You may have heard about Meltdown, an exploit that can be used against modern processors (CPUs) to maliciously gain access to sensitive data in memory. This vulnerability is serious, and can expose your secret data such as passwords. Here’s how to protect your Fedora system against the attack.
Guarding against Meltdown
New kernel packages contain fixes for Fedora 26 and 27 (kernel version 4.14.11), as well as Rawhide (kernel 4.15 release candidate). The maintainers have submitted updates to the stable repos. They should show up within a day or so for most users.
To update your Fedora system, use this command once you configure sudo. Type your password at the prompt, if necessary.
sudo dnf --refresh update kernel
Fedora provides worldwide mirrors at many download sites to better serve users. Some sites refresh their mirrors at different rates. If you don’t get an update right away, wait until later in the day.
If your system is on Rawhide, run sudo dnf update to get the update.
Then reboot your system to use the latest kernel.
Fedora Atomic Host
The fixes for Fedora Atomic Host are in ostree version 27.47. To get the update, run this command:
atomic host upgrade
Then reboot your system. You can read more details on the Project Atomic blog.
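Whether the kernel came from dnf or from atomic host upgrade, the fix only takes effect once the new kernel is running. The following POSIX shell script is an added example, not part of the original article: it checks after the reboot that the running kernel is at least the 4.14.11 the article names and reports page table isolation (PTI) status. The sysfs vulnerabilities file and the `pti` flag in /proc/cpuinfo are assumptions about what newer kernels expose, not something the article states.

```shell
#!/bin/sh
# Added example, not from the Fedora Magazine article: after the reboot, confirm
# the Meltdown fix is in effect. 4.14.11 is the version the article names for
# Fedora 26/27; the sysfs file and the 'pti' cpuinfo flag are assumptions about
# what newer kernels expose, so the script reports "unknown" when neither exists.
MIN_KERNEL=4.14.11
# version_ge A B: succeed when dotted version A is numerically >= B.
version_ge() {
    vg_a=$1; vg_b=$2
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x=${vg_a%%.*}; vg_y=${vg_b%%.*}
        [ "$vg_a" = "$vg_x" ] && vg_a='' || vg_a=${vg_a#*.}
        [ "$vg_b" = "$vg_y" ] && vg_b='' || vg_b=${vg_b#*.}
        [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
        [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
    done
    return 0
}

# kernel_is_fixed RELEASE: RELEASE is a 'uname -r' string such as
# 4.14.11-300.fc27.x86_64; only the part before the first '-' is compared.
kernel_is_fixed() {
    version_ge "${1%%-*}" "$MIN_KERNEL"
}
# pti_state [SYSFS_FILE] [CPUINFO_FILE]: print mitigated, vulnerable,
# not-affected or unknown. Prefers the per-vulnerability sysfs file (assumed to
# read "Mitigation: PTI", "Vulnerable" or "Not affected"), then the 'pti' flag.
pti_state() {
    ps_sysfs=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    ps_cpuinfo=${2:-/proc/cpuinfo}
    if [ -r "$ps_sysfs" ]; then
        case $(cat "$ps_sysfs") in
            Mitigation:*PTI*) echo mitigated ;;
            "Not affected")   echo not-affected ;;
            Vulnerable*)      echo vulnerable ;;
            *)                echo unknown ;;
        esac
    elif [ -r "$ps_cpuinfo" ] && grep -qw pti "$ps_cpuinfo"; then
        echo mitigated
    else
        echo unknown
    fi
}
running=$(uname -r)
if kernel_is_fixed "$running"; then
    echo "running kernel $running is >= $MIN_KERNEL; PTI: $(pti_state)"
else
    echo "running kernel $running is older than $MIN_KERNEL: update and reboot"
fi
```

If the script reports a kernel older than 4.14.11 even though dnf installed the update, the reboot has not happened yet and the old kernel is still loaded.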
A note on Spectre
Spectre is the common name for another serious vulnerability that exploits both processor and software design to maliciously expose secret data. Work is ongoing by upstream developers, vendors, and researchers to mitigate this vulnerability. The Fedora team will continue to monitor their progress and notify the public about updates as they become available.
Casey Latham
Thank you very much for the information on these serious vulnerabilities.
Augenauf
4.14.11, not 4.11.14.
Paul W. Frields
Typo was fixed, thanks.
Odysseo
Yes, thank you VERY much for this information.
Do typical preventive behaviors in browsing, email, etc. used to avoid malware also prevent infiltration by these vulnerabilities?
Ondra 'Satai' Nekola
Is the performance-hitting kernel separation enabled for Intel only or for all the x86(/64) or for all the archs?
k
GDM3 doesn’t start for me when booting 4.14.11 on F27 with nouveau drivers and NVIDIA Corporation MCP89 [GeForce 320M] (rev a2)
(MacBook Pro mid 2010).
Plymouth just hangs there. Works fine booting 4.14.8.
k
It seems to stop on “Starting switch root”.
Jan
It seems I have the same problem on a Ryzen system with F27 and nouveau drivers; it also hangs at ‘starting switch root’.
Paul W. Frields
Please file a bug. The Magazine isn’t the right place to report failures on arbitrary hardware.
David
Does Fedora kernel build include the AMD patch to disable PTI since AMD CPUs are not vulnerable?
Ken
I did look at one 4.14.11 Linux this morning and AMD was exempt. I have yet to look at the Fedora source code but it’s unlikely to be different. You can override with the pti=on kernel command line in case it becomes necessary to activate page table isolation on any AMD CPUs.
Norbert J.
According to the changelog on cdn.kernel.org the AMD patch is included in next upstream kernel 4.14.12.
Lars
You forgot to mention the reboot. Otherwise the upgrade is useless because the new kernel does not get loaded.
sam
I still have a F25 machine that I won’t be able to update for a few weeks (yes I know this is bad). I assume there won’t be an official fixed kernel for it. Has anyone tried installing the F26 kernel into F25?
sigg3
Same situation here. Guess it’s time to upgrade 😛
Simon
Upgrade your Fedora. Does it make any sense to maintain a system that reached EOL and force installation of the kernel only?
sam
It’s a week away from a project deadline, so it will have to wait. The machine just has a small number of trusted users, so I guess it should be ok.
Vlad
This patch results in system slowing (~20% on my Xeon with 18×2 cores). Is there any plan to prepare the next version of the patch, but with not so strong a slowdown?
A. Lloyd Flanagan
The slowdown (which will vary depending on a lot of factors) is an unavoidable side effect of the fix. Basically, the technique that was giving you that extra speed turned out to be vulnerable, so it had to be undone. I don’t expect there’s a way to fix that.
LjL
Why not suggest “sudo dnf --refresh --security update” instead of targeting the specific kernel package, at least for stable Fedora releases? Or if that’s too broad, the --cve option?
Rainer
GDM3 doesn’t boot with NVIDIA Card [GeForce GTX 1050 Ti].
Paul W. Frields
Please file a bug. The Magazine isn’t the right place to report failures on arbitrary hardware.
Linux User
Thanks for the quick action. Does the kernel update also fix Spectre or is it just for Meltdown?
Paul W. Frields
Please refer to the last paragraph of the article. This fix helps mitigate Meltdown.
nixcraft
My desktop is mostly stable. I did not notice any slowdown. Thanks for the patch 🙂
Daniel Sobrinho
Sorry, English…
Need I do that?
[dsobrinho@anunnaki ~]$ uname -a
Linux anunnaki 4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
AndrésF
Hi, after doing the update, the system does not start for me. When I start the system it shows me:
Minimal bash-line editing is supported …..
grub>
How can I repair that?
Thank you very much and excuse my English.
Sven
Any timeframe for the needed microcode updates?
Matthew Miller
In testing:
F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7e17849364
F26: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6b319763ab
Gianluca
Hello, if I’m not wrong the microcode_ctl rpm package provides only Intel CPU microcode. The /usr/share/doc/microcode_ctl/README file provided with the package in fact says:
“Deploy an Intel and AMD microcode. This tool is obsolete and the microcode
is the subject to be distributed via kernel-firmware, however Intel still
does not supply the microcode in a form consumable by the Linux’s microcode
driver. So that this tool transform Intel’s microcode as well as deploy it.”
What about AMD CPUs? On Ubuntu I see there is an amd64-microcode package; what about Fedora/CentOS based distros? I didn’t find any reference to kernel-firmware packages.
Is it correct to say that it is instead into linux-firmware package?
Inside it I see the file “/usr/lib/firmware/amd-ucode” path, but at the moment no updates for it, neither in testing repo for Fedora 26.
Thanks for clarifying,
Gianluca
andrej
F27 stable, F26 testing
https://bodhi.fedoraproject.org/updates/?packages=microcode_ctl
Any clue about F26 progress?