New install: RETBleed Vulnerable?

Okay, I just installed MicroOS to check it out - might replace TW if MicroOS proves to be worthy :slight_smile:

It’s running as a VirtualBox VM for testing.

However … I get the following error during very early boot-up. I’ve done some searching in this forum, with no hits. Search hits, internet wise, aren’t very revealing …

ANY THOUGHTS ?? New download and Reinstall ?
Use a different mirror ?

[    0.060881] Last level dTLB entries: 4KB 64, 2MB 0, 4MB 0, 1GB 4
[    0.060887] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[    0.060891] Spectre V2 : Mitigation: Retpolines
[    0.060892] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    0.060893] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT

..... THIS:
[    0.060894] RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!
[    0.060901] RETBleed: Vulnerable
[    0.060902] Speculative Store Bypass: Vulnerable

[    0.060912] MDS: Mitigation: Clear CPU buffers
[    0.060913] MMIO Stale Data: Mitigation: Clear CPU buffers

@aggie Hi, what does the output on the host say for Vulnerabilities with the command lscpu and mitigations for cat /proc/cmdline?


wow @malcolmlewis … is your thought my laptop is compromised ?

I will mention this, then provide your request - I downloaded MicroOS again today, from a well known mirror, ran checksum (as I did yesterday) … installed it … I see the same boot (error?) messages, but it runs fine.

okay, here’s your request … this is all from the laptop, not inside VM.

# lscpu

Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  8
  On-line CPU(s) list:   0-7
Vendor ID:               GenuineIntel
  BIOS Vendor ID:        Intel(R) Corporation
  Model name:            Intel(R) Core(TM) i5-8365U CPU @ 1.60GHz
    BIOS Model name:     Intel(R) Core(TM) i5-8365U CPU @ 1.60GHz   CPU @ 3.1GHz
    BIOS CPU family:     205
    CPU family:          6
    Model:               142
    Thread(s) per core:  2
    Core(s) per socket:  4
    Socket(s):           1
    Stepping:            12
    CPU(s) scaling MHz:  34%
    CPU max MHz:         4100.0000
    CPU min MHz:         400.0000
    BogoMIPS:            3799.90
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss 
                         ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_
                         tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid ss
                         e4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_f
                         ault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsba
                         se tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1
                          xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
Virtualization features: 
  Virtualization:        VT-x
Caches (sum of all):     
  L1d:                   128 KiB (4 instances)
  L1i:                   128 KiB (4 instances)
  L2:                    1 MiB (4 instances)
  L3:                    6 MiB (1 instance)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-7
Vulnerabilities:         
  Itlb multihit:         KVM: Mitigation: VMX disabled
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT vulnerable
  Retbleed:              Mitigation; Enhanced IBRS
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Enhanced / Automatic IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
  Srbds:                 Mitigation; Microcode
  Tsx async abort:       Mitigation; TSX disabled
# 

and then …

# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.3.9-1-default root=UUID=89ca84b9-cbef-4705-8705-06745b6bc089 splash=silent mitigations=auto quiet security=apparmor
#

Really?

https://forums.virtualbox.org/viewtopic.php?f=7&t=107103#p524017

thanks @arvidjaar !!! … obviously, my “internet search” logic is flawed :slight_smile:

I think I probably did an “opensuse retbleed” search, or similar. Anyway …

Since my most recent reply, I’ve booted into the BIOS and checked the version and then went to the Dell site for BIOS version history (Dell Latitude 5500 laptop). I see there are four newer “critical” updates since my “2022 BIOS” version. I haven’t read thru them yet, if any of those updates are related to retbleed, so will read them tomorrow.

One thing I’m not too happy about - the BIOS updates are only provided as “*.exe” file, for a DOS or Windows environment. This laptop does not have Win or DOS on it … only Tumbleweed. So now I have to figure out how to install / run the *.exe file :hot_face:

And back to the link you provided @arvidjaar … I will apply the suggested:
“VBoxManage modifyvm "VM name" --spec-ctrl on”
… and see how it goes … then I will figure out how to do the BIOS update :+1:

On my Dell Latitude E5450 I just copy this file to EFI partition (/boot/efi) and select BIOS Update from BIOS boot menu, then choose this file (the boot option name is from memory). If you are booting in legacy BIOS mode - you can create FreeDOS USB stick.


Okay, I executed:
“VBoxManage modifyvm "VM name" --spec-ctrl on”
… at a CLI as my regular user, and the retbleed message is not displayed upon boot-up. Thanks! I also booted my “one day newer” install of MicroOS (install #2) and it boots without the message.

In a little while, I will try the “copy BIOS update exe file to EFI partition” and see how that goes. If not, I will create FreeDOS USB stick.
Thanks again !!

Thanks again to @arvidjaar

The BIOS update went fine - copied the .exe file to /boot/efi (while in TW) and rebooted to the Dell boot options (F12?) and selected BIOS Update, and when I clicked Select File, it opened right up at /boot/efi :+1: (I didn’t know the BIOS executes the .exe, why I thought I need DOS or Win)

The “retbleed” message still shows after BIOS update, so I set
“VBoxManage modifyvm "VM name" --spec-ctrl on” and all is good.

DONE !! ( RESOLVED )
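
Added example, not part of the thread: a small shell check that can be run on the host and again inside the guest to compare what each kernel reports, instead of watching for the boot message. It reads the kernel's `/sys/devices/system/cpu/vulnerabilities` entries (the source of the lscpu "Vulnerabilities" section) and looks for the speculation-control flags seen in the host's lscpu output above; the function names and the `report` argument are made up for this example.

```shell
#!/bin/sh
# Added example: report speculative-execution mitigation status.
# Paths are parameters so the functions can be run against sample data.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CPUINFO="${CPUINFO:-/proc/cpuinfo}"

# Print "name: status" for every entry the kernel reports as Vulnerable.
list_vulnerable() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) printf '%s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
}

# Print the speculation-control CPU flags that are NOT visible to this kernel.
# Flag names are the ones listed in the host's lscpu output in the thread.
missing_spec_ctrl_flags() {
    info="${1:-$CPUINFO}"
    flags=" $(grep -m1 '^flags' "$info" | cut -d: -f2) "
    missing=""
    for want in ibrs ibpb stibp ssbd; do
        case "$flags" in
            *" $want "*) ;;                      # flag is exposed
            *) missing="$missing $want" ;;       # flag is hidden or absent
        esac
    done
    printf '%s\n' "${missing# }"
}

# Run as "sh thisfile report" (hypothetical argument) to print both checks.
if [ "${1:-}" = "report" ]; then
    echo "Entries reported as Vulnerable:"
    list_vulnerable
    echo "Speculation-control flags not visible: $(missing_spec_ctrl_flags)"
fi
```

An empty list from both functions inside the guest matches the state described above, where the RETBleed warning no longer appears at boot.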