Project:Security/Vulnerabilities/Meltdown and Spectre

From Gentoo Wiki

This document describes the Gentoo Security Project's plan of mitigation against the 'Meltdown' and 'Spectre' side channel attacks against modern CPUs.

Introduction

Based on research from various groups and individuals, Google's security team has identified a family of side channel attacks against modern CPUs that can be used by attackers to read memory content of otherwise inaccessible memory.

To help defend on the software layer against this flaw in the hardware implementation, Gentoo is preparing mitigations for these side channel attacks in the Linux kernel and various packages.

To learn more about the vulnerabilities themselves, visit:

Situation

The following three attacks have been identified:

CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker-controllable speculative execution over code patterns in the Linux kernel to leak content from otherwise unreadable memory in the same address space, allowing retrieval of passwords, cryptographic keys, and other secrets.

This problem is mitigated by adding speculation fences on affected code paths throughout the Linux kernel. The following Gentoo-supported processor architectures are affected: Intel and AMD x86/amd64, IBM Power (ppc64), IBM zSeries (S390) and 64-bit ARM (arm64).

CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.

This problem is mitigated by disabling branch prediction, depending on the CPU architecture either through firmware updates and/or fixes at the user-kernel privilege boundary.

Mitigation is done with the help of Linux kernel fixes on the Intel/AMD x86/amd64 and IBM zSeries S390 architectures. On x86/amd64, this also requires updates of the CPU microcode packages, delivered in separate updates.

For IBM Power (ppc64) and zSeries (S390) the required firmware updates are supplied over regular channels by IBM.

As this feature can have a performance impact, it can be disabled using the nospec kernel command-line option on x86/amd64 and nobp on IBM zSeries.

CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculatively execute code that reads otherwise read-protected memory, an attack similar to CVE-2017-5753.

This problem is mitigated by unmapping the Linux kernel from the user address space during user code execution, following an approach described in the "KAISER" paper.

The terms used here are "KAISER" / "Kernel Address Isolation" and "PTI" / "Page Table Isolation".

The update does this on the Intel x86/amd64 and IBM Power architectures. Updates are also necessary for the ARM architecture, but will be delivered in the second round of updates.

This feature can be enabled / disabled by the pti=[on|off|auto] or nopti kernel command-line options.

Resolution

Gentoo released updated sys-kernel/gentoo-sources packages to mitigate these issues. If you are using a kernel package that is not security-supported, you have to check on your own.

Gentoo will also be releasing firmware updates for AMD (via sys-kernel/linux-firmware package) and Intel (via sys-firmware/intel-microcode package).

As the fixes for CVE-2017-5715 will also need adjustments in the QEMU virtualization host to pass through CPUID flags and MSRs from host to guest system, Gentoo will also be providing an updated app-emulation/qemu package once available. You can subscribe to bug #643432 to get notified or wait for the GLSA release.

Note that the XEN Hypervisor also needs mitigations for the described problems; the XEN team is currently developing a fix. You can subscribe to bug #643350 to get notified or wait for the GLSA release.

Currently, the KPTI patch set is only available for 64-bit Gentoo operating systems. Some 32-bit systems (for example, those using a 4GB/4GB memory split) are immune because they use separate memory maps for kernel and userspace.

Gentoo has released the following updates:

sys-kernel/gentoo-sources

Warning
These packages currently mitigate only Meltdown, not Spectre!

You can subscribe to bug #643352 to get notified.

LTS branch | Recommended stable version with complete KPTI patch set | Recommended version (stabilization candidate)
3.10       | Still vulnerable                                        | EOL - Please migrate to the 4.9 branch once a patched kernel becomes available
4.1        | Still vulnerable                                        | EOL - Please migrate to the 4.9 branch once a patched kernel becomes available
4.4        | >=sys-kernel/gentoo-sources-4.4.111-r1                  | sys-kernel/gentoo-sources-4.4.111-r1
4.9        | >=sys-kernel/gentoo-sources-4.9.76-r1                   | sys-kernel/gentoo-sources-4.9.76-r1
4.14       | -                                                       | sys-kernel/gentoo-sources-4.14.14

¹ From the Meltdown point of view, but not from the GA QA aspect.

The gentoo-sources versions carrying the KPTI patch set are as follows:

Version    | KPTI patch set
4.14.11    | Incomplete patch set enabling KPTI for all CPU architectures
4.14.11-r1 | Reduced patch set, KPTI only for the Intel x86 architecture, but missing the dumpstack fix and "Define cpu_tss_rw in same section as declaration"
4.14.11-r2 | Complete KPTI patch set
4.14.12    | Complete KPTI patch set + AMD support for fam17h microcode loading
4.9.75     | Complete KPTI patch set + AMD support for fam17h microcode loading
4.4.110    | Complete KPTI patch set + AMD support for fam17h microcode loading

sys-kernel/linux-firmware

A CPU microcode update was added which disables branch prediction on AMD family 17h processors (800F12 only). The updated microcode is included in >=sys-kernel/linux-firmware-20180103-r1, which is currently being stabilized in bug #643476.

Please keep in mind that, due to its size, the new microcode requires a kernel patch, which is included in:


Once you have updated the package make sure you also apply the microcode update. For how to apply CPU microcode updates in Gentoo please refer to our dedicated Wiki page. Once updated and loaded you should see the following versions or newer:

Family                    | Revision
AMD family 17h processors | <unknown - please update>

sys-firmware/intel-microcode

The CPU microcode for Intel Haswell-X, Skylake-X and Broadwell-X chipsets was updated to report branch prediction control via a CPUID flag and to allow controlling branch prediction via an MSR. The updated microcodes are included in >=sys-firmware/intel-microcode-20171117_p20171215, which is currently being stabilized in bug #643430.

Once you have updated the package make sure you also apply the microcode update. For how to apply CPU microcode updates in Gentoo please refer to our dedicated Wiki page. Once updated and loaded you should see the following versions or newer:

Get your CPUID by installing sys-apps/cpuid and running the following command:

   cpuid -1 | sed -n '/processor.serial.number:/{s,.*:,,g;s,-,,;s,-.*,,g;p}'
Family                       | CPUID    | Revision
Broadwell E, EP, EP4S, EX    | 000406F1 | 0xb000025
Haswell                      | 000306C3 | 0x23
Haswell E, EP                | 000306F2 | 0x3b
Haswell Perf Halo            | 00040661 | 0x18
Haswell ULT                  | 00040651 | 0x21
Skylake H/S                  | 000506E3 | 0xc2
Skylake Server               | 00050653 | 0x100013e
Skylake Server               | 00050654 | 0x200003a
Skylake U/Y, U23e            | 000406E3 | 0xc2
Broadwell H 43e              | 00040671 | 0x1b
Broadwell U/Y                | 000306D4 | 0x28
Denverton (GLM)              | 000506F1 | 0x20
Coffee Lake H/S (S 6+2)      | 000906EA | 0x7c
Coffee Lake S (4+2)          | 000906EB | 0x7c
Coffee Lake U43e, KBL-R U    | 000806EA | 0x7c
Kaby Lake H/S/X, Xeon E3     | 000906E9 | 0x7c
Kaby Lake U/Y, U23e          | 000806E9 | 0x7c
Apollo Lake                  | 000506C9 | 0x2e
Apollo Lake                  | 000506CA | 0x8
Ivy Bridge E, EN, EP         | 000306E4 | 0x42a
Haswell EX                   | 000306F4 | 0x10
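The following POSIX shell script is an added example and is not part of the Gentoo wiki page or of any Gentoo package. It derives the CPUID signature from the family/model/stepping fields that the Linux kernel exposes in /proc/cpuinfo (valid for the family 6 parts listed in the table above), reads the loaded microcode revision from the same file, and compares it with the minimum revision from the table so you can confirm the update actually took effect after a reboot. The cpuinfo field layout and the table entries are the only assumptions.

```shell
# Added example (not from the Gentoo wiki): verify the loaded Intel microcode
# revision against the minimum revisions in the table above.
min_revision() {                  # CPUID signature -> minimum revision
  case "$1" in
    000406F1) echo 0xb000025 ;;
    000306C3) echo 0x23 ;;
    000306F2) echo 0x3b ;;
    00040661) echo 0x18 ;;
    00040651) echo 0x21 ;;
    000506E3) echo 0xc2 ;;
    00050653) echo 0x100013e ;;
    00050654) echo 0x200003a ;;
    000406E3) echo 0xc2 ;;
    00040671) echo 0x1b ;;
    000306D4) echo 0x28 ;;
    000506F1) echo 0x20 ;;
    000906EA) echo 0x7c ;;
    000906EB) echo 0x7c ;;
    000806EA) echo 0x7c ;;
    000906E9) echo 0x7c ;;
    000806E9) echo 0x7c ;;
    000506C9) echo 0x2e ;;
    000506CA) echo 0x8 ;;
    000306E4) echo 0x42a ;;
    000306F4) echo 0x10 ;;
    *) echo "" ;;                 # not in the table
  esac
}
cpuinfo_signature() {
  # stdin: /proc/cpuinfo text; stdout: "<CPUID signature> <microcode rev>"
  # Signature = ext_model<<16 | family<<8 | model<<4 | stepping (family 6).
  awk -F: '
    /^cpu family/        { fam = $2 + 0 }
    /^model[ \t]*:/      { model = $2 + 0 }
    /^stepping/          { step = $2 + 0 }
    /^microcode/         { ucode = $2; gsub(/[ \t]/, "", ucode) }
    /^$/                 { exit }   # first CPU block is enough
    END { printf "%08X %s\n", int(model/16)*65536 + fam*256 + (model%16)*16 + step, ucode }'
}
check_microcode() {
  # $1 = CPUID signature, $2 = loaded revision; 0 = ok, 1 = too old, 2 = unknown
  min=$(min_revision "$1")
  [ -n "$min" ] || { echo "CPUID $1 is not in the table; check vendor data" >&2; return 2; }
  if [ $(( $2 )) -ge $(( $min )) ]; then
    echo "CPUID $1: loaded microcode $2 >= $min (updated)"; return 0
  fi
  echo "CPUID $1: loaded microcode $2 < $min (NOT updated)"; return 1
}
check_host() {                    # run this on the machine after loading the microcode
  set -- $(cpuinfo_signature < /proc/cpuinfo)
  check_microcode "$1" "$2"
}
```

Source the script and run `check_host`; a non-zero exit status means the running CPU is either below the listed revision or not covered by the table.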

References

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754