[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

current status of spectre/meltdown



Hi,

Trying to do a recap here to update the wiki page correctly:

https://wiki.debian.org/DebianSecurity/SpectreMeltdown

See if you can fill in the blanks I've found...

Spectre v2
----------

My understanding of retpoline is that it was designed to fix spectre v2
(CVE-2017-5715), yet it's not clear to me the fix is actually complete
without firmware updates. Do we have a clear status on that?

On Ubuntu's side, they claim it requires cpu-level firmware updates,
even though they seem to be in the process of rebuilding kernels and
userspace (at least in 18.04LTS and parts of the other releases) with
retpoline, so I'm not sure where we stand with this:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown#Current_Status

We seem to have retpoline backported for GCC 4.9 now and work being done
to backport that or the patches back into wheezy. But what about
stretch/buster? Are we expecting an archive rebuild with retpoline? Is
so, which suites and when?

Spectre v1
----------

And what about Specret v1? It's currently marked as unfixed in the
kernel:

https://security-tracker.debian.org/tracker/CVE-2017-5753

What are the expected mitigations here? I see that 4.15.4-1 is marked as
fixed for that, but it's unclear to me if that trickles down to all
userspace, considering the scope...

Ubuntu fixed this in according to this advisory, but it's unclear to me
what exactly they did, I lost track, to be honest:

https://usn.ubuntu.com/usn/usn-3541-1/

Meltdown
--------

We currently say that only amd64 is mitigated for Meltdown in the wiki -
is there work being done in the kernel to try and fix this in other
architectures? Or is the intersection of "vulnerable design + exotic
architecture" too small to bother?

It does seem like only *some* ARM Cortex cores are vulnerable, and that
ARM seems to be pretty diligent about their firmware updates:

https://developer.arm.com/support/security-update

It looks like they recommend retpoline + kpti as mitigations for variant
1 and variant 2/3, respectively, which seems contrary to information
I've found elsewhere, e.g. Google, which says basically:

 * variant 1: "per binary basis"
 * variant 2: "retpoline"
 * variant 3: "KPTI"

https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

Overall
-------

Overall, I think our page has improved significantly over what was there
before, which was... well, nothing. :) But there's still work to do in
documentation (on top of mitigation itself of course). In particular, I
wonder why we are not tracking userland packages like xen, qemu,
firefox, chromium, libvirt and others, like Ubuntu has been doing.

Furthermore, do we want to add a timeline of activities so that people
can get a quick glance at what was fixed when? We could regroup, for
example, issues that are currently unrelated like gcc-4.9's
DSA-4117-1...

Thanks!

-- 
Music gives a soul to the universe, wings to the mind, flight to the
imagination and life to everything
                         - Plato


Reply to: