
Re: Is Debian Linux protected against the Meltdown and Spectre security flaws?



Hello,

> On 19 February 2018 at 13:13, Turritopsis Dohrnii Teo En Ming <
> tdteoenming@gmail.com> wrote:
> 
> > What are the patches that I can download and install to be protected
> > against the Meltdown and Spectre security vulnerabilities?

The linux-kernel-* packages in Debian stable already have the KPTI
feature which protects you against Meltdown.

For variant 2 of Spectre you need a kernel with the so-called
retpoline feature that was also compiled with a compiler that
supports that feature. At the moment I think that the only packaged
kernel which has this (has feature and is compiled with new enough
gcc) is the one in unstable:

    <https://packages.debian.org/sid/linux-image-4.14.0-3-amd64>

Versions of gcc that have the retpoline feature backported into them
have already hit stable and oldstable (and maybe others; haven't
checked), so another alternative would be to compile your own
upstream kernel package using that gcc. Since Debian stable uses the
4.9.x long term stable kernel releases, you could use the latest
upstream of those. Anything past 4.9.77 has the retpoline feature.

Or just wait a bit longer for a kernel package that is compiled with
a newer gcc to arrive as a stable security update. This is probably
the most reasonable approach for the average user of Debian.

Patches for variant 1 of Spectre are still in development in the
upstream kernel, and in other software. You will also need updated
CPU microcode and possibly a new BIOS.

It is likely that there will be further exploit techniques
discovered in this general area, that will require different fixes.

There are some other considerations if your machine is not running
on bare metal. In that case you should check with your
virtualisation provider about that.

On Mon, Feb 19, 2018 at 01:23:25PM +0000, Michael Fothergill wrote:
> Checkout the debian backports suite (kindly resourcefully suggested by
> Andy Smith)

Please note that I provided these details to Michael Fothergill as
part of Michael's general query about how a user could obtain a
newer kernel package, not as an answer to how to obtain a kernel
that was secured against any particular thing.

Backports is not the correct answer for security purposes. Security
support in the backports suite is done by the package uploaders and
not the security team. Although, updates for the kernel packages do
tend to arrive pretty quickly so I personally would not feel too bad
about short term use of a backports kernel.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
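
To see where a given host actually stands on the three separate things the mail above distinguishes (KPTI for Meltdown, a retpoline kernel that was also built with a retpoline-aware gcc for Spectre variant 2, and the microcode-provided branch controls), here is an added shell script. It is not part of Andy's mail or of any Debian package. The version thresholds and flag names in its comments (sysfs vulnerabilities directory from about 4.9.75, the KPTI flag reported first as "kaiser" and later as "pti", microcode flags ibpb/ibrs/stibp/spec_ctrl) are from memory of the 4.9 LTS series and should be treated as assumptions; the sample cpuinfo and sysfs contents it builds are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the mail above or from Debian): report where a
# Linux host stands on the Meltdown/Spectre fixes. Assumptions, from memory
# of the 4.9 LTS series: /sys/devices/system/cpu/vulnerabilities appeared
# around 4.9.75; the KPTI flag in /proc/cpuinfo was first "kaiser", later
# "pti"; ibpb/ibrs/stibp/spec_ctrl come from updated microcode.

# version_ge A B: succeed if dotted version A >= B. Debian suffixes such as
# "-1+deb9u3" or "-3-amd64" are stripped, so 4.9.82-1+deb9u3 compares as 4.9.82.
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//').   # trailing dot guarantees a delimiter
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//').
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        # Both exhausted: the versions are equal.
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# report_cpuinfo FILE: summarise the first 'flags' and 'bugs' lines of a
# /proc/cpuinfo-format file as space-separated tokens:
#   kpti                      kernel advertises page-table isolation (pti/kaiser)
#   ibpb ibrs stibp spec_ctrl microcode exposes indirect-branch controls
#   bug:NAME                  each entry the kernel lists on the bugs line
report_cpuinfo() {
    [ -r "$1" ] || return 1
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    bugs=$(sed -n 's/^bugs[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    out=""
    for f in $flags; do
        case $f in
            pti|kaiser) out="$out kpti" ;;
            ibpb|ibrs|stibp|spec_ctrl) out="$out $f" ;;
        esac
    done
    for b in $bugs; do out="$out bug:$b"; done
    printf '%s\n' "${out# }"
}

# sysfs_vulns [DIR]: print "name: status" for every file in the kernel's
# vulnerabilities directory; fail if the kernel predates that interface.
sysfs_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no $dir (kernel predates the sysfs vulnerability report)" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Demo on constructed sample data (not captured from a real host).
demo=$(mktemp -d)
printf 'flags\t\t: fpu vme pti ibpb stibp spec_ctrl\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n' > "$demo/cpuinfo"
mkdir "$demo/vulnerabilities"
echo 'Mitigation: PTI' > "$demo/vulnerabilities/meltdown"
echo 'Vulnerable' > "$demo/vulnerabilities/spectre_v1"
echo 'Mitigation: Full generic retpoline' > "$demo/vulnerabilities/spectre_v2"
echo '== constructed sample =='
report_cpuinfo "$demo/cpuinfo"
sysfs_vulns "$demo/vulnerabilities"
rm -r "$demo"

# Then the machine the script is running on.
echo '== this host =='
echo "kernel: $(uname -r)"
if version_ge "$(uname -r)" 4.9.77; then
    echo "kernel >= 4.9.77: retpoline source present (still needs a retpoline-aware gcc)"
else
    echo "kernel < 4.9.77: no retpoline in this source series"
fi
if [ -r /proc/cpuinfo ]; then report_cpuinfo /proc/cpuinfo; fi
sysfs_vulns || true
```

The spectre_v2 line is where the mail's gcc point shows up: a kernel whose source carries retpoline but which was built with an older gcc reports "Mitigation: Minimal generic ASM retpoline" rather than "Mitigation: Full generic retpoline", so checking that file is more reliable than checking the version string alone. The sysfs files are world-readable, so the script needs no root.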
