How do I fix Fallout and RIDL?

I installed intel-microcode, but when I run ./spectre-meltdown-checker.sh I get this:

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)
* Kernel supports using MD_CLEAR mitigation:  YES  (found md_clear implementation evidence in kernel image)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  YES 
> STATUS:  VULNERABLE  (Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled)

How do I fix it? I don't understand.

  sudo ./spectre-meltdown-checker.sh | grep 'CPU microcode is'
[sudo] password for user: 
  * CPU microcode is known to cause stability problems:  NO  (model 0x2d family 0x6 stepping 0x7 ucode 0x710 cpuid 0x206d7)
  * CPU microcode is the latest known available version:  NO  (latest version is 0x714 dated 2018/05/08 according to builtin MCExtractor DB v112 - 2019/05/22)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

But this is the latest:

sudo apt install intel-microcode
Reading package lists... Done
Building dependency tree       
Reading state information... Done
intel-microcode is already the newest version (3.20180807a.2~deb9u1).

Answer 1

Have you enabled non-free for the security repository in /etc/apt/sources.list?

deb http://security.debian.org/ stretch/updates main contrib non-free

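If not, enable non-free, run apt-get update, and then install intel-microcode again. It will install a new package. Reboot and try spectre-meltdown-checker again.

Answer 2

Your CPU needs microcode 0x718 to fix Fallout and RIDL; this was added in the intel-microcode 20190618 update, which was not available in your configured repositories when you last updated.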

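It has now been pushed as a security update for Debian 9, and you should get the upgrade the next time you run

apt update && apt upgrade

(as root). The corresponding package version is 3.20190618.1~deb9u1.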

You need to reboot for the microcode update to take effect.
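
Added example, not part of either answer: a post-reboot check that the loaded microcode revision is at least the 0x718 named above and that the kernel's MDS status line reads as mitigated. The function names and the embedded sample files are constructed for illustration; the default paths are the live /proc/cpuinfo and the kernel's sysfs MDS status file.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the checks
# can run against saved copies; defaults are the live procfs/sysfs files.
REQUIRED_UCODE=0x718   # revision the second answer names for the asker's CPU

# Microcode revision of the first CPU in a cpuinfo-format file.
ucode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# True if the loaded revision is a hex value >= REQUIRED_UCODE.
ucode_ok() {
    rev=$(ucode_rev "$1")
    case $rev in 0x*) ;; *) return 1 ;; esac
    [ "$(( $rev ))" -ge "$(( $REQUIRED_UCODE ))" ]
}

# Classify the kernel's one-line MDS status.
mds_status() {
    line=$(cat "${1:-/sys/devices/system/cpu/vulnerabilities/mds}" 2>/dev/null)
    case $line in
        "Not affected"*)   echo not-affected ;;
        Mitigation:*)      echo mitigated ;;
        *"no microcode"*)  echo needs-microcode ;;
        Vulnerable*)       echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# One-line verdict; non-zero exit unless both checks pass.
report() {
    st=$(mds_status "$2")
    if ucode_ok "$1" && [ "$st" = mitigated ]; then
        echo "OK ucode=$(ucode_rev "$1") mds=$st"
    else
        echo "FAIL ucode=$(ucode_rev "$1") need>=$REQUIRED_UCODE mds=$st"
        return 1
    fi
}

# Constructed samples: state before (0x710) and after (0x718) the update.
d=$(mktemp -d)
printf 'processor\t: 0\nmicrocode\t: 0x710\n' > "$d/cpu_old"
printf 'processor\t: 0\nmicrocode\t: 0x718\n' > "$d/cpu_new"
echo 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled' > "$d/mds_old"
echo 'Mitigation: Clear CPU buffers; SMT disabled' > "$d/mds_new"
report "$d/cpu_old" "$d/mds_old" || true
report "$d/cpu_new" "$d/mds_new"
```

Calling `report` with no arguments checks the running system instead of the sample files.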