- Community Home
- >
- Servers and Operating Systems
- >
- HPE BladeSystem
- >
- BladeSystem - General
- >
- Re: Spectre meltdown fixes on ProLiant BL460c Gen9...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-13-2018 01:45 PM
тАО09-13-2018 01:45 PM
Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server
Hello all.
We recently applied the June '18 Proliant Service Pack and latest RHEL patches to one of our ProLiant BL460c Gen9, RHEL 6.10 servers.
This was done to address the Spectre/Meltdown issue.
We then ran the latest Red Hat provided Spectre/Meltdown detection script.
Despite installing the latest service pack and OS patches, vulnerabilities were still found as shown below (please see Variant #2).
We ran some additional diagnostic steps provided by Red Hat as shown here:
# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Retpoline with unsafe module(s), IBPB
# awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}
' /proc/modules
ERROR: modinfo: could not find module fileaccess_mod
VULNERABLE - No Retpoline found - fileaccess_mod
ERROR: modinfo: could not find module mfeaack
VULNERABLE - No Retpoline found - mfeaack
VULNERABLE - No Retpoline found - bnx2i
VULNERABLE - No Retpoline found - cnic
VULNERABLE - No Retpoline found - lpfc
VULNERABLE - No Retpoline found - bnx2x
We're not sure at this point what additional updates are needed to clear all the detection script vulnerabilities.
Any assistance on this would be appreciated.
Thank you.
# spectre-meltdown--2018-07-20-1546.sh -v
Spectre/Meltdown Detection Script Ver. 2.8
This script is primarily designed to detect Spectre / Meltdown on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.
Detected CPU vendor: Intel
Running kernel: 2.6.32-754.3.5.el6.x86_64
Virtualization: None
Variant #1 (Spectre): Mitigation: Load fences
CVE-2017-5753 - speculative execution bounds-check bypass
- Kernel with mitigation patches: OK
Variant #2 (Spectre): Vulnerable: Retpoline with unsafe module(s), IBPB
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: YES
- IBRS: Not disabled on kernel commandline
- IBPB: Not disabled on kernel commandline
- Retpolines: Not disabled on kernel commandline
Variant #3 (Meltdown): Mitigation: PTI
CVE-2017-5754 - speculative execution permission faults handling
- Kernel with mitigation patches: OK
- PTI: Not disabled on kernel commandline
Red Hat recommends that you:
For more information about the vulnerabilities see:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-19-2018 08:44 AM
тАО09-19-2018 08:44 AM
Re: Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server
Hello Tom Wolf_3,
Please engage both RedHat and HPE support on this issue.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-19-2018 08:52 AM
тАО09-19-2018 08:52 AM
Re: Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server
Hello.
Thanks for replying.
We are following up with both HP and Red Hat on this item.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2018 07:57 AM
тАО11-27-2018 07:57 AM
Re: Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server
Hi Tom,
I've just run up against a simiilar problem and wondered how this ended up? Our rhel 6.9 servers were running fine with the spectre/meltdown patches. We're trying to upgrade to 6.10 and get the same message from Red Hat's detector script about a couple of the device drivers (cnic, bnx2x) not being compiled with retpoline. I have a feeling we were using the IBRS mitigation for variant 2 in 6.9 and it changed, by default, in 6.10 to be retpoline.
Anyway, did Red Hat end up doing something or HP?
Thanks!
-Kim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2018 08:36 AM
тАО11-27-2018 08:36 AM
Re: Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server
Hello Kim.
HP released a customer advisory about this.
I confirmed with HP that the errors can be ignored as the code wasnтАЩt written with the flags to state it wasnтАЩt vulnerable.
So despite appearing as vulnerable, they actually are not vulnerable.
HP recommended periodically checking http://retpoline.linux.hpe.com/ for updated driver versions that will include the flag.
Hope this helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-27-2018 12:04 PM
тАО11-27-2018 12:04 PM
Re: Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server
Hi Tom,
Thanks so much for your response! I was starting to feel like I was looking for a needle in a haystack. You saved me hours of searching!
Thanks again and take care ...
-Kim