You could manually install the latest package, according to
https://forum.proxmox.com/threads/meltdown-and-spectre-for-newbie.39183/#post-194316
Depending on the CPU, it could work or not. I have tried on both Jessie and Stretch, but not on production servers and without performance benchmarks.
WORKING
Code:
# dpkg -l | grep intel-microcode
ii intel-microcode 3.20180108.1 amd64 Processor microcode firmware for Intel CPUs
# dmesg | grep microcode
[ 0.000000] microcode: CPU0 microcode updated early to revision 0xc2, date = 2017-11-16
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.4.98-4-pve #1 SMP PVE 4.4.98-104 (Mon, 15 Jan 2018 09:34:49 +0100) x86_64
CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
....
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: YES
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
....
NOT WORKING
Code:
# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.13.13-5-pve #1 SMP PVE 4.13.13-36 (Mon, 15 Jan 2018 12:36:49 +0100) x86_64
CPU is Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
NOT WORKING
Code:
# dpkg -l | grep microcode
ii intel-microcode 3.20180108.1 amd64 Processor microcode firmware for Intel CPUs
# dmesg | grep microcode
[ 0.000000] microcode: CPU0 microcode updated early to revision 0x19, date = 2013-06-21
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.4.98-4-pve #1 SMP PVE 4.4.98-104 (Mon, 15 Jan 2018 09:34:49 +0100) x86_64
CPU is Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz
...
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
But, I repeat, those are not production servers. They have booted all right and I didn't notice obvious issues. But everybody says they are unstable, and are waiting for retpoline mitigation.
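The three cases above differ only in which microcode revision the CPU actually loaded, not in the installed package version. As an added example (not part of the original post and not the checker project's own code), this script condenses saved `dmesg` and checker output into one line per host; the function names and the sample text are constructed for illustration, and the input is assumed to be plain text without colour codes.

```shell
#!/bin/sh
# Added example: summarise Spectre v2 (CVE-2017-5715) state from saved text.
# Assumes plain-text output (no colour codes) from `dmesg | grep microcode`
# and from spectre-meltdown-checker.sh in the v0.29 / v0.31 layouts above.

# Print "rev=<hex> date=<date>" from a "microcode updated early" dmesg line.
microcode_info() {
    sed -n 's/.*updated early to revision \(0x[0-9a-fA-F]*\), date = \([0-9-]*\).*/rev=\1 date=\2/p' | head -n 1
}

# Print "hw=<YES|NO|UNKNOWN> status=<...>" for the CVE-2017-5715 section only.
spectre_v2_summary() {
    awk '
        /CVE-2017-5715/      { insec = 1; next }
        /CVE-[0-9]+-[0-9]+/  { insec = 0 }
        !insec               { next }
        # v0.29 layout: one line carries the hardware answer
        /Hardware \(CPU microcode\) support for mitigation: / { hw = $NF }
        # v0.31 layout: answer is split over the SPEC_CTRL MSR / CPUID items
        /SPEC_CTRL (MSR is available|CPUID feature bit is set): / {
            if ($NF == "NO") hw = "NO"; else if (hw == "") hw = "YES"
        }
        /STATUS:/ { sub(/.*STATUS: */, ""); sub(/ *\(.*/, ""); status = $0 }
        END { printf "hw=%s status=%s\n", (hw == "" ? "UNKNOWN" : hw), (status == "" ? "UNKNOWN" : status) }
    '
}

# $1 = dmesg text, $2 = checker text. One line per host, so that a stale
# microcode date next to hw=NO stands out even when the package is installed.
assess_host() {
    mc=$(printf '%s\n' "$1" | microcode_info)
    printf '%s %s\n' "${mc:-rev=none date=none}" "$(printf '%s\n' "$2" | spectre_v2_summary)"
}

# Constructed sample input (not captured from a real host).
SAMPLE_DMESG='[ 0.000000] microcode: CPU0 microcode updated early to revision 0x19, date = 2013-06-21'
SAMPLE_CHECKER='CVE-2017-5715 [branch target injection]
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: YES
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed)
CVE-2017-5754 [rogue data cache load]
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)'

assess_host "$SAMPLE_DMESG" "$SAMPLE_CHECKER"
```

In the v0.31 layout the hardware answer is reported as YES only when both SPEC_CTRL items say YES, and a STATUS line belonging to a different CVE section is ignored.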