Is Ubuntu Linux protected against the Meltdown and Spectre security flaws?

Ralf Mardorf silver.bullet at zoho.com
Mon Feb 19 18:51:46 UTC 2018


On Mon, 19 Feb 2018 20:11:05 +0800, Turritopsis Dohrnii Teo En Ming wrote:
>What are the patches that I can download and install to be protected
>against the Meltdown and Spectre security vulnerabilities?

Hi,

At least the kaiser patch set is applied. I'm not booted into my Ubuntu
install, so I provided some information on how to check if mitigation is
enabled, after logging out of the systemd-nspawn container, from my Arch
Linux install:

[root at archlinux rocketmouse]# systemd-nspawn -qD /mnt/moonstudio 
[root at moonstudio ~]# lsb_release -rc
Release:	16.04
Codename:	xenial
[root at moonstudio ~]# apt changelog linux-image-4.4.0.112-lowlatency 2>/dev/null | grep -i kaiser
    - SAUCE: kaiser: fix perf crashes - fix to original commit
    - kaiser: Set _PAGE_NX only if supported
    - KAISER: Kernel Address Isolation
    - kaiser: merged update
    - kaiser: do not set _PAGE_NX on pgd_none
    - kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE
    - kaiser: fix build and FIXME in alloc_ldt_struct()
    - kaiser: KAISER depends on SMP
    - kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER
    - kaiser: fix perf crashes
    - kaiser: ENOMEM if kaiser_pagetable_walk() NULL
    - kaiser: tidied up asm/kaiser.h somewhat
    - kaiser: tidied up kaiser_add/remove_mapping slightly
    - kaiser: kaiser_remove_mapping() move along the pgd
    - kaiser: cleanups while trying for gold link
    - kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET
    - kaiser: delete KAISER_REAL_SWITCH option
    - kaiser: vmstat show NR_KAISERTABLE as nr_overhead
    - kaiser: enhanced by kernel and user PCIDs
    - kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user
    - kaiser: PCID 0 for kernel and 128 for user
    - kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user
    - kaiser: paranoid_entry pass cr3 need to paranoid_exit
    - kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls
    - kaiser: fix unlikely error in alloc_ldt_struct()
    - kaiser: add "nokaiser" boot option, using ALTERNATIVE
    - x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling
    - x86/kaiser: Check boottime cmdline params
    - kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush
    - kaiser: drop is_atomic arg to kaiser_pagetable_walk()
    - kaiser: asm/tlbflush.h handle noPGE at lower level
    - kaiser: kaiser_flush_tlb_on_return_to_user() check PCID
    - x86/kaiser: Reenable PARAVIRT
    - kaiser: disabled on Xen PV
    - x86/kaiser: Move feature detection up
    - [Config]: CONFIG_KAISER=y
[root at moonstudio ~]# apt changelog linux-image-4.4.0.112-lowlatency 2>/dev/null | grep "KPTI: Report when enabled" -B10 -A10
    - x86/mm: Disable PCID on 32-bit kernels

 -- Marcelo Henrique Cerri <marcelo.cerri at canonical.com>  Sun, 07 Jan 2018 11:46:05 -0200

linux (4.4.0-107.130) xenial; urgency=low

  * linux: 4.4.0-107.130 -proposed tracker (LP: #1741643)

  * CVE-2017-5754
    - Revert "UBUNTU: SAUCE: arch/x86/entry/vdso: temporarily disable vdso"
    - KPTI: Report when enabled
    - x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader
    - x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap
    - x86/kasan: Clear kasan_zero_page after TLB flush
    - kaiser: Set _PAGE_NX only if supported

 -- Kleber Sacilotto de Souza <kleber.souza at canonical.com>  Sat, 06 Jan 2018 17:13:03 +0100

linux (4.4.0-106.129) xenial; urgency=low

  * linux: 4.4.0-106.129 -proposed tracker (LP: #1741528)
[root at moonstudio ~]# logout
[root at archlinux rocketmouse]# dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[    0.000000] Intel Spectre v2 broken microcode detected; disabling Speculation Control
[    0.326377] microcode: sig=0x306c3, pf=0x2, revision=0x23
[    0.326507] microcode: Microcode Update Driver: v2.2.
[root at archlinux rocketmouse]# ls -hAl /sys/devices/system/cpu/vulnerabilities/
total 0
-r--r--r-- 1 root root 4.0K Feb 19 19:44 meltdown
-r--r--r-- 1 root root 4.0K Feb 19 19:44 spectre_v1
-r--r--r-- 1 root root 4.0K Feb 19 19:44 spectre_v2
[root at archlinux rocketmouse]# cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
[root at archlinux rocketmouse]# lsb_release -r
Release:	rolling

If I boot with nopti, the output looks like this:

[rocketmouse at archlinux ~]$ cat /sys/devices/system/cpu/vulnerabilities/*
Vulnerable
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline

Regards,
Ralf
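The checks shown above (reading /sys/devices/system/cpu/vulnerabilities/* and grepping dmesg for the microcode message) can be wrapped in a small script so the result is a pass/fail status rather than something to eyeball. The following is an added example and is not part of the mail above; the directory argument, the function names and the sample directory built by make_sample_dir (which mirrors the "nopti" output quoted in the mail) are assumptions made here so the script can also be exercised offline.

```shell
#!/bin/sh
# Added example: summarize CPU vulnerability mitigation status from the sysfs
# directory the kernel exposes since the KPTI/retpoline work. The directory is
# a parameter (assumption) so the function can be run against a constructed
# copy; on a live system the default /sys/devices/system/cpu/vulnerabilities is used.

# Print one line per vulnerability file (name, verdict, raw status line) and
# return 1 if any file reports "Vulnerable", 0 otherwise.
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     tag="VULNERABLE"; rc=1 ;;
            Mitigation:*)    tag="mitigated" ;;
            "Not affected")  tag="not affected" ;;
            *)               tag="unknown" ;;
        esac
        printf '%-12s %-13s %s\n' "$name" "$tag" "$status"
    done
    return "$rc"
}

# Read dmesg output from stdin and return 1 if the kernel reported the
# "broken microcode" condition shown in the mail (Speculation Control disabled),
# 0 otherwise. Usage: dmesg | microcode_ok
microcode_ok() {
    if grep -q 'broken microcode'; then
        return 1
    fi
    return 0
}

# Build a constructed copy of the sysfs directory reproducing the "nopti"
# boot from the mail: meltdown unmitigated, spectre_v1/v2 mitigated.
# Prints the directory path; the caller removes it when done.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Run against the live system when invoked as: sh thisscript.sh live
if [ "${1:-}" = "live" ]; then
    check_vulns
    if [ "$(id -u)" = "0" ]; then
        dmesg | microcode_ok || echo "microcode: kernel reported broken Spectre v2 microcode"
    fi
fi
```

The exit status of check_vulns is what a monitoring job would key on; a "Vulnerable" line for meltdown with the other two mitigated is exactly what the nopti boot in the mail produces, and the sample directory reproduces that case.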
