SpectreAndMeltdown

Differences between revisions 30 and 116 (spanning 86 versions)
Revision 30 as of 2018-01-14 21:38:41
Size: 7073
Editor: jdstrand
Comment:
Revision 116 as of 2018-05-21 21:44:59
Size: 17032
Editor: bryanquigley
Comment: separate original from new May one
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
== Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown) ==
||<tablebgcolor="#f1f1ed" tablewidth="20%" tablestyle="margin: 0pt 0pt 1em 1em; float: right; font-size: 0.9em;" style="padding: 0.5em;"><<TableOfContents>>||
Line 3: Line 3:
It was [[https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html | discovered]] that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory. To address the issue, updates to the Ubuntu kernel and processor microcode will be needed. These updates will be announced in future [[https://usn.ubuntu.com/usn/|Ubuntu Security Notices]] once they are available.
= Information leak via speculative execution side channel attacks =
Line 5: Line 5:
==== Status ====
In January 2018, [[https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html|security researchers announced]] a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.
Line 7: Line 7:
Mitigations have been released for the following packages:
|| Firefox || [[https://usn.ubuntu.com/usn/usn-3516-1/|USN-3516-1]] ||
|| WebKitGTK+ || [[https://usn.ubuntu.com/usn/usn-3530-1/|USN-3530-1]] ||
|| NVIDIA graphics drivers || [[https://usn.ubuntu.com/usn/usn-3521-1/|USN-3521-1 ]] ||
|| intel-microcode || [[https://usn.ubuntu.com/usn/usn-3531-1/|USN-3531-1 ]] || [[https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/|Potential for regressions]] ||
To address the issue in Ubuntu, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in [[https://usn.ubuntu.com/usn/|Ubuntu Security Notices]] as they are available.
Line 13: Line 9:
'''Meltdown''' (CVE-2017-5754) kernel fixes have landed for the amd64 architecture:
|| Ubuntu version || Kernel Version || Variant || USN ||
|| 17.10 || 4.13 || generic/lowlatency || [[https://usn.ubuntu.com/usn/usn-3523-1/|USN-3523-1]] ||
|| 16.04 LTS || 4.13 HWE || generic/lowlatency/gke/gcp/oem/azure/lpae || [[https://usn.ubuntu.com/usn/usn-3523-2|USN-3523-2]] ||
|| 16.04 LTS || 4.4 || generic/lowlatency/euclid/aws/kvm || [[https://usn.ubuntu.com/usn/usn-3522-3|USN-3522-3]] ||
|| 14.04 LTS || 4.4 HWE || generic/lowlatency/aws || [[https://usn.ubuntu.com/usn/usn-3522-4/|USN-3522-4]] ||
|| 14.04 LTS || 3.13 || generic/lowlatency || [[https://usn.ubuntu.com/usn/usn-3524-1/|USN-3524-1]] ||
|| 12.04 ESM || 3.13 HWE || generic || [[https://usn.ubuntu.com/usn/usn-3524-2/|USN-3524-2]] ||
|| 12.04 ESM || 3.2 || generic || [[https://usn.ubuntu.com/usn/usn-3525-1/|USN-3525-1]] ||
There were three original vulnerabilities involved, with one new related vulnerability disclosed in May 2018:
|| '''Group''' || '''Name''' || '''Variant''' || '''Description''' || '''Ubuntu CVE Tracker''' ||
|| Jan 2018 || Spectre || Variant 1 || Bounds Check Bypass || [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html | CVE-2017-5753]] ||
|| Jan 2018 || Spectre || Variant 2 || Branch Target Injection || [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html | CVE-2017-5715]] ||
|| Jan 2018 || Meltdown || Variant 3 || Rogue Data Cache Load || [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html | CVE-2017-5754]] ||
|| May 2018 || || [[../Variant4| Variant 4]] || Speculative Store Bypass || [[https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3639.html | CVE-2018-3639]] [[../Variant4| More details in Separate KB]] ||
<<BR>>
Line 23: Line 17:
'''Spectre''' (CVE-2017-5715, CVE-2017-5753) fixes have not been released yet.
The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand. We've prepared a [[/TechFAQ|Technical FAQ]] to help answer many common questions.
Line 25: Line 19:
==== Timeline ====
''This article will be updated periodically with new information as it becomes available, until the issues have been resolved.''

== Current Status ==

From a guest and non-hypervisor bare-metal perspective, as of the Feb 21 kernel updates, as far as we are aware, the mitigations for Spectre and Meltdown on 64-bit amd64, ppc64el and s390x are feature-complete as long as all microcode, firmware and hypervisor updates underneath the system are done. However:

 * Ubuntu kernels have been rebuilt using retpolines on i386 and amd64 for Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS (linux-lts-xenial aka Hardware Enablement kernel) only. We are investigating selective rebuilds of Ubuntu userspace packages to make use of retpoline.
 * Microcode updates for AMD are not yet upstream. The amd-microcode package will be updated for supported releases when the microcode is publicly available. Microcode for AMD systems is shipping via BIOS updates at this time, so check with your system manufacturer for updates.

Additionally:

 * No fix is currently available for Meltdown on 32-bit x86; moving to a 64-bit kernel is the currently recommended mitigation.
 * No fixes are yet available for ARM platforms. Note that a relatively small number of standard ARM cores [[https://developer.arm.com/support/security-update|are known to be affected]].
 * For Ubuntu hypervisors, further work will be required to expose the Spectre variant 2 mitigations to guests running on top of Ubuntu, including a qemu update and some additional kernel updates.

=== Kernel Mitigations ===

Ubuntu enables available kernel mitigations to provide a secure-by-default experience. It should be noted that the security features to mitigate these vulnerabilities can lead to a decrease in system performance. Reputable reports of [[/PublishedApplicationData| published application performance data]] can aid in understanding the impact in various environments. Environments which do not execute untrusted code may benefit from toggling the [[/MitigationControls|mitigation controls]] to disable some or all of the kernel mitigations.

The current kernel mitigation status is as follows:
||<|2> '''Ubuntu''' ||<|2> '''Kernel''' ||<-3> '''i386''' ||<-3> '''amd64''' ||<-3> '''ppc64el''' ||<-2> '''s390x''' ||<-3> '''armhf''' ||<-3> '''arm64''' ||<|2> '''Latest USN''' ||
|| S1 || S2 || M || S1 || S2 || M || S1 || S2 || M || S1 || S2 || S1 || S2 || M || S1 || S2 || M ||
|| 17.10 || 4.13 || Y || R || - || Y || F,R || Y || Y || F || F || Y || F || - || - || - || - || - || - || [[https://usn.ubuntu.com/usn/usn-3581-1/|USN-3581-1 on 2018-02-22]] ||
||<|2> 16.04 LTS || 4.13 HWE || Y || R || - || Y || F,R || Y || Y || F || F || Y || F || - || - || - || - || - || - || [[https://usn.ubuntu.com/usn/usn-3581-2/|USN-3581-2 on 2018-02-22]] ||
|| 4.4 || Y || R || - || Y || F,R || Y || Y || F || F || Y || F || - || - || - || - || - || - || [[https://usn.ubuntu.com/usn/usn-3582-1/|USN-3582-1 on 2018-02-22]] ||
||<|2> 14.04 LTS || 4.4 HWE || Y || R || - || Y || F,R || Y || Y || F || F ||||<-2|2> U || - || - || - ||<-3|2> U || [[https://usn.ubuntu.com/usn/usn-3582-2/|USN-3582-2 on 2018-02-22]] ||
|| 3.13 || Y || R || - || Y || F,R || Y || - || - || F || - || - || - || [[https://usn.ubuntu.com/usn/usn-3583-1/|USN-3583-1 on 2018-02-22]] ||
||<|2> 12.04 ESM || 3.13 HWE ||<|2-3> U || Y || F || Y ||||<|2-11> U || [[https://usn.ubuntu.com/usn/usn-3542-2/|USN-3542-2 on 2018-01-22]] ||
|| 3.2 || Y || F || Y || [[https://usn.ubuntu.com/usn/usn-3580-1/|USN-3580-1 on 2018-02-21]] ||

<<BR>>
|| '''Key ''' || '''Meaning''' ||
|| S1 || Spectre / Variant 1 / CVE-2017-5753 ||
|| S2 || Spectre / Variant 2 / CVE-2017-5715 ||
|| M || Meltdown / Variant 3 / CVE-2017-5754 ||
|| Y || Updates have been published to mitigate the issue ||
|| F || Updates have been published to mitigate the issue but require updated firmware/microcode ||
|| R || Kernel compiled with Retpoline, please see the [[/TechFAQ#Retpoline|FAQ around Retpoline]] to better understand the extent of this mitigation ||
|| - || Updates are not yet available ||
|| U || Architecture is unsupported ||
<<BR>>

=== Processor Firmware Availability ===
|| Ubuntu Architectures || Vendor Statements || Firmware Status || Notes ||
|| i386, amd64 || [[https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr|Intel]], [[https://www.amd.com/en/corporate/speculative-execution|AMD]] || Available, see [[https://usn.ubuntu.com/usn/usn-3531-3/|USN-3531-3]] || Note that some users are experiencing [[https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1759920|lockups]] ||
|| ppc64el || [[https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/ | IBM]] || Available from IBM || ||
|| s390x || [[https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/ | IBM ]] || Available from IBM || ||
|| armhf, arm64 || [[https://developer.arm.com/support/security-update| ARM]] || || A relatively small number of standard ARM cores are known to be affected ||

=== Userspace Mitigations ===

Mitigations have been released for the following non-kernel packages:

|| Package || USN || Notes ||
|| Firefox || [[https://usn.ubuntu.com/usn/usn-3516-1/|USN-3516-1]] || [[https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/|Reduces resolution of timers, disables a mechanism that could be used to build a timer]]||
|| WebKitGTK+ || [[https://usn.ubuntu.com/usn/usn-3530-1/|USN-3530-1]] || [[https://webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html|Reduces resolution of timers, disables a mechanism that could be used to build a timer]]||
|| NVIDIA graphics drivers || [[https://usn.ubuntu.com/usn/usn-3521-1/|USN-3521-1 ]] || ||
|| QEMU || [[https://usn.ubuntu.com/usn/usn-3560-1/|USN-3560-1]] || Exposes Spectre variant 2 mitigations, added by microcode/firmware updates, to guests (i386, amd64, and s390x only) ||
|| libvirt || [[https://usn.ubuntu.com/usn/usn-3561-1/|USN-3561-1]] || Exposes Spectre variant 2 mitigations, added by microcode/firmware updates, to guests (i386 and amd64 only) ||

=== Cloud Images ===
Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available for [[https://cloud-images.ubuntu.com|download]] for the following releases:

|| '''Release''' || '''Serial''' ||
|| trusty || [[https://cloud-images.ubuntu.com/releases/trusty/release-20180122/ | 20180122]] ||
|| xenial || [[https://cloud-images.ubuntu.com/releases/xenial/release-20180222/ | 20180222]] ||
|| artful || [[https://cloud-images.ubuntu.com/releases/artful/release-20180222/ | 20180222]] ||
<<BR>>
'''Important notes'''
 * As release images are published in clouds, many are indexed at https://cloud-images.ubuntu.com/locator/. This tool can be used to find images with the above serials, or later, with applicable fixes.
 * Previously released cloud images (serial 20180109 for xenial and artful and serial 20180110 for trusty) only mitigated Meltdown
 * Note: A small number of systems running linux 4.4.0-108.131 were affected by LP: #1741934 which was fixed in 4.4.0-109.132. Cloud instances were not affected by the bug. Cloud images created using 4.4.0-108.131 and its derivatives (for example, linux-aws 4.4.0-1047.56) have the mitigations for Meltdown.
 * Kernels compiled with retpoline enabled compiler flags on amd64 and i386 are only available for Ubuntu 16.04 LTS and Ubuntu 17.10 (serial 20180222 for both).

=== Ubuntu Core images ===
Canonical officially supports reference kernel snaps for amd64 (pc-kernel), i386 (pc-kernel), rpi2/rpi3 (pi2-kernel) and dragonboard (dragonboard-kernel). Updates for affected architectures for Meltdown are available:

|| '''Kernel''' || '''Snap revision''' || '''Ubuntu Core image''' ||
|| pc-kernel (amd64) || 98 || http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-amd64.img.xz ||
|| pc-kernel (i386) || 99 || http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-i386.img.xz ||
<<BR>>
Early Raspberry Pi 2 boards use the [[https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/README.md|Cortex-A7]] processor and later versions use the [[https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2837/README.md|Cortex-A53]] processor. Raspberry Pi 3 boards use the [[https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2837/README.md|Cortex-A53 processor]]. 96boards Dragonboard 410c boards use the [[https://www.96boards.org/product/dragonboard410c/|Cortex-A53]].
[[https://developer.arm.com/support/security-update|According to ARM]], none of these devices support speculative execution and are therefore unaffected by Spectre and Meltdown.

=== Pre-release Updates Available For Testing ===

None at this time.

== Timeline ==
Line 33: Line 115:
 * 2018 Jan 07: Candidate kernels are beginning to be made available for testing at [[https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/pti/ | ppa:canonical-kernel-team/pti]]. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:
 
 || Package || Version || Series ||
 || linux || 4.4.0-108.131 || Xenial 16.04 ||
 || linux || 4.13.0-25.29 || Artful 17.10 ||
 || linux-aws || 4.4.0-1048.57 || Xenial 16.04 ||
 || linux-aws || 4.4.0-1010.10 || Trusty 14.04 ||
 || linux-azure || 4.13.0-1005.7 || Xenial 16.04 ||
 || linux-euclid || 4.4.0-9022.23 || Xenial 16.04 ||
 || linux-gcp || 4.13.0-1006.9 || Xenial 16.04 ||
 || linux-hwe-edge || 4.13.0-25.29~16.04.1 || Xenial 16.04 ||
 || linux-kvm || 4.4.0-1015.20 || Xenial 16.04 ||
 || linux-lts-xenial || 4.4.0-108.131~14.04.1 || Trusty 14.04 ||
 || linux-oem || 4.13.0-1015.16 || Xenial 16.04 ||
 * 2018 Jan 07: Candidate kernels are beginning to be made available for testing at [[https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/pti/ | ppa:canonical-kernel-team/pti]]. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds.
Line 51: Line 119:
 * 2018 Jan 10: Updates for the pc-kernel and dragonboard-kernel snaps are released to the stable channel. Updates for the rpi2-kernel are released to the candidate channel.
 * 2018 Jan 10: Updates for the pc-kernel snaps for Meltdown are released to the stable channel
Line 53: Line 121:
  * '''Note:''' These updates were reverted on ''2018 Jan 22''
 * 2018 Jan 11: Core image updates for amd64 and i386 are [[http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/|published]]
Line 54: Line 124:
 * 2018 Jan 11: Core image updates for amd64 and i386 are [[http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/|published]]

==== Cloud Images ====
 * Cloud images which address CVE-2017-5754 are available for download from http://cloud-images.ubuntu.com for the following releases:
 || '''Release''' || '''Serial''' ||
 || trusty || [[https://cloud-images.ubuntu.com/releases/trusty/release-20180110/ | 20180110]] ||
 || xenial || [[https://cloud-images.ubuntu.com/releases/xenial/release-20180109/ | 20180109]] ||
 || artful || [[https://cloud-images.ubuntu.com/releases/artful/release-20180109/ | 20180109]] ||
   * As release images are published in clouds, many are indexed at https://cloud-images.ubuntu.com/locator/. This tool can be used to find images with the above serials, or later, with applicable fixes.


==== CVE Tracker ====
 * [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html | Spectre - CVE-2017-5715]]
 * [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html | Spectre - CVE-2017-5753]]
 * [[https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html | Meltdown - CVE-2017-5754]]

==== Note ====
This article will be updated periodically with new information as it becomes available until the issue has been resolved.

==== Ubuntu 17.04 and 4.10 HWE early end of life ====
 * Ubuntu 17.04's [[https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html | note that it will not be getting the Meltdown/Spectre fixes]].
 * The Rolling HWE kernel for Ubuntu 16.04 will go to 4.13 early, instead of also fixing 4.10 HWE kernel.
 * 2018 Jan 16: [[https://launchpad.net/ubuntu/+source/linux | Linux kernel]] version 4.4.0-111.134 for 16.04 and 3.13.0-140.189 for 14.04 with Spectre mitigations is available in the respective -proposed pocket for testing.
 * 2018 Jan 17: [[https://launchpad.net/ubuntu/+source/linux | Linux kernel]] version 4.13.0-30.33 for Ubuntu Bionic with Spectre mitigations is available in the bionic-proposed pocket for testing.
 * 2018 Jan 22: Previous updates to the intel-microcode package were reverted at Intel's request, see [[https://usn.ubuntu.com/usn/usn-3531-2/| USN-3531-2]]
 * 2018 Jan 22: Ubuntu kernel updates addressing all three vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) across amd64, ppc64el and s390x are released in [[https://usn.ubuntu.com/usn/usn-3541-1/|USN-3541-1 (Ubuntu 17.10)]], [[https://usn.ubuntu.com/usn/usn-3540-1/|USN-3540-1 (Ubuntu 16.04 LTS)]], [[https://usn.ubuntu.com/usn/usn-3541-2/|USN-3541-2 (Ubuntu 16.04 LTS (HWE))]], [[https://usn.ubuntu.com/usn/usn-3542-1/|USN-3542-1 (Ubuntu 14.04 LTS)]] and [[https://usn.ubuntu.com/usn/usn-3540-2/|USN-3540-2 (Ubuntu 14.04 LTS (HWE))]].
 * 2018 Jan 22: Ubuntu Cloud Images have been released with Spectre kernel mitigations
 * 2018 Feb 07: QEMU and libvirt security updates published to expose Spectre variant 2 mitigations to guests
 * 2018 Feb 21: Ubuntu kernel update addressing Spectre for x86 for Ubuntu 12.04 ESM in [[https://usn.ubuntu.com/usn/usn-3580-1/ | USN 3580-1]]
 * 2018 Feb 21: Ubuntu kernel updates built with retpoline compiler options for x86 to mitigate Spectre v2 are released [[https://usn.ubuntu.com/usn/usn-3581-1/|USN 3581-1 (Ubuntu 17.10)]], [[https://usn.ubuntu.com/usn/usn-3582-1/|USN 3582-1 (Ubuntu 16.04 LTS)]], [[https://usn.ubuntu.com/usn/usn-3581-2/|USN 3581-2 (Ubuntu 16.04 LTS (HWE))]], [[https://usn.ubuntu.com/usn/usn-3582-2/|USN 3582-2 (Ubuntu 14.04 LTS (HWE))]]
 * 2018 Feb 21: gcc packages supporting retpoline options for x86 published to [[ https://launchpad.net/ubuntu/+source/gcc-7/7.2.0-8ubuntu3.2 | Ubuntu 17.10]], [[ https://launchpad.net/ubuntu/+source/gcc-5/5.4.0-6ubuntu1~16.04.9 | Ubuntu 16.04 LTS]], and [[ https://launchpad.net/ubuntu/+source/gcc-4.8/4.8.4-2ubuntu1~14.04.4 | Ubuntu 14.04 LTS]]
 * 2018 Feb 21: Ubuntu kernel update addressing Meltdown for ppc64el for Ubuntu 14.04 LTS in [[https://usn.ubuntu.com/usn/usn-3583-1/|USN 3583-1]]
 * 2018 Feb 22: Ubuntu Cloud Images have been released with retpoline compiled kernels for amd64 and i386 for Ubuntu 17.10 and Ubuntu 16.04 LTS
 * 2018 Mar 9: Ubuntu kernel update addressing Spectre for amd64 and i386 Ubuntu 14.04 LTS in [[https://usn.ubuntu.com/3594-1/|USN 3594-1]]
 * 2018 Mar 13: intel-microcode 20180312 updates are made available in the [[https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa|ubuntu-security-proposed PPA]] and uploaded to Ubuntu Bionic
 * 2018 Mar 29: intel-microcode 20180312 released, see [[https://usn.ubuntu.com/usn/usn-3531-3/|USN-3531-3]]

Information leak via speculative execution side channel attacks

In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue in Ubuntu, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Ubuntu Security Notices as they are available.

There were three original vulnerabilities involved, with one new related vulnerability disclosed in May 2018:

|| Group || Name || Variant || Description || Ubuntu CVE Tracker ||
|| Jan 2018 || Spectre || Variant 1 || Bounds Check Bypass || CVE-2017-5753 ||
|| Jan 2018 || Spectre || Variant 2 || Branch Target Injection || CVE-2017-5715 ||
|| Jan 2018 || Meltdown || Variant 3 || Rogue Data Cache Load || CVE-2017-5754 ||
|| May 2018 || || Variant 4 || Speculative Store Bypass || CVE-2018-3639 (more details in the separate Variant 4 KB) ||


The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand. We've prepared a Technical FAQ to help answer many common questions.

This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

Current Status

From a guest and non-hypervisor bare-metal perspective, as of the Feb 21 kernel updates, as far as we are aware, the mitigations for Spectre and Meltdown on 64-bit amd64, ppc64el and s390x are feature-complete as long as all microcode, firmware and hypervisor updates underneath the system are done. However:

  • Ubuntu kernels have been rebuilt using retpolines on i386 and amd64 for Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS (linux-lts-xenial aka Hardware Enablement kernel) only. We are investigating selective rebuilds of Ubuntu userspace packages to make use of retpoline.
  • Microcode updates for AMD are not yet upstream. The amd-microcode package will be updated for supported releases when the microcode is publicly available. Microcode for AMD systems is shipping via BIOS updates at this time, so check with your system manufacturer for updates.

Additionally:

  • No fix is currently available for Meltdown on 32-bit x86; moving to a 64-bit kernel is the currently recommended mitigation.
  • No fixes are yet available for ARM platforms. Note that a relatively small number of standard ARM cores are known to be affected.
  • For Ubuntu hypervisors, further work will be required to expose the Spectre variant 2 mitigations to guests running on top of Ubuntu, including a qemu update and some additional kernel updates.

Kernel Mitigations

Ubuntu enables available kernel mitigations to provide a secure-by-default experience. It should be noted that the security features to mitigate these vulnerabilities can lead to a decrease in system performance. Reputable reports of published application performance data can aid in understanding the impact in various environments. Environments which do not execute untrusted code may benefit from toggling the mitigation controls to disable some or all of the kernel mitigations.

The current kernel mitigation status is as follows:

|| Ubuntu || Kernel || i386 S1 || i386 S2 || i386 M || amd64 S1 || amd64 S2 || amd64 M || ppc64el S1 || ppc64el S2 || ppc64el M || s390x S1 || s390x S2 || armhf S1 || armhf S2 || armhf M || arm64 S1 || arm64 S2 || arm64 M || Latest USN ||
|| 17.10 || 4.13 || Y || R || - || Y || F,R || Y || Y || F || F || Y || F || - || - || - || - || - || - || USN-3581-1 on 2018-02-22 ||
|| 16.04 LTS || 4.13 HWE || Y || R || - || Y || F,R || Y || Y || F || F || Y || F || - || - || - || - || - || - || USN-3581-2 on 2018-02-22 ||
|| 16.04 LTS || 4.4 || Y || R || - || Y || F,R || Y || Y || F || F || Y || F || - || - || - || - || - || - || USN-3582-1 on 2018-02-22 ||
|| 14.04 LTS || 4.4 HWE || Y || R || - || Y || F,R || Y || Y || F || F || U || U || - || - || - || U || U || U || USN-3582-2 on 2018-02-22 ||
|| 14.04 LTS || 3.13 || Y || R || - || Y || F,R || Y || - || - || F || U || U || - || - || - || U || U || U || USN-3583-1 on 2018-02-22 ||
|| 12.04 ESM || 3.13 HWE || U || U || U || Y || F || Y || U || U || U || U || U || U || U || U || U || U || U || USN-3542-2 on 2018-01-22 ||
|| 12.04 ESM || 3.2 || U || U || U || Y || F || Y || U || U || U || U || U || U || U || U || U || U || U || USN-3580-1 on 2018-02-21 ||


|| Key || Meaning ||
|| S1 || Spectre / Variant 1 / CVE-2017-5753 ||
|| S2 || Spectre / Variant 2 / CVE-2017-5715 ||
|| M || Meltdown / Variant 3 / CVE-2017-5754 ||
|| Y || Updates have been published to mitigate the issue ||
|| F || Updates have been published to mitigate the issue but require updated firmware/microcode ||
|| R || Kernel compiled with Retpoline, please see the FAQ around Retpoline to better understand the extent of this mitigation ||
|| - || Updates are not yet available ||
|| U || Architecture is unsupported ||
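As an added example (not part of the wiki page or of Ubuntu's own tooling), the following POSIX shell script reads the per-issue status files the updated kernels expose under /sys/devices/system/cpu/vulnerabilities/ and maps each status line onto the Y / F / R / - key of the table above, so an administrator can compare a running machine against the table. The mapping rules, the constructed sample status strings and the fallback demo directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example: summarise the kernel's Spectre/Meltdown status files using
# the key from the Ubuntu wiki table (Y, F, R, -), plus N/A for "Not affected".
# The sysfs directory is the upstream interface carried in the updated Ubuntu
# kernels; the mapping below is this example's own and not from the page.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
#   Prints one of: N/A, -, Y, F, R, F,R or ? (unrecognised wording).
#   F is reported when the kernel names a feature that only exists with
#   updated microcode/firmware (IBRS, IBPB, STIBP, SSBD); R when retpoline
#   is in use; Y for any other "Mitigation:" line (for example PTI).
classify_status() {
    status=$1
    case $status in
        "Not affected"*) echo "N/A"; return 0 ;;
        Vulnerable*)     echo "-";   return 0 ;;
        Mitigation:*)    ;;
        *)               echo "?";   return 0 ;;
    esac
    key=""
    case $status in
        *IBRS*|*IBPB*|*STIBP*|*"Speculative Store Bypass disabled"*) key="F" ;;
    esac
    case $status in
        *etpoline*) key="${key:+$key,}R" ;;
    esac
    [ -n "$key" ] || key="Y"
    echo "$key"
}

# report_dir DIR
#   Prints "<issue> <key> <raw status>" for every status file in DIR.
report_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        printf '%-20s %-4s %s\n' "$(basename "$f")" "$(classify_status "$raw")" "$raw"
    done
}

# demo_dir
#   Builds a temporary directory of constructed status files resembling a
#   retpoline-built amd64 kernel with PTI (Y / F,R / Y in the table) and an
#   unmitigated Variant 4, so the script can run offline; prints the path.
demo_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n'  > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n'                           > "$d/meltdown"
    printf 'Vulnerable\n'                                 > "$d/spec_store_bypass"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR"
else
    echo "No $VULN_DIR on this kernel; showing constructed sample data:"
    report_dir "$(demo_dir)"
fi
```

A kernel that reports "Vulnerable" for an issue the table marks Y or F is usually missing the microcode or firmware update the F entries depend on.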


Processor Firmware Availability

|| Ubuntu Architectures || Vendor Statements || Firmware Status || Notes ||
|| i386, amd64 || Intel, AMD || Available, see USN-3531-3 || Note that some users are experiencing lockups ||
|| ppc64el || IBM || Available from IBM || ||
|| s390x || IBM || Available from IBM || ||
|| armhf, arm64 || ARM || || A relatively small number of standard ARM cores are known to be affected ||

Userspace Mitigations

Mitigations have been released for the following non-kernel packages:

|| Package || USN || Notes ||
|| Firefox || USN-3516-1 || Reduces resolution of timers, disables a mechanism that could be used to build a timer ||
|| WebKitGTK+ || USN-3530-1 || Reduces resolution of timers, disables a mechanism that could be used to build a timer ||
|| NVIDIA graphics drivers || USN-3521-1 || ||
|| QEMU || USN-3560-1 || Exposes Spectre variant 2 mitigations, added by microcode/firmware updates, to guests (i386, amd64, and s390x only) ||
|| libvirt || USN-3561-1 || Exposes Spectre variant 2 mitigations, added by microcode/firmware updates, to guests (i386 and amd64 only) ||

Cloud Images

Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available for download from https://cloud-images.ubuntu.com for the following releases:

|| Release || Serial ||
|| trusty || 20180122 ||
|| xenial || 20180222 ||
|| artful || 20180222 ||


Important notes

  • As release images are published in clouds, many are indexed at https://cloud-images.ubuntu.com/locator/. This tool can be used to find images with the above serials, or later, with applicable fixes.
  • Previously released cloud images (serial 20180109 for xenial and artful and serial 20180110 for trusty) only mitigated Meltdown
  • Note: A small number of systems running linux 4.4.0-108.131 were affected by LP: #1741934 which was fixed in 4.4.0-109.132. Cloud instances were not affected by the bug. Cloud images created using 4.4.0-108.131 and its derivatives (for example, linux-aws 4.4.0-1047.56) have the mitigations for Meltdown.
  • Kernels compiled with retpoline enabled compiler flags on amd64 and i386 are only available for Ubuntu 16.04 LTS and Ubuntu 17.10 (serial 20180222 for both).

Ubuntu Core images

Canonical officially supports reference kernel snaps for amd64 (pc-kernel), i386 (pc-kernel), rpi2/rpi3 (pi2-kernel) and dragonboard (dragonboard-kernel). Updates for affected architectures for Meltdown are available:

|| Kernel || Snap revision || Ubuntu Core image ||
|| pc-kernel (amd64) || 98 || http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-amd64.img.xz ||
|| pc-kernel (i386) || 99 || http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-i386.img.xz ||

Early Raspberry Pi 2 boards use the Cortex-A7 processor and later versions use the Cortex-A53 processor. Raspberry Pi 3 boards use the Cortex-A53 processor. 96boards Dragonboard 410c boards use the Cortex-A53. According to ARM, none of these devices support speculative execution and are therefore unaffected by Spectre and Meltdown.

Pre-release Updates Available For Testing

None at this time.

Timeline

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA
  • 2017 Nov 20: the CRD is established as 2018-01-09
  • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products
  • 2018 Jan 03: issue becomes public a few days before the CRD
  • 2018 Jan 04: Canonical publicly communicates the planned update schedule
  • 2018 Jan 04: Mozilla releases timing attack mitigations
  • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1
  • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds.
  • 2018 Jan 09: NVIDIA driver updates published, see USN-3521-1
  • 2018 Jan 09: Ubuntu kernel updates are made available in USN 3522-1 (Ubuntu 16.04 LTS), USN 3523-1 (Ubuntu 17.10), USN 3522-2 (Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (Ubuntu 14.04 LTS).
  • 2018 Jan 09: Notification issued for livepatch users to reboot after applying kernel update.
  • 2018 Jan 10: Updates for the pc-kernel snaps for Meltdown are released to the stable channel
  • 2018 Jan 11: Updates to the intel-microcode package were released, see USN-3531-1
    • Note: These updates were reverted on 2018 Jan 22
  • 2018 Jan 11: Core image updates for amd64 and i386 are published
  • 2018 Jan 12: Linux kernel version 4.13.0-29.32 for Artful 17.10 with Spectre mitigations is available in artful-proposed for testing.
  • 2018 Jan 16: Linux kernel version 4.4.0-111.134 for 16.04 and 3.13.0-140.189 for 14.04 with Spectre mitigations is available in the respective -proposed pocket for testing.
  • 2018 Jan 17: Linux kernel version 4.13.0-30.33 for Ubuntu Bionic with Spectre mitigations is available in the bionic-proposed pocket for testing.
  • 2018 Jan 22: Previous updates to the intel-microcode package were reverted at Intel's request, see USN-3531-2
  • 2018 Jan 22: Ubuntu kernel updates addressing all three vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) across amd64, ppc64el and s390x are released in USN-3541-1 (Ubuntu 17.10), USN-3540-1 (Ubuntu 16.04 LTS), USN-3541-2 (Ubuntu 16.04 LTS (HWE)), USN-3542-1 (Ubuntu 14.04 LTS) and USN-3540-2 (Ubuntu 14.04 LTS (HWE)).
  • 2018 Jan 22: Ubuntu Cloud Images have been released with Spectre kernel mitigations
  • 2018 Feb 07: QEMU and libvirt security updates published to expose Spectre variant 2 mitigations to guests
  • 2018 Feb 21: Ubuntu kernel update addressing Spectre for x86 for Ubuntu 12.04 ESM in USN 3580-1
  • 2018 Feb 21: Ubuntu kernel updates built with retpoline compiler options for x86 to mitigate Spectre v2 are released in USN 3581-1 (Ubuntu 17.10), USN 3582-1 (Ubuntu 16.04 LTS), USN 3581-2 (Ubuntu 16.04 LTS (HWE)), USN 3582-2 (Ubuntu 14.04 LTS (HWE))
  • 2018 Feb 21: gcc packages supporting retpoline options for x86 published to Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS
  • 2018 Feb 21: Ubuntu kernel update addressing Meltdown for ppc64el for Ubuntu 14.04 LTS in USN 3583-1
  • 2018 Feb 22: Ubuntu Cloud Images have been released with retpoline compiled kernels for amd64 and i386 for Ubuntu 17.10 and Ubuntu 16.04 LTS
  • 2018 Mar 9: Ubuntu kernel update addressing Spectre for amd64 and i386 Ubuntu 14.04 LTS in USN 3594-1
  • 2018 Mar 13: intel-microcode 20180312 updates are made available in the ubuntu-security-proposed PPA and uploaded to Ubuntu Bionic
  • 2018 Mar 29: intel-microcode 20180312 released, see USN-3531-3

SecurityTeam/KnowledgeBase/SpectreAndMeltdown (last edited 2019-10-15 22:59:54 by dannf)