2

I'm running Debian Buster (10.3) on a ThinkPad T420 (i5-2520M); the current intel-microcode package is installed. To check for known CPU vulnerabilities I used the spectre-meltdown-checker script (https://github.com/speed47/spectre-meltdown-checker), which resulted in this output:

Summary of spectre-meltdown-checker script

According to the script all CVEs related to the Microarchitectural Data Sampling (MDS) vulnerability (which are specified in The Linux kernel user’s and administrator’s guide at: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html) are fixed on my system.

What makes me think is that cat /sys/devices/system/cpu/vulnerabilities/mds leads to Mitigation: Clear CPU buffers; SMT vulnerable which means that "The processor is vulnerable and the CPU buffer clearing mitigation is enabled." and "SMT is enabled".

How should the outputs of the tools be interpreted, or better asked, which tool can I trust?

EDIT: This is the output with --paranoid option enabled: Summary with --paranoid option

1 Answer

3

Both tools agree; by default, spectre-meltdown-checker flags vulnerabilities as fixed even when SMT is an issue. If you add the --paranoid flag you should see a number of green boxes change to red.

On your setup, all the available fixes are applied on your system, apart from disabling SMT which is your decision to make. See also Do I need to take action regarding my Microarchitectural Data Sampling (MDS) status?

Which tool you trust most depends on how recent the tests are; pulling the latest spectre-meltdown-checker will usually ensure up-to-date tests there.

3
  • Thanks Stephen, this clears things up. As you announced, --paranoid leads to some red fields but it also marks the status of CVE-2018-12207 as UNKNOWN. Do you have any idea why this happens? Commented Apr 25, 2020 at 7:47
  • That’s strange, what does the detailed output from the 2018-12207 section say? Commented Apr 25, 2020 at 11:33
  • I updated my question with a screenshot Commented Apr 25, 2020 at 12:00
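The reconciliation described in the answer, as an added example that is not part of the original thread and not code from spectre-meltdown-checker: a shell function that splits the kernel's MDS status string into its mitigation part and its SMT part and gives a verdict in two modes. The function name `classify_mds` and the `default`/`paranoid` mode names are hypothetical; the "paranoid" rule only mirrors the answer's description (SMT counts against you), and the status strings are the ones listed in the kernel's MDS admin guide.

```shell
#!/bin/sh
# Added example (not the checker's own logic).
# classify_mds STATUS [MODE] -> prints OK, VULN or UNKNOWN
#   STATUS: contents of /sys/devices/system/cpu/vulnerabilities/mds
#   MODE:   "default" ignores the SMT part, "paranoid" requires SMT to be safe
classify_mds() {
    status=$1
    mode=${2:-default}

    # The kernel reports "<mitigation state>; <SMT state>".
    state=${status%%;*}
    case $status in
        *\;*) smt=${status#*; } ;;
        *)    smt="" ;;
    esac

    case $state in
        "Not affected")                  echo OK;      return ;;
        "Mitigation: Clear CPU buffers") ;;            # keep going, check SMT
        Vulnerable*)                     echo VULN;    return ;;
        *)                               echo UNKNOWN; return ;;
    esac

    # Buffer clearing is active. Whether that is "fixed" depends on how
    # strictly cross-thread leakage between SMT siblings is judged.
    if [ "$mode" != "paranoid" ]; then
        echo OK
        return
    fi
    case $smt in
        "SMT disabled"|"SMT mitigated") echo OK ;;
        "SMT vulnerable")               echo VULN ;;
        *)                              echo UNKNOWN ;;  # e.g. "SMT Host state unknown"
    esac
}

# On a Linux host, show both readings of the live value.
f=/sys/devices/system/cpu/vulnerabilities/mds
if [ -r "$f" ]; then
    s=$(cat "$f")
    echo "kernel:   $s"
    echo "default:  $(classify_mds "$s" default)"
    echo "paranoid: $(classify_mds "$s" paranoid)"
fi
```

For the string quoted in the question, the default reading is OK and the paranoid reading is VULN, which is the same system state seen through two thresholds rather than a disagreement between tools.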
