How to enable IBRS support?
by metageek from LinuxQuestions.org on (#50R0M)
I have had to compile kernel 4.19.107 to be able to have support for all my hardware. I have this installed with otherwise fully patched Slackware64 14.2. I've just added early loading of the updated Intel microcode and was testing the Spectre vulnerabilities when I found out that one is still vulnerable:
Code:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel supports RSB filling: YES
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RBS filling, is needed to mitigate the vulnerability)
> How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. You also need a recent-enough kernel that supports RSB filling if you plan to use retpoline. For Skylake+ CPUs, the IBRS + IBPB approach is generally preferred as it guarantees complete protection, and the performance impact is not as high as with older CPUs in comparison with retpoline. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.
> How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this.

The good news is that I have full support for IBRS, but it is not enabled. I've been searching this forum and elsewhere on how to enable it, but so far I have not been successful. The closest I've come to a solution was a suggestion from an Ubuntu forum to do:
Code:
echo 1 > /proc/sys/kernel/ibrs_enabled
but this results in:
Code:
/proc/sys/kernel/ibrs_enabled: No such file or directory
I am sure I must be missing something obvious; can someone help?
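The first status line in the checker output above comes from the kernel's own sysfs report. As an added example (not part of the original post), this script splits that string into the primary mitigation and its secondary fields so the kernel's view can be read directly. The function names are hypothetical, the path is the mainline sysfs file, and SAMPLE is the string quoted in the post.

```shell
#!/bin/sh
# Added example: split the kernel's Spectre v2 sysfs report into its parts.
# Function names are hypothetical; SAMPLE is the string quoted in the post.
SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
SAMPLE='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling'

# Primary state = first comma-separated field of the report.
spectre_v2_mode() {
    first=${1%%,*}
    case $first in
        "Mitigation: "*) printf '%s\n' "${first#Mitigation: }" ;;
        "Not affected")  echo not-affected ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Secondary field lookup: "IBPB: conditional" -> conditional,
# a bare flag such as "RSB filling" -> enabled, missing -> absent.
spectre_v2_field() {
    status=$1
    name=$2
    rest=${status#*,}
    if [ "$rest" = "$status" ]; then echo absent; return 0; fi
    old_ifs=$IFS
    IFS=,
    set -f; set -- $rest; set +f      # split on commas without globbing
    IFS=$old_ifs
    for field in "$@"; do
        field=${field# }              # drop the space after each comma
        case $field in
            "$name: "*) printf '%s\n' "${field#"$name: "}"; return 0 ;;
            "$name")    echo enabled; return 0 ;;
        esac
    done
    echo absent
}

report() {
    printf 'mode=%s ibpb=%s stibp=%s rsb=%s\n' \
        "$(spectre_v2_mode "$1")" "$(spectre_v2_field "$1" IBPB)" \
        "$(spectre_v2_field "$1" STIBP)" "$(spectre_v2_field "$1" 'RSB filling')"
}

report "$SAMPLE"                       # the post's status line
if [ -r "$SYSFS" ]; then               # live value, when the kernel exposes it
    report "$(cat "$SYSFS")"
fi
```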