Spectre and Meltdown fixes - release dates for linux distros
Unfortunately, the Meltdown and Spectre vulnerabilities became public too early. So now we are all keen on getting updates for our servers to work around the respective design issues in modern CPUs as soon as possible. Originally, the official announcement was planned for Jan. 9, so we can expect that by then most OSes, including most Linux distributions, will have a fix in their repos which can simply be installed by running whatever your regular update routine is. That's
apt-get update && apt-get upgrade
in Ubuntu and
yum update
in RedHat and CentOS distributions.
This update will need a reboot of your server for sure; don't just update and continue to work without rebooting.
However, now that the news is out, every OS vendor is trying to push out patches as fast as possible, so fixes may be released earlier. Here is a list of links with information about updates available from the Linux distributions I care about:
- Debian stretch is fixed as of kernel version 4.9.65-3+deb9u2
- Ubuntu (fixes for all maintained versions available as of Jan. 9th)
- Proxmox VE (Debian-based virtualization environment): fixed for versions 4 and 5 as explained in the linked forum post.
- CentOS (started syncing to mirrors on Jan 4): kernel-3.10.0-693.11.6.el7.x86_64.rpm and related packages fix the bug
- RedHat Enterprise Linux RHEL 7 (released Jan. 3)
For further information read those pages or check out the link section of the meltdown webpage.
Minimalistic Fix on CentOS 7.4
Usually all you need to do today is simply update your Linux to the latest patch level and you should be good. As of now (18.1.18) you might need to update the microcode (firmware) for your CPU manually, as some distributions (RHEL for example) have removed the Intel firmware from their repos for the moment, due to some stability issues.
Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your CentOS:
- download the necessary update packages:
mkdir -p /opt/meltdown
cd /opt/meltdown
for p in kernel-abi-whitelists-3.10.0-693.11.6.el7.noarch.rpm \
         kernel-debug-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-debug-devel-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-devel-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-doc-3.10.0-693.11.6.el7.noarch.rpm \
         kernel-headers-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-tools-libs-devel-3.10.0-693.11.6.el7.x86_64.rpm \
         perf-3.10.0-693.11.6.el7.x86_64.rpm \
         python-perf-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-3.10.0-693.11.6.el7.src.rpm \
         kernel-3.10.0-693.11.6.el7.x86_64.rpm; do
    wget http://mirror.centos.org/centos/7.4.1708/updates/x86_64/Packages/$p
done
- create a repository:
createrepo .
- add your repository to yum. Note that gpgcheck=0 turns signature verification off for this repo and the files were fetched over plain http, so check the downloaded packages against the CentOS signing key yourself (rpm -K on each file) before updating:
mydir=$(pwd)
cat > /etc/yum.repos.d/CentOS-meltdown.repo <<EOF
# CentOS-meltdown.repo
#
# contains minimalistic update to fix meltdown and spectre
[meltdown-updates]
name=CentOS-\$releasever - Meltdown-Updates
baseurl=file://$mydir
gpgcheck=0
enabled=1
EOF
(The backslash in \$releasever keeps the shell from expanding that variable inside the heredoc, so yum receives the literal $releasever while $mydir is filled in with your download directory.)
- run the update and reboot the machine:
yum update
reboot
Microcode Update - Yes it's necessary too!
Your system should now be patched against Variant 1 and 3. In order to protect against Variant 2, you also need to install newer microcode. Keep in mind, however, that there were some stability issues with the microcode released until today (18.1.18), so that for example RedHat removed it from their repos. However, this step can be reverted should you have issues with the new microcode (sudden reboots were reported), so if you can afford a few crashes at worst, you should still give it a try and only revert when the system gets too unstable for you to work with:
- go to the Intel download center and download the latest microcode package:
cd /root/
wget <url copied from downloadcenter>
- now move your existing microcode package to another location, so you can move it back in case you run into the stability issues that some users had with the new one. Then unpack and load the new microcode:
cd /lib/firmware/
mv intel-ucode /root/intel-ucode.old
tar xvf /root/microcode-20180108.tgz
echo 1 > /sys/devices/system/cpu/microcode/reload
You can double check whether your microcode was loaded using
dmesg | grep microcode
You should now be up to date with the latest patches for all three variants of the Spectre & Meltdown vulnerabilities.
Test-Tools
Performance Impact
The fix for all this works in a way that may affect system performance negatively. Different sources claim different results, ranging from no impact at all up to a 30% slowdown. As always, benchmarks are probably not too representative of your real-world experience. In order to find out what the difference in performance is, you can simply disable the workaround on a patched kernel and run your workload once with and once without the patch.
In CentOS (and probably other Linux distributions as well) the workarounds can be enabled or disabled without a reboot using these commands (the files live on debugfs, so /sys/kernel/debug must be mounted):
echo 0 > /sys/kernel/debug/x86/pti_enabled
echo 0 > /sys/kernel/debug/x86/ibpb_enabled
echo 0 > /sys/kernel/debug/x86/ibrs_enabled
By default all three fixes are enabled. If you want to disable them permanently (i.e. on every boot), you can add these three options to your kernel command line:
noibrs noibpb nopti
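As an added example (not code from the original page), here is a small POSIX shell helper that audits the three things this page asks you to do on CentOS 7.4: the kernel is at least the fixed 3.10.0-693.11.6.el7 build, the pti/ibpb/ibrs debugfs knobs from the performance section are on, and dmesg reports a microcode update. It assumes GNU sort -V and the RHEL 7 kernel's "updated to revision" message wording; the sysfs tree and dmesg lines used in the test are constructed.

```shell
#!/bin/sh
# Constructed audit helper for the CentOS 7.4 Meltdown/Spectre steps on this page.
# Every check takes its input as a parameter so it can be run against a fake
# sysfs tree or a saved dmesg; "report" runs them against the live system.
FIXED_KERNEL="3.10.0-693.11.6.el7"   # first fixed CentOS 7.4 kernel (from the page)

# kernel_is_patched <uname -r output>: succeeds if that build is >= FIXED_KERNEL
kernel_is_patched() {
    rel=${1%.x86_64}                  # drop the arch suffix before comparing
    # GNU sort -V orders RPM-style versions; the fix must sort first (or equal)
    first=$(printf '%s\n%s\n' "$FIXED_KERNEL" "$rel" | sort -V | head -n 1)
    [ "$first" = "$FIXED_KERNEL" ]
}

# knob_state <pti|ibpb|ibrs> [root]: prints on, off or absent for the RHEL/CentOS
# debugfs knob (absent also means debugfs is not mounted or the kernel is unpatched)
knob_state() {
    f="${2:-}/sys/kernel/debug/x86/${1}_enabled"
    if [ ! -r "$f" ]; then echo absent
    elif [ "$(cat "$f")" = "1" ]; then echo on
    else echo off; fi
}

# microcode_loaded <file with dmesg output>: succeeds if the kernel logged a
# microcode update (Intel "updated to revision", AMD "updated early to new patch_level")
microcode_loaded() {
    grep -Eq 'microcode:.*updated (early )?to (revision|new patch_level)' "$1"
}

# report: run all checks on this machine (reading the knobs needs root)
report() {
    k=$(uname -r)
    if kernel_is_patched "$k"; then echo "kernel $k: patched"
    else echo "kernel $k: OLDER than $FIXED_KERNEL"; fi
    for knob in pti ibpb ibrs; do echo "$knob: $(knob_state "$knob")"; done
    t=$(mktemp); dmesg > "$t" 2>/dev/null
    if microcode_loaded "$t"; then echo "microcode: update logged"
    else echo "microcode: no update logged"; fi
    rm -f "$t"
}

case "${1:-}" in report) report ;; esac
```

Run it as `sh audit.sh report` on the patched host; an "absent" knob on an updated CentOS kernel usually just means debugfs is not mounted.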