Could have some advice please on whether the whonix-ws and whonix-gw are properly patched?
whonix-ws spectre-meltdown-checker output:
WHONIX-WS
Spectre and Meltdown mitigation detection tool v0.44
Checking for vulnerabilities on current system
Kernel is Linux 6.1.62-1.qubes.fc32.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 14 07:11:33 CET 2023 x86_64
CPU is Intel(R) Core™ i7-3520M CPU @ 2.90GHz
We’re missing some kernel info (see -v), accuracy might be reduced
Hardware check
- Hardware support (CPU microcode) for mitigation techniques
- Indirect Branch Restricted Speculation (IBRS)
- SPEC_CTRL MSR is available: YES
- CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
- Indirect Branch Prediction Barrier (IBPB)
- PRED_CMD MSR is available: YES
- CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
- Single Thread Indirect Branch Predictors (STIBP)
- SPEC_CTRL MSR is available: YES
- CPU indicates STIBP capability: YES (Intel STIBP feature bit)
- Speculative Store Bypass Disable (SSBD)
- CPU indicates SSBD capability: YES (Intel SSBD)
- L1 data cache invalidation
- FLUSH_CMD MSR is available: YES
- CPU indicates L1D flush capability: YES (L1D flush feature bit)
- Microarchitectural Data Sampling
- VERW instruction is available: YES (MD_CLEAR feature bit)
- Enhanced IBRS (IBRS_ALL)
- CPU indicates ARCH_CAPABILITIES MSR availability: YES
- ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
- CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
- CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
- Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
- CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
- CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
- CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
- CPU supports Transactional Synchronization Extensions (TSX): NO
- CPU supports Software Guard Extensions (SGX): NO
- CPU supports Special Register Buffer Data Sampling (SRBDS): NO
- CPU microcode is known to cause stability problems: NO (family 0x6 model 0x3a stepping 0x9 ucode 0x21 cpuid 0x306a9)
- CPU microcode is the latest known available version: YES (latest version is 0x21 dated 2019/02/13 according to builtin firmwares DB v165.20201021+i20200616)
- Indirect Branch Restricted Speculation (IBRS)
- CPU vulnerability to the speculative execution attack variants
- Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
- Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
- Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
- Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
- Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
- Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
- Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): YES
CVE-2017-5753 aka ‘Spectre Variant 1, bounds check bypass’
- Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- Kernel has array_index_mask_nospec: UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Kernel has the Red Hat/Ubuntu patch: UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Kernel has mask_nospec64 (arm64): UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Kernel has array_index_nospec (arm64): UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Checking count of LFENCE instructions following a jump in kernel… UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’
- Mitigated according to the /sys interface: YES (Mitigation: Retpolines, IBPB: conditional, IBRS_FW, RSB filling, PBRSB-eIBRS: Not affected)
- Mitigation 1
- Kernel is compiled with IBRS support: YES
- IBRS enabled and active: YES (for firmware code only)
- Kernel is compiled with IBPB support: YES
- IBPB enabled and active: YES
- Kernel is compiled with IBRS support: YES
- Mitigation 2
- Kernel has branch predictor hardening (arm): NO
- Kernel compiled with retpoline option: YES
STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
CVE-2017-5754 aka ‘Variant 3, Meltdown, rogue data cache load’
- Mitigated according to the /sys interface: YES (Mitigation: PTI)
- Kernel supports Page Table Isolation (PTI): YES
- PTI enabled and active: YES
- Reduced performance impact of PTI: YES (CPU supports PCID, performance impact of PTI will be reduced)
- Running as a Xen PV DomU: NO
STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 aka ‘Variant 3a, rogue system register read’
- CPU microcode mitigates the vulnerability: YES
STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
CVE-2018-3639 aka ‘Variant 4, speculative store bypass’
- Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl)
- Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- SSB mitigation is enabled and active: YES (per-thread through prctl)
- SSB mitigation currently active for selected processes: NO (no process found using SSB mitigation through prctl)
STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl)
CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’
- CPU microcode mitigates the vulnerability: N/A
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3620 aka ‘Foreshadow-NG (OS), L1 terminal fault’
- Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion)
- Kernel supports PTE inversion: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- PTE inversion enabled and active: YES
STATUS: NOT VULNERABLE (Mitigation: PTE Inversion)
CVE-2018-3646 aka ‘Foreshadow-NG (VMM), L1 terminal fault’
- Information from the /sys interface: Mitigation: PTE Inversion
- This system is a host running a hypervisor: YES (paranoid mode)
- Mitigation 1 (KVM)
- EPT is disabled: N/A (the kvm_intel module is not loaded)
- Mitigation 2
- L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- L1D flush enabled: UNKNOWN (unrecognized mode)
- Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- Hyper-Threading (SMT) is enabled: NO
STATUS: VULNERABLE (L1D unconditional flushing should be enabled to fully mitigate the vulnerability)
CVE-2018-12126 aka ‘Fallout, microarchitectural store buffer data sampling (MSBDS)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2018-12130 aka ‘ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2018-12127 aka ‘RIDL, microarchitectural load port data sampling (MLPDS)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2019-11091 aka ‘RIDL, microarchitectural data sampling uncacheable memory (MDSUM)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2019-11135 aka ‘ZombieLoad V2, TSX Asynchronous Abort (TAA)’
- Mitigated according to the /sys interface: YES (Not affected)
- TAA mitigation is supported by kernel: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- TAA mitigation enabled and active: NO
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12207 aka ‘No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)’
- Mitigated according to the /sys interface: YES (KVM: Mitigation: VMX unsupported)
- This system is a host running a hypervisor: YES (paranoid mode)
- iTLB Multihit mitigation is supported by kernel: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: VMX unsupported)
STATUS: NOT VULNERABLE (KVM: Mitigation: VMX unsupported)
CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’
- Mitigated according to the /sys interface: YES (Not affected)
- SRBDS mitigation control is supported by the kernel: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- SRBDS mitigation control is enabled and active: NO
STATUS: VULNERABLE (Your CPU microcode may need to be updated to mitigate the vulnerability)
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:KO CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:KO
We’re missing some kernel info (see -v), accuracy might be reduced
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
2 (exit code)
whonix-gw:
WHONIX-GW
Spectre and Meltdown mitigation detection tool v0.44
Checking for vulnerabilities on current system
Kernel is Linux 6.1.62-1.qubes.fc32.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 14 07:11:33 CET 2023 x86_64
CPU is Intel(R) Core™ i7-3520M CPU @ 2.90GHz
We’re missing some kernel info (see -v), accuracy might be reduced
Hardware check
- Hardware support (CPU microcode) for mitigation techniques
- Indirect Branch Restricted Speculation (IBRS)
- SPEC_CTRL MSR is available: YES
- CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
- Indirect Branch Prediction Barrier (IBPB)
- PRED_CMD MSR is available: YES
- CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
- Single Thread Indirect Branch Predictors (STIBP)
- SPEC_CTRL MSR is available: YES
- CPU indicates STIBP capability: YES (Intel STIBP feature bit)
- Speculative Store Bypass Disable (SSBD)
- CPU indicates SSBD capability: YES (Intel SSBD)
- L1 data cache invalidation
- FLUSH_CMD MSR is available: YES
- CPU indicates L1D flush capability: YES (L1D flush feature bit)
- Microarchitectural Data Sampling
- VERW instruction is available: YES (MD_CLEAR feature bit)
- Enhanced IBRS (IBRS_ALL)
- CPU indicates ARCH_CAPABILITIES MSR availability: YES
- ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
- CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
- CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
- CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
- Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
- CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
- CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO): NO
- CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO): NO
- CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR): NO
- CPU supports Transactional Synchronization Extensions (TSX): NO
- CPU supports Software Guard Extensions (SGX): NO
- CPU supports Special Register Buffer Data Sampling (SRBDS): NO
- CPU microcode is known to cause stability problems: NO (family 0x6 model 0x3a stepping 0x9 ucode 0x21 cpuid 0x306a9)
- CPU microcode is the latest known available version: YES (latest version is 0x21 dated 2019/02/13 according to builtin firmwares DB v165.20201021+i20200616)
- Indirect Branch Restricted Speculation (IBRS)
- CPU vulnerability to the speculative execution attack variants
- Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
- Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
- Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
- Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
- Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
- Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
- Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
- Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
- Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
- Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
- Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
- Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
- Vulnerable to CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
- Vulnerable to CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): YES
- Vulnerable to CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): YES
CVE-2017-5753 aka ‘Spectre Variant 1, bounds check bypass’
- Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
- Kernel has array_index_mask_nospec: UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Kernel has the Red Hat/Ubuntu patch: UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Kernel has mask_nospec64 (arm64): UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Kernel has array_index_nospec (arm64): UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
- Checking count of LFENCE instructions following a jump in kernel… UNKNOWN (couldn’t check (couldn’t find your kernel image in /boot, if you used netboot, this is normal))
STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
CVE-2017-5715 aka ‘Spectre Variant 2, branch target injection’
- Mitigated according to the /sys interface: YES (Mitigation: Retpolines, IBPB: conditional, IBRS_FW, RSB filling, PBRSB-eIBRS: Not affected)
- Mitigation 1
- Kernel is compiled with IBRS support: YES
- IBRS enabled and active: YES (for firmware code only)
- Kernel is compiled with IBPB support: YES
- IBPB enabled and active: YES
- Kernel is compiled with IBRS support: YES
- Mitigation 2
- Kernel has branch predictor hardening (arm): NO
- Kernel compiled with retpoline option: YES
STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
CVE-2017-5754 aka ‘Variant 3, Meltdown, rogue data cache load’
- Mitigated according to the /sys interface: YES (Mitigation: PTI)
- Kernel supports Page Table Isolation (PTI): YES
- PTI enabled and active: YES
- Reduced performance impact of PTI: YES (CPU supports PCID, performance impact of PTI will be reduced)
- Running as a Xen PV DomU: NO
STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 aka ‘Variant 3a, rogue system register read’
- CPU microcode mitigates the vulnerability: YES
STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
CVE-2018-3639 aka ‘Variant 4, speculative store bypass’
- Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl)
- Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
- SSB mitigation is enabled and active: YES (per-thread through prctl)
- SSB mitigation currently active for selected processes: NO (no process found using SSB mitigation through prctl)
STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl)
CVE-2018-3615 aka ‘Foreshadow (SGX), L1 terminal fault’
- CPU microcode mitigates the vulnerability: N/A
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3620 aka ‘Foreshadow-NG (OS), L1 terminal fault’
- Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion)
- Kernel supports PTE inversion: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- PTE inversion enabled and active: YES
STATUS: NOT VULNERABLE (Mitigation: PTE Inversion)
CVE-2018-3646 aka ‘Foreshadow-NG (VMM), L1 terminal fault’
- Information from the /sys interface: Mitigation: PTE Inversion
- This system is a host running a hypervisor: YES (paranoid mode)
- Mitigation 1 (KVM)
- EPT is disabled: N/A (the kvm_intel module is not loaded)
- Mitigation 2
- L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
- L1D flush enabled: UNKNOWN (unrecognized mode)
- Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
- Hyper-Threading (SMT) is enabled: NO
STATUS: VULNERABLE (L1D unconditional flushing should be enabled to fully mitigate the vulnerability)
CVE-2018-12126 aka ‘Fallout, microarchitectural store buffer data sampling (MSBDS)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2018-12130 aka ‘ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2018-12127 aka ‘RIDL, microarchitectural load port data sampling (MLPDS)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2019-11091 aka ‘RIDL, microarchitectural data sampling uncacheable memory (MDSUM)’
- Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT Host state unknown)
- Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
- Kernel mitigation is enabled and active: YES
- SMT is either mitigated or disabled: NO
STATUS: VULNERABLE (Your microcode and kernel are both up to date for this mitigation, but you must disable SMT (Hyper-Threading) for a complete mitigation)
CVE-2019-11135 aka ‘ZombieLoad V2, TSX Asynchronous Abort (TAA)’
- Mitigated according to the /sys interface: YES (Not affected)
- TAA mitigation is supported by kernel: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- TAA mitigation enabled and active: NO
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12207 aka ‘No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)’
- Mitigated according to the /sys interface: YES (KVM: Mitigation: VMX unsupported)
- This system is a host running a hypervisor: YES (paranoid mode)
- iTLB Multihit mitigation is supported by kernel: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- iTLB Multihit mitigation enabled and active: YES (KVM: Mitigation: VMX unsupported)
STATUS: NOT VULNERABLE (KVM: Mitigation: VMX unsupported)
CVE-2020-0543 aka ‘Special Register Buffer Data Sampling (SRBDS)’
- Mitigated according to the /sys interface: YES (Not affected)
- SRBDS mitigation control is supported by the kernel: UNKNOWN (couldn’t find your kernel image in /boot, if you used netboot, this is normal)
- SRBDS mitigation control is enabled and active: NO
STATUS: VULNERABLE (Your CPU microcode may need to be updated to mitigate the vulnerability)
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:KO CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:KO
We’re missing some kernel info (see -v), accuracy might be reduced
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
2 (exit code)