Spectre and Meltdown fixes
This page gives a short overview of what is currently available to update your Intel-based server or workstation so that it is patched as well as possible against Spectre (Variant 1 and 2) and Meltdown (Variant 3).
What's needed?
The kernel update needs a reboot of your server: the running kernel stays vulnerable until you restart, so don't just install the update and continue to work without rebooting.
In general you need to update your kernel to the latest version provided by your distribution of choice. By now, pretty much every distribution has released patches.
Here is how it's done. On Ubuntu (and Debian):
apt-get update && apt-get dist-upgrade
Note that a plain apt-get upgrade never installs packages that are not already installed, and a new kernel on Debian/Ubuntu is a new package (linux-image-<version>), so the linux-image-generic or linux-image-amd64 metapackage would be "kept back"; dist-upgrade pulls the new kernel in. On RedHat and CentOS:
yum update
After the reboot, uname -r must show the fixed kernel version from the list below; if it still shows the old one, the new kernel was not installed or the bootloader still defaults to the old entry.
This protects you against the Variant 1 and Variant 3 vulnerabilities. In order to also protect against Variant 2, you further need to update the CPU's microcode (basically the CPU's firmware), because the patched kernel relies on the IBRS/IBPB features that only the new microcode provides. Instructions on how to do that follow further down on this page.
Different Distributions and their update status
Here is a list of links with information about the updates available from the Linux distributions I care most about:
- Debian stretch is fixed as of kernel version 4.9.65-3+deb9u2
- Ubuntu (fixes for all maintained versions available as of Jan. 9th)
- Proxmox VE (Debian-based virtualization environment): fixed for versions 4 and 5 as explained in the linked forum post
- CentOS (started syncing to mirrors on Jan 4): kernel-3.10.0-693.11.6.el7.x86_64.rpm and related packages fix the bug
- RedHat Enterprise Linux RHEL 7 (released Jan 3)
For further information read those pages or check out the link section of the Meltdown web page.
Microcode Update - Yes it's necessary too!
After you have installed the latest OS updates your system should be protected against Variant 1 and 3. In order to protect against Variant 2 you also need to install newer microcode (the firmware of the CPU), because the kernel-side Variant 2 mitigation depends on the IBRS/IBPB features the new microcode adds. Usually the microcode is a package in your distribution's repository and is updated during a normal OS upgrade. However, there were stability issues (reports of spontaneous reboots) with the microcodes released by Intel until today (18.1.18), so that for example RedHat removed them from their repos.
So now you have two options: 1.) wait until a stable microcode update is available and stay vulnerable to Variant 2 until then, or 2.) install the currently available microcode update and risk having a less stable system. I have to mention that Intel says only "some configurations" are affected, without further specifying which configurations those are. I would therefore recommend simply trying the new microcode and, if it does indeed make your system unstable, reverting to the microcode you used before (keep a copy of it, see below).
Here is how you can download the microcode package (for all Intel processors) directly from Intel and drop it into your Linux installation so that the kernel loads the latest microcode:
- go to the Intel download center and get the download link for the latest microcode package.
- download it to your system (the file name used below is the release that was current at the time of writing; use the name of the file you actually downloaded):
cd /root/
wget <url copied from downloadcenter>
- now move your existing microcode directory to another location, so you can move it back in case you hit the stability issues that some users had with the new one. Then unpack the new microcode (the tarball contains the intel-ucode/ directory with one file per CPU family, which is what the kernel looks for under /lib/firmware) and tell the running kernel to load it:
cd /lib/firmware/
mv intel-ucode /root/intel-ucode.old
tar xvf /root/microcode-20180108.tgz
echo 1 > /sys/devices/system/cpu/microcode/reload
You can double check that the microcode was loaded using
dmesg | grep microcode
which should report, for every CPU, the revision it was updated to; the "microcode" line in /proc/cpuinfo shows the revision that is active now. The reload only affects the running kernel, but the microcode driver reads /lib/firmware/intel-ucode again at every boot, so the new files stay in use. Keep in mind that a later update of your distribution's microcode package (intel-microcode on Debian/Ubuntu, microcode_ctl on CentOS/RHEL) will overwrite them again. You should now be up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerabilities.
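As an added example (not part of the original page, and not a script from Intel or any distribution), here is the procedure above wrapped in a small script: it records the microcode revision from /proc/cpuinfo before and after the reload, classifies what happened, and can put the saved directory back. The default paths, the tarball name and the apply/revert subcommands are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: the manual microcode update
# from the steps above, wrapped so that the CPU microcode revision is recorded
# before and after the reload and the old firmware directory can be restored.
# Assumptions (mine, not from the page): run as root, the kernel supports late
# loading via /sys/devices/system/cpu/microcode/reload, and the tarball lives
# at $TARBALL (the 20180108 release is the one the page used).

FW_DIR=${FW_DIR:-/lib/firmware}
BACKUP_DIR=${BACKUP_DIR:-/root/intel-ucode.old}
TARBALL=${TARBALL:-/root/microcode-20180108.tgz}

# Print the microcode revision of the first CPU in a /proc/cpuinfo-style file,
# e.g. "0x3b"; prints nothing if there is no microcode line at all.
ucode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# Classify a before/after pair of hex revisions: updated, unchanged, downgraded.
# Compared numerically, so 0x3b and 0x003b count as the same revision.
reload_result() {
    b=$(printf '%d' "${1:-0}")
    a=$(printf '%d' "${2:-0}")
    if [ "$a" -gt "$b" ]; then
        echo updated
    elif [ "$a" -eq "$b" ]; then
        echo unchanged
    else
        echo downgraded
    fi
}

# Back up the current intel-ucode directory, unpack the new one, ask the
# kernel to reload, and report what changed.
apply_update() {
    [ -f "$TARBALL" ] || { echo "missing $TARBALL" >&2; return 1; }
    if [ -e "$BACKUP_DIR" ]; then
        echo "$BACKUP_DIR exists, refusing to overwrite the backup" >&2
        return 1
    fi
    before=$(ucode_rev /proc/cpuinfo)
    mv "$FW_DIR/intel-ucode" "$BACKUP_DIR"
    tar -C "$FW_DIR" -xzf "$TARBALL"
    echo 1 > /sys/devices/system/cpu/microcode/reload
    after=$(ucode_rev /proc/cpuinfo)
    echo "microcode revision $before -> $after ($(reload_result "$before" "$after"))"
    dmesg | grep -i microcode | tail -n 5
}

# Put the saved directory back. This takes effect at the next boot: the
# runtime loader only ever applies a revision newer than the one the CPU runs.
revert_update() {
    [ -d "$BACKUP_DIR" ] || { echo "no backup at $BACKUP_DIR" >&2; return 1; }
    rm -rf "$FW_DIR/intel-ucode"
    mv "$BACKUP_DIR" "$FW_DIR/intel-ucode"
    echo "restored $FW_DIR/intel-ucode from $BACKUP_DIR, reboot to use it"
}

case "${1:-}" in
    apply)  apply_update ;;
    revert) revert_update ;;
esac
```

Run it as ./ucode.sh apply after downloading the tarball; if the machine becomes unstable, ./ucode.sh revert and reboot. The reboot is not optional for the revert: the kernel's late loader refuses to apply a microcode revision that is not newer than the one the CPU already runs, so an older revision can only come back through a fresh boot.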
Minimalistic Fix on CentOS 7.4
Should you, for some reason, not be able or willing to run a full update, here is a minimalistic fix for your CentOS 7.4 that installs only the fixed kernel packages from a local repository:
- download the necessary update packages (kernel-3.10.0-693.11.6.el7.x86_64.rpm is the one that carries the fix; the others only keep kernel-headers, kernel-tools etc. in sync with it, so if one of them is not installed on your machine or its download fails, drop it from the list):
mkdir -p /opt/meltdown
cd /opt/meltdown
for p in kernel-abi-whitelists-3.10.0-693.11.6.el7.noarch.rpm \
         kernel-debug-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-debug-devel-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-devel-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-doc-3.10.0-693.11.6.el7.noarch.rpm \
         kernel-headers-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-tools-libs-devel-3.10.0-693.11.6.el7.x86_64.rpm \
         perf-3.10.0-693.11.6.el7.x86_64.rpm \
         python-perf-3.10.0-693.11.6.el7.x86_64.rpm \
         kernel-3.10.0-693.11.6.el7.src.rpm \
         kernel-3.10.0-693.11.6.el7.x86_64.rpm; do
    wget http://mirror.centos.org/centos/7.4.1708/updates/x86_64/Packages/$p
done
- create a repository:
createrepo .
- add your repository to yum. The here-document is unquoted so that $mydir is expanded, which means $releasever has to be escaped to reach yum literally. gpgcheck stays on: the packages came over plain http, so let yum verify them against the CentOS signing key that is already on the system:
mydir=$(pwd)
cat > /etc/yum.repos.d/CentOS-meltdown.repo <<EOF
# CentOS-meltdown.repo
#
# contains minimalistic update to fix meltdown and spectre
[meltdown-updates]
name=CentOS-\$releasever - Meltdown-Updates
baseurl=file://$mydir
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
EOF
- run the update from this repository only (otherwise yum would also pull everything else from the regular mirrors, which is what you wanted to avoid) and reboot the machine:
yum --disablerepo='*' --enablerepo=meltdown-updates update
reboot
Test-Tools
Performance Impact
The fixes work in a way that can cost performance: the kernel now switches page tables on every entry from user space (PTI, against Variant 3) and restricts or flushes indirect branch prediction (IBRS/IBPB, against Variant 2). Different sources claim different results, reaching from no impact at all up to a 30% slowdown; syscall- and interrupt-heavy workloads (databases, network servers, lots of small I/O) are hit hardest, pure number crunching hardly at all. As always, benchmarks are probably not too representative of your real-world experience. In order to find out what the difference is for you, you can simply disable the workarounds on a patched kernel and run your workload once with and once without them.
In CentOS and RHEL (whose kernel carries the Red Hat IBRS patch set; upstream kernels do not have these debugfs files, they use the nopti / pti=off and nospectre_v2 boot options instead and report the status under /sys/devices/system/cpu/vulnerabilities/) the workarounds can be disabled without a reboot using these commands, which need debugfs mounted at /sys/kernel/debug (it is, by default):
echo 0 > /sys/kernel/debug/x86/pti_enabled
echo 0 > /sys/kernel/debug/x86/ibpb_enabled
echo 0 > /sys/kernel/debug/x86/ibrs_enabled
Writing 1 turns them back on, and cat on the same files shows the current state. By default all three fixes are enabled on a patched kernel (ibrs and ibpb only if the running microcode supports them; without the microcode update they read 0). If you want to disable them permanently (= on every boot) you can add these three options to your kernel command line:
noibrs noibpb nopti
Remember that a system running with these off is fully exposed again; use them for measuring, not as a standing configuration.
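As an added example (not from the original page, and not a Red Hat or CentOS tool), the following script does the with/without measurement described above through the three debugfs switches: it reads their state, times a workload with the mitigations on and then off, and restores whatever state the machine had before. The command names, the MITIG_DIR override and the timing method are my assumptions; it expects root, debugfs mounted at /sys/kernel/debug and GNU date.

```shell
#!/bin/sh
# Added example, not code from the original page: A/B-time a workload with the
# Meltdown/Spectre mitigations on and off through the RHEL/CentOS debugfs
# switches named above, then restore whatever state they had before.
# Assumptions (mine): root, debugfs mounted at /sys/kernel/debug, GNU date
# (for nanosecond timestamps), and a workload command passed on the command
# line. MITIG_DIR can be pointed at a scratch directory to exercise the
# functions without touching a live kernel.

MITIG_DIR=${MITIG_DIR:-/sys/kernel/debug/x86}

# Print the state of the three switches as "pti=1 ibpb=1 ibrs=1".
# A knob the kernel does not provide is shown as "-".
mitigation_state() {
    dir=${1:-$MITIG_DIR}
    out=""
    for k in pti ibpb ibrs; do
        f="$dir/${k}_enabled"
        if [ -r "$f" ]; then v=$(cat "$f"); else v="-"; fi
        out="$out $k=$v"
    done
    echo "${out# }"
}

# Write 0 or 1 into every switch that exists; anything else is rejected so a
# typo cannot leave the kernel in an undefined state.
set_mitigations() {
    dir=$1; val=$2
    case "$val" in
        0|1) ;;
        *) echo "value must be 0 or 1, got '$val'" >&2; return 1 ;;
    esac
    for k in pti ibpb ibrs; do
        f="$dir/${k}_enabled"
        if [ -w "$f" ]; then echo "$val" > "$f"; fi
    done
}

# Re-apply a state string as printed by mitigation_state ("-" entries are skipped).
restore_mitigations() {
    dir=$1
    for kv in $2; do
        k=${kv%%=*}; v=${kv#*=}
        case "$v" in 0|1) echo "$v" > "$dir/${k}_enabled" ;; esac
    done
}

# Run the workload N times and print the elapsed wall-clock milliseconds.
time_workload() {
    n=$1; shift
    start=$(date +%s%N)
    i=0
    while [ "$i" -lt "$n" ]; do
        "$@" >/dev/null 2>&1
        i=$((i + 1))
    done
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# Measure with mitigations on, then off, and always restore the original state.
ab_compare() {
    n=$1; shift
    orig=$(mitigation_state "$MITIG_DIR")
    set_mitigations "$MITIG_DIR" 1
    on=$(time_workload "$n" "$@")
    set_mitigations "$MITIG_DIR" 0
    off=$(time_workload "$n" "$@")
    restore_mitigations "$MITIG_DIR" "$orig"
    echo "mitigations on: ${on} ms, off: ${off} ms, restored: $(mitigation_state "$MITIG_DIR")"
}

# Usage: ./abtest.sh compare 5 dd if=/dev/zero of=/dev/null bs=512 count=200000
# (a syscall-heavy loop, which is where PTI costs the most)
case "${1:-}" in
    compare) shift; ab_compare "$@" ;;
esac
```

Use a workload that resembles what the machine really does rather than the dd loop from the usage line, which is deliberately syscall-bound and shows the worst case. Because the script restores the recorded state instead of blindly writing 1, a knob that was 0 before (for example ibrs on a machine without the microcode update) is left at 0 afterwards.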