@ozsouth
I have only just seen this and I don't pretend to understand it. I have ucode.cpio that came with BookwormPup 10.0.6 which is contained in a separate ext4 partition on an hdd. I also have Linux Mint 21.3 installed on this hdd. BookwormPup is booted from the version of grub that came with Linux Mint. I believe ucode.cpio is loading at boot up. Below is the output from running dmesg | grep microcode
in a terminal.
Code: Select all
# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-02-17
[ 2.045322] microcode: sig=0x206a7, pf=0x10, revision=0x2f
[ 2.045367] microcode: Microcode Update Driver: v2.2
There is a test script to see if early loading microcode is working
I have tried this and I attach the last part of a very long terminal output below.
Code: Select all
* GDS is mitigated by microcode: NO
* Kernel supports software mitigation by disabling AVX: UNKNOWN (couldn't find your kernel image in /boot, if you used netboot, this is normal)
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-20569 aka 'Inception, return address security (RAS)'
* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports mitigation: UNKNOWN (couldn't find your kernel image in /boot, if you used netboot, this is normal)
* Kernel compiled with SRSO support: YES
* Kernel compiled with IBPB_ENTRY support: YES
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
CVE-2023-23583 aka 'Reptar, redundant prefix issue'
STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not affected)
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK CVE-2022-40982:OK CVE-2023-20569:OK CVE-2023-23583:OK
Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
#
All green at the bottom is the desired result.
All of the "SUMMARY" is in green. Nothing in the full output is red. Some comments are in a dark yellow e.g. in the last part of the terminal output shown there is the following line.
Code: Select all
Kernel supports mitigation: UNKNOWN
UNKNOWN is in dark yellow. I also attach some details of my CPU
Code: Select all
Processor Name Intel(R) Pentium(R) CPU B960 @ 2.20GHz
Signature Type 0, Family 6, Model 42, Stepping 7
External Clock 1333 MHz
BogoMips 4390.23
Min/Max Speed 800/2200 MHz
Current Speed Core 0:1360 MHz, 1:2041 MHz
Core Count 2
Thread Count 2
64-bit capable Yes
From this information can you please tell a user like me (who does not really understand what is required here) whether my system is protected with the current ucode.cpio
(from the output of the test I think it might be) or whether I have to update it.
Regards,
Ken,