Meltdown, Spectre, and what they mean for Linux users
Meltdown
Meltdown [6] breaks the security barriers between userspace programs and the kernel. A process prepared by the attacker can cause the CPU to speculatively load data and then access the kernel area directly by levering out access control – for example, using untrusted JavaScript code executed via a web browser.
The problem is that many CPUs do not check access rights when accessing memory during speculative execution. Attackers can therefore load data into the cache that should not actually be accessible. There is no direct way to read the data from the cache; however, differences in the execution times of data in the cache and out of it can be used to read individual bits in memory. By repeating the procedure, malicious code can read the memory at a rate of up to 1.5KBps – fast enough to access passwords and other security-relevant data stored there.
To prevent this attack, the developers of Kernel 4.15 and higher separate the page tables formerly shared by the kernel and user space into two completely separate sets. Thanks to kernel page table isolation (KPTI), after you apply the appropriate patches, a process can only see the memory area assigned to it; no longer can it see the memory of the operating system kernel [7]. This restriction prevents an unprivileged process from accessing the kernel space memory area.
AMD in Luck
The Meltdown gap has plagued almost all Intel processors since 1995, with the exception of the Itanium architecture, the Atom processors produced before 2013, and some ARM64 chips based on the Cortex A75. AMD CPUs, on the other hand, are not affected by Meltdown. The Linux kernel already benefited from Meltdown patches at the end of the year, so that protection has existed as of Linux 4.15-rc7, from January 6.
The developers then backported the fix to the LTS 4.4 and 4.9 kernels, as well as Linux 4.14.12; Kernel 4.16 protects affected ARM64 CPUs and the s390 port for Linux on IBMs Z-systems and LinuxONE servers. The 3.18, 4.4, and 4.9 branches of the Android Common Kernel were patched. Kernel 4.15 offers fundamental protection against Meltdown, although it is still vulnerable to Spectre v1 (Figure 3). Kernel 4.15.4 from February 16 closes the Spectre v1 vulnerability (Figure 4). This is by no means the end, as 4.17 and beyond will further stabilize and expand the existing patches.
![](/var/linux_magazin/storage/images/issues/2018/211/meltdown-and-spectre/figure-3/726532-1-eng-US/Figure-3_large.png)
![](/var/linux_magazin/storage/images/issues/2018/211/meltdown-and-spectre/figure-4/726535-1-eng-US/Figure-4_large.png)
Spectre
Defensive measures against Spectre [8] cause considerably more work than defenses that target Meltdown. Spectre also affects AMD processors and the PowerPC platform. Initial patches for Spectre v2 were available in kernel 4.15; they are successively extended and perfected in Kernel 4.16.
The two variants of the Spectre vulnerability can only be prevented by the interaction of a patched kernel, an adapted compiler, and microcode from Intel or AMD. In addition, many thousands of applications have to be patched separately; Firefox 57.0.4, Chrome 64, and other web browsers already have updates.
Linux uses a software construct from Google to combat Spectre, which the developers named Retpoline ("Return Trampoline") [9]. This fix allows indirect branches to be excluded from speculative execution via an endless loop. Retpoline needs an adapted compiler, which is now available in the form of GCC 7.3.
At the same time, Intel released new microcode to contain Spectre v2 with the Indirect Branch Prediction Barrier (IBPB), Single Thread Indirect Branch Predictors (STIBP), and Indirect Branch Restricted Speculation (IBRS) measures. These changes are what unleashed Linus Torvalds' criticism. He expressed the opinion that the changes were "absolute rubbish" and a "dirty hack" that would result in severe performance loss. Intel indirectly proved him right by hastily withdrawing the microcode and discouraging its use. The updates led to crashes and spontaneous reboots on Broadwell and Haswell CPUs.
The kernel community, on the other hand, relies on Google's Retpoline fix, which does not compromise performance. The only potential addition to the Linux kernel fix is Intel's IBPB, which serves as a barrier for context changes to prevent the CPU from reusing already known branch targets. However, before the kernel community can integrate IBPB, CPU manufacturers must first make revised microcode available.
The last of the three vulnerabilities the kernel developers need to patch is Spectre v1. On February 4, the first basic patches designed to contain Spectre v1 were submitted; they have already been included in Kernel 4.15.4. Further improvements will follow for kernel 4.16, expected at the beginning of April, and later kernel versions. These code patches affect both the x86 platform and ARM64.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.