Centos – [Centos6.5][Spectre] variant 2 not getting fixed

My guest OS (CentOS 6.5, kernel version 2.6.32-696.18.7.el6.x86_64) is running on an ESXi server (VMware ESXi 5.5.0 build-6480324,
patch ESXi550-201709001.zip was applied).
I installed all the packages mentioned in https://lists.centos.org/pipermail/centos-announce/2018-January/

The list of installed packages is:

kernel-debug-devel-2.6.32-696.18.7.el6.i686
kernel-2.6.32-696.18.7.el6.x86_64
kernel-doc-2.6.32-696.18.7.el6.noarch
kernel-debug-2.6.32-696.18.7.el6.x86_64
kernel-devel-2.6.32-696.18.7.el6.x86_64
kernel-debug-devel-2.6.32-696.18.7.el6.x86_64
libreport-plugin-kerneloops-2.0.9-19.el6.centos.x86_64
abrt-addon-kerneloops-2.0.8-21.el6.centos.x86_64
dracut-kernel-004-409.el6_8.2.noarch
kernel-headers-2.6.32-696.18.7.el6.x86_64
kernel-firmware-2.6.32-696.18.7.el6.noarch
kernel-abi-whitelists-2.6.32-696.18.7.el6.noarch
dracut-004-409.el6_8.2.noarch
dracut-kernel-004-409.el6_8.2.noarch    
elfutils-libs-0.164-2.el6.x86_64
elfutils-0.164-2.el6.x86_64
elfutils-libelf-devel-0.164-2.el6.x86_64
elfutils-libelf-0.164-2.el6.x86_64
elfutils-devel-0.164-2.el6.x86_64
microcode_ctl-1.17-25.2.el6_9.x86_64
python-perf-2.6.32-696.18.7.el6.x86_64
perf-2.6.32-696.18.7.el6.x86_64     

But /sys/kernel/debug/x86/ibrs_enabled is still set to 0 and if I execute

echo 2 > /sys/kernel/debug/x86/ibrs_enabled

then we are getting the error

"bash: echo: write error: No such device".

The content of /sys/kernel/debug/x86/ibpb_enabled is also 0 and

echo 1 > /sys/kernel/debug/x86/ibpb_enabled  

throws the same error

"bash: echo: write error: No such device".

I used a tool, https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh, to
detect whether Meltdown and Spectre got fixed. Spectre Variant 1 and Meltdown got fixed, but not Variant 2.

"CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  YES
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)"

Best Answer

But /sys/kernel/debug/x86/ibrs_enabled is still set to 0 and if I execute echo 2 > /sys/kernel/debug/x86/ibrs_enabled then we are getting the error

"bash: echo: write error: No such device".

The content of /sys/kernel/debug/x86/ibpb_enabled is also 0 and echo 1 > /sys/kernel/debug/x86/ibpb_enabled throws the error

"bash: echo: write error: No such device"

On CentOS 6 (unlike CentOS 7), to be able to write to those locations you need to mount the kernel debugfs:

 mount -t debugfs nodev /sys/kernel/debug
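
A way to check the state the answer refers to, as an added example that is not part of the original question or answer: it reports whether debugfs is mounted at the debug directory and, if so, what `ibrs_enabled` and `ibpb_enabled` contain. The function names, the optional path parameters and the fixture files are constructed for illustration; with no arguments `check_tunables` reads `/proc/mounts` and `/sys/kernel/debug`.

```shell
#!/bin/bash
# Added example: report debugfs mount state and the two tunables named above.

# debugfs_mounted MOUNTS_FILE DIR: succeed if a debugfs is mounted on DIR.
debugfs_mounted() {
    awk -v dir="$2" '$2 == dir && $3 == "debugfs" { ok = 1 } END { exit !ok }' "$1"
}

# read_tunable DIR NAME: print the file's value, or "missing" if unreadable.
read_tunable() {
    if [ -r "$1/x86/$2" ]; then
        tr -d '[:space:]' < "$1/x86/$2"
    else
        printf 'missing'
    fi
}

# check_tunables [MOUNTS_FILE] [DIR]: one-line report; defaults are the live paths.
# The parameters are an assumption of this example so it can run on fixtures.
check_tunables() {
    local mounts="${1:-/proc/mounts}" dir="${2:-/sys/kernel/debug}"
    if ! debugfs_mounted "$mounts" "$dir"; then
        echo "debugfs=not-mounted (run: mount -t debugfs nodev $dir)"
        return 1
    fi
    echo "debugfs=mounted ibrs_enabled=$(read_tunable "$dir" ibrs_enabled)" \
         "ibpb_enabled=$(read_tunable "$dir" ibpb_enabled)"
}

# Constructed fixture standing in for /proc/mounts and /sys/kernel/debug.
make_fixture() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/debug/x86"
    echo 0 > "$root/debug/x86/ibrs_enabled"
    echo 0 > "$root/debug/x86/ibpb_enabled"
    printf 'proc /proc proc rw 0 0\n' > "$root/mounts.before"
    printf 'proc /proc proc rw 0 0\nnodev %s debugfs rw 0 0\n' "$root/debug" \
        > "$root/mounts.after"
    echo "$root"
}

fx=$(make_fixture)
check_tunables "$fx/mounts.before" "$fx/debug" || true   # mounts table without debugfs
check_tunables "$fx/mounts.after"  "$fx/debug"           # mounts table with debugfs
rm -rf "$fx"
```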