[elrepo] kernel-lt and kernel-ml updates for Meltdown and Spectre
Phil Perry
phil at elrepo.org
Wed Jan 10 18:28:29 EST 2018
On 10/01/18 22:10, Sam McLeod wrote:
> On #Elrepo IRC at the moment, interesting to see my CPU + latest intel
> microcode download + latest elrepo kernel-ml is significantly more
> at-risk still:
>
Yes, it would appear so. I'll do my best to try to explain below.
>
> ~ [0] # uname -a
> Linux nas 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64 x86_64 x86_64 GNU/Linux
>
>
> ~ [0] # dmesg | grep -i micro
> [ 0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
> [ 0.494508] microcode: sig=0x306c3, pf=0x2, revision=0x23
> [ 0.494918] microcode: Microcode Update Driver: v2.2.
>
> ~ [0] # ./spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.24
>
> Checking for vulnerabilities against live running kernel Linux 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Checking count of LFENCE opcodes in kernel: NO (only 37 opcodes found, should be >= 70)
> > STATUS: VULNERABLE (heuristic to be improved when official patches become available)
>
Please refer to Greg K-H's blog post:
http://www.kroah.com/log/blog/2018/01/06/meltdown-status/
As described by Greg, there are currently no Spectre patches in the
upstream kernel.org kernels, hence why kernel-lt and kernel-ml packages
show as vulnerable for Spectre.
Red Hat have merged patches that address this issue into the distro
kernel before they have been officially accepted/merged into the
upstream kernel.org kernel.
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigation 1
> * Hardware (CPU microcode) support for mitigation: YES
> * Kernel support for IBRS: NO
> * IBRS enabled for Kernel space: NO
> * IBRS enabled for User space: NO
> * Mitigation 2
> * Kernel compiled with retpoline option: NO
> * Kernel compiled with a retpoline-aware compiler: NO
> > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
>
Again, Red Hat have merged IBRS patches into the distro kernel before
they have been officially accepted/merged into the upstream kernel.org
kernel, hence why the distro kernel shows as not vulnerable, but only
when the CPU microcode or BIOS has also been updated (Mitigation 1).
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Kernel supports Page Table Isolation (PTI): YES
> * PTI enabled and active: YES
> > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
>
> A false sense of security is worse than no security at all, see --disclaimer
>
Both kernel-ml/kernel-lt and the RHEL distro kernels appear fixed / not
vulnerable to Meltdown as they were fixed in the releases made on
4th/5th January.
At this point kernel-ml and kernel-lt packages are still vulnerable to
Spectre whereas the latest RHEL distro kernel contains patches for Spectre.
Hope that helps clarify things as they stand right now. As soon as
Spectre is addressed upstream in the kernel.org kernels, the fixes
should translate through to kernel-lt and kernel-ml packages.
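The checker script quoted above infers mitigation status from heuristics (LFENCE counts, IBRS and retpoline flags, PTI). An added example, not from this thread, the ELRepo project or the checker script: a small POSIX shell helper that instead reads the kernel's own report from the sysfs interface under /sys/devices/system/cpu/vulnerabilities/ and returns a non-zero exit code when any issue is still reported as Vulnerable. That sysfs interface was added to the kernel after the 4.14.12 build discussed here, so the directory is a parameter; the sample directory built by make_sample is constructed to mirror the state in the quoted output (PTI active, no Spectre mitigations) and is not real output from the poster's machine.

```shell
#!/bin/sh
# Added example: summarise Meltdown/Spectre status from the kernel's sysfs
# vulnerability files. Assumes a kernel that exports
# /sys/devices/system/cpu/vulnerabilities/ (not the 4.14.12 build above).

# vuln_status DIR NAME -> prints the kernel's status string for NAME,
# or "unknown" when the kernel does not export that file.
vuln_status() {
    dir=$1
    name=$2
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo "unknown"
    fi
}

# vuln_report [DIR] -> prints one line per issue and returns 0 only if no
# issue is reported as "Vulnerable" (suitable as a fleet-check exit code).
vuln_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        status=$(vuln_status "$dir" "$name")
        printf '%-10s %s\n' "$name" "$status"
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the thread: PTI active, Spectre unmitigated.
# Prints the temporary directory path; caller removes it.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Run with --demo to report on the constructed sample, or with no
# arguments to read the live sysfs directory of the running kernel.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    vuln_report "$sample" || echo "at least one issue is still reported Vulnerable"
    rm -rf "$sample"
elif [ "${1:-}" = "--live" ]; then
    vuln_report
fi
```

On the constructed sample the report shows meltdown as "Mitigation: PTI" and both Spectre variants as "Vulnerable", matching the checker's verdict in the quoted output; once a kernel that carries the Spectre fixes is booted, the same two files change to a "Mitigation: ..." string and the exit code drops to 0.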