Dear team,

My guest OS (CentOS 6.5, kernel version 2.6.32-696.18.7.el6.x86_64) is running on an ESXi server (VMware ESXi 5.5.0 build-6480324, patch ESXi550-201709001.zip was applied). I installed all the packages mentioned in https://lists.centos.org/pipermail/centos-announce/2018-January/

The list of installed packages is:

kernel-debug-devel-2.6.32-696.18.7.el6.i686
kernel-2.6.32-696.18.7.el6.x86_64
kernel-doc-2.6.32-696.18.7.el6.noarch
kernel-debug-2.6.32-696.18.7.el6.x86_64
kernel-devel-2.6.32-696.18.7.el6.x86_64
kernel-debug-devel-2.6.32-696.18.7.el6.x86_64
libreport-plugin-kerneloops-2.0.9-19.el6.centos.x86_64
abrt-addon-kerneloops-2.0.8-21.el6.centos.x86_64
dracut-kernel-004-409.el6_8.2.noarch
kernel-headers-2.6.32-696.18.7.el6.x86_64
kernel-firmware-2.6.32-696.18.7.el6.noarch
kernel-abi-whitelists-2.6.32-696.18.7.el6.noarch
dracut-004-409.el6_8.2.noarch
dracut-kernel-004-409.el6_8.2.noarch
elfutils-libs-0.164-2.el6.x86_64
elfutils-0.164-2.el6.x86_64
elfutils-libelf-devel-0.164-2.el6.x86_64
elfutils-libelf-0.164-2.el6.x86_64
elfutils-devel-0.164-2.el6.x86_64
microcode_ctl-1.17-25.2.el6_9.x86_64
python-perf-2.6.32-696.18.7.el6.x86_64
perf-2.6.32-696.18.7.el6.x86_64

But /sys/kernel/debug/x86/ibrs_enabled is still set to 0, and if I execute "echo 2 > /sys/kernel/debug/x86/ibrs_enabled" I get the error "bash: echo: write error: No such device". The content of /sys/kernel/debug/x86/ibpb_enabled is also 0, and "echo 1 > /sys/kernel/debug/x86/ibpb_enabled" throws the error "bash: echo: write error: No such device".

I used the tool https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh to detect whether Meltdown and Spectre got fixed. Spectre Variant 1 and Meltdown got fixed, but not Variant 2.

"CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with
retpoline are needed to mitigate the vulnerability)"

Thanks in advance.

Thanks and regards,
AKSHAR

Dear team,
My guest OS (CentOS 6.5, kernel version 2.6.32-696.18.7.el6.x86_64) is running on an ESXi server (VMware ESXi 5.5.0 build-6480324, patch ESXi550-201709001.zip was applied). I installed all the packages mentioned in https://lists.centos.org/
...
I used the tool https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh to detect whether Meltdown and Spectre got fixed. Spectre Variant 1 and Meltdown got fixed, but not Variant 2.
"CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: YES
- Kernel support for IBRS: YES
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with
retpoline are needed to mitigate the vulnerability)"
Hi,
I think it's because you're running it as a guest, so the fixes are not needed; they are needed on the virtual host then.
Running an updated CentOS 7 KVM guest on a CentOS 6 host, I see all three options set to 0.
Regards, Simon
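
For reading the tunables discussed in this thread on a given machine, the following is an added example, not part of either message and not code from the CentOS project. It decodes the Red Hat/CentOS debugfs files into the same kernel-space/user-space terms the checker prints; the function names are hypothetical, pti_enabled is assumed to be the third option alongside the two files named in the thread, and only the values 0, 1 and 2 are decoded.

```shell
#!/bin/sh
# Added example: decode the Red Hat/CentOS debugfs tunables named in the thread.
# Usage: spec_ctrl_report [DIR]   (DIR defaults to /sys/kernel/debug/x86)
# Returns 0 if all three are on, 1 if any is 0, 2 if any is unreadable/unknown.

describe() {  # describe NAME VALUE -> meaning of one tunable value
    case "$1=$2" in
        pti_enabled=0)  echo "page table isolation (Meltdown) OFF" ;;
        pti_enabled=1)  echo "page table isolation (Meltdown) on" ;;
        ibrs_enabled=0) echo "IBRS OFF for kernel and user space" ;;
        ibrs_enabled=1) echo "IBRS on for kernel space only" ;;
        ibrs_enabled=2) echo "IBRS on for kernel and user space" ;;
        ibpb_enabled=0) echo "IBPB OFF" ;;
        ibpb_enabled=1) echo "IBPB on" ;;
        *)              echo "unrecognised value"; return 1 ;;
    esac
}

spec_ctrl_report() {
    dir=${1:-/sys/kernel/debug/x86}
    worst=0
    for name in pti_enabled ibrs_enabled ibpb_enabled; do
        if [ ! -r "$dir/$name" ]; then
            # For example: debugfs is not mounted, or the caller is not root.
            echo "$name: not readable"
            worst=2
            continue
        fi
        value=$(tr -d '[:space:]' < "$dir/$name")
        if meaning=$(describe "$name" "$value"); then
            echo "$name=$value: $meaning"
            if [ "$value" = 0 ] && [ "$worst" -lt 1 ]; then worst=1; fi
        else
            echo "$name=$value: $meaning"
            worst=2
        fi
    done
    return "$worst"
}

# Constructed sample modelled on the state described in the thread (not real output).
spec_ctrl_demo() {
    tmp=$(mktemp -d) || return 0
    echo 1 > "$tmp/pti_enabled"; echo 0 > "$tmp/ibrs_enabled"; echo 0 > "$tmp/ibpb_enabled"
    spec_ctrl_report "$tmp" || echo "exit status: $?"
    rm -rf "$tmp"
}
spec_ctrl_demo
```

Run spec_ctrl_report with no argument as root on the guest and again on the host to compare what each kernel reports.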