Project:Security/Vulnerabilities/Meltdown and Spectre

= "Meltdown" and "Spectre" — Side channel attacks against modern CPUs =

== Introduction ==
Based on research from various groups and individuals, Google's security team has identified a family of side channel attacks against modern CPUs that attackers can use to read the contents of otherwise inaccessible memory.

To help mitigate this hardware implementation flaw at the software layer, Gentoo is preparing mitigations for these side channel attacks in the Linux kernel and various packages.

To learn more about this vulnerability, please go to:
 * https://meltdownattack.com/
 * https://spectreattack.com/

== Situation ==
The following three attacks have been identified:

CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker-controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise unreadable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.

This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. All Gentoo-supported processor architectures (Intel and AMD x86_64, IBM Power, IBM zSeries and 64-bit ARM) are affected.

CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mis-predicted branches to speculatively execute code patterns that in turn leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.

This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes at the user-kernel privilege boundary.

Mitigation is done with the help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM zSeries architectures. On x86_64, this also requires updates to the CPU microcode packages, delivered in separate updates.

For IBM Power and zSeries the required firmware updates are supplied over regular channels by IBM.

As this mitigation can have a performance impact, it can be disabled using the "nospec" kernel command line option on x86_64 and "nobp" on IBM zSeries.

CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculatively execute code that reads otherwise read-protected memory, an attack similar to CVE-2017-5753.

This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following an approach described in the "KAISER" paper.

The terms used here are "KAISER" / "Kernel Address Isolation" and "PTI" / "Page Table Isolation".

The update does this on the Intel x86_64 and IBM Power architecture. Updates are also necessary for the ARM architecture, but will be delivered in the second round of updates.

This feature can be enabled / disabled by the "pti=[on|off|auto]" or "nopti" command line options.
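The kernel command line options named above ("nospec"/"nobp" for CVE-2017-5715 and "pti=[on|off|auto]"/"nopti" for CVE-2017-5754) are easy to misread on a long boot line, so the following added example (not part of this Gentoo page or of the kernel's own code) parses a command line and reports which mitigations it leaves enabled. It assumes that when an option is repeated the last occurrence wins; the sample command lines are constructed for the example.

```shell
#!/bin/sh
# Report the state of the Meltdown/Spectre mitigation toggles on a kernel
# command line. The line is passed as an argument so the same check works
# on a saved boot line and on the live /proc/cmdline.

# Print "on", "off" or "auto" for the Page Table Isolation (CVE-2017-5754)
# setting on x86_64. Assumption: the last matching option is authoritative.
pti_state() {
    state="auto"   # kernel default when no pti option is given
    for opt in $1; do
        case "$opt" in
            nopti)    state="off" ;;
            pti=on)   state="on" ;;
            pti=off)  state="off" ;;
            pti=auto) state="auto" ;;
        esac
    done
    printf '%s\n' "$state"
}

# Print "disabled" if the branch-prediction mitigation (CVE-2017-5715) has
# been switched off via "nospec" (x86_64) or "nobp" (IBM zSeries), else
# "enabled".
spectre_v2_state() {
    state="enabled"
    for opt in $1; do
        case "$opt" in
            nospec|nobp) state="disabled" ;;
        esac
    done
    printf '%s\n' "$state"
}

# One-line summary of both mitigations for a given command line.
mitigation_summary() {
    printf 'pti=%s spectre_v2=%s\n' "$(pti_state "$1")" "$(spectre_v2_state "$1")"
}

# Constructed sample command lines (not taken from any real system).
sample_default="BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet"
sample_disabled="BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro nopti nospec"

mitigation_summary "$sample_default"    # pti=auto spectre_v2=enabled
mitigation_summary "$sample_disabled"   # pti=off spectre_v2=disabled

# Live check of the running kernel, only where /proc is available.
if [ -r /proc/cmdline ]; then
    mitigation_summary "$(cat /proc/cmdline)"
fi
```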

== Resolution ==
Gentoo will be releasing updated sys-kernel/gentoo-sources packages for all supported kernels to mitigate these issues. If you are using a kernel package that is not security-supported, you have to check on your own.

Gentoo will also be releasing firmware updates for AMD (via sys-kernel/linux-firmware package) and Intel (via sys-firmware/intel-microcode package).

As the fixes for CVE-2017-5715 will also need adjustments in the QEMU virtualization host to pass through CPUID flags and MSRs from host to guest system, Gentoo will also be providing QEMU / KVM updates.

Note that the XEN Hypervisor also needs mitigations for the described problems; the XEN team is currently developing a fix.

Gentoo has released the following updates:

sys-kernel/gentoo-sources:

tbd

sys-kernel/linux-firmware:

tbd

sys-firmware/intel-microcode:

tbd