How to mitigate the Spectre and Meltdown vulnerabilities on Linux systems?
January 8, 2018
Edited: January 27, 2018
November 24, 2022
January 27, 2018 Intel Microcode breaks some systems
The Intel Microcode Update 2018-01-08 to address speculative execution branching security holes broke some systems. This affected many Ubuntu systems from January 8th to January 21st. On January 22, 2018 Ubuntu released an update that puts back the older Microcode from 2017-07-07.
If you experienced problems with updates, reinstalled Ubuntu, and turned off updates between 2018-01-08 and 2018-01-22, you may want to try Ubuntu automatic updates again.
Table of Contents
- January 27, 2018 Intel Microcode breaks some systems
- January 16, 2018 update Spectre in 4.14.14 and 4.9.77
- January 12, 2018 update
- January 7, 2018 update
- Linux Kernels 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97 Patch Meltdown Flaw
- 4.14.12 - What a difference a day makes
January 16, 2018 update Spectre in 4.14.14 and 4.9.77
If you are already running Kernel versions 4.14.13 or 4.9.76 like I am, it's a no-brainer to install 4.9.77 when they come out in a couple of days to mitigate the Spectre security hole. The name of this fix is Retpoline, and it doesn't have the severe performance hit previously speculated:
Greg Kroah-Hartman has sent out the latest patches for the Linux 4.9 and 4.14 point releases, which now include the Retpoline support. This X86_FEATURE_RETPOLINE is enabled for all AMD/Intel CPUs. For full support you also need to be building the kernel with a newer GCC compiler containing -mindirect-branch=thunk-extern support. The GCC changes landed in GCC 8.0 yesterday and are in the process of potentially being back-ported to GCC 7.3.
Those wanting to disable the Retpoline support can boot the patched kernels with noretpoline.
January 12, 2018 update
Initial protection from Spectre is here and will be improved in weeks and months to come.
Linux Kernels 4.14.13, 4.9.76 LTS, and 4.4.111 LTS
From this Softpedia article:
Linux kernels 4.14.13, 4.9.76 LTS, and 4.4.111 LTS are now available for download from kernel.org, and they include more fixes against the Spectre security vulnerability, as well as some regressions from the Linux 4.14.12, 4.9.75 LTS, and 4.4.110 LTS kernels released last week, as some reported minor issues.
These issues appear to be fixed now, so it's safe to update your Linux-based operating systems to the new kernel versions released today, which include more x86 updates, some PA-RISC, s390, and PowerPC (PPC) fixes, various improvements to drivers (Intel i915, crypto, IOMMU, MTD), and the usual mm and core kernel changes.
Many users had problems with Ubuntu LTS updates on January 4, 2018 and January 10, 2018. I've been using 4.14.13 for a couple of days without any problems; however, YMMV.
January 7, 2018 update
Greg Kroah-Hartman wrote a status update on the Meltdown and Spectre Linux Kernel security holes yesterday. Some may call him the second most powerful man in the Linux world, right next to Linus. The article addresses stable kernels (discussed below) and LTS kernels, which the majority of Ubuntu users have.
Linux Kernels 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97 Patch Meltdown Flaw
From this article:
Users are urged to update their systems immediately
Jan 4, 2018 01:42 GMT · By Marius Nestor
Linux kernel maintainers Greg Kroah-Hartman and Ben Hutchings have released new versions of the Linux 4.14, 4.9, 4.4, 3.16, 3.18, and 3.12 LTS (Long Term Support) kernel series that apparently patch one of the two critical security flaws affecting most modern processors.
The Linux 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91, and 3.2.97 kernels are now available to download from the kernel.org website, and users are urged to update their GNU/Linux distributions to these new versions if they run any of those kernel series immediately. Why update? Because they apparently patch a critical vulnerability called Meltdown.
As reported earlier, Meltdown and Spectre are two exploits that affect nearly all devices powered by modern processors (CPUs) released in the past 25 years. Yes, that means almost all mobile phones and personal computers. Meltdown can be exploited by an unprivileged attacker to maliciously obtain sensitive information stored in kernel memory.
Patch for Spectre vulnerability still in the works
While Meltdown is a serious vulnerability which can expose your secret data, including passwords and encryption keys, Spectre is even worse, and it’s not easy to fix. Security researchers say it will haunt us for quite some time. Spectre is known to exploit the speculative execution technique used by modern CPUs to optimize performance.
Until the Spectre bug is patched too, it is strongly recommended that you at least update your GNU/Linux distributions to any of the newly released Linux kernel versions. So search the software repositories of your favorite distro for the new kernel update and install it as soon as possible. Don’t wait until it’s too late, do it now!
I had been using Kernel 4.14.10 for a week so downloading and booting Ubuntu Mainline Kernel version 4.14.11 wasn’t too much of a concern for me.
Ubuntu 16.04 users might be more comfortable with 4.4.109 or 4.9.74 kernel versions which were released at the same time as 4.14.11.
If your regular updates do not install the Kernel version you desire you can do it manually following this Ask Ubuntu answer: https://askubuntu.com/questions/879888/how-do-i-update-kernel-to-the-latest-mainline-version/879920#879920
4.14.12 - What a difference a day makes
Less than 24 hours after my initial answer, a patch was released to fix the 4.14.11 kernel version, which they may have rushed out. Upgrading to 4.14.12 is recommended for all 4.14.11 users. Greg-KH says:
I'm announcing the release of the 4.14.12 kernel.
All users of the 4.14 kernel series must upgrade.
There are a few minor issues still known with this release that people have run into. Hopefully they will be resolved this weekend, as the patches have not landed in Linus's tree.
For now, as always, please test in your environment.
Looking at this update, not very many lines of source code were changed.
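A check a practitioner would run after installing one of the kernels listed in this answer, as an added example that is not part of the original answer or of any distribution's tooling. It does two things: it compares a kernel version string (as printed by `uname -r`) against the stable releases named above (Meltdown fix: 4.14.11, 4.9.74, 4.4.109, 3.18.91, 3.16.52, 3.2.97; initial Spectre fixes: 4.14.13, 4.9.76, 4.4.111; Retpoline: 4.14.14, 4.9.77), and it reads the kernel's own mitigation report from `/sys/devices/system/cpu/vulnerabilities/`. That sysfs interface is not mentioned in the answer; it is assumed here to be present on kernels that carry the backported mitigation reporting, and a kernel without it is treated as unpatched. The quoted `noretpoline` boot parameter is checked for in the kernel command line as well. The version table, the function names, and the sample sysfs contents used in the stand-alone run are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumptions are noted inline.

# Compare two dotted version strings numerically. Returns 0 when $1 >= $2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# First stable release of each series named in the answer that patched Meltdown.
meltdown_min() {
    case "$1" in
        4.14) echo 4.14.11 ;;  4.9) echo 4.9.74 ;;  4.4) echo 4.4.109 ;;
        3.18) echo 3.18.91 ;;  3.16) echo 3.16.52 ;; 3.2) echo 3.2.97 ;;
        *) echo "" ;;
    esac
}
# First release with the initial Spectre fixes (January 12 update).
spectre_min() {
    case "$1" in 4.14) echo 4.14.13 ;; 4.9) echo 4.9.76 ;; 4.4) echo 4.4.111 ;; *) echo "" ;; esac
}
# First release carrying Retpoline (January 16 update).
retpoline_min() {
    case "$1" in 4.14) echo 4.14.14 ;; 4.9) echo 4.9.77 ;; *) echo "" ;; esac
}

# Print the fix level a kernel version has reached according to the table above:
# unknown-series | pre-meltdown-fix | meltdown[+spectre-initial[+retpoline]]
# Series the answer does not list (e.g. 4.15) are reported as unknown-series.
kernel_fix_level() {
    v="${1%%-*}"          # drop "-041413-generic" style suffixes from uname -r
    series="${v%.*}"      # 4.14.13 -> 4.14, 3.2.97 -> 3.2
    m=$(meltdown_min "$series")
    if [ -z "$m" ]; then echo unknown-series; return 2; fi
    if ! version_ge "$v" "$m"; then echo pre-meltdown-fix; return 1; fi
    level=meltdown
    s=$(spectre_min "$series")
    if [ -n "$s" ] && version_ge "$v" "$s"; then level="$level+spectre-initial"; fi
    r=$(retpoline_min "$series")
    if [ -n "$r" ] && version_ge "$v" "$r"; then level="$level+retpoline"; fi
    echo "$level"
    return 0
}

# Returns 0 if the given kernel command line contains the noretpoline parameter
# quoted in the answer, i.e. Retpoline was deliberately switched off at boot.
cmdline_has_noretpoline() {
    case " $1 " in *" noretpoline "*) return 0 ;; *) return 1 ;; esac
}

# Read the kernel's own report. $1 is the directory (default: the real sysfs
# path, assumed to exist on kernels with the backported reporting). Returns 0
# only if every file exists and none of them starts with "Vulnerable".
sysfs_mitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$f" ]; then
            echo "$f: not reported by this kernel (treated as unpatched)"
            rc=1
            continue
        fi
        status=$(cat "$dir/$f")
        echo "$f: $status"
        case "$status" in Vulnerable*) rc=1 ;; esac
    done
    return $rc
}

# Stand-alone run: report on the running kernel. Failures are tolerated so the
# script can be sourced or extended without aborting.
echo "running kernel $(uname -r): $(kernel_fix_level "$(uname -r)" || true)"
if [ -r /proc/cmdline ] && cmdline_has_noretpoline "$(cat /proc/cmdline)"; then
    echo "warning: noretpoline is on the kernel command line"
fi
sysfs_mitigated || echo "=> at least one issue is not mitigated or not reported"
```

Run it as `sh check-mitigations.sh`; on a kernel older than the series table it prints `unknown-series` and on one without the sysfs directory every file is reported as missing, which is the conservative answer. The version comparison ignores distribution suffixes, so a distro kernel that backports the fixes under a lower version number will be under-reported by the table; the sysfs lines are the authoritative check in that case.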