Checking the Ubuntu Linux kernel updates on Spectre and Meltdown (22 February 2018)

In the post Checking the Ubuntu Linux kernel updates on Spectre and Meltdown we saw the initial support of countermeasures in the Ubuntu Linux kernel for Spectre and Meltdown.

Here is the output of the spectre-meltdown-checker script when I ran it on 26th January 2018 (Ubuntu Linux kernel HWE 4.13.0.32).

Today there was a kernel update (USN-3581-2) and I tried it out. Then I ran the spectre-meltdown-checker again.

$ git clone https://github.com/speed47/spectre-meltdown-checker
Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 613, done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 613 (delta 16), reused 23 (delta 10), pack-reused 582
Receiving objects: 100% (613/613), 228.09 KiB | 0 bytes/s, done.
Resolving deltas: 100% (372/372), done.
Checking connectivity... done.

$ cd spectre-meltdown-checker/

$ sudo ./spectre-meltdown-checker.sh

Here is the new output, on Ubuntu Linux HWE 4.13.0.36.

The Spectre Variant 2 is mitigated by retpoline.

The Linux kernel reports in sysfs whether it is vulnerable to these attacks and which mitigation is active. Let’s see what it says.

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

It shows that there is mitigation for Meltdown and both variants of Spectre.
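The grep above is easy to eyeball on one machine, but across a fleet you want the same sysfs files read and classified automatically. The following POSIX shell script is an added example, not code from the original post or from the spectre-meltdown-checker project: it parses lines in the `path:value` form that `grep .` prints, classifies each entry as mitigated, vulnerable or not affected, and exits non-zero if anything is still vulnerable. The sample lines embedded in it are constructed to match the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): classify the sysfs
# vulnerability files the way the grep above reads them.

# Parse one "path:value" line as printed by
#   grep . /sys/devices/system/cpu/vulnerabilities/*
# and print "<name> <state>", where state is one of
# mitigated / vulnerable / not_affected / unknown.
classify_line() {
    line=$1
    path=${line%%:*}      # everything before the first colon is the file path
    value=${line#*:}      # everything after it is the kernel's status string
    name=${path##*/}      # basename of the path, e.g. spectre_v2
    case $value in
        "Not affected"*) state=not_affected ;;
        Mitigation:*)    state=mitigated ;;
        Vulnerable*)     state=vulnerable ;;
        *)               state=unknown ;;
    esac
    printf '%s %s\n' "$name" "$state"
}

# Read a whole listing on stdin, print one classified line per entry and
# return non-zero if any entry is vulnerable (usable as a CI or config gate).
summarize() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        out=$(classify_line "$l")
        printf '%s\n' "$out"
        case $out in *" vulnerable") rc=1 ;; esac
    done
    return $rc
}

# Constructed sample, mirroring the post's output on HWE 4.13.0.36.
SAMPLE='/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline'

# Live usage on a patched kernel (the directory only exists once the fix is in):
#   grep . /sys/devices/system/cpu/vulnerabilities/* | summarize
```

On a kernel older than the fixed ones the `vulnerabilities` directory does not exist at all, so a fleet check should treat a missing directory as "status unknown" rather than as "not vulnerable".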

Update #1 (thanks to a comment by Bryan Quigley): Retpoline is a software mitigation. Apart from the Linux kernel support, it requires each binary to be re-compiled with a compiler that emits the special retpoline instruction sequences; a compiler without retpoline support cannot inoculate the programs it builds. At the moment in Ubuntu, only the browsers have been rebuilt with retpoline support, because they constitute the biggest attack surface. Perhaps newer versions of distributions will be fully retpoline compiled.


Permanent link to this article: https://blog.simos.info/checking-the-ubuntu-linux-kernel-updates-on-spectre-and-meltdown-22-february-2018/


  1. Might be good to stress that the retpoline mitigation is just for the kernel. Other binaries would not be protected by the kernel’s retpoline.
    See: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline

    1. Thanks for the tip. I added a note at the end of the post.
