Updating to kernel 4.4.120-45.1 leads to "System may be vulnerable to spectre v2"

With previous kernel I get:


~]: cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: Barriers
Mitigation: Full generic retpoline + IBPB
~]: 
~]: dmesg | grep -i spectre
[    0.018786] Spectre V2 mitigation: Mitigation: Full generic retpoline
[    0.018787] Spectre V2 mitigation: Retpolines enabled, force-disabling IBRS due to !SKL-era core
~]: uname -a
Linux i7 4.4.114-42-default #1 SMP Tue Feb 6 10:58:10 UTC 2018 (b6ee9ae) x86_64 x86_64 x86_64 GNU/Linux

After running ‘zypper up’ which updated to kernel 4.4.120-45.1 and rebooting I get:


~]: dmesg
...
[    1.717166] NVRM: loading NVIDIA UNIX x86_64 Kernel Module  390.42  Sat Mar  3 04:10:22 PST 2018 (using threaded interrupts)
[    1.719392] Spectre V2 : System may be vulnerable to spectre v2
[    1.719397] nvidia_uvm: loading module not compiled with retpoline compiler.
[    1.722085] nvidia-uvm: Loaded the UVM driver in 8 mode, major device number 248
[    1.751061] Spectre V2 : System may be vulnerable to spectre v2
[    1.751063] nvidia_modeset: loading module not compiled with retpoline compiler.
[    1.751867] nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  390.42  Sat Mar  3 03:30:48 PST 2018
[    1.752014] Spectre V2 : System may be vulnerable to spectre v2
[    1.752015] nvidia_drm: loading module not compiled with retpoline compiler.
[    1.752725] [drm] [nvidia-drm] [GPU ID 0x00000100] Loading driver
...
[    0.018769] Spectre V2 : Mitigation: Full generic retpoline
[    0.018770] Spectre V2 : Retpolines enabled, force-disabling IBRS due to !SKL-era core
...

~]: cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline + IBPB - vulnerable module loaded

Not sure what the implications of that may be but just wanted to share it.

The same happened to my system after updating to 4.4.120-45 today (22nd March). Could anyone please confirm if this is a serious warning and if the mitigations are properly working after the kernel update? What exactly does “vulnerable module loaded” mean? Thanks in advance.

Mine, with no proprietary software, is a bit different:

# cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline - vulnerable module loaded

# dmesg | grep -i spectre
[    0.000000] Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL
[    0.035111] Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL
[    0.036072] Spectre V2 : Mitigation: Full generic retpoline
[    0.036074] Spectre V2 : Filling RSB on context switch
[    0.103212] Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL
[    0.106461] Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL
[    0.109710] Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL
[    1.106289] Spectre V2 : System may be vulnerable to spectre v2
[    1.110066] Spectre V2 : System may be vulnerable to spectre v2
[    1.113143] Spectre V2 : System may be vulnerable to spectre v2

# uname -a
Linux gb250 4.4.120-45-default #1 SMP Wed Mar 14 20:51:49 UTC 2018 (623211f) x86_64 x86_64 x86_64 GNU/Linux

Please post:

zypper se -s ucode
S  | Name             | Type       | Version                        | Arch   | Repository
---+------------------+------------+--------------------------------+--------+-----------
   | iucode-tool      | package    | 2.1.2-1.1                      | x86_64 | OSS
   | ucode-amd        | package    | 20170530-17.1                  | noarch | Update
   | ucode-amd        | package    | 20170530-14.1                  | noarch | Update
   | ucode-amd        | package    | 20170530-11.1                  | noarch | Update
   | ucode-amd        | package    | 20170530-9.1                   | noarch | OSS
i+ | ucode-intel      | package    | 20180312-22.1                  | x86_64 | Update
v  | ucode-intel      | package    | 20180108.revertto20170707-19.1 | x86_64 | Update
v  | ucode-intel      | package    | 20170707-10.1                  | x86_64 | Update
v  | ucode-intel      | package    | 20170511-8.1                   | x86_64 | OSS
   | ucode-intel      | srcpackage | 20180312-22.1                  | noarch | Update
   | ucode-intel      | srcpackage | 20180108.revertto20170707-19.1 | noarch | Update
   | ucode-intel      | srcpackage | 20170707-10.1                  | noarch | Update
   | ucode-intel-blob | package    | 20180312-22.1                  | x86_64 | Update
   | ucode-intel-blob | package    | 20180108.revertto20170707-19.1 | x86_64 | Update
   | ucode-intel-blob | package    | 20170707-10.1                  | x86_64 | Update
   | ucode-intel-blob | package    | 20170511-8.1                   | x86_64 | OSS

The installed 2018 version is apparently because I had installed a TW 4.15 kernel and a 15.0b 4.12 kernel for troubleshooting kernel disengaging NUMLOCK at every opportunity (works as expected with newer kernels).

After reading https://www.suse.com/support/kb/doc/?id=7022512 I tried to add the kernel parameters spectre_v2=on and retpoline, but it didn't work. It looks like the ucode is broken and we have to wait for an update.

There is no generic fix for Spectre - each piece of affected code must be changed to use one of the mitigation techniques provided. What it tells you is that you loaded a module that was not compiled to use the available mitigation (or at least does not say that it was compiled with it). So this module may be vulnerable. I won’t claim it is nVidia but it most likely is the module that it complains about.
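One way to find which loaded module is behind the "vulnerable module loaded" status, as an added example that is not part of any post in this thread. It relies on the retpoline modinfo tag that the kernel checks when a module is loaded; the function names and the --live switch are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread); function names are illustrative.

# Read kernel log text on stdin (dmesg or journalctl -k output) and print the
# name of every module the kernel flagged as built without retpoline.
flagged_modules() {
    awk '/: loading module not compiled with retpoline compiler/ {
        for (i = 2; i <= NF; i++)
            if ($i == "loading") { m = $(i - 1); sub(/:$/, "", m); print m; break }
    }' | sort -u
}

# Walk a /proc/modules-format file and print each loaded module whose on-disk
# modinfo lacks the "retpoline: Y" tag that the kernel checks at load time.
# Assumption: modinfo resolves the name to the same .ko file that is loaded,
# which may not hold if a driver was rebuilt but the system not yet rebooted.
untagged_loaded_modules() {
    modules_file=${1:-/proc/modules}
    while read -r name rest; do
        tag=$(modinfo -F retpoline "$name" 2>/dev/null) || tag=
        [ "$tag" = "Y" ] || printf '%s\n' "$name"
    done < "$modules_file"
}

# Run the live checks only when asked:  sh check-retpoline.sh --live
if [ "${1:-}" = "--live" ]; then
    cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
    dmesg | flagged_modules
    untagged_loaded_modules
fi
```

A module listed by both functions needs a rebuild against the updated kernel; a module listed only by the first was already rebuilt on disk and the warning should clear after a reboot.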

I applied the kernel update yesterday and also get the aforementioned Spectre V2 warnings on boot.

Some data:

uname -a
Linux linux-3wjh.site 4.4.120-45-default #1 SMP Wed Mar 14 20:51:49 UTC 2018 (623211f) x86_64 x86_64 x86_64 GNU/Linux

zypper se -s ucode
Loading repository data…
Reading installed packages…

S  | Name             | Type       | Version                        | Arch   | Repository
---+------------------+------------+--------------------------------+--------+-----------------------
   | iucode-tool      | package    | 2.1.2-1.1                      | x86_64 | Main Repository (OSS)
i+ | ucode-amd        | package    | 20170530-17.1                  | noarch | Main Update Repository
v  | ucode-amd        | package    | 20170530-14.1                  | noarch | Main Update Repository
v  | ucode-amd        | package    | 20170530-11.1                  | noarch | Main Update Repository
v  | ucode-amd        | package    | 20170530-9.1                   | noarch | Main Repository (OSS)
i  | ucode-intel      | package    | 20180312-22.1                  | x86_64 | Main Update Repository
v  | ucode-intel      | package    | 20180108.revertto20170707-19.1 | x86_64 | Main Update Repository
v  | ucode-intel      | package    | 20170707-10.1                  | x86_64 | Main Update Repository
v  | ucode-intel      | package    | 20170511-8.1                   | x86_64 | Main Repository (OSS)
   | ucode-intel      | srcpackage | 20180312-22.1                  | noarch | Main Update Repository
   | ucode-intel      | srcpackage | 20180108.revertto20170707-19.1 | noarch | Main Update Repository
   | ucode-intel      | srcpackage | 20170707-10.1                  | noarch | Main Update Repository
   | ucode-intel-blob | package    | 20180312-22.1                  | x86_64 | Main Update Repository
   | ucode-intel-blob | package    | 20180108.revertto20170707-19.1 | x86_64 | Main Update Repository
   | ucode-intel-blob | package    | 20170707-10.1                  | x86_64 | Main Update Repository
   | ucode-intel-blob | package    | 20170511-8.1                   | x86_64 | Main Repository (OSS)

cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline - vulnerable module loaded

I got some feedback from bugzilla:

https://bugzilla.suse.com/show_bug.cgi?id=1068032#c232

It has been confirmed that it is just a warning and a rebuild of NVIDIA KMP is necessary.

Forcefully updating the NVIDIA driver from YaST and rebooting removed the warnings:


~]: cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline + IBPB
~]: dmesg | grep -i spectre
[    0.018765] Spectre V2 : Mitigation: Full generic retpoline
[    0.018765] Spectre V2 : Retpolines enabled, force-disabling IBRS due to !SKL-era core
~]: cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline + IBPB
~]: 

I suppose that has resulted in ‘rebuild’.

https://github.com/speed47/spectre-meltdown-checker/ reports potential hardware vulnerabilities for my AMD system but mitigations of Spectre V1 and V2 and Meltdown sufficient to consider the system not vulnerable.

There is a reason why a message was added to this tool informing that a false sense of security is worse than knowing a system is insecure. Today I tested this Spectre PoC on my patched Leap installation and the exploit worked.

You seem to completely misunderstand the nature of Spectre. It cannot be fixed externally once and for all. Each piece of potential victim code must be changed to use a mitigation technique to avoid being exploited. So of course code that explicitly avoids mitigation will continue to be vulnerable. If your example contained a victim function that used one of the available mitigations, then it would be a real problem.

Maybe I am wrong, but what I understand about Spectre is that it is a hardware flaw, so it will never be completely patched by software.

Just because I pointed out the same which you explain through a practical example doesn’t mean I don’t understand. There is no fix for Spectre through software, it needs new hardware. Perhaps a good analogy would be: All the mitigations are just like putting hosts in a blacklist one by one while having everything else whitelisted.

Strangely there are still people who argue that it is safe to enable browser JavaScript just because their kernel and/or browser is patched.

You are not wrong.

For those folks who steer clear of Intel and NVIDIA products, an AMD system looks like this:


 > uname -a
Linux XXX 4.4.120-45-default #1 SMP Wed Mar 14 20:51:49 UTC 2018 (623211f) x86_64 x86_64 x86_64 GNU/Linux
 > 
 > find /sys/devices/system/cpu/vulnerabilities/ -type f -print -exec /usr/bin/cat '{}' \;
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full AMD retpoline - vulnerable module loaded
/sys/devices/system/cpu/vulnerabilities/meltdown
Not affected
 > 


 # journalctl --this-boot | grep -iE 'Spectre|Melt'
Mär 24 13:02:05 XXX kernel: Spectre V2 : Mitigation: Full AMD retpoline
Mär 24 13:02:05 XXX kernel: Spectre V2 : Filling RSB on context switch
Mär 24 13:02:11 XXX kernel: Spectre V2 : System may be vulnerable to spectre v2
Mär 24 13:02:11 XXX kernel: Spectre V2 : System may be vulnerable to spectre v2
Mär 24 13:02:11 XXX kernel: Spectre V2 : System may be vulnerable to spectre v2
Mär 24 13:02:11 XXX kernel: Spectre V2 : System may be vulnerable to spectre v2
 # 

I saw that on one system. Since it was VM used for testing, I didn’t worry too much.

I noticed that there were more updates. I applied them and rebooted. And I have not seen that message since.

I think it was due to a bad update (probably an incomplete update). There were possibly two packages that needed updating together, and I managed to get in when only one of those was available.

I wonder, do you know why / how you ended up with both ucode-amd and ucode-intel installed? I’m asking because I’m having the same warning at boot and I also have ucode-amd installed even though I have an Intel, and I’m pretty sure I did not install it myself…

Hi all,

After getting the same warning, I checked what versions of ucode I had installed and found out that I had both ucode-amd and ucode-intel. I removed ucode-amd and rebooted, and the warning is not showing anymore.
Maybe that will help some of you!

In brief:


zypper se -s ucode
zypper rm ucode-amd
reboot

Cheers