ell1e changed bug 1218231
What Removed Added
Flags needinfo?(el@horse64.org)  

Comment # 8 on bug 1218231 from ell1e
Can confirm the output makes more sense once actually launching a VM and then
lists mitigations as expected. Here's the output after I launched a VM:

$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         39 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  4
  On-line CPU(s) list:   0,1
  Off-line CPU(s) list:  2,3
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
    CPU family:          6
    Model:               78
    Thread(s) per core:  1
    Core(s) per socket:  2
    Socket(s):           1
    Stepping:            3
    CPU(s) scaling MHz:  96%
    CPU max MHz:         2800.0000
    CPU min MHz:         0.0000
    BogoMIPS:            4801.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
                         mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2
                         ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc
                         art arch_perfmon pebs bts rep_good nopl xtopology
                         nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64
                         monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr
                         pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt
                         tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm
                         abm 3dnowprefetch cpuid_fault epb pti ssbd ibrs ibpb
                         stibp tpr_shadow flexpriority ept vpid ept_ad fsgsbase
                         tsc_adjust sgx bmi1 avx2 smep bmi2 erms invpcid mpx
                         rdseed adx smap clflushopt intel_pt xsaveopt xsavec
                         xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify
                         hwp_act_window hwp_epp vnmi md_clear flush_l1d
                         arch_capabilities
Virtualization features: 
  Virtualization:        VT-x
Caches (sum of all):     
  L1d:                   64 KiB (2 instances)
  L1i:                   64 KiB (2 instances)
  L2:                    512 KiB (2 instances)
  L3:                    3 MiB (1 instance)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0,1
Vulnerabilities:         
  Gather data sampling:  Vulnerable: No microcode
  Itlb multihit:         KVM: Mitigation: Split huge pages
  L1tf:                  Mitigation; PTE Inversion; VMX conditional cache
                         flushes, SMT disabled
  Mds:                   Mitigation; Clear CPU buffers; SMT disabled
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT disabled
  Retbleed:              Mitigation; IBRS
  Spec rstack overflow:  Not affected
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via
                         prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user
                         pointer sanitization
  Spectre v2:            Mitigation; IBRS, IBPB conditional, RSB filling,
                         PBRSB-eIBRS Not affected
  Srbds:                 Mitigation; Microcode
  Tsx async abort:       Not affected

There are two points that still confuse me:

1. The "gather data sampling" line looks surprising to me as well. Doesn't
OpenSUSE ship microcode updates, or are they lagging behind a little? Or did
Intel just not care to address it?

2. Regarding this:

   > I agree it's a bit confusing, but that's how it is right now. If we want
   > it differently, this should be changed in the kernel.

   I think a less confusing wording would be "VMX unused" instead of "VMX
   disabled", while no VM is running and no mitigation active.

