NVIDIA Jetson Nanoの CPUの脆弱性 Spectreと Meltdownの脆弱性をチェックする方法

# お決まりの sudo apt-get updateで最新状態に更新する
sudo apt-get update

# Spectre and Meltdown Checkerをダウンロードする
cd
wget https://meltdown.ovh -O spectre-meltdown-checker.sh

# missing 'lzop' tool, please install it, usually it's in the 'lzop' package
sudo apt-get -y install lzop

# Spectre and Meltdown Checkerを実行する
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh

user@user-desktop:~$ uname -a
Linux user-desktop 4.9.140-tegra #1 SMP PREEMPT Wed Mar 13 00:32:22 PDT 2019 aarch64 aarch64 aarch64 GNU/Linux

user@user-desktop:~$ sudo nvpmodel -m 0
user@user-desktop:~$ sudo nvpmodel -q
NV Power Mode: MAXN
0

user@user-desktop:~$ cat /proc/cpuinfo
processor       : 0
model name      : ARMv8 Processor rev 1 (v8l)
BogoMIPS        : 38.40
Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant     : 0x1
CPU part        : 0xd07
CPU revision    : 1

processor       : 1
...

processor       : 2
...

processor       : 3
...

user@user-desktop:~$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.41

Checking for vulnerabilities on current system
Kernel is Linux 4.9.140-tegra #1 SMP PREEMPT Wed Mar 13 00:32:22 PDT 2019 aarch64
CPU is ARM v8 model 0xd07
Possible disrepancy between your running kernel '4.9.140-tegra' and the image 'Linux version  ()' we found (/boot/Image), results might be incorrect

Hardware check
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  NO
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  NO
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  NO
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  NO

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Kernel has array_index_mask_nospec:  NO
* Kernel has the Red Hat/Ubuntu patch:  NO
* Kernel has mask_nospec64 (arm64):  NO
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  NO
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  YES
  * Kernel compiled with retpoline option:  NO
> STATUS:  NOT VULNERABLE  (Branch predictor hardening mitigates the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Kernel supports Page Table Isolation (PTI):  NO
  * PTI enabled and active:  UNKNOWN  (dmesg truncated, please reboot and relaunch this script)
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO  (not vulnerable)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Kernel supports PTE inversion:  NO
* PTE inversion enabled and active:  UNKNOWN  (sysfs interface not available)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* This system is a host running a hypervisor:  NO
* Mitigation 1 (KVM)
  * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
* Mitigation 2
  * L1D flush is supported by kernel:  NO
  * L1D flush enabled:  UNKNOWN  (can't find or read /sys/devices/system/cpu/vulnerabilities/l1tf)
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  UNKNOWN
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* CPU supports the MD_CLEAR functionality:  UNKNOWN  (is cpuid module loaded?)
* Kernel supports using MD_CLEAR mitigation:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* CPU supports the MD_CLEAR functionality:  UNKNOWN  (is cpuid module loaded?)
* Kernel supports using MD_CLEAR mitigation:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* CPU supports the MD_CLEAR functionality:  UNKNOWN  (is cpuid module loaded?)
* Kernel supports using MD_CLEAR mitigation:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* CPU supports the MD_CLEAR functionality:  UNKNOWN  (is cpuid module loaded?)
* Kernel supports using MD_CLEAR mitigation:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

> SUMMARY: CVE-2017-5753:KO CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK

CVE-2017-5753:KO
CVE-2018-3640:KO
CVE-2018-3639:KO

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer

# lzop package有り
sudo apt-get -y install lzop

user@user-desktop:~$ # Spectre and Meltdown Checkerを実行する
user@user-desktop:~$ chmod +x spectre-meltdown-checker.sh
user@user-desktop:~$ sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.9.140-tegra #1 SMP PREEMPT Wed Mar 13 00:32:22 PDT 2019 aarch64
CPU is ARM v8 model 0xd07
Possible disrepancy between your running kernel '4.9.140-tegra' and the image 'Linux version  ()' we found (/boot/Image), results might be incorrect

Hardware check
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Kernel has array_index_mask_nospec:  NO
* Kernel has the Red Hat/Ubuntu patch:  NO
* Kernel has mask_nospec64 (arm64):  NO
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  NO
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  YES
  * Kernel compiled with retpoline option:  NO
> STATUS:  NOT VULNERABLE  (Branch predictor hardening mitigates the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Kernel supports Page Table Isolation (PTI):  NO
  * PTI enabled and active:  NO
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO  (not vulnerable)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Kernel supports PTE inversion:  NO
* PTE inversion enabled and active:  UNKNOWN  (sysfs interface not available)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* This system is a host running a hypervisor:  NO
* Mitigation 1 (KVM)
  * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
* Mitigation 2
  * L1D flush is supported by kernel:  NO
  * L1D flush enabled:  UNKNOWN  (can't find or read /sys/devices/system/cpu/vulnerabilities/l1tf)
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  UNKNOWN
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

> SUMMARY: CVE-2017-5753:KO CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK

CVE-2017-5753:KO
CVE-2018-3640:KO
CVE-2018-3639:KO

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer

# couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package
# lzop package無し

cd
wget https://meltdown.ovh -O spectre-meltdown-checker.sh

user@user-desktop:~$ chmod +x spectre-meltdown-checker.sh
user@user-desktop:~$ sudo ./spectre-meltdown-checker.sh
[sudo] password for user:
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.9.140-tegra #1 SMP PREEMPT Wed Mar 13 00:32:22 PDT 2019 aarch64
CPU is ARM v8 model 0xd07

Hardware check
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has mask_nospec64 (arm64):  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
> STATUS:  UNKNOWN  (Couldn't find kernel image or tools missing to execute the checks)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  UNKNOWN  (in offline mode, we need the kernel image to be able to tell)
    * IBPB enabled and active:  NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  YES
  * Kernel compiled with retpoline option:  NO
> STATUS:  NOT VULNERABLE  (Branch predictor hardening mitigates the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Kernel supports Page Table Isolation (PTI):  NO
  * PTI enabled and active:  NO
  * Reduced performance impact of PTI:  NO  (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO  (not vulnerable)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Kernel supports PTE inversion: strings: '': No such file
 NO
* PTE inversion enabled and active:  UNKNOWN  (sysfs interface not available)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* This system is a host running a hypervisor:  NO
* Mitigation 1 (KVM)
  * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
* Mitigation 2
  * L1D flush is supported by kernel:  UNKNOWN  (missing 'lzop' tool, please install it, usually it's in the 'lzop' package)
  * L1D flush enabled:  UNKNOWN  (can't find or read /sys/devices/system/cpu/vulnerabilities/l1tf)
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  UNKNOWN
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

> SUMMARY: CVE-2017-5753:?? CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK

CVE-2018-3640:KO
CVE-2018-3639:KO

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer

【2020年版】NVIDIA Jetson Nano、Jetson Xavier NXの便利スクリプト

NVIDIA Jetson Nano 開発者キットを買ってみた。メモリ容量 4GB LPDDR4 RAM

NVIDIA Jetson Nano 開発者キットを Raspberry Pi 3と性能比較してみたベンチマークレビュー

NVIDIA Jetson Nano 開発者キットを動かすのに最低限必要な物の一覧、冷却ファン、NGFF 無線カード

NVIDIA Jetson Nano 開発者キットで使用する microSDカードに Ubuntu OSイメージを焼く方法を説明

NVIDIA Jetson Nano 開発者キットで SDカードで起動したら一番最初にする事

NVIDIA Jetson Nano Ubuntuのパッケージがアップデート可能な場合にアップデートする方法

NVIDIA Jetson Nanoで nvcc command not found build CUDA app Errorの対応方法

NVIDIA Jetson Nanoの GUI環境を無効にして CUI環境で動く様にしてフリーメモリエリアを広げる

NVIDIA Jetson Nano 開発者キットの Tips一覧、冷却ファンが動かない、20Wモードで動かす、動作温度を知る、他

NVIDIA Jetson Nano 開発者キットに Raspberry Pi Camera Module V2 RaspiCamを接続する方法

Raspberry Piで TensorFlow Deep Learning Frameworkを自己ビルドする方法

Raspberry Piに PyTorch Deep Learning Frameworkをソースコードからビルドする方法、DeepDreamでキモイ絵を作成

Raspberry Piで darkflowを動かしてリアルタイムでカメラ映像を画像物体検出する方法

Raspberry Piで Caffe Deep Learning Frameworkで物体認識を行なってみるテスト

Raspberry Piで Deep Learningフレームワーク Chainerをインストールしてみる

Raspberry Piで DeepBeliefSDKをビルドして画像認識フレームワークを動かす方法

【成功版】最新版の Darknetに digitalbrain79版の Darknet with NNPACKの NNPACK処理を適用する

【成功版】Raspberry Piで Darknet Neural Network Frameworkをビルドする方法

【成功版】Raspberry Piに TensorFlow Deep Learning Frameworkをインストールする方法

Raspberry Piに Jupyter Notebookをインストールして拡張子 ipynb形式の IPythonを動かす

Raspberry Piで Caffe2 Deep Learning Frameworkをソースコードからビルドする方法

【ビルド版】Raspberry Piで DeepDreamを動かしてキモイ絵をモリモリ量産 Caffe Deep Learning Framework

Raspberry Pi 3 Model Bで動画処理アプリ FFmpegをコンパイルする方法

Raspberry Pi 3 Model Bで動画処理アプリ libavをコンパイルする方法

Raspberry Piで NNPACKをビルドする方法

BLAS、ベクトルと行列に関する基本線型代数操作を実行する演算ライブラリ APIのまとめ

Raspberry Pi 3の Linuxコンソール上で使用する各種コマンドまとめ

PIP機能付きの 4K対応の 4入力 1出力の HDMIセレクターを買ってみた、HDMI機器が複数有る場合に便利

EDID保持機能付きの 4K対応の 4入力 2出力の マトリックス切り替え HDMIセレクター、液晶画面 2台と使用で最強