        = thread (1)
      extended APIC ID                  = 9
      --- level 1 (core) ---
      bits to shift APIC ID to get next = 0x4 (4)
      logical processors at this level  = 0x10 (16)
      level number                      = 0x1 (1)
      level type                        = core (2)
      extended APIC ID                  = 9
   XSAVE features (0xd/0):
      XCR0 lower 32 bits valid bit field mask = 0x00000007
      XCR0 upper 32 bits valid bit field mask = 0x00000000
         XCR0 supported: x87 state            = true
         XCR0 supported: SSE state            = true
         XCR0 supported: AVX state            = true
         XCR0 supported: MPX BNDREGS          = false
         XCR0 supported: MPX BNDCSR           = false
         XCR0 supported: AVX-512 opmask       = false
         XCR0 supported: AVX-512 ZMM_Hi256    = false
         XCR0 supported: AVX-512 Hi16_ZMM     = false
         IA32_XSS supported: PT state         = false
         XCR0 supported: PKRU state           = false
      bytes required by fields in XCR0        = 0x00000340 (832)
      bytes required by XSAVE/XRSTOR area     = 0x00000340 (832)
   XSAVE features (0xd/1):
      XSAVEOPT instruction                        = true
      XSAVEC instruction                          = false
      XGETBV instruction                          = false
      XSAVES/XRSTORS instructions                 = false
      SAVE area size in bytes                     = 0x00000000 (0)
      IA32_XSS lower 32 bits valid bit field mask = 0x00000000
      IA32_XSS upper 32 bits valid bit field mask = 0x00000000
   AVX/YMM features (0xd/2):
      AVX/YMM save state byte size             = 0x00000100 (256)
      AVX/YMM save state byte offset           = 0x00000240 (576)
      supported in IA32_XSS or XCR0            = XCR0 (user state)
      64-byte alignment in compacted XSAVE     = false
   Quality of Service Monitoring Resource Type (0xf/0):
      Maximum range of RMID = 63
      supports L3 cache QoS monitoring = false
   L3 Cache Quality of Service Monitoring (0xf/1):
      Conversion factor from IA32_QM_CTR to bytes = 32768
      Maximum range of RMID                       = 63
      supports L3 occupancy monitoring       = true
      supports L3 total bandwidth monitoring = true
      supports L3 local bandwidth monitoring = true
   Resource Director Technology allocation (0x10/0):
      L3 cache allocation technology supported = true
      L2 cache allocation technology supported = false
   L3 Cache Allocation Technology (0x10/1):
      length of capacity bit mask - 1 = 0xb (11)
      Bit-granular map of isolation/contention    = 0x00000c00
      infrequent updates of COS              = true
      code and data prioritization supported = false
      highest COS number supported = 0xb (11)
   0x00000011 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
   SGX capability (0x12/0):
      SGX1 supported                         = false
      SGX2 supported                         = false
      MISCSELECT.EXINFO supported: #PF & #GP = false
      MaxEnclaveSize_Not64 (log2)            = 0x0 (0)
      MaxEnclaveSize_64 (log2)               = 0x0 (0)
   0x00000013 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
   Intel Processor Trace (0x14):
      IA32_RTIT_CR3_MATCH is accessible      = true
      configurable PSB & cycle-accurate      = false
      IP & TraceStop filtering; PT preserve  = false
      MTC timing packet; suppress COFI-based = false
      PTWRITE support                        = false
      power event trace support              = false
      IA32_RTIT_CTL can enable tracing  = true
      ToPA can hold many output entries = false
      single-range output scheme        = false
      output to trace transport         = false
      IP payloads have LIP values & CS  = false
   extended feature flags (0x80000001/edx):
      SYSCALL and SYSRET instructions        = true
      execution disable                      = true
      1-GB large page support                = true
      RDTSCP                                 = true
      64-bit extensions technology available = true
   Intel feature flags (0x80000001/ecx):
      LAHF/SAHF supported in 64-bit mode     = true
      LZCNT advanced bit manipulation        = true
      3DNow! PREFETCH/PREFETCHW instructions = true
   brand = "Intel(R) Xeon(R) CPU D-1540 @ 2.00GHz"
   L1 TLB/cache information: 2M/4M pages & L1 TLB (0x80000005/eax):
      instruction # entries     = 0x0 (0)
      instruction associativity = 0x0 (0)
      data # entries            = 0x0 (0)
      data associativity        = 0x0 (0)
   L1 TLB/cache information: 4K pages & L1 TLB (0x80000005/ebx):
      instruction # entries     = 0x0 (0)
      instruction associativity = 0x0 (0)
      data # entries            = 0x0 (0)
      data associativity        = 0x0 (0)
   L1 data cache information (0x80000005/ecx):
      line size (bytes) = 0x0 (0)
      lines per tag     = 0x0 (0)
      associativity     = 0x0 (0)
      size (KB)         = 0x0 (0)
   L1 instruction cache information (0x80000005/edx):
      line size (bytes) = 0x0 (0)
      lines per tag     = 0x0 (0)
      associativity     = 0x0 (0)
      size (KB)         = 0x0 (0)
   L2 TLB/cache information: 2M/4M pages & L2 TLB (0x80000006/eax):
      instruction # entries     = 0x0 (0)
      instruction associativity = L2 off (0)
      data # entries            = 0x0 (0)
      data associativity        = L2 off (0)
   L2 TLB/cache information: 4K pages & L2 TLB (0x80000006/ebx):
      instruction # entries     = 0x0 (0)
      instruction associativity = L2 off (0)
      data # entries            = 0x0 (0)
      data associativity        = L2 off (0)
   L2 unified cache information (0x80000006/ecx):
      line size (bytes) = 0x40 (64)
      lines per tag     = 0x0 (0)
      associativity     = 8-way (6)
      size (KB)         = 0x100 (256)
   L3 cache information (0x80000006/edx):
      line size (bytes)     = 0x0 (0)
      lines per tag         = 0x0 (0)
      associativity         = L2 off (0)
      size (in 512KB units) = 0x0 (0)
   Advanced Power Management Features (0x80000007/edx):
      temperature sensing diode      = false
      frequency ID (FID) control     = false
      voltage ID (VID) control       = false
      thermal trip (TTP)             = false
      thermal monitor (TM)           = false
      software thermal control (STC) = false
      100 MHz multiplier control     = false
      hardware P-State control       = false
      TscInvariant                   = true
   Physical Address and Linear Address Size (0x80000008/eax):
      maximum physical address bits         = 0x2e (46)
      maximum linear (virtual) address bits = 0x30 (48)
      maximum guest physical address bits   = 0x0 (0)
   Logical CPU cores (0x80000008/ecx):
      number of CPU cores - 1 = 0x0 (0)
      ApicIdCoreIdSize        = 0x0 (0)
   (multi-processing synth): multi-core (c=8), hyper-threaded (t=2)
   (multi-processing method): Intel leaf 0xb
   (APIC widths synth): CORE_width=4 SMT_width=1
   (APIC synth): PKG_ID=0 CORE_ID=4 SMT_ID=1
   (synth) = Intel Xeon D-1500 (Broadwell-DE V1), 14nm

시스템이 완전히 최신 상태입니다.

# yum upgrade
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.colo-serv.net
 * epel: mirror.steadfast.net
 * extras: centos.mirror.colo-serv.net
 * updates: centos.mirror.colo-serv.net
No packages marked for update

중요한 것을 놓친 것 같은 느낌이 들지만이 시점에서 나는 그것이 무엇인지 알 수 없습니다. 무슨 일이야? 시스템을 완전히 완화하려면 어떻게해야합니까?

Fedora 27 워크 스테이션, Core i7-3770 CPU가 장착 된 데스크탑 및 Core i7-7500U가 장착 된 랩탑에서도 동일한 동작을보고 있습니다.

https://access.redhat.com/articles/3311301에 명시된 바와 같이

CVE-2017-5715 (변형 # 2 / 스펙터)는 데이터 유출로 이어질 수있는 간접 분기 중독 공격입니다. 이 공격을 통해 가상화 된 게스트가 호스트 시스템에서 메모리를 읽을 수 있습니다. 이 문제는 게스트 및 호스트 가상화 소프트웨어에 대한 커널 및 가상화 업데이트와 함께 마이크로 코드로 수정되었습니다. 이 취약점을 해결하려면 업데이트 된 마이크로 코드 및 커널 패치가 모두 필요합니다. 변형 # 2 동작은 마이크로 코드와 함께 작동하는 ibrs 및 ibpb 튜너 블 (noibrs / ibrs_enabled 및 noibpb / ibpb_enabled)에 의해 제어됩니다.

...

언급 한대로 하드웨어 공급 업체에서 제공 한 경우 변형 2를 방지하려면 하드웨어 용 마이크로 코드 업데이트를 설치해야합니다. 마이크로 코드 업데이트는 하드웨어 공급 업체에 문의하십시오.

CVE-2017-5715에 대한 완화 기능을 사용하려면 BIOS 업데이트도 필요합니다.

나는 이것을 너무 일찍 읽었지만 지금은 참조를 찾을 수 없습니다.

업데이트 : OS 업데이트와 함께 출시 된 마이크로 코드 업데이트는 완전한 마이크로 코드 교체가 아닌 실행중인 마이크로 코드에 대한 바이너리 패치 인 것 같습니다 . 즉, BIOS / 프로세서에 패치를 적용하려면 특정 기본 ucode 버전이 필요합니다. 이러한 이유로, 내가 보유한 모든 컴퓨터에서 BIOS / 펌웨어 업데이트가 필요하며,이 BIOS 업데이트는 이미 패치 된 마이크로 코드를 내장하고 있습니다. 참고로, DELL은 14/13/12 세대 PowerEdge 서버에 필요한 펌웨어 업데이트를 릴리스했으며 11 세대 서버에 대한 수정 사항은 이달 말에 릴리스됩니다.

TL; DR : 마이크로 코드 업데이트가 매우 급한 것 같습니다 . 올바른 프로세서를받을 프로세서 / 스테핑 / 모델 / SKU를 완전히 이해 / 발견하기 위해 며칠 / 주를 기다려야한다고 생각합니다.

긴 버전 : 3 개의 업데이트 된 시스템 중 단일 시스템 ( 이전 시스템 )이 새 마이크로 코드를 올바르게로드하고 관련 완화 기능을 활성화했습니다.

• Ryzen 상자에서 "패치 불일치"오류로로드에 실패했습니다.
• Clarkdale (Core i5) 랩톱에서 새로운 마이크로 코드가로드되지 않았지만 올바른 파일이 설치되었습니다 /lib/firmware/
• 아주 오래된 PhenomII 올바르게 새로운 마이크로 코드를로드있는 상자가 및 모든 적절한 완화 할 수 있었다.

나는 많은 커널 및 플랫폼 변형을 다루고 있기 때문에 Specter Meltdown Checker 스크립트를 사용하여 물리적 및 가상 시스템의 상태를 신속하게 설명했습니다.

참조 : https://github.com/speed47/spectre-meltdown-checker

결과는 하이퍼 바이저 호스트 및 베어 메탈 서버에서 BIOS 업데이트가 필요함을 보여줍니다. 이것은 내가 다루는 시스템의 공급 업체 문제입니다. RHEL / CentOS의 마이크로 코드 패치에 의존하지 않습니다.

아래에 언급 된 소스에서 수집 한 정보에 따라 공유 한 dmesg 출력에 부팅시 CPU의 마이크로 코드 업데이트를 나타내는 출력이 누락되었습니다.

CentOS / RedHat에서 이것에 대한 문서를 찾을 수 없지만 다음은 ArchLinux와 Debian의 두 가지 소스입니다.

[1] https://wiki.archlinux.org/index.php/microcode#Verifying_that_microcode_got_updated_on_boot

[2] https://wiki.debian.org/Microcode#Checking_the_microcode_version_of_your_CPU

둘 다 마이크로 코드 업데이트에 성공하면 다음과 같은 내용의 출력이 표시되어야합니다.

microcode updated early to

성공적인 마이크로 코드 업데이트에서 이와 유사한 것을 볼 수있는 [1]에서 제공하는 완전한 출력 라인은 다음과 같습니다.

[    0.000000] CPU0 microcode updated early to revision 0x1b, date = 2014-05-29

제공 한 것은 [1] 상태와 일치하며 CPU에 대한 마이크로 코드 업데이트가 없을 때 확인해야합니다.

위의 다른 의견과 답변 에서이 시점에서 놀라운 것은 아니지만 dmesg 출력과 완화 결과 사이의 연결을 지적하는 것이 도움이 될 것이라고 생각했습니다.