[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).

daniel curtis sidetripping at gmail.com
Thu Mar 29 16:55:15 UTC 2018


Hello Seth.

An updated 'intel-microcode' (3.20180312.0~ubuntu16.04.1) package is
already available. However, I would like to ask a question about
installing such a package. There is a table on the Security Team wiki page
with the kernel mitigations available in the various Ubuntu releases and
architectures etc. (please see 1.)

If it's about the i386/x86 architecture and "Spectre_V2" (the
'intel-microcode' package provides IBRS/IBPB/STIBP microcode support
and mitigation for this variant), we can see that there is "R" only.
It means: "Kernel compiled with Retpoline, please see the FAQ around
Retpoline (...)". On the other side, amd64 contains both "R" and "F".
In this case updated firmware/microcode is required. Generally, it
looks this way:

Spectre variant 2 mitigation available:

● i386: R
      ✓ Kernel compiled with Retpoline (...)
● amd64: F,R
      ✓ Updates have been published to mitigate the issue but require updated
          firmware/microcode
      ✓ Kernel compiled with Retpoline (...)

So, should I install the 'intel-microcode' package? According to the
Security Team wiki and the mentioned table, the answer is: no. But maybe
I'm wrong and I should install this package? By the way: the
processor that I'm using on this computer is listed on the Intel download page
(please see 2.)

Seth, what do you think? Should I install the 'intel-microcode' package
even if this mitigation is not mentioned in the table above?

Thanks, best regards.
__________________
1. https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown#Kernel_Mitigations
2. https://downloadcenter.intel.com/download/27591/Linux-Processor-Microcode-Data-File
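As an added example that is not part of the original message (and not an Ubuntu or Canonical tool): a small POSIX shell check that reads what the running kernel itself reports for Spectre v2 and the CPU microcode revision, so the question "is the installed microcode actually being used?" can be answered from the machine rather than from the wiki table alone. It assumes the standard sysfs/procfs paths and the status strings used by the upstream spectre_v2 sysfs file, which Ubuntu's 16.04 kernels are assumed to match.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the kernel's own Spectre v2
# status line and whether any microcode-backed feature (IBPB/IBRS/STIBP) is in
# use. Functions take a file argument so a saved copy can be inspected offline.

SYSFS_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2
CPUINFO=/proc/cpuinfo

# Classify a spectre_v2 status line (assumed upstream wording). Output is one of:
#   not-affected | vulnerable | retpoline-only | retpoline+microcode |
#   microcode-only | unknown
spectre_v2_class() {
    line=$1
    case "$line" in
        "Not affected"*) echo not-affected; return ;;
        Vulnerable*)     echo vulnerable;   return ;;
        Mitigation:*)    ;;
        *)               echo unknown;      return ;;
    esac
    ret=0; ucode=0
    case "$line" in *etpoline*) ret=1 ;; esac
    # IBPB/IBRS/STIBP are only listed when the microcode exposes them;
    # older kernels reported plain "Indirect Branch Restricted Speculation".
    case "$line" in *IBPB*|*IBRS*|*STIBP*|*"Indirect Branch"*) ucode=1 ;; esac
    if [ "$ret" = 1 ] && [ "$ucode" = 1 ]; then echo retpoline+microcode
    elif [ "$ret" = 1 ]; then echo retpoline-only
    elif [ "$ucode" = 1 ]; then echo microcode-only
    else echo unknown
    fi
}

# Microcode revision as /proc/cpuinfo prints it (first CPU only).
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "$1"
}

report() {
    if [ -r "$SYSFS_V2" ]; then
        status=$(cat "$SYSFS_V2")
        echo "spectre_v2: $status"
        echo "class:      $(spectre_v2_class "$status")"
    else
        echo "no $SYSFS_V2: this kernel does not report mitigation status"
    fi
    if [ -r "$CPUINFO" ]; then
        echo "microcode:  $(microcode_rev "$CPUINFO")"
    fi
}

report
```

A "retpoline-only" result with a new microcode package installed means the kernel is not using the microcode features, which is exactly the i386 "R only" case from the table; "retpoline+microcode" means the loaded microcode is in play.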
