Re: Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server

Tom Wolf_3
Valued Contributor

Spectre meltdown fixes on ProLiant BL460c Gen9 RHEL 6.10 server

Hello all.

We recently applied the June '18 ProLiant Service Pack and latest RHEL patches to one of our ProLiant BL460c Gen9, RHEL 6.10 servers.

This was done to address the Spectre/Meltdown issue.

We then ran the latest Red Hat provided Spectre/Meltdown detection script.

Despite installing the latest service pack and OS patches, vulnerabilities were still found as shown below (please see Variant #2).

We ran some additional diagnostic steps provided by Red Hat as shown here:

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Retpoline with unsafe module(s), IBPB


# awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
ERROR: modinfo: could not find module fileaccess_mod
VULNERABLE - No Retpoline found - fileaccess_mod
ERROR: modinfo: could not find module mfeaack
VULNERABLE - No Retpoline found - mfeaack
VULNERABLE - No Retpoline found - bnx2i
VULNERABLE - No Retpoline found - cnic
VULNERABLE - No Retpoline found - lpfc
VULNERABLE - No Retpoline found - bnx2x

We're not sure at this point what additional updates are needed to clear all the detection script vulnerabilities.

Any assistance on this would be appreciated.

Thank you.

#  spectre-meltdown--2018-07-20-1546.sh -v

Spectre/Meltdown Detection Script Ver. 2.8
This script is primarily designed to detect Spectre / Meltdown on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected CPU vendor: Intel
Running kernel: 2.6.32-754.3.5.el6.x86_64
Virtualization: None

Variant #1 (Spectre): Mitigation: Load fences
CVE-2017-5753 - speculative execution bounds-check bypass
   - Kernel with mitigation patches: OK

Variant #2 (Spectre): Vulnerable: Retpoline with unsafe module(s), IBPB
CVE-2017-5715 - speculative execution branch target injection
   - Kernel with mitigation patches: OK
   - HW support / updated microcode: YES
   - IBRS: Not disabled on kernel commandline
   - IBPB: Not disabled on kernel commandline
   - Retpolines: Not disabled on kernel commandline

Variant #3 (Meltdown): Mitigation: PTI
CVE-2017-5754 - speculative execution permission faults handling
   - Kernel with mitigation patches: OK
   - PTI: Not disabled on kernel commandline

Red Hat recommends that you:

For more information about the vulnerabilities see:
https://access.redhat.com/security/vulnerabilities/speculativeexecution

vms06
Occasional Visitor

Hello Tom Wolf_3,

Please engage both Red Hat and HPE support on this issue.

Thanks

I am an HPE Employee
Tom Wolf_3
Valued Contributor

Hello.

Thanks for replying.

We are following up with both HP and Red Hat on this item.

Simba026
Occasional Visitor

Hi Tom,

I've just run up against a similar problem and wondered how this ended up? Our RHEL 6.9 servers were running fine with the Spectre/Meltdown patches. We're trying to upgrade to 6.10 and get the same message from Red Hat's detector script about a couple of the device drivers (cnic, bnx2x) not being compiled with retpoline. I have a feeling we were using the IBRS mitigation for variant 2 in 6.9 and it changed, by default, in 6.10 to be retpoline.

Anyway, did Red Hat end up doing something or HP?
Thanks!

-Kim

Tom Wolf_3
Valued Contributor

Hello Kim.

HP released a customer advisory about this.

Advisory: Linux - After Installing HPE QLogic NX2 10/20 GbE Multifunction Drivers, Warning Messages "System May be Vulnerable to Spectre v2" and/or "Loading Module not Compiled with Retpoline Compiler" May Be Displayed (a00058533en_us)

I confirmed with HP that the errors can be ignored as the code wasn’t written with the flags to state it wasn’t vulnerable.

So despite appearing as vulnerable, they actually are not vulnerable.

HP recommended periodically checking http://retpoline.linux.hpe.com/ for updated driver versions that will include the flag.

Hope this helps.
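
The awk one-liner in the first post prints the same VULNERABLE line both when modinfo cannot find a module file at all (fileaccess_mod, mfeaack) and when the file is found but carries no retpoline field (bnx2x, cnic), which is the case the advisory covers. The script below is an added example, not part of the thread and not Red Hat's or HPE's code, that reports the two cases separately; the function names, status labels, stub and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and status labels are
# assumptions of this example.

# triage_modules [MODINFO_CMD]
# Reads /proc/modules-format lines on stdin and prints "<STATUS> <module>":
#   TAGGED   - module file found, retpoline field is "Y"
#   UNTAGGED - module file found, no retpoline field
#   NOFILE   - modinfo could not locate the module file, so nothing was checked
triage_modules() {
    cmd=${1:-modinfo}
    while read -r mod _rest; do
        [ -n "$mod" ] || continue
        # modinfo exits non-zero when it cannot find the module file.
        if tag=$("$cmd" -F retpoline "$mod" 2>/dev/null); then
            if [ "$tag" = "Y" ]; then
                echo "TAGGED $mod"
            else
                echo "UNTAGGED $mod"
            fi
        else
            echo "NOFILE $mod"
        fi
    done
}

# Constructed stand-in for modinfo so the sample runs offline.
# Arguments mirror the real call: $1=-F  $2=retpoline  $3=module name
sample_modinfo() {
    case "$3" in
        ext4) echo Y ;;               # constructed: a module carrying the tag
        bnx2x|cnic) ;;                # file present, retpoline field absent
        *) echo "ERROR: modinfo: could not find module $3" >&2; return 1 ;;
    esac
}

# Constructed /proc/modules lines; only the first column (name) is used.
sample_proc_modules() {
    cat <<'EOF'
fileaccess_mod 100000 0 - Live 0x0000000000000000
bnx2x 800000 0 - Live 0x0000000000000000
cnic 60000 1 bnx2i, Live 0x0000000000000000
ext4 380000 3 - Live 0x0000000000000000
EOF
}

sample_proc_modules | triage_modules sample_modinfo
# On a real host: triage_modules < /proc/modules
```

A NOFILE result means the module's build flags were never inspected, so it needs to be followed up with whoever supplies that module rather than read as a retpoline finding.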

Simba026
Occasional Visitor

Hi Tom,

Thanks so much for your response! I was starting to feel like I was looking for a needle in a haystack. You saved me hours of searching!

Thanks again and take care ...

-Kim