Protect your Fedora system against Meltdown

You may have heard about Meltdown, an exploit that can be used against modern processors (CPUs) to maliciously gain access to sensitive data in memory. This vulnerability is serious, and can expose your secret data such as passwords. Here’s how to protect your Fedora system against the attack.

Guarding against Meltdown

New kernel packages contain fixes for Fedora 26 and 27 (kernel version 4.14.11), as well as Rawhide (kernel 4.15 release candidate). The maintainers have submitted updates to the stable repos. They should show up within a day or so for most users.

To update your Fedora system, use this command once you configure sudo. Type your password at the prompt, if necessary.

sudo dnf --refresh update kernel

Fedora provides worldwide mirrors at many download sites to better serve users. Some sites refresh their mirrors at different rates. If you don’t get an update right away, wait until later in the day.

If your system is on Rawhide, run sudo dnf update to get the update.

Then reboot your system to use the latest kernel.
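The article's procedure only works once the new kernel is actually running, so a quick check afterwards is worth having. The script below is an added example, not part of the Fedora Magazine post: it compares the running `uname -r` against the 4.14.11 minimum the article names and reports whether kernel page-table isolation (PTI, the Meltdown mitigation) is active. It assumes the dmesg line "Kernel/User page tables isolation: enabled" printed by PTI-enabled kernels, and the later sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown where present.

```shell
#!/bin/sh
# Added example: verify that the running kernel is at least the fixed
# version and that PTI is enabled. Not part of the original article.

# Strip the Fedora release suffix: "4.14.11-300.fc27.x86_64" -> "4.14.11"
base_version() {
    printf '%s' "${1%%-*}"
}

# Numeric compare of dotted versions (major.minor.patch). Returns 0 when $1 >= $2.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# $1: output of `uname -r`; $2: minimum fixed version (4.14.11 per the article)
kernel_is_fixed() {
    version_ge "$(base_version "$1")" "$2"
}

# Report PTI state. Newer kernels expose a sysfs file; 4.14.11 only logs to dmesg
# (reading dmesg may need root, in which case the result is "unknown").
pti_status() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then
        cat "$f"
    elif dmesg 2>/dev/null | grep -q 'Kernel/User page tables isolation: enabled'; then
        echo "Mitigation: PTI (from dmesg)"
    else
        echo "unknown"
    fi
}

# Run against the live system with: sh check-meltdown.sh --self
if [ "${1:-}" = "--self" ]; then
    if kernel_is_fixed "$(uname -r)" 4.14.11; then
        echo "running kernel $(uname -r): fixed version"
    else
        echo "running kernel $(uname -r): install the update and reboot"
    fi
    echo "PTI: $(pti_status)"
fi
```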

Fedora Atomic Host

The fixes for Fedora Atomic Host are in ostree version 27.47. To get the update, run this command:

atomic host upgrade

Then reboot your system. You can read more details on the Project Atomic blog.

A note on Spectre

Spectre is the common name for another serious vulnerability that exploits both processor and software design to maliciously expose secret data. Work is ongoing by upstream developers, vendors, and researchers to mitigate this vulnerability. The Fedora team will continue to monitor their progress and notify the public about updates as they become available.

31 Comments

  1. Thank you very much for the information on these serious vulnerabilities.

  2. Augenauf

    4.14.11, not 4.11.14.

  3. Odysseo

    Yes, thank you VERY much for this information.

    Do typical preventive behaviors in browsing, email, etc. used to avoid malware also prevent infiltration by these vulnerabilities?

  4. Is the performance-hitting kernel separation enabled for Intel only, or for all of x86(/64), or for all the archs?

  5. k

    GDM3 doesn’t start for me when booting 4.14.11 on F27 with nouveau drivers and NVIDIA Corporation MCP89 [GeForce 320M] (rev a2)
    (MacBook Pro mid 2010).
    Plymouth just hangs there. works fine booting 4.14.8

  6. k

    it seems to stop on “Starting switch root”

    • Jan

      It seems I have the same problem on a Ryzen system with F27 and nouveau drivers; It also hangs at ‘starting switch root’.

  7. David

    Does Fedora kernel build include the AMD patch to disable PTI since AMD CPUs are not vulnerable?

    • Ken

      I did look at one 4.14.11 Linux this morning and AMD was exempt. I have yet to look at the Fedora source code but it’s unlikely to be different. You can override with the pti=on kernel command line in case it becomes necessary to activate page table isolation on any AMD CPUs.

    • Norbert J.

      According to the changelog on cdn.kernel.org the AMD patch is included in next upstream kernel 4.14.12.

  8. Lars

    You forgot to mention the reboot. Otherwise the upgrade is useless because the new kernel does not get loaded.

  9. sam

    I still have a F25 machine that I won't be able to update for a few weeks (yes, I know this is bad). I assume there won't be an official fixed kernel for it. Has anyone tried installing the F26 kernel into F25?

    • Same situation here. Guess it’s time to upgrade 😛

    • Simon

      Upgrade your Fedora. Does it make any sense to maintain a system that reached EOL and force installation of the kernel only?

      • sam

        It's a week away from a project deadline, so it will have to wait. The machine just has a small number of trusted users, so I guess it should be ok.

  10. Vlad

    This patch results in the system slowing (~20% on my Xeon with 18×2 cores). Is there any plan to prepare the next version of the patch, but with less severe slowing?

    • A. Lloyd Flanagan

      The slowdown (which will vary depending on a lot of factors) is an unavoidable side effect of the fix. Basically, the technique that was giving you that extra speed turned out to be vulnerable, so it had to be undone. I don’t expect there’s a way to fix that.

  11. LjL

    Why not suggest “sudo dnf --refresh --security update” instead of targeting the specific kernel package, at least for stable Fedora releases? Or if that’s too broad, the --cve option?

  12. Rainer

    GDM3 doesn’t boot with NVIDIA Card [GeForce GTX 1050 Ti].

  13. Thanks for the quick action. Does the kernel update also fix Spectre, or is it just for Meltdown?

  14. My desktop is mostly stable. I did not notice any slowdown. Thanks for the patch 🙂

  15. Daniel Sobrinho

    Sorry, English…

    Do I need to do that?

    [dsobrinho@anunnaki ~]$ uname -a
    Linux anunnaki 4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

  16. AndrésF

    Hi, after doing the update, the system does not start for me. When I start the system it shows me:

    Minimal bash-line editing is supported …..
    grub>

    How can I repair that?
    Thank you very much and excuse my English.

  17. Sven

    Any timeframe for the needed microcode updates?

      • Gianluca

        Hello, if I’m not wrong, the microcode_ctl RPM package provides only Intel CPU microcode. The /usr/share/doc/microcode_ctl/README file provided with the package in fact says:

        What it does

        Deploy an Intel and AMD microcode. This tool is obsolete and the microcode
        is the subject to be distributed via kernel-firmware, however Intel still
        does not supply the microcode in a form consumable by the Linux’s microcode
        driver. So that this tool transform Intel’s microcode as well as deploy it.

        What about AMD CPUs? On Ubuntu I see there is an amd64-microcode package; what about Fedora/CentOS based distros? I didn’t find any reference to kernel-firmware packages….
        Is it correct to say that it is instead into linux-firmware package?
        Inside it I see the file “/usr/lib/firmware/amd-ucode” path, but at the moment no updates for it, neither in testing repo for Fedora 26.
        Thanks for clarifying,
        Gianluca

      • andrej

        F27 stable, F26 testing
        https://bodhi.fedoraproject.org/updates/?packages=microcode_ctl
        any clue about F26 progress?
