CVE-2018-3640:KO False Positive for Intel(R) Celeron(R) CPU N3160?
cinderbdt opened this issue · 1 comments
Possibly similar to #302 and #310, I get:
output
user@host:~$ sudo /usr/bin/spectre-meltdown-checker --version
Spectre and Meltdown mitigation detection tool v0.43
selective copypasta from output with --explain:
- CPU microcode is known to cause stability problems: NO (model 0x4c family 0x6 stepping 0x4 ucode 0x411 cpuid 0x406c4)
- CPU microcode is the latest known available version: YES (latest version is 0x411 dated 2019/04/23 according to builtin firmwares DB v130.20191104+i20191027)
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
- CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
system details
user@host:~$ su root -c 'dmesg -t |grep -i "smpboot\: CPU0"'
Password:
smpboot: CPU0: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz (family: 0x6, model: 0x4c, stepping: 0x4)
user@host:~$ cat /proc/cpuinfo | grep -m 4 'family\|model\|stepping'
cpu family : 6
model : 76
model name : Intel(R) Celeron(R) CPU N3160 @ 1.60GHz
stepping : 4
user@host:~$ su root -c 'dmesg -t | grep -i microcode'
Password:
microcode: microcode updated early to revision 0x411, date = 2019-04-23
microcode: sig=0x406c4, pf=0x1, revision=0x411
microcode: Microcode Update Driver: v2.2.
user@host:~$ dpkg -l intel-microcode
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-===========================-============-===========================================
ii intel-microcode 3.20210608.0ubuntu0.20.04.1 amd64 Processor microcode firmware for Intel CPUs
user@host:~$ uname --kernel-name --kernel-release --kernel-version --machine --processor --hardware-platform --operating-system
Linux 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
question
I read Intel SA-00115, which shows "Apollo Lake" Intel® Celeron® Processor N Series only N3350, N3450 are vulnerable and have a microcode update. I read Affected Processors: Transient Execution Attacks & Related Security Issues by CPU, the 06_4CH processor (corresponding to family 6, model 76 and the dmesg output, if I understand correctly) only lists the Atom processors affected.
I checked ark.intel.com, and when I look at the full specs, I see that it is codename Braswell, which is part of "Cherry View", not "Apollo Lake".
user@host:~$ sudo /usr/sbin/iucode-tool -V
iucode_tool 2.3.1
Copyright (c) 2010-2018 by Henrique de Moraes Holschuh
Based on code from the Linux microcode_intel driver and from
the microcode.ctl package, copyright (c) 2000 by Simon Trimmer
and Tigran Aivazian.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE.
user@host:~$ sudo /usr/sbin/iucode-tool -S
/usr/sbin/iucode-tool: system has processor(s) with signature 0x000406c4
user@host:~$ od -N16 -t x4 /lib/firmware/intel-ucode/06-4c-04
0000000 00000001 00000411 04232019 000406c4
0000020
According to Microcode Update Guidance, in the above file header, 00000411 is the microcode version, 04232019 is the date on which the IPU was created, and 000406c4 is the family/model/stepping in the format returned by the CPUID instruction.
Is this a false positive, or does this processor require a microcode update that is not available? Maybe it falls into the pit outlined by the security advisory? "A listing of microcode updates that have been production qualified can be found here and will be updated as necessary. It is expected that remaining microcode updates, currently in beta, will be production qualified in the coming weeks."
Thank you for any guidance.
Intel replied to me in the forum Processors.
The official information about this topic is directly related to SA-00088:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html
You can find the "Affected products" section there, the Celeron N3160 is not listed nor any Braswell processors, so this processor is not affected by the Spectre and Meltdown.
I'm trying to understand how this can be the case. I think that "is not affected" overstates the safety of using this processor.
Am I reading the output of the checker correctly, that "KO" is indicating that there is a vulnerability for the processor?
I recognize that my risk profile may be such that I don't need to worry about this vulnerability, but I'm still trying to understand what the checker is telling me.
Thanks for any suggestion.