Intel published new CPU microcode, and Linux kernel 5.1.2 adds countermeasures.
[ 0.000000] microcode: microcode updated early to revision 0x27, date = 2019-02-26
[ 0.892095] microcode: sig=0x306c3, pf=0x2, revision=0x27
[ 0.892443] microcode: Microcode Update Driver: v2.2.
+
Linux 5.1.2 #1 SMP Wed May 15 12:07:07 CEST 2019 x86_64 GNU/Linux
After a reboot with a fresh kernel + microcode, we're good again!
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
* CPU supports the MD_CLEAR functionality: YES
* Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active: YES
* SMT is either mitigated or disabled: NO
> STATUS: NOT VULNERABLE (Mitigation: Clear CPU buffers; SMT vulnerable)
Julien