January saw the announcement of a series of critical vulnerabilities called Spectre and Meltdown. The nature of these issues meant the solutions were complex and required fixing delicate code. The initial fix for Meltdown on x86 was KPTI, which was available almost immediately. Developing mitigations for Spectre was more complex. Other architectures had to look at their vulnerability status as well, and get mitigation in where it was needed. Now that a bit of time has passed, what is the exposure on Fedora?
Meltdown and Spectre mitigation coverage
The mitigation coverage for Spectre and Meltdown is in a pretty good state. For the x86 architecture, KPTI mitigates the Meltdown vulnerability (CVE-2017-5754), and the retpoline fixes mitigate Spectre variant 2 (CVE-2017-5715). Spectre variant 1 (CVE-2017-5753) required patching specific vulnerable code bits, and known problem areas have been mitigated upstream as well. Additionally ARM coverage landed in the 4.15.4 kernel updates for Fedora. Power architectures have initial coverage in Fedora kernel version 4.14.15.
All of this coverage is still being fine tuned. Initial rounds of mitigation development aimed to plug the holes as quickly as possible so that users were not exposed. Once that happened, developers could pay more attention to fine tuning the mitigation for performance.
With mitigation where it currently stands, the Fedora Kernel Team has closed the tracking bugs for these CVEs. It is still important that you keep your kernels updated as initial mitigation is fine tuned. Optimizations to the initial mitigation are still rolling in, and probably will for the foreseeable future. As many of these mitigations are dependent on CPU microcode updates, it is a very good idea to keep firmware updated where possible.
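As an added illustration (not part of the article), the following POSIX shell script reads the kernel's own report of its Meltdown and Spectre mitigation status. The per-issue files under /sys/devices/system/cpu/vulnerabilities/ are what Linux 4.15 and the Fedora 4.14.x updates mentioned above export; the sample status strings in the comments are constructed, and a directory argument lets the functions be run against test data.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's own report of
# its Meltdown/Spectre mitigation status. Linux 4.15+ (and the Fedora 4.14.x
# updates the article mentions) export one file per issue under
# /sys/devices/system/cpu/vulnerabilities/, e.g. "Mitigation: PTI" for
# meltdown or "Mitigation: Full generic retpoline" for spectre_v2 (constructed
# sample strings). A directory argument lets the functions run on test data.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status FILE: print mitigated | vulnerable | not_affected | unknown
classify_status() {
    text=$(cat "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$text" in
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        "Not affected") echo not_affected ;;
        *)              echo unknown ;;
    esac
}

# report_vulns [DIR]: print "issue class raw-text" per file. Exit status:
# 0 = nothing reported Vulnerable, 1 = at least one issue still Vulnerable,
# 2 = the directory is missing (kernel predates the sysfs reporting).
report_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cls=$(classify_status "$f")
        printf '%-12s %-12s %s\n' "$(basename "$f")" "$cls" "$(cat "$f")"
        [ "$cls" = vulnerable ] && rc=1
    done
    return $rc
}

# Run against the live sysfs directory (or the one given as $1) when executed
# directly; the status is echoed rather than propagated so the file can also
# be sourced.
report_vulns "$@" || echo "report_vulns exit status: $?" >&2
```

A status of 2 on a Fedora kernel older than the versions named above is expected; once updated, every entry should read "Mitigation:" or "Not affected".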
Thank you for the update. As a follow-on to this, as of last week (week of March 12), some Intel OEMs, such as Lenovo, are releasing revised firmware and microcode updates. This represents the ‘fixed’ versions of the firmware updates that had been previously withdrawn.
Here is the link to the Lenovo support site: https://support.lenovo.com/us/en/solutions/LEN-18282
(all comments my own; please follow your system vendor’s instructions for firmware updates)
For new users, do they need to do anything? As a new user to Linux and Fedora, what I hear is that there was some bad stuff that happened which has alpha-numeric names, and KPTI (not sure what that is yet) and retpoline (not sure what that is yet) fix this bad stuff. The author also mentions keeping the kernel updated and firmware updated.
1. Will doing the following be enough to get the KPTI and retpoline, kernel and firmware updated, or is there an additional step I need to take?
2. Are there other steps I should be taking? If so, what?
3. Any other suggestions and considerations welcomed
dnf clean all
dnf upgrade --refresh
*not sure what others are considered safe’r’, so I’ve stuck to these. Maybe more importantly, I’m not sure how to evaluate other repos for their safety.
I’ll work on figuring out some of the jargon I do not understand yet.
Thanks again for the updates and feedback.
Paul W. Frields
@Zac: Keeping your Fedora system updated regularly should be sufficient. That includes upgrading to the latest releases when they’re available (or no later than your current release goes end of life, which is announced here in the Magazine as well).
Thanks Paul for the response. I’m really liking being able to do one simple step and have all the programs get updated. I don’t have to go around searching whether an application has been updated, or whether it’s a new update and I need to wait for the kinks to get worked out. This is a large reason for my interest.