Ubuntu: Spectre Variant 2 Mitigation?
The Ubuntu Security knowledge base regarding Meltdown & Spectre still says:
- No microcode updates are currently available for AMD or Intel, which means Spectre v2 is still unmitigated out of the box on Ubuntu on x86 CPUs for userspace.
Knowledge base: SecurityTeam / KnowledgeBase / SpectreAndMeltdown | Ubuntu Wiki
Is that really true? Can anyone help with this? This topic has become complex with too many patches & reverts in the meantime.
If the above is true, does that mean Ubuntu is currently only mitigated against Meltdown and Spectre Variant 1?
We are using AWS Cloud and Ubuntu servers.
Best,
Fadi
security
asked Mar 22 at 10:18 by Fadi Serhan, edited Mar 22 at 13:37 by Drakonoved
There are mitigations available in the kernel, but i386 and amd64 need updated firmware patches which are not yet available for everything to work. There are no stable processor microcode firmware patches from Intel or AMD yet for 64-bit processors.
Thomas Ward ♦, Mar 22 at 13:48
1 Answer (accepted)
This is a complex topic that is hard to give a true "Patched" or "Not patched" answer. So, I will provide you the very inaccurate and useless short answer, and a less brief summary that summarizes the rest of the info I provide.
The very inaccurate short answer is "Yes and no", but it doesn't give you a clear idea of what the actual situation is.
I'm not sure what architecture AWS uses, but my guess is that it's an i386 or amd64 architecture. Patches for Spectre variant 1 and Meltdown are in the kernel. But Spectre Variant 2 requires updated stable firmware / microcode from the manufacturers - both Intel and AMD. Therefore, though the kernel contains mitigations against the issues, the actual CPU firmware needs to be updated. And therefore, Spectre variant 2 is not completely patched.
However, the above summary is not really an accurate portrayal of the current state of patching against these issues - it's just a very basic summary.
So, for that reason, I'm taking the data provided from the Security Team's knowledge base, and making it a human-understandable summary of the page as it was on March 22, 2018 at 09:48AM UTC-4. I also am only focusing on 14.04 and later versions, because Precise is End of Life unless you pay Canonical for the Ubuntu Advantage for 12.04 Precise systems, and is mostly irrelevant for people running Precise without this paid support.
Note that for the Spectre and Meltdown issues to be properly addressed in all releases, both the Kernel and the CPU Microcode sections must have mitigations and updates released and incorporated. This is why Spectre Variant 2 is not really 'patched' yet, per se.
Kernel:
- Patched for Spectre Variant 1.
- Patched for Meltdown.
- Spectre Variant 2:
  - Kernel contains mitigations
  - Kernel mitigations alone aren't enough, CPU firmware/microcode updates are needed.
CPU Firmware/Microcode:
- ppc64el and s390x processor architectures patched, updates available from IBM.
- armhf and arm64 are mostly unaffected, there are only a very small number of chips affected by this.
- i386 and amd64 do not have stable releases to their microcode addressing this issue.
  - Intel had released microcode updates, but these were reverted due to the introduction of system instability issues, details in USN-3531-2.
  - AMD released a statement on March 20th that they are in the process of developing and staging mitigations for Spectre and Meltdown, but has not yet released a stable version of microcode.
  - Summary: No stable release of microcode updates has been made containing the Spectre and/or Meltdown code updates.
Userspace Mitigations:
Some programs and libraries have mitigations against Spectre and Meltdown built-into their code to prevent exploitation of the issues by the programs or libraries themselves:
- Firefox
- WebKitGTK+
- NVIDIA graphics drivers
- QEMU
- libvirt
Cloud Images (this might not include AWS, and I have not checked):
Trusty, Xenial, and Artful cloud images with a serial after 20180122 include the patches in the images. Cloud images still have to obey the rest of the patch rules from the other sections above, though.
This answer was last updated on: March 22, 2018 10:02AM
answered Mar 22 at 14:02 by Thomas Ward ♦, edited Mar 22 at 15:01
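A way to check on a running host the two-part state the answer describes (kernel mitigation plus microcode), as an added example that is not part of the answer or of Ubuntu's documentation: since Linux 4.15 the kernel reports its own Spectre v2 status in /sys/devices/system/cpu/vulnerabilities/spectre_v2, and the microcode-dependent parts (IBPB, IBRS, STIBP) only appear in that line once the CPU firmware provides them. The classification labels and the sample lines below are constructed for this example, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu answer): classify the kernel's own
# Spectre v2 status line. With a retpoline-built kernel the line typically reads
# "Mitigation: Full generic retpoline"; once microcode supplies IBPB/IBRS the
# kernel appends ", IBPB" / ", IBRS_FW". Without those, the kernel side is
# done but the microcode side is not, which is the situation the answer describes.
set -e

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_spectre_v2 LINE -> prints one of (labels are constructed here):
#   not-affected  kernel says this CPU is not affected
#   unmitigated   kernel reports "Vulnerable" (incl. "Vulnerable: Minimal ..." from
#                 kernels built without a retpoline-aware compiler)
#   full          kernel mitigation plus a microcode-backed feature (IBPB/IBRS/STIBP)
#   kernel-only   kernel mitigation present, no microcode-backed feature listed
#   unknown       unrecognised text
classify_spectre_v2() {
  line=$1
  case "$line" in
    "Not affected"*)                                   echo not-affected ;;
    Vulnerable*)                                       echo unmitigated ;;
    Mitigation:*IBPB*|Mitigation:*IBRS*|Mitigation:*STIBP*) echo full ;;
    Mitigation:*)                                      echo kernel-only ;;
    *)                                                 echo unknown ;;
  esac
}

# microcode_rev -> microcode revision of the first CPU as reported by /proc/cpuinfo
# (useful to compare against the intel-microcode / amd64-microcode package contents)
microcode_rev() {
  awk -F':' '/^microcode/ { gsub(/[ \t]/, "", $2); print $2; exit }' /proc/cpuinfo 2>/dev/null
}

# Live report on a Linux host that has the sysfs interface.
report_live() {
  if [ ! -r "$VULN_DIR/spectre_v2" ]; then
    echo "no $VULN_DIR/spectre_v2 (kernel too old or not Linux)"
    return 1
  fi
  line=$(cat "$VULN_DIR/spectre_v2")
  printf 'spectre_v2: %s\nclass:      %s\nmicrocode:  %s\n' \
    "$line" "$(classify_spectre_v2 "$line")" "$(microcode_rev)"
}

if [ "${1:-}" = "--live" ]; then
  report_live
else
  # Constructed sample lines (not captured from a real host) to show each class.
  for sample in \
    "Vulnerable" \
    "Mitigation: Full generic retpoline" \
    "Mitigation: Full generic retpoline, IBPB, IBRS_FW" \
    "Not affected"; do
    printf '%-52s -> %s\n' "$sample" "$(classify_spectre_v2 "$sample")"
  done
fi
```

Run with `--live` on the host to read the real sysfs line; without arguments it only walks the constructed samples.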