[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of a kernel hardening patches and config options? (Meltdown and Spectre attacks).

Seth Arnold seth.arnold at canonical.com
Thu Feb 1 00:54:28 UTC 2018


On Wed, Jan 31, 2018 at 09:05:46PM +0000, daniel curtis wrote:
> I'm sorry for this introduction, but I've talked with many people that are
> running Linux, and they are confused, just like me. I would like to ask
> about the 16.04 LTS Release and the i386/x86 architecture. This Release is running
> the Longterm Linux kernel v4.4. For example, LTS kernels should have the
> "CONFIG_PAGE_TABLE_ISOLATION" build option to get complete protection,
> right?

Hello Daniel,

Take some solace from the fact that you're not the only one
confused. The industry's preferences on which mitigations to use for
which vulnerabilities have changed from day to day, and the microcode
updates have been even more confusing.

We've prepared a wiki page to hold our most up-to-date information about
the issues:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Since the information changes rapidly enough, I won't address too many
specifics here, since I'm liable to be wrong in a few days or weeks or
months anyway.

> However, the latest Linux kernel version - v4.4.0-112-generic - does not
> contain the above option (see below). What is the reason? (I mean the i386/x86
> architecture.)

32-bit x86 might not receive mitigations for Meltdown.

Our friends at SUSE have prepared some preliminary patches to explore KPTI
on 32-bit x86 but I believe they have not received wide testing nor wide
feedback. These may or may not lead to something that we can deploy for
32-bit x86.

> Also, the KPTI/KAISER patches should be easily reported via 'dmesg' when
> the functionality is enabled/disabled (see below). An official v4.4.100
> kernel contains, among others, two interesting commits regarding the above
> information. The first one is about: "Make sure dmesg reports when KPTI is
> enabled." (In my case there isn't any result; see below). The second one:
> "This renames CONFIG_KAISER to CONFIG_PAGE_TABLE_ISOLATION." Again, there
> is no "PAGE_TABLE_ISOLATION" config in the v4.4.0-112-generic kernel (arch.:
> i386/x86).

My currently booted kernel on my x86-64 laptop reports this in early boot:
[    0.000000] Kernel/User page tables isolation: enabled

> For some time '/sys/devices/system/cpu/vulnerabilities/*' has been available.
> Mr Greg Kroah-Hartman, on his website, has written that: "If your kernel
> does not have that sysfs directory or files, then obviously there is a
> problem and you need to upgrade your kernel!" But there is no such
> directory in the latest 16.04 LTS Linux kernel - v4.4.0-112-generic. Will
> this feature be backported?

This feature might be backported. I understand it was posted to LKML
late in our recent update cycle and the value of hard-coded "vulnerable"
files seemed dubious at best. (After all, the kernel receives hundreds of
security fixes every year. These might be different, in the sense that
they are hardware flaws, but still it feels awkward to me to encode the
mitigation used for these three flaws but not the hundreds of others in
the kernel. Because attacks never get worse, I'm even skeptical of the
value of any given mitigation that would flip the values of these files
from "vulnerable" to "mitigated". Maybe a week later someone would figure
out how to extend the exploits again.)

If these files are still in mainstream kernels in a few weeks I suspect
we'll eventually have them in our kernels too.

> By the way: what is happening to the v4.4 kernel in the 16.04 LTS Release? It's
> still at the v4.4.98 level, since the latest v4.4 version released by Mr
> Kroah-Hartman (released Wed. Jan. 31; that's today) is v4.4.114! So, the
> difference between these two kernels is... 16. What is the reason? What's
> happening? Honestly, I'm getting nervous. Maybe there could be some
> Canonical statement about this situation?

This makes sense: 4.4.98 was released in mid-November, when our kernel
team was working on Meltdown and Spectre mitigations. Since then their
efforts have been focused on these two. I expect they'll pull in newer
upstream releases in due time. If you're particularly affected by anything
specific, perhaps file a bug report with a pointer to the upstream commits
you need. I can't predict when they'll have more bandwidth.

> So, what about i386/x86 architecture? Will there be available updates, just
> like for x86_64?

I can't promise anything one way or another. There's a chance we may not
be able to provide Meltdown mitigations for 32-bit x86.

There's currently a gcc in xenial-proposed that has retpoline support:
https://launchpad.net/ubuntu/+source/gcc-5/5.4.0-6ubuntu1~16.04.8

If this compiler appears to work well, I believe we'll be able to provide
Spectre-mitigated kernels for x86-32, but without Meltdown mitigations it
feels a bit academic to me.

Thanks
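An added example, not part of this thread or of any Ubuntu tooling: a POSIX shell script that checks the three indicators discussed above (the sysfs vulnerabilities directory, CONFIG_PAGE_TABLE_ISOLATION or its older name CONFIG_KAISER in the kernel config, and the "Kernel/User page tables isolation: enabled" dmesg line). Each function takes an optional path so it can be run against sample files; the defaults are the live system locations.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the Meltdown/KPTI indicators
# the thread discusses. All paths are parameters; defaults are the live ones.

# Print "<name>: <status>" for each file in a vulnerabilities sysfs directory,
# or "absent" when the directory does not exist (as on a 4.4.0-112 kernel).
vuln_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "absent"; return 0; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Report which page-table-isolation config symbol the kernel config carries:
# "pti" (CONFIG_PAGE_TABLE_ISOLATION), "kaiser" (older CONFIG_KAISER) or "none".
pti_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$cfg" 2>/dev/null; then
        echo "pti"
    elif grep -q '^CONFIG_KAISER=y' "$cfg" 2>/dev/null; then
        echo "kaiser"
    else
        echo "none"
    fi
}

# Look for the early-boot line quoted in the thread. Reads a saved log file
# if one is given, otherwise the live dmesg (which may need root to read).
pti_dmesg() {
    if [ -n "$1" ]; then log=$(cat "$1"); else log=$(dmesg 2>/dev/null); fi
    if printf '%s\n' "$log" | grep -q 'Kernel/User page tables isolation: enabled'; then
        echo "enabled"
    else
        echo "not-reported"
    fi
}

# Summary for the running system (arguments are only used by the checks above).
report() {
    echo "kernel: $(uname -r) ($(uname -m))"
    echo "sysfs vulnerabilities:"; vuln_status
    echo "config symbol: $(pti_config)"
    echo "dmesg KPTI line: $(pti_dmesg)"
}

report
```

On a 16.04 i386 4.4.0-112 kernel the expected output is "absent", "none" and "not-reported"; the x86-64 laptop quoted in the reply would show "enabled" for the dmesg line.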