Security on "Unknown: No mitigations"

If there are vulnerabilities that are recognized by IPFire but unmitigated, and SMT is left disabled (as set by default), are you still completely safe?
Thank you in advance.

No. Disabling SMT only helps for some vulnerabilities and the page reports “SMT disabled” as status in this case.

2 Likes

Thank you very much @arne_f

In my case, does “SMT disabled”, solve the yellow vulnerability problem (see image) that I have been carrying around for a long time?


Or, if it would have solved, did the “stripe” have to be blue?

@casabenedetti which is your CPU?

https://fireinfo.ipfire.org/profile/3402a2969f610247cadd6eea109917521f3d8410

Most of these answers could be found through some searches.

Source: Processor MMIO Stale Data Vulnerabilities — The Linux Kernel documentation

Mitigation for these vulnerabilities includes a combination of microcode update and software changes, depending on the platform and usage model. Some of these mitigations are similar to those used to mitigate Microarchitectural Data Sampling (MDS) or those used to mitigate Special Register Buffer Data Sampling (SRBDS).

Statements of Intel about the vulnerability
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
Processor list from intel about affected CPUs
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/processors-affected-srbds.html

According to your Fireinfo, your installation seems to be on a BeeLink box (and a USB card?).

Summarizing my opinion on this situation, according to the data retrieved: your CPU seems not to be affected by this specific vulnerability. However, I cannot say why this is the answer from the vulnerability panel of IPFire.

2 Likes

The Braswell family is not listed in that document, but that could also mean that Intel have not checked whether it is vulnerable or not for older CPU families.

I have seen in the past (can’t find the reference now) that both Intel and AMD only evaluate their hardware vulnerabilities back to a certain stage in their CPU families. For anything earlier than that it is not known whether it is vulnerable or not, and therefore the mitigation cannot be confirmed to fix it or not.

All kernel software changes and microcode updates are applied as soon as available, as seen from the Core Update 178 release for the latest Hardware Vulnerabilities.

4 Likes

I think I understand everything well. So, in my case, “IPFire doesn’t know whether that is a vulnerability or not.” So it is highlighted in yellow “as an unknown.” SMT disabled may not even solve it. Is what I have understood correct?

That is my belief but I am not 100% sure of that.

There is also an addon Spectre-Meltdown-Checker
https://wiki.ipfire.org/addons/spectre-meltdown-checker
but looking at the wiki page it looks like it only covers the vulnerabilities that are based on Speculative Execution, which probably does not cover the MMIO Stale Data vulnerability, but you could always install it, run it and read the output for what was found and what has been mitigated or is not affected.

2 Likes

I have had a look through the vulnerabilities.cgi code.

IPFire gets the status of the vulnerabilities for your system from

/sys/devices/system/cpu/vulnerabilities/

In there are all the statuses for each vulnerability.

This directory is part of the sysfs pseudo file system which is provided by the kernel.

From my understanding, one of the early things the kernel does when booting is look for what hardware is on the system. Part of this also looks at the CPU, and from the info the kernel has it decides which vulnerabilities are present and can therefore mark them as Not Affected if that is the status for that CPU.
It also checks what microcode versions have been applied, and if those have the right version then the vulnerability status is marked as Mitigated.

Therefore the message Unknown: No mitigations has come from the kernel, which means it has no idea about that CPU for that vulnerability.
So probably the CPU manufacturer has not provided any input to the kernel about that CPU family.

The above is my interpretation of looking up about the sysfs and the vulnerabilities section of it.
It would be good if @arne_f could confirm or correct my conclusions.

3 Likes
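To make the sysfs lookup described in the post above concrete, here is a small added example (my own code, not IPFire’s vulnerabilities.cgi) that reads the status files from /sys/devices/system/cpu/vulnerabilities/, sorts each status into a coarse state by its leading keyword (“Not affected”, “Mitigation”, “Vulnerable”, “Unknown”), and flags the ones that still need attention. The SAMPLE_STATUS dictionary is a constructed stand-in for that directory, so the script runs on any machine; the function and variable names are my own.

```python
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of the kind of strings the kernel exposes in that
# directory (not captured from a real box). The mmio_stale_data entry is
# the "Unknown: No mitigations" status the thread is about.
SAMPLE_STATUS = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "mds": "Mitigation: Clear CPU buffers; SMT disabled",
    "l1tf": "Vulnerable",
    "mmio_stale_data": "Unknown: No mitigations",
}

STATE_BY_KEYWORD = {
    "not affected": "not_affected",  # kernel knows the CPU is immune
    "mitigation": "mitigated",       # microcode/software mitigation active
    "vulnerable": "vulnerable",      # affected and no mitigation in place
    "unknown": "unknown",            # kernel has no data for this CPU
}

def classify(status):
    """Map one sysfs status line to a coarse state using the text before the first ':'."""
    head = status.split(":", 1)[0].strip().lower()
    return STATE_BY_KEYWORD.get(head, "unrecognised")

def mentions_smt(status):
    """True when the kernel's status text itself refers to SMT, i.e. SMT matters for it."""
    return "smt" in status.lower()

def read_sysfs(directory=SYSFS_VULN_DIR):
    """Read every file in the vulnerabilities directory; empty dict if it is absent."""
    statuses = {}
    if not directory.is_dir():
        return statuses
    for entry in sorted(directory.iterdir()):
        try:
            statuses[entry.name] = entry.read_text().strip()
        except OSError:
            continue  # unreadable entry: skip rather than abort the report
    return statuses

def needs_attention(statuses):
    """Names whose state is not a confirmed 'not affected' or 'mitigated'."""
    return sorted(n for n, s in statuses.items()
                  if classify(s) not in ("not_affected", "mitigated"))

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_STATUS  # fall back to the constructed sample
    for name, text in live.items():
        print(f"{name:18} {classify(text):13} smt-relevant={mentions_smt(text)}  {text}")
```

Run on a real IPFire box it reads the live directory; elsewhere it reports the constructed sample, where only l1tf and mmio_stale_data are flagged.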

Just found a thread from last year on the MMIO Stale Data issue and it has the link about old CPUs not being updated on vulnerabilities.

https://community.ipfire.org/t/mmio-stale-data-vulnerability/8810/2

2 Likes

Thanks @bonnietwin for your research.
As usual, Santa Clara cares more about the money of tomorrow than the money received yesterday…

Thank you very much @bonnietwin . Yes, I remember creating some time back, the thread you reported, right after the IPFire update, when I became aware of this vulnerability. I had speculated now that perhaps disabling SMT might have fixed the problem, but it seems that the situation has not changed since then (for my case).

Intel and AMD are the organisations that have the knowledge to be able to determine what vulnerabilities affect which CPU.
If they don’t decide to investigate earlier CPUs to determine which vulnerabilities affect them then nothing will change.

At least now the entry is shown as

Unknown: No mitigations

Originally Intel were providing the input that caused all non-investigated CPUs to give the message

Not Affected

2 Likes

It makes me wonder if this could be worse. In the sense that, if I read “Not Affected,” it makes me think that Intel or AMD have investigated and they believe that that CPU is not affected by that vulnerability. Is that a deception or am I wrong?

I would also have interpreted Not Affected in that way.

I suspect that when that interpretation was discovered there was push back to Intel as they submitted a patch to the kernel to mark it as Unknown when an older CPU is used. That has been ported back to older kernel versions so everything should show it with Unknown now.

According to the linked article in that earlier thread, the Unknown state for the MMIO Stale Data vulnerability means

“The processor vulnerability status is unknown because it is out of Servicing period. Mitigation is not attempted.”

The Intel Service periods are described as

Servicing period: The process of providing functional and security updates to Intel processors or platforms, utilizing the Intel Platform Update (IPU) process or other similar mechanisms.

End of Servicing Updates (ESU): ESU is the date at which Intel will no longer provide Servicing, such as through IPU or other similar update processes. ESU dates will typically be aligned to end of quarter.

The ESU for the J3160 was June 30th 2022. When the MMIO Stale Data vulnerability was identified in June 2022 it was right on the boundary of that ESU.

2 Likes

Yes, as with anything, when the item or software goes out of production, no more updates or hardware checks come out. So there will always come a point where it will be mandatory to update the hardware as well.

3 Likes

:imp: :imp: :imp: :imp: evil blue…

Unknown: No mitigations is, as a matter of fact, not intuitive but true: it’s unknown whether the device is susceptible to the vulnerability, and it describes that no mitigation has been applied for it.

Maybe some description in the vulnerability page would ease part of the possible misunderstanding?

2 Likes

Yes, I have thought about that as well.
In any case, I think only Intel(CPU Intel) or AMD(CPU AMD) can do it, as I understand it.

Added the Unknown: No mitigations status into the IPFire wiki page for vulnerabilities.

https://wiki.ipfire.org/configuration/system/vulnerabilities

@casabenedetti can you post a copy of your vulnerabilities image without the red arrow. That can then be added to the wiki page to also show that specific status.

2 Likes