Processors
Intel® Processors, Tools, and Utilities
14819 Discussions

Downfall, how to read the "Affected processors" page?

odinb
Novice
5,592 Views

Hi!

 

Trying to find out if the CPUs we use are affected by Downfall (https://downfall.page/) or not, but believe the chart is a bit ambiguous.

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

 

Have the following 2 CPUs:

# sudo dmidecode -t 4 | grep -i family
        Family: Xeon
        Signature: Type 0, Family 6, Model 85, Stepping 4
        Family: Xeon
        Signature: Type 0, Family 6, Model 85, Stepping 4

# sudo dmidecode -t 4 | grep -i family
        Family: Xeon
        Signature: Type 0, Family 6, Model 85, Stepping 7
        Family: Xeon
        Signature: Type 0, Family 6, Model 85, Stepping 7

 

Using the guide and convert to CPUID, it would be 65504 & 65507 (does one remove leading 0 or not?).

First way to look at it is looking at family. If so, then 65504/Skylake is affected, but for 65507/Skylake the Skylake is not mentioned in the "Code Names" table. Following this, first, and possibly both are affected?

Second way is to look at CPUID only and the CPUID column, if doing this, none of those CPUIDs are found, so not affected?

How does one read this table, and are the CPUs affected or not?

0 Kudos
1 Solution
Allan_A_Intel
Moderator
5,032 Views

Hello Odin,

 

Thank you for your patience. To identify the CPUID, please follow these steps:

 

  1. Visit the table of affected processors at this link: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html.
  2. Utilize the following commands in your Linux environment with the information you already gathered regarding Family, Model and Stepping:
    $ printf "%x\n" 6 // output: 6 = Family
    $ printf "%x\n" 85 // output: 55 = Model
    $ printf "%x\n" 4 // output: 4 = Stepping​
  3. The above commands will lead you to the CPUID 50654 (sixth column) by matching "06_55" in the first column and "4" in the second column. You can also refer to the attached illustration for clarity.

 

I acknowledge that this method might not be the most straightforward way to determine the CPUID of any Intel processor. However, it can still provide guidance in assessing if an Intel processor is affected by potential vulnerabilities. If you have any further questions or need additional assistance, please don't hesitate to ask. Your diligence in seeking information is appreciated, and I'm here to help.

 

Best regards,

 

Allan A.

Intel Customer Support

 

View solution in original post

0 Kudos
16 Replies
Allan_A_Intel
Moderator
5,553 Views

Hello odinb,


Thank you for reaching out and sharing your concerns about the CPU vulnerability. I understand that the information you've come across can be a bit unclear, and I appreciate your thorough exploration to find a resolution.


You've outlined two distinct ways of interpreting the information, and you're absolutely right that this can lead to different conclusions. The ambiguity in the chart can make it challenging to determine whether your CPUs are affected by the Downfall vulnerability.


To provide you with the most accurate and definitive answer, I'm going to consult internally with our experts. They'll carefully review the details of your CPUs and the vulnerability, ensuring that you receive precise guidance.


I understand how important it is to have a clear understanding of the potential impact on your systems. I'll work diligently to get back to you as soon as I have a concrete answer. Your patience and diligence in seeking the right information are truly appreciated.


Please feel free to reach out if you have any further questions or if there's anything else I can assist you with. Your satisfaction is our priority, and I'm committed to providing you with the guidance you need.


Warm regards,


Allan A.

Intel Customer Support


Allan_A_Intel
Moderator
5,537 Views

Hello odinb,


Thank you for your patience. I appreciate your effort in providing the codes you've gathered. However, upon further review, it seems that these codes are actually microcodes of the processors, not CPUIDs. To accurately search for your processors in the table, we would need the correct CPUIDs.


To gather the necessary CPU information, you can use any of the following commands:

  • `lscpu` command: This command will display detailed information about your CPU's architecture.
  • `x86info` command: This command provides diagnostics for x86 CPUs.
  • `cpuid` command: Using this command will allow you to retrieve CPUID information for each individual CPU.


On a positive note, I'm glad to confirm that if a specific CPUID is not listed in the table, it indicates that the processor is not affected by the vulnerability.


Thank you for your understanding, and please feel free to reach out if you have any more questions or need further assistance.


Best regards,


Allan A.

Intel Customer Support


0 Kudos
odinb
Novice
5,520 Views

Hi Allan!

Here is the asked for info:
$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 96
On-line CPU(s) list: 0-95
Thread(s) per core: 2
Core(s) per socket: 24
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 85
Model name: Intel(R) Xeon(R) Platinum 8168 CPU @ 2.70GHz
Stepping: 4
CPU MHz: 3102.099
CPU max MHz: 3700.0000
CPU min MHz: 1200.0000
BogoMIPS: 5400.00
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 1024K
L3 cache: 33792K
NUMA node0 CPU(s): 0-23,48-71
NUMA node1 CPU(s): 24-47,72-95
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb cat_l3 cdp_l3 invpcid_single intel_ppin intel_pt ssbd mba ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts hwp hwp_act_window hwp_pkg_req pku ospke md_clear spec_ctrl intel_stibp flush_l1d arch_capabilities
$

and for the second one:
$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 96
On-line CPU(s) list: 0-95
Thread(s) per core: 2
Core(s) per socket: 24
Socket(s): 2
NUMA node(s): 4
Vendor ID: GenuineIntel
CPU family: 6
Model: 85
Model name: Intel(R) Xeon(R) Gold 6248R CPU @ 3.00GHz
Stepping: 7
CPU MHz: 3000.000
BogoMIPS: 6000.00
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 1024K
L3 cache: 36608K
NUMA node0 CPU(s): 0-11,48-59
NUMA node1 CPU(s): 12-23,60-71
NUMA node2 CPU(s): 24-35,72-83
NUMA node3 CPU(s): 36-47,84-95
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single intel_ppin ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts pku ospke avx512_vnni md_clear flush_l1d arch_capabilities
$

 

Regards,

//Odin

0 Kudos
odinb
Novice
5,517 Views

Hi Allan!

My understanding was that the signature information is used to derive the CPUID:
Signature: Type 0, Family 6, Model 85, Stepping 4
Signature: Type 0, Family 6, Model 85, Stepping 7

And then it is converted to hex, giving (as stated above): 65504 & 65507 (does one remove leading 0 or not?).

If this is not the correct way to do it, then please let me know how to get/calculate the CPUID from above info!

 

Regards,

//Odin

0 Kudos
Allan_A_Intel
Moderator
5,493 Views

Hello Odin,


Thank you for providing the model details of your processors; it helped me locate their CPUIDs. Here's the information you're looking for:

  • The CPUID of the Intel® Xeon® Platinum 8168 Processor is 50654.
  • The CPUID of the Intel® Xeon® Gold 6248R Processor is 50657.


In the vulnerability chart, focus on the column titled "Gather Data Sampling (GDS/Downfall) CVE-2022-40982 INTEL-SA-00828".


If you search for CPUID 50654, you'll find that it's not affected by Downfall.


However, if you search for CPUID 50657, it indicates that Downfall does affect your Intel Xeon Gold 6248R Processor. For more detailed recommendations, you can refer to the 2023.3 IPU - Intel® Processor Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html.


If you have any further questions or need assistance, feel free to ask. Your security and understanding are our top priorities.


Best regards,


Allan A.

Intel Customer Support


0 Kudos
odinb
Novice
5,486 Views

Thanks for the response!

 

But again, how does one get to the CPUID?

The webpage: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html

 

Specifies:

The following example demystifies Family-Model-Stepping by using the lscpu instruction.

  1. $ lscpu // look for Family/Model/Stepping
    CPU family:            6
    Model:                 85
    Stepping:              4
  2. Convert decimal to hex:
    $ printf "%x\n" 6      // output: 6
    $ printf "%x\n" 85    // output: 55
    $ printf "%x\n" 4      // output:4
  3. Concatenate those three values into a single signature.

In the above example, the system has the 06-55-04 (Family-Model-Stepping) CPUID signature.

 

So, how are you getting to 50654?

 

Thanks!

 

Regards,

 

//Odin

0 Kudos
MBro
Beginner
5,444 Views

Hi Odinb, 

 

Is 2015 Macbook with below CPU affected ? 

Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz

 

-Thx

0 Kudos
AlHill
Super User
5,404 Views

No, only 6th gen to 11th gen.  

Doc (not an Intel employee or contractor)
[Maybe Windows 12 will be better]

0 Kudos
MBro
Beginner
5,444 Views

Hi Odinb, 

 

Is 2015 Macbook Pro with below CPU affected with Downfall or other vulnerabilities ? and if so, what would be the solution ?

Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz

 

-Thx

0 Kudos
odinb
Novice
5,366 Views

Hi!

Probably not, see this: https://9to5mac.com/2023/08/10/downfall-vulnerability-mac/#:~:text=If%20you%20have%20an%20Intel,Macs%20are%20sort%20of%20unique.

"If you have an Intel Mac from 2016 onward (or a late-2015 iMac), then the flaw is present in your CPU.

However, as Macworld notes, this doesn’t necessarily mean that the vulnerability can actually be exploited on Macs."

 

To get the information about your CPU on MacOS you can run:

% system_profiler SPHardwareDataType

and

% sysctl -a | grep machdep.cpu

 

But back to my original question on how to get the CPUID would be nice!

 

Any updates on that, Allan?

 

//Odin

0 Kudos
Allan_A_Intel
Moderator
5,199 Views

Hello Odin,


Absolutely, I'm here to help! To obtain the CPUID on Windows*, you can refer to the article "CPUID Information for Intel® Processors" available at this link: https://www.intel.com/content/www/us/en/support/articles/000006831/processors/processor-utilities-and-programs.html.


As for Linux*, I'm currently researching alternative methods to obtain the CPUID. I appreciate your patience, and I'll make sure to provide you with the information you need as soon as I find it. Thank you for your understanding!


Best regards,


Allan A.

Intel Customer Support


Allan_A_Intel
Moderator
5,033 Views

Hello Odin,

 

Thank you for your patience. To identify the CPUID, please follow these steps:

 

  1. Visit the table of affected processors at this link: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html.
  2. Utilize the following commands in your Linux environment with the information you already gathered regarding Family, Model and Stepping:
    $ printf "%x\n" 6 // output: 6 = Family
    $ printf "%x\n" 85 // output: 55 = Model
    $ printf "%x\n" 4 // output: 4 = Stepping​
  3. The above commands will lead you to the CPUID 50654 (sixth column) by matching "06_55" in the first column and "4" in the second column. You can also refer to the attached illustration for clarity.

 

I acknowledge that this method might not be the most straightforward way to determine the CPUID of any Intel processor. However, it can still provide guidance in assessing if an Intel processor is affected by potential vulnerabilities. If you have any further questions or need additional assistance, please don't hesitate to ask. Your diligence in seeking information is appreciated, and I'm here to help.

 

Best regards,

 

Allan A.

Intel Customer Support

 

0 Kudos
odinb
Novice
5,022 Views

Hi Allan!

 

So, you are basically saying you cannot get the CPUID on Linux without a translator table?

The method you are describing was referenced by me in the initial post, and spelled out in one of my later posts, but I never realized you needed a translator table to get the CPUID using it.

 

Thanks for the information!

 

Regards,

 

//Odin

0 Kudos
Allan_A_Intel
Moderator
5,006 Views

Hello Odin,

 

Thank you for reaching out. I apologize for any confusion. To clarify, there isn't a direct command on Linux that provides the CPUID in a human-readable format. The method I mentioned involves using the microcode information to deduce the CPUID, but it's not as straightforward as having a direct "get CPUID" command.

 

I appreciate your understanding and patience as we explored different approaches. If you have any more questions or need further assistance, please don't hesitate to ask.

 

Best regards,

 

Allan A.

Intel Customer Support

 

0 Kudos
Allan_A_Intel
Moderator
4,872 Views

Hello Odin,


Thank you for marking this thread as "Solved." If you have any further questions or need additional information, please don't hesitate to reach out. However, please keep in mind that this thread will no longer be actively monitored. If you require assistance in the future, please feel free to submit a new question, and we'll be glad to help. Your satisfaction is important to us, and we're here to support you whenever you need it.


Best regards,


Allan A.

Intel Customer Support


0 Kudos
Reply