(... I suppose you are using latest firmware...)

That is correct.

Phil

Here's mine:

# grep -R . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: EPT disabled
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

Doesn't look good.

Phil

(... I suppose you are using latest firmware...)

# grep -R . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: EPT disabled
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

Doesn't look good.

Phil

boycottsystemd wrote:

I've booted ASCII kernel with noht parameter.

The parameter you want is nosmt.

You also need the 2019-05-14 version of the intel-microcode package and the most recent kernel version (4.9.168-1+deb9u2, install the linux-image-amd64 metapackage to get this).

EDIT: you already have the kernel.

Use this to check vulnerabilities:

grep -R . /sys/devices/system/cpu/vulnerabilities

The zombieload vulnerability corresponds to MDS in the /sys checklist.

Thank you and apology for delay.

# grep -R . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

I've booted ASCII kernel with noht parameter.

The parameter you want is nosmt.

You also need the 2019-05-14 version of the intel-microcode package and the most recent kernel version (4.9.168-1+deb9u2, install the linux-image-amd64 metapackage to get this).

EDIT: you already have the kernel.

Use this to check vulnerabilities:

grep -R . /sys/devices/system/cpu/vulnerabilities

The zombieload vulnerability corresponds to MDS in the /sys checklist.

There is anoher intel vulnerability which uses hyperthreading.

Similar vulnerabilities, especially from Intel, will keep coming.  2018 was the year of microcode exploits.  Until Intel releases a mass-recall to fix their hardware (they won't), just sit back and enjoy the show.

It's good practice to find research whether or not the CVE has been resolved:
https://www.debian.org/security/2019/dsa-4444

I've booted ASCII kernel with noht parameter.

I've tried to disable hyperthreading:

sudo -i && echo 0 > /sys/devices/system/cpu/online

but

# cat /sys/devices/system/cpu/online 
0-3

Any idea pls ?

$ uname -a
4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64 GNU/Linux