Project:Security/Vulnerabilities/Meltdown and Spectre
This document describes the Gentoo Security Project's plan of mitigation against the 'Meltdown' and 'Spectre' side channel attacks against modern CPUs.
Introduction
Based on research from various groups and individuals, Google's security team has identified a family of side channel attacks against modern CPUs that can be used by attackers to read memory content of otherwise inaccessible memory.
To help defend at the software layer against this flaw in the hardware implementation, Gentoo is preparing mitigations for these side channel attacks in the Linux kernel and various packages.
To learn more about the vulnerabilities themselves, visit:
Situation
The following three attacks have been identified:
CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker-controllable speculative execution over code patterns in the Linux kernel to leak content from otherwise unreadable memory in the same address space, allowing retrieval of passwords, cryptographic keys, and other secrets.
This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. The following Gentoo-supported processor architectures are affected: Intel and AMD x86/amd64, IBM Power (ppc64), IBM zSeries (S390) and 64-bit ARM (arm64).
CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by disabling predictive branches; depending on the CPU architecture, this is done by firmware updates and/or fixes at the user-kernel privilege boundary.
Mitigation is done with the help of Linux kernel fixes on the Intel/AMD x86/amd64 and IBM zSeries (S390) architectures. On x86/amd64, this also requires updates of the CPU microcode packages, delivered in separate updates.
For IBM Power (ppc64) and zSeries (S390) the required firmware updates are supplied over regular channels by IBM.
As this feature can have a performance impact, it can be disabled using the nospec kernel command-line option on x86/amd64 and nobp on IBM zSeries.
CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculatively execute code that reads otherwise read-protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux kernel from the user address space during user code execution, following an approach described in the "KAISER" paper.
The terms used here are "KAISER" / "Kernel Address Isolation" and "PTI" / "Page Table Isolation".
The update does this on the Intel x86/amd64 and IBM Power architectures. Updates are also necessary for the ARM architecture, but will be delivered in the second round of updates.
This feature can be enabled / disabled by the pti=[on|off|auto] or nopti kernel command-line options.
Resolution
Gentoo released updated sys-kernel/gentoo-sources packages to mitigate these issues. If you are using a kernel package that is not security-supported, you have to check on your own.
Gentoo will also be releasing firmware updates for AMD (via sys-kernel/linux-firmware package) and Intel (via sys-firmware/intel-microcode package).
As the fixes for CVE-2017-5715 will also need adjustments in the QEMU virtualization host to pass through CPUID flags and MSRs from host to guest system, Gentoo will also be providing an updated app-emulation/qemu package once available. You can subscribe to bug #643432 to get notified or wait for the GLSA release.
Note that the XEN Hypervisor also needs mitigations for the described problems; the XEN team is currently developing a fix. You can subscribe to bug #643350 to get notified or wait for the GLSA release.
Currently, the KPTI patch set is only available for 64-bit Gentoo operating systems. Some 32-bit operating systems (for example if you are using a 4GB/4GB memory split) are immune because they use separate memory maps for kernel and userspace.
Gentoo has released the following updates:
sys-kernel/gentoo-sources
These packages currently mitigate only Meltdown, not Spectre!
You can subscribe to bug #643352 to get notified.
LTS branch | Recommended stable version with complete KPTI patch set | Recommended version (stabilization candidate) |
---|---|---|
3.10 | Still vulnerable | EOL - Please migrate to 4.9 branch once a patched kernel becomes available |
4.1 | Still vulnerable | EOL - Please migrate to 4.9 branch once a patched kernel becomes available |
4.4 | >=sys-kernel/gentoo-sources-4.4.111-r1 | sys-kernel/gentoo-sources-4.4.111-r1 |
4.9 | >=sys-kernel/gentoo-sources-4.9.76-r1 | sys-kernel/gentoo-sources-4.9.76-r1 |
4.14 | - | sys-kernel/gentoo-sources-4.14.14 |
¹ From the Meltdown point of view, but not from the GA QA aspect.
The gentoo-sources versions carrying the KPTI patch set are currently as follows:
version | KPTI patch set |
---|---|
4.14.11 | Incomplete patch set enabling KPTI for all CPU architectures |
4.14.11-r1 | Reduced patch set, KPTI only for the Intel x86 architecture, but missing the dumpstack change and the "Define cpu_tss_rw in same section as declaration" change |
4.14.11-r2 | Complete KPTI patch set |
4.14.12 | Complete KPTI patch set + AMD support for fam17h microcode loading |
4.9.75 | Complete KPTI patch set + AMD support for fam17h microcode loading |
4.4.110 | Complete KPTI patch set + AMD support for fam17h microcode loading |
sys-kernel/linux-firmware
A CPU microcode update was added which disables branch prediction on AMD family 17h processors (800F12 only). The updated microcode is included in >=sys-kernel/linux-firmware-20180103-r1, which is currently being stabilized in bug #643476.
Please keep in mind that, due to its size, the new microcode requires a kernel patch, which is included in:
- >=sys-kernel/gentoo-sources-4.4.110
- >=sys-kernel/gentoo-sources-4.9.75
- >=sys-kernel/gentoo-sources-4.14.12
Once you have updated the package make sure you also apply the microcode update. For how to apply CPU microcode updates in Gentoo please refer to our dedicated Wiki page. Once updated and loaded you should see the following versions or newer:
Family | Revision |
---|---|
AMD family 17h processors | <unknown - please update> |
sys-firmware/intel-microcode
The CPU microcode for Intel Haswell-X, Skylake-X and Broadwell-X chipsets was updated to report branch prediction control via a CPUID flag and to allow controlling branch prediction via an MSR. The updated microcode is included in >=sys-firmware/intel-microcode-20171117_p20171215, which is currently being stabilized in bug #643430.
Once you have updated the package make sure you also apply the microcode update. For how to apply CPU microcode updates in Gentoo please refer to our dedicated Wiki page. Once updated and loaded you should see the following versions or newer:
Get your CPUID by installing sys-apps/cpuid and running the following command:
cpuid -1 | sed -n '/processor.serial.number:/{s,.*:,,g;s,-,,;s,-.*,,g;p}'
Family | CPUID | Revision |
---|---|---|
Broadwell E, EP, EP4S, EX | 000406F1 | 0xb000025 |
Haswell | 000306C3 | 0x23 |
Haswell E, EP | 000306F2 | 0x3b |
Haswell Perf Halo | 00040661 | 0x18 |
Haswell ULT | 00040651 | 0x21 |
Skylake H/S | 000506E3 | 0xc2 |
Skylake Server | 00050653 | 0x100013e |
Skylake Server | 00050654 | 0x200003a |
Skylake U/Y, U23e | 000406E3 | 0xc2 |
Broadwell H 43e | 00040671 | 0x1b |
Broadwell U/Y | 000306D4 | 0x28 |
Denverton (GLM) | 000506F1 | 0x20 |
Coffee Lake H/S (S 6+2) | 000906EA | 0x7c |
Coffee Lake S (4+2) | 000906EB | 0x7c |
Coffee Lake U43e, KBL-R U | 000806EA | 0x7c |
Kaby Lake H/S/X, Xeon E3 | 000906E9 | 0x7c |
Kaby Lake U/Y, U23e | 000806E9 | 0x7c |
Apollo Lake | 000506C9 | 0x2e |
Apollo Lake | 000506CA | 0x8 |
Ivy Bridge E, EN, EP | 000306E4 | 0x42a |
Haswell EX | 000306F4 | 0x10 |
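To check the "you should see the following versions or newer" condition from both the AMD and Intel microcode sections without reading the tables by hand, here is an added example (not Gentoo's own tooling) that rebuilds the CPUID signature from the family/model/stepping fields of /proc/cpuinfo and compares the loaded microcode revision against the page's minimum; the embedded table is a subset of the rows above and the sample cpuinfo text is constructed.

```shell
#!/bin/sh
# Added example (not Gentoo's tooling): compare the loaded microcode
# revision reported by /proc/cpuinfo with the minimum revisions on this page.

# Minimum Intel revisions copied from the table above (CPUID signature,
# revision); only a subset of the page's rows is embedded here.
MIN_REVISIONS='
000306C3 0x23
000306F2 0x3b
000406F1 0xb000025
00050654 0x200003a
000906E9 0x7c
'

# Rebuild the CPUID signature (CPUID.1:EAX, as printed in the table) from the
# decimal "cpu family", "model" and "stepping" values in /proc/cpuinfo.
# Families >= 15 carry the excess in the extended-family field (which is how
# AMD family 17h becomes 00800F12); the model's high nibble is extended-model.
cpuid_signature() {
    fam=$1; mod=$2; step=$3
    if [ "$fam" -ge 15 ]; then ext_fam=$((fam - 15)); base_fam=15
    else ext_fam=0; base_fam=$fam; fi
    printf '%08X' $(( (ext_fam << 20) | ((mod >> 4) << 16) | (base_fam << 8) | ((mod & 15) << 4) | step ))
}

# Takes /proc/cpuinfo text as $1 and reports on the first CPU in it: prints
# "ok", "outdated <have> < <want>" (status 1) or "unknown <sig>" (status 2).
check_microcode() {
    info=$1
    fam=$(printf '%s\n' "$info" | awk -F': ' '/^cpu family/ {print $2; exit}')
    mod=$(printf '%s\n' "$info" | awk -F': ' '/^model[ \t]*:/ {print $2; exit}')
    step=$(printf '%s\n' "$info" | awk -F': ' '/^stepping/ {print $2; exit}')
    have=$(printf '%s\n' "$info" | awk -F': ' '/^microcode/ {print $2; exit}')
    [ -n "$fam" ] && [ -n "$mod" ] && [ -n "$step" ] && [ -n "$have" ] || { echo "unparsable"; return 2; }
    sig=$(cpuid_signature "$fam" "$mod" "$step")
    want=$(printf '%s\n' "$MIN_REVISIONS" | awk -v s="$sig" '$1 == s {print $2}')
    [ -n "$want" ] || { echo "unknown $sig"; return 2; }
    # Both revisions are hex strings; shell arithmetic compares them numerically.
    if [ $((have)) -ge $((want)) ]; then echo "ok"; return 0; fi
    echo "outdated $have < $want"; return 1
}

# Constructed sample (not a real capture): a Haswell (000306C3) still on
# revision 0x22, one below the 0x23 the table requires.
SAMPLE=$(printf 'processor\t: 0\ncpu family\t: 6\nmodel\t\t: 60\nmodel name\t: constructed\nstepping\t: 3\nmicrocode\t: 0x22\n')
check_microcode "$SAMPLE" || true    # prints: outdated 0x22 < 0x23
# On a live system: check_microcode "$(cat /proc/cpuinfo)"
```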
References
- CVE-2017-5753
- CVE-2017-5715
- CVE-2017-5754