How to determine which modules are responsible for spectre_v2 returning "Vulnerable: Retpoline with unsafe module(s)"?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- kernel packages that include the Retpoline-based mitigation
Issue
- When we run the "Spectre And Meltdown Detector" lab app, it reports "Vulnerable: Retpoline with unsafe module(s)", similar to the output below. How do we find out which modules are unsafe?
Variant #2 (Spectre): Vulnerable: Retpoline with unsafe module(s)
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: YES
- IBRS: Not disabled on kernel commandline
- IBPB: Not disabled on kernel commandline
- Retpolines: Not disabled on kernel commandline
- When checking for Spectre vulnerabilities, the /sys/devices/system/cpu/vulnerabilities/spectre_v2 file indicates the following. How do we find out which modules are responsible?
# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Retpoline with unsafe module(s)
Resolution
To determine which modules are responsible for the message, check every loaded module for the retpoline tag that the kernel build inserts into modules compiled with a Retpoline-capable compiler. modinfo prints this tag as "retpoline: Y", and the kernel sets the "unsafe module(s)" state when it loads a module that lacks it. The following script lists the loaded modules that do not carry the tag:
$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
Two caveats apply. First, the script only inspects modules that are currently loaded; a module that was loaded and later unloaded no longer appears in /proc/modules, but the kernel still remembers it. The kernel logs "<module>: loading module not compiled with retpoline compiler." when it loads such a module, so the kernel log (dmesg or the journal) shows every offender since boot. Second, the "unsafe module(s)" state is latched: once set it stays set until reboot, so unloading or replacing the module does not change the sysfs output. After installing a Retpoline-built version of the module, reboot and check the file again.
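As an added example (not code from this Red Hat solution), the POSIX shell script below performs the same check as the awk one-liner, but splits it into functions so the modinfo parsing can be run against saved output, and adds a pass over the kernel log to catch modules that were loaded and since unloaded. The module names vendor_drv and other_drv and the log lines are constructed for illustration and do not come from a real system.

```shell
#!/bin/sh
# Added example for this article (not Red Hat's code).
#
# Background: modules built with a retpoline-capable toolchain carry
# MODULE_INFO(retpoline, "Y"), which modinfo prints as "retpoline:      Y".
# The kernel checks that tag at load time and logs
# "<name>: loading module not compiled with retpoline compiler." when it
# is missing, which is what latches the "unsafe module(s)" state.

# Reads modinfo(8) output on stdin; prints "retpoline" or "no-retpoline".
classify_modinfo() {
    if grep -q '^retpoline:[[:space:]]*Y'; then
        echo retpoline
    else
        echo no-retpoline
    fi
}

# Reads kernel log lines (dmesg/journalctl) on stdin and prints the unique
# names of modules the kernel flagged at load time, one per line. Unlike
# /proc/modules this also covers modules that have since been unloaded.
unsafe_from_kernel_log() {
    # A leading space is prepended so lines without a timestamp prefix match too.
    sed -n 's/^/ /; s/^.*[[:space:]]\([^[:space:]:]*\): loading module not compiled with retpoline compiler.*$/\1/p' | sort -u
}

# Live check: walk the module list (default /proc/modules) and report every
# module whose modinfo lacks the retpoline tag, in the same output format as
# the article's awk script.
list_unsafe_modules() {
    modlist=${1:-/proc/modules}
    while read -r name _rest; do
        if [ "$(modinfo "$name" 2>/dev/null | classify_modinfo)" = no-retpoline ]; then
            echo "VULNERABLE - No Retpoline found - $name"
        fi
    done < "$modlist"
}

# Constructed sample kernel-log lines (not taken from a real system). The
# second line is a distractor that must not be reported.
SAMPLE_KLOG='[   12.345678] vendor_drv: loading module not compiled with retpoline compiler.
[   12.345690] vendor_drv: module verification failed: signature and/or required key missing - tainting kernel
[  300.000001] other_drv: loading module not compiled with retpoline compiler.
[  900.000001] vendor_drv: loading module not compiled with retpoline compiler.'

# Run the live scan only when invoked with "scan", so the file can also be
# sourced for its functions.
if [ "${1:-}" = scan ]; then
    list_unsafe_modules
    if command -v dmesg >/dev/null 2>&1; then
        dmesg 2>/dev/null | unsafe_from_kernel_log | sed 's/^/Flagged at load time: /'
    fi
fi
```

Run it as `sh check-retpoline.sh scan` on the affected host. Modules reported by the log pass but absent from the modinfo pass are the ones that were loaded earlier and then removed; they still account for the sysfs message until the next reboot.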
The next steps depend on the module returned. If the module is provided by a third party, contact that vendor to confirm the recommended course of action. This may be as simple as updating to a newer revision of the module, one built with a Retpoline-capable compiler. In other cases the vendor may ask that the module be recompiled on the end system; this is common with compile-on-target packaging methods such as dkms and akmod, which Red Hat Development Engineering does not provide.
For any module provided by Red Hat, check whether a newer revision of the module is available. If not, contact Red Hat Support to confirm the next steps:
How do I open and manage a support case on the Customer Portal? - Red Hat Customer Portal
Root Cause
The Retpoline mitigation is applied to the kernel at compile time: a Retpoline-capable compiler replaces indirect branches with return trampolines. All modules built from the kernel source tree and shipped in the kernel RPM therefore carry the mitigation. Any module that is not in the kernel source tree at compilation time goes through an independent build chain, so it may have been compiled without a Retpoline-capable compiler. When the kernel loads such a module it cannot trust that module's indirect branches, so it reports the whole system as "Vulnerable: Retpoline with unsafe module(s)". Installing a version of the module built with a Retpoline-capable compiler is recommended so that the full mitigation applies.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.