According to the test mentioned in the wiki:
- Results here (before “intel-microcode”; test done on Whonix 14 - Qubes):
Welcome to Whonix!
https://www.whonix.org
The programs included with the Whonix GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Whonix GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law. Whonix is a derivative of Debian GNU/Linux.
Whonix is based on Tor. Whonix is produced independently from the
Tor (r) anonymity software and carries no guarantee from The Tor Project
about quality, suitability or anything else.
Whonix is experimental software by means of concept and design.
Do not rely on it for strong anonymity.
Type: "whonix" <enter> for help.
uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:
uwt INFO: https://www.whonix.org/wiki/Stream_Isolation/Easy
user@host:~$ sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main' > /etc/apt/sources.list.d/backports.list"
user@host:~$ sudo apt-get update
Hit:1 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease
Ign:3 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
Hit:4 tor+http://vwakviie2ienjx6t.onion/debian stretch Release
Hit:7 http://deb.qubes-os.org/r4.0/vm stretch InRelease
Get:6 http://cdn-fastly.deb.debian.org/debian stretch-backports InRelease [91.8 kB]
Get:8 http://cdn-fastly.deb.debian.org/debian stretch-backports/main amd64 Packages [409 kB]
Get:9 http://cdn-fastly.deb.debian.org/debian stretch-backports/main Translation-en [301 kB]
Get:10 http://cdn-fastly.deb.debian.org/debian stretch-backports/main amd64 Contents (deb) [4,885 kB]
Fetched 5,686 kB in 36s (155 kB/s)
Reading package lists... Done
user@host:~$ sudo apt-get -t stretch-backports install spectre-meltdown-checker
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
spectre-meltdown-checker
0 upgraded, 1 newly installed, 0 to remove and 61 not upgraded.
Need to get 33.4 kB of archives.
After this operation, 139 kB of additional disk space will be used.
Get:1 http://cdn-fastly.deb.debian.org/debian stretch-backports/main amd64 spectre-meltdown-checker all 0.39-1~bpo9+1 [33.4 kB]
Fetched 33.4 kB in 1s (17.9 kB/s)
Selecting previously unselected package spectre-meltdown-checker.
(Reading database ... 80298 files and directories currently installed.)
Preparing to unpack .../spectre-meltdown-checker_0.39-1~bpo9+1_all.deb ...
Unpacking spectre-meltdown-checker (0.39-1~bpo9+1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up spectre-meltdown-checker (0.39-1~bpo9+1) ...
user@host:~$ sudo spectre-meltdown-checker --paranoid ; echo $?
Spectre and Meltdown mitigation detection tool v0.39
Checking for vulnerabilities on current system
Kernel is Linux 4.14.57-1.pvops.qubes.x86_64 #1 SMP Mon Jul 23 16:28:54 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
We're missing some kernel info (see -v), accuracy might be reduced
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU microcode is known to cause stability problems: NO (model 0x3c family 0x6 stepping 0x3 ucode 0x24 cpuid 0x306c3)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Kernel has the Red Hat/Ubuntu patch: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Kernel has mask_nospec64 (arm64): UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Checking count of LFENCE instructions following a jump in kernel... UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for kernel and firmware code)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
2
user@host:~$
- Results after installing “intel-microcode”:
user@host:~$ sudo apt-get install intel-microcode
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
initramfs-tools initramfs-tools-core iucode-tool klibc-utils libklibc linux-base
The following NEW packages will be installed:
initramfs-tools initramfs-tools-core intel-microcode iucode-tool klibc-utils libklibc linux-base
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,561 kB of archives.
After this operation, 2,564 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 tor+http://vwakviie2ienjx6t.onion/debian stretch/main amd64 libklibc amd64 2.0.4-9 [52.6 kB]
Get:2 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates/non-free amd64 intel-microcode amd64 3.20180703.2~deb9u1 [1,165 kB]
Get:3 tor+http://vwakviie2ienjx6t.onion/debian stretch/main amd64 klibc-utils amd64 2.0.4-9 [108 kB]
Get:4 tor+http://vwakviie2ienjx6t.onion/debian stretch/main amd64 initramfs-tools-core all 0.130 [97.0 kB]
Get:5 tor+http://vwakviie2ienjx6t.onion/debian stretch/main amd64 linux-base all 4.5 [19.1 kB]
Get:6 tor+http://vwakviie2ienjx6t.onion/debian stretch/main amd64 initramfs-tools all 0.130 [66.0 kB]
Get:7 tor+http://vwakviie2ienjx6t.onion/debian stretch/contrib amd64 iucode-tool amd64 2.1.1-1 [53.3 kB]
Fetched 1,561 kB in 7s (196 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libklibc.
(Reading database ... 80304 files and directories currently installed.)
Preparing to unpack .../0-libklibc_2.0.4-9_amd64.deb ...
Unpacking libklibc (2.0.4-9) ...
Selecting previously unselected package klibc-utils.
Preparing to unpack .../1-klibc-utils_2.0.4-9_amd64.deb ...
Adding 'diversion of /usr/share/initramfs-tools/hooks/klibc to /usr/share/initramfs-tools/hooks/klibc^i-t by klibc-utils'
Unpacking klibc-utils (2.0.4-9) ...
Selecting previously unselected package initramfs-tools-core.
Preparing to unpack .../2-initramfs-tools-core_0.130_all.deb ...
Unpacking initramfs-tools-core (0.130) ...
Selecting previously unselected package linux-base.
Preparing to unpack .../3-linux-base_4.5_all.deb ...
Unpacking linux-base (4.5) ...
Selecting previously unselected package initramfs-tools.
Preparing to unpack .../4-initramfs-tools_0.130_all.deb ...
Unpacking initramfs-tools (0.130) ...
Selecting previously unselected package iucode-tool.
Preparing to unpack .../5-iucode-tool_2.1.1-1_amd64.deb ...
Unpacking iucode-tool (2.1.1-1) ...
Selecting previously unselected package intel-microcode.
Preparing to unpack .../6-intel-microcode_3.20180703.2~deb9u1_amd64.deb ...
Unpacking intel-microcode (3.20180703.2~deb9u1) ...
Setting up libklibc (2.0.4-9) ...
Setting up linux-base (4.5) ...
Setting up iucode-tool (2.1.1-1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up intel-microcode (3.20180703.2~deb9u1) ...
intel-microcode: initramfs support missing
Setting up klibc-utils (2.0.4-9) ...
Setting up initramfs-tools-core (0.130) ...
Setting up initramfs-tools (0.130) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools (0.130) ...
user@host:~$ sudo spectre-meltdown-checker --paranoid ; echo $?
Spectre and Meltdown mitigation detection tool v0.39
Checking for vulnerabilities on current system
Kernel is Linux 4.14.57-1.pvops.qubes.x86_64 #1 SMP Mon Jul 23 16:28:54 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
We're missing some kernel info (see -v), accuracy might be reduced
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU microcode is known to cause stability problems: NO (model 0x3c family 0x6 stepping 0x3 ucode 0x24 cpuid 0x306c3)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Kernel has the Red Hat/Ubuntu patch: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Kernel has mask_nospec64 (arm64): UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
* Checking count of LFENCE instructions following a jump in kernel... UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB, IBRS_FW)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for kernel and firmware code)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports speculation store bypass: YES (found in /proc/self/status)
> STATUS: VULNERABLE (Your CPU doesn't support SSBD)
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
2
user@host:~$
It has zero effect.
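
A way to compare the two checker runs above without reading them line by line, as an added example that is not part of the original post: it reduces each saved report to the `ucode` revision and the per-CVE `STATUS`, then prints what changed. The file names and the abridged sample reports are constructed, and it assumes the reports were saved without colour codes.

```shell
#!/bin/sh
# Added example, not from the post: diff two saved spectre-meltdown-checker reports.

# Reduce a report to "ucode <rev>" plus one "<CVE> <STATUS>" line per CVE.
summarise_run() {
    awk '
        /ucode 0x/ {
            for (i = 1; i < NF; i++)
                if ($i == "ucode") { print "ucode", $(i + 1); break }
        }
        /^CVE-[0-9]+-[0-9]+ / { cve = $1 }
        /^> STATUS:/ {
            s = $0
            sub(/^> STATUS: */, "", s)
            sub(/ *\(.*$/, "", s)
            print cve, s
        }
    ' "$1"
}

# Print "<key>: <before> -> <after>" for each difference, else "no change".
compare_runs() {
    { summarise_run "$1" | sed 's/^/B /'; summarise_run "$2" | sed 's/^/A /'; } |
    awk '
        { side = $1; key = $2; $1 = ""; $2 = ""; sub(/^ +/, "") }
        side == "B" { before[key] = $0 }
        side == "A" && before[key] != $0 {
            printf "%s: %s -> %s\n", key, before[key], $0; changed = 1
        }
        END { if (!changed) print "no change" }
    '
}

# Constructed sample reports: abridged lines in the checker's output format.
# $1 = file, $2 = ucode revision, $3 = STATUS text for CVE-2018-3640.
write_sample() {
    cat > "$1" <<EOF
* CPU microcode is known to cause stability problems: NO (model 0x3c family 0x6 stepping 0x3 ucode $2 cpuid 0x306c3)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
> STATUS: $3
EOF
}

dir=$(mktemp -d)
write_sample "$dir/before.txt" 0x24 "VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)"
write_sample "$dir/after.txt" 0x24 "VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)"
compare_runs "$dir/before.txt" "$dir/after.txt"
```

Run on samples that mirror the two reports in the post, it prints `no change`: both runs report `ucode 0x24`, so the microcode revision the checker saw was the same before and after the package was installed.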