> This appears to be OK on my CPU but want to ask to be sure. Here's some
> info, sort of taking cues from what you posted above.
>
>
> root@fireball / # uname -a
> Linux fireball 4.18.12-gentoo #1 SMP PREEMPT Sun Oct 14 23:45:12 CDT 2018
> x86_64 AMD FX(tm)-8350 Eight-Core Processor AuthenticAMD GNU/Linux
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/
> l1tf               meltdown           spec_store_bypass
> spectre_v1         spectre_v2
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/meltdown
> Not affected
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/l1tf
> Not affected
> root@fireball / # cat
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
> Mitigation: Speculative Store Bypass disabled via prctl and seccomp
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Mitigation: __user pointer sanitization
> root@fireball / # cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Mitigation: Full AMD retpoline
> root@fireball / #
>
You're missing the /sys/devices/system/cpu/vulnerabilities/mds file because only the latest kernels from 2019-05-14 have that check. The 4.18 line has gone away so you'd have to go to 4.19.43 to get it. Since you're an AMD CPU, you don't need to worry about mds, but if I were you I'd move to 4.19.43 anyway as you want to stay on a supported version. 4.19 is "longterm" (https://www.kernel.org/) so it's a good option. Then if something serious comes up, an update from 4.19.x to 4.19.y is much less trouble than 4.18 to 4.19.

> Am I correct to think that "Mitigation" is good enough or does that mean it
> could be affected in some other way or is risky?
>

I accept Mitigation as good enough. The kernel devs seem to choose a good balance between secure and fast. Anything that says 'vulnerable' is a problem, but you may have to live with it until a new microcode or kernel update arrives. Or if the CPU vendor is not making a microcode update for an old CPU, just live with it or upgrade the hardware. On my Skylake box I need to think about disabling Hyperthreading or not; disabled is secure but halves the core count.

> Also, since the problem that this thread is about isn't listed, mine isn't
> affected correct?
>

Covered above.

> I'm guessing "Not affected" means all is good. ;-)
>

Indeed!
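
Added example, not part of the original message: a POSIX shell script that reads every file under the vulnerabilities directory, sorts each into the categories discussed in the reply above, and reports names such as `mds` for which the running kernel exposes no file. The function names, status labels and script name are made up for this example.

```sh
#!/bin/sh
# Added example; function names, status labels and script name are hypothetical.

# Map the text of one vulnerabilities file to a status label.
classify_status() {
    case "$1" in
        "Not affected"*)                 echo OK ;;
        # e.g. "Mitigation: Clear CPU buffers; SMT vulnerable" (mds with SMT on)
        "Mitigation:"*"SMT vulnerable"*) echo MITIGATED_SMT ;;
        "Mitigation:"*)                  echo MITIGATED ;;
        "Vulnerable"*)                   echo VULNERABLE ;;
        *)                               echo REVIEW ;;   # unrecognised wording
    esac
}

# audit_vulns DIR [NAME...]
# Prints "<file> <status>" for every file in DIR, then "<NAME> NO_KERNEL_CHECK"
# for each NAME that has no file (the kernel predates that check).
# Returns 1 if any file reads Vulnerable, 2 if DIR is missing.
audit_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ "$#" -gt 0 ]; then shift; fi
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(classify_status "$(cat "$f")")
        echo "${f##*/} $status"
        if [ "$status" = VULNERABLE ]; then rc=1; fi
    done
    for name in "$@"; do
        [ -e "$dir/$name" ] || echo "$name NO_KERNEL_CHECK"
    done
    return "$rc"
}

# Runs only when arguments are given, e.g.:
#   sh cpu-vuln-audit.sh /sys/devices/system/cpu/vulnerabilities mds
if [ "$#" -gt 0 ]; then audit_vulns "$@"; fi
```

A `NO_KERNEL_CHECK` line means the kernel cannot report on that issue at all, which is different from `OK`.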