In the post Checking the Ubuntu Linux kernel updates on Spectre and Meltdown we saw the initial support of countermeasures in the Ubuntu Linux kernel for Spectre and Meltdown.
Here is the output of the spectre-meltdown-checker script when I ran it on 26th January 2018 (Ubuntu Linux kernel HWE 4.13.0.32).
Today there was a kernel update (USN-3581-2) and I tried it out. Then I ran the spectre-meltdown-checker again.
$ git clone https://github.com/speed47/spectre-meltdown-checker
Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 613, done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 613 (delta 16), reused 23 (delta 10), pack-reused 582
Receiving objects: 100% (613/613), 228.09 KiB | 0 bytes/s, done.
Resolving deltas: 100% (372/372), done.
Checking connectivity... done.
$ cd spectre-meltdown-checker/
$ sudo ./spectre-meltdown-checker.sh
Here is the new output, on Ubuntu Linux HWE 4.13.0.36.
The Spectre Variant 2 is mitigated by retpoline.
The Linux kernel also reports in sysfs whether it is vulnerable to each of these attacks. Let’s see what it says.
$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
It shows that there is mitigation for Meltdown and both variants of Spectre.
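As an added example (not part of the original post), here is a small POSIX shell helper that parses the sysfs lines shown above and flags any entry the kernel still reports as vulnerable or in an unrecognised form. The embedded sample is the grep output from this post, constructed inline so the script also runs on a machine without these sysfs files; the three status forms it assumes (Not affected, Vulnerable, Mitigation: ...) are the ones the kernel documents for these files.

```shell
#!/bin/sh
# Constructed sample: the grep output shown in the post, one file per line.
SAMPLE_VULNS='/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: OSB (observable speculation barrier, Intel v6)
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline'

# classify_line "<path>:<value>" prints "<name> <STATUS>", where STATUS is
# MITIGATED, VULNERABLE, NOT_AFFECTED or UNKNOWN.
classify_line() {
    path=${1%%:*}      # text before the first colon: the sysfs file path
    value=${1#*:}      # text after the first colon: the kernel's verdict
    name=${path##*/}   # file name only, e.g. spectre_v2
    case "$value" in
        "Not affected"*) status=NOT_AFFECTED ;;
        Mitigation:*)    status=MITIGATED ;;
        Vulnerable*)     status=VULNERABLE ;;
        *)               status=UNKNOWN ;;
    esac
    printf '%s %s\n' "$name" "$status"
}

# check_vulns reads "<path>:<value>" lines on stdin, prints one verdict per
# line and returns 0 only if every entry is mitigated or not affected.
check_vulns() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        result=$(classify_line "$line")
        echo "$result"
        case "$result" in
            *" VULNERABLE"|*" UNKNOWN") rc=1 ;;
        esac
    done
    return $rc
}

# Prefer the live sysfs directory when the running kernel exposes it,
# otherwise fall back to the constructed sample from the post.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    grep . /sys/devices/system/cpu/vulnerabilities/* | check_vulns \
        || echo "WARNING: at least one entry is vulnerable or unrecognised"
else
    printf '%s\n' "$SAMPLE_VULNS" | check_vulns
fi
```

On a kernel without the sysfs entries the script still runs against the sample, so the parsing can be exercised anywhere; on a live system the final exit status is what a monitoring check would key on.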
Update #1 (thanks to the comment by Bryan Quigley): Retpoline is a software mitigation, and apart from the Linux kernel support, it requires binaries to be re-compiled with a compiler that emits the special retpoline instruction sequences in the resulting binary. The compiler needs to have retpoline support in order to inoculate the programs. At the moment in Ubuntu, only the browsers have been updated with that retpoline support, because they constitute the biggest attack surface. Perhaps newer versions of distributions will be fully retpoline compiled.
2 comments
Might be good to stress that the retpoline mitigation is just for the kernel. Other binaries would not be protected by the kernel’s retpoline.
See: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ#Retpoline
Author
Thanks for the tip. I added a note at the end of the post.