16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).


daniel curtis
Hello Seth.

An updated 'intel-microcode' (3.20180312.0~ubuntu16.04.1) package is
already available. However, I would like to ask a question about
installing such a package. There is a table on the Security Team wiki page
with kernel mitigations available in various Ubuntu releases and
architectures etc. (please see 1.)

If it's about the i386/x86 architecture and "Spectre_V2" (the
'intel-microcode' package provides IBRS/IBPB/STIBP microcode support
and mitigation for this variant), we can see that there is "R" only.
It means: "Kernel compiled with Retpoline, please see the FAQ around
Retpoline (...)". On the other side, amd64 contains both "R" and "F".
In this case updated firmware/microcode is required. Generally, it
looks this way:

Spectre variant 2 mitigation available:

● i386: R
      ✓ Kernel compiled with Retpoline (...)
● amd64: F,R
      ✓ Updates have been published to mitigate the issue but require updated
        firmware/microcode
      ✓ Kernel compiled with Retpoline (...)

So, should I install the 'intel-microcode' package? According to the
Security Team wiki and the mentioned table, the answer is: no. But maybe
I'm wrong and I should install this package? By the way: the
processor that I'm using on this computer is on the Intel download page
(please see 2.)

Seth, what do you think? Should I install the 'intel-microcode' package
even if this mitigation is not mentioned in the table mentioned above?

Thanks, best regards.
__________________
1. https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown#Kernel_Mitigations
2. https://downloadcenter.intel.com/download/27591/Linux-Processor-Microcode-Data-File

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
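Added example, not from the thread or the wiki: a small POSIX shell check that maps what the running kernel reports onto the letters used in the wiki table above. It reads the sysfs spectre_v2 status (a retpoline mitigation gives "R"; IBPB/IBRS/STIBP named in the status gives "F") and the microcode-provided CPU flags and revision in /proc/cpuinfo. The letter mapping is my reading of the table, and the sample inputs are constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the thread: derive the letters used in the Ubuntu
# wiki's Spectre v2 table from what the running kernel reports.
#   F = a microcode-provided feature (IBPB/IBRS/STIBP) is in use
#   R = the kernel is using retpoline
# Paths are parameters so the check can run on saved copies of the files.

# Print "F", "R", "F,R", "none", or "unknown" (no sysfs status available).
spectre_v2_letters() {
    status_file="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    if [ ! -r "$status_file" ]; then echo "unknown"; return 1; fi
    status=$(cat "$status_file")
    letters=""
    case "$status" in *IBPB*|*IBRS*|*STIBP*) letters="F" ;; esac
    case "$status" in *etpoline*) letters="${letters:+$letters,}R" ;; esac
    echo "${letters:-none}"
}

# Print the Spectre v2 microcode flags listed in /proc/cpuinfo, or "none".
microcode_features() {
    cpuinfo_file="${1:-/proc/cpuinfo}"
    flags=$(grep '^flags' "$cpuinfo_file" | head -n1)
    found=""
    for f in spec_ctrl ibpb stibp; do
        case " ${flags#*:} " in *" $f "*) found="$found $f" ;; esac
    done
    found="${found# }"
    echo "${found:-none}"
}

# Print the loaded microcode revision from /proc/cpuinfo, or "unknown".
microcode_revision() {
    cpuinfo_file="${1:-/proc/cpuinfo}"
    rev=$(awk '/^microcode/ { print $NF; exit }' "$cpuinfo_file")
    echo "${rev:-unknown}"
}

# Stand-alone demo on constructed inputs (not captured from a real machine);
# drop the arguments to inspect the machine the script runs on.
tmp=$(mktemp -d)
printf 'Mitigation: Full generic retpoline, IBPB, IBRS_FW\n' > "$tmp/spectre_v2"
printf 'flags\t\t: fpu vme sse2 spec_ctrl ibpb stibp\nmicrocode\t: 0xc2\n' > "$tmp/cpuinfo"
echo "table letters  : $(spectre_v2_letters "$tmp/spectre_v2")"   # F,R
echo "microcode flags: $(microcode_features "$tmp/cpuinfo")"      # spec_ctrl ibpb stibp
echo "microcode rev  : $(microcode_revision "$tmp/cpuinfo")"      # 0xc2
rm -rf "$tmp"
```

The sysfs file only exists on kernels that carry the vulnerabilities interface; on older kernels the check reports "unknown" rather than guessing.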

Re: 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).

Seth Arnold
On Thu, Mar 29, 2018 at 04:55:15PM +0000, daniel curtis wrote:
> Seth, what do You think? Should I install 'intel-microcode' package
> even if this mitigation is not mentioned in table mentioned above?

Hello Daniel,

I can't tell you if you should install the package or not. Intel does not
provide detailed changelogs on what is fixed for which processors in which
microcode updates. We've had unusual visibility into what they have added to
recent microcode updates only because they need compiler support or kernel
support or hypervisor support in order to enable the features.

I suggest installing the package because the updates might address issues.
There's no way to know.

Thanks
