Linux – What does the “bugs” section of /proc/cpuinfo actually show


On a Debian Stretch and testing/Buster system with a current kernel and installed microcode I still see meltdown and spectre listed as bugs in /proc/cpuinfo.

However, running the spectre-meltdown-checker shows not vulnerable.

So I'm wondering what /proc/cpuinfo does show. Are these just the vulnerabilities for this CPU, and will those always be listed despite having a patched system?

Best Answer

The intent of the “bugs” field in /proc/cpuinfo is described in the commit message which introduced it:

x86/cpufeature: Add bug flags to /proc/cpuinfo

Dump the flags which denote we have detected and/or have applied bug workarounds to the CPU we're executing on, in a similar manner to the feature flags.

The advantage is that those are not accumulating over time like the CPU features.

Previously, hardware bugs that the kernel detected were listed as separate features (e.g. the infamous F00F bug, which has its own f00f_bug entry in /proc/cpuinfo on 32-bit x86 systems). The “bugs” entry was introduced to hold these in a single feature going forwards, in the same style as x86 CPU flags.

As far as what the entries mean in practice, as you can see in the message, all that’s guaranteed is that the kernel detected a hardware bug. You’ll need to look elsewhere (boot messages, or specific /proc entries or /sys entries such as the files in /sys/devices/system/cpu/vulnerabilities/) to determine whether the issues are dealt with.

The usefulness of the “bugs” entries is limited in two ways. The first is that true negatives can’t be distinguished from unknowns: if the field doesn’t specify “cpu_meltdown”, you can’t know (just from the field) whether that means that the kernel doesn’t know about Meltdown, or that your CPU isn’t affected by Meltdown. The second is that the detection can be too simplistic; it errs on the side of caution, so it might report that your CPU is vulnerable when it isn’t. Because the “detection” is table-driven, its accuracy depends on which version of the kernel you’re running.

In the case of Meltdown and Spectre bugs, the detection process which feeds the values in /proc/cpuinfo works as follows, on x86:
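The answer points to /sys/devices/system/cpu/vulnerabilities/ as the place to check whether a bug listed in /proc/cpuinfo is actually mitigated. As an added example (not part of the answer and not kernel tooling), the following POSIX shell script reads the "bugs" field from a cpuinfo file and prints the matching sysfs status for each entry; it assumes the sysfs file names match the cpuinfo bug names except for cpu_meltdown (file: meltdown) and taa (file: tsx_async_abort), and it builds a constructed sample tree so it runs without a live system.

```shell
#!/bin/sh
# Cross-check the "bugs" field of a cpuinfo file against the per-vulnerability
# status files in a sysfs-style directory. "bugs" only says the kernel detected
# a bug; the sysfs file says whether it is mitigated.

# Print the space-separated "bugs" list from the first CPU block of $1.
cpuinfo_bugs() {
    awk '/^bugs[[:space:]]*:/ { sub(/^bugs[[:space:]]*:[[:space:]]*/, ""); print; exit }' "$1"
}

# Map a cpuinfo bug name to its sysfs file name (assumption: names coincide
# apart from the two renamed entries below).
sysfs_name() {
    case $1 in
        cpu_meltdown) echo meltdown ;;
        taa)          echo tsx_async_abort ;;
        *)            echo "$1" ;;
    esac
}

# For each bug in cpuinfo file $1, print "<bug> <status>" using directory $2,
# or "<bug> no-sysfs-entry" when the kernel exposes no status file for it
# (e.g. swapgs, which is covered under spectre_v1).
report_bugs() {
    for bug in $(cpuinfo_bugs "$1"); do
        file="$2/$(sysfs_name "$bug")"
        if [ -r "$file" ]; then
            printf '%s %s\n' "$bug" "$(cat "$file")"
        else
            printf '%s no-sysfs-entry\n' "$bug"
        fi
    done
}

# Build a constructed sample (cpuinfo + vulnerabilities dir) and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'processor\t: 0\nflags\t\t: fpu vme\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2 swapgs\n' > "$d/cpuinfo"
    mkdir "$d/vulnerabilities"
    echo 'Mitigation: PTI' > "$d/vulnerabilities/meltdown"
    echo 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$d/vulnerabilities/spectre_v1"
    echo 'Mitigation: Retpolines, IBPB: conditional' > "$d/vulnerabilities/spectre_v2"
    echo "$d"
}

# Stand-alone run on the constructed sample. On a live system use instead:
#   report_bugs /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
sample=$(make_sample_tree)
report_bugs "$sample/cpuinfo" "$sample/vulnerabilities"
```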