Differences
spectre_and_meltdown_fixes_-_release_dates_for_linux_distros [19.01.2018 16:27] – Pascal Suter | spectre_and_meltdown_fixes_-_release_dates_for_linux_distros [09.04.2018 16:39] – [Microcode Update - Yes it's necessary too!] Pascal Suter | ||
Line 1: | Line 1: | ||
====== Spectre and Meltdown fixes ====== | ====== Spectre and Meltdown fixes ====== | ||
- | Unfortunately the [[https://meltdownattack.com|Meltdown | + | This page should give you a short overview of what is currently available to update your Intel based server or Workstation to get as good as possible patched against Spectre ( CVE 2017-5753 (Bounds Check Bypass |
+ | |||
+ | ===== What' | ||
+ | **this update will need a reboot of your server | ||
+ | |||
+ | in general you need to update your kernel to the latest versions provided | ||
+ | |||
+ | Here is how it' | ||
apt-get update && apt-get upgrade | apt-get update && apt-get upgrade | ||
- | in ubuntu and | + | ... in ubuntu and .. |
yum update | yum update | ||
- | in RedHat and CentOS distributions. | + | .. in RedHat and CentOS distributions. |
- | **this update | + | this will protect you against Variant 1 and Variant 3 vlunerabilities. In order to also protect against Variant 2, you further need to update |
- | However, now that the news is out, every OS vendor tries to be as fast as possible in pushing out patches, so possibly fixes will be released earlier. | + | ===== Different Distributions and their update status ===== |
- | here is a list of links with information about updates available from linux distributions | + | here is a list of links with information about updates available from linux distributions |
* [[https:// | * [[https:// | ||
* [[https:// | * [[https:// | ||
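Review bot: the new sentence "this will protect you against Variant 1 and Variant 3 vlunerabilities" has a typo (vulnerabilities), and the clause that follows it ("In order to also protect against Variant 2, you further need to update ...") is the one place in this hunk where the reader learns that the kernel update alone is not enough; name the microcode there and point at the "Microcode Update - Yes it's necessary too!" section, so a reader who stops after `apt-get upgrade` or `yum update` knows they are still exposed to Variant 2. Minor: "in general you need to update your kernel ..." and "here is a list of links ..." start lowercase, and the bold reboot warning would read better as a full sentence ("This update needs a reboot of your server.").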
Line 19: | Line 26: | ||
for further information read those pages or check out the [[https:// | for further information read those pages or check out the [[https:// | ||
- | ===== Minimalistic Fix on CentOS 7.4 ===== | + | ===== Microcode Update - Yes it's necessary too! ===== |
- | usually all you need todo today is simply update your linux to the latest | + | After you have installed |
+ | There are three ways to get to the latest microcode updates: | ||
+ | ==== 1: Wait for your linux distribution to include it ==== | ||
+ | Usually the microcode package is also a package in your distributions repository and is updated during a normal os upgrade. However, there where some [[https:// | ||
+ | |||
+ | after that, intel pulled the microcode updates back from their own webpage as well and went back to alpha and beta testing. they have now released a bunch of updated microcodes for their cpu's. generally what we see is, that they start with the newest cpu's and work their way back. I would expect, that the final microcode releases will make it into the respective microcode packages in your linux distribution. the Easiest way is just to run updates regularly and eventually you should get the latest microcode update for your cpu that will enable the Variant 2 fix. | ||
+ | |||
+ | ==== 2: Download the latest microcode from intel and install it manually ==== | ||
+ | besides waiting for your distro to include the update for you, you can also manually download the latest microcode package from intel (includes microcodes for all intel cpus in one package) and install that on your computer manually. Here is, how that's done: | ||
+ | |||
+ | The latest officially released Microcodes can be found on the intel downloadcenter page. currently [[https:// | ||
+ | |||
+ | - download the package of your choice to your System: < | ||
+ | cd / | ||
+ | wget <url> | ||
+ | </ | ||
+ | - now move your existing microcode package to another location, so you can move it back in case you have these stability issues that some users had with the new ones. then unpack and load the new microcode: < | ||
+ | cd / | ||
+ | mv intel-ucode / | ||
+ | tar xvf / | ||
+ | echo 1 > / | ||
+ | </ | ||
+ | you can double check if your microcode was loaded using < | ||
+ | you should now be up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerability. | ||
+ | |||
+ | ==== 3: Update your BIOS ==== | ||
+ | Intel BIOS packages also include the latest microcode for the CPU upon release of the BIOS package. Usually you will get the microcode first in the microcode package mentioned in 2), and once the next BIOS is released after the microcode update has been released, the BIOS update should include the Microcode package as well. Because Linux only loads the microcode from its own package when it's newer than the version loaded by the bios, a BOIS upddate that gets you the new Microcode will work even with old Linux Versions that might be out of maintenance. However, if you are using such a Distro, you probably aren't worried too much about security anyway and your system is hopefully only running in a well protected internal network with trusted users.. in that case, don't worry about Meltdown :) | ||
+ | |||
+ | If you do worry about meltdown and want to upgrade the microcode through a new bios, you can find a list of the latest BIOS releases that contain Variant 2 fixes in their included microcode on this [[https:// | ||
+ | |||
+ | ==== Understanding the release notes ==== | ||
+ | Intel' | ||
+ | -- Updates upon 20171117 release -- | ||
+ | IVT C0 (06-3e-04: | ||
+ | SKL-U/Y D0 (06-4e-03: | ||
+ | BDW-U/Y E/ | ||
+ | HSW-ULT Cx/ | ||
+ | Crystalwell Cx (06-46-01: | ||
+ | BDW-H E/ | ||
+ | HSX-EX E0 (06-3f-04: | ||
+ | SKL-H/S R0 (06-5e-03: | ||
+ | HSW Cx/ | ||
+ | HSX C0 (06-3f-02: | ||
+ | BDX-DE V0/ | ||
+ | BDX-DE V2 (06-56-03: | ||
+ | KBL-U/Y H0 (06-8e-09: | ||
+ | KBL Y0 / CFL D0 (06-8e-0a: | ||
+ | KBL-H/S B0 (06-9e-09: | ||
+ | CFL U0 (06-9e-0a: | ||
+ | CFL B0 (06-9e-0b: | ||
+ | SKX H0 (06-55-04: | ||
+ | GLK B0 (06-7a-01: | ||
+ | </ | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | grep -P "^(cpu family)|(model\s*: | ||
+ | </ | ||
+ | * the last part '' | ||
+ | * by the way, '' | ||
+ | ===== Minimalistic Fix on CentOS 7.4 ===== | ||
Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your centos: | Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your centos: | ||
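Review bot: the manual microcode steps promise that the old intel-ucode directory can be moved back "in case you have these stability issues", but the hunk never shows the revert; add the reverse steps (move the saved directory back into place, then write 1 to the same reload node again or reboot) directly after the "you can double check if your microcode was loaded" step, since that is the moment a reader with an unstable machine needs them. The double-check step should also say what to compare against, i.e. the new revision listed in the release notes for the cpu signature obtained from the `grep` on /proc/cpuinfo that the "Understanding the release notes" part introduces; otherwise the check only confirms that something loaded. In the BIOS section, "a BOIS upddate" has two typos, and the closing "don't worry about Meltdown :)" for out-of-maintenance distributions reads as advice to skip the fix; a trusted internal network lowers the risk but the same page calls the microcode necessary, so I'd reword it to say that the BIOS route is the only option left on such a system. Smaller wording fixes: "all you need todo" (to do), "there where some" (were, in both places), "cpu's" (cpus).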
Line 48: | Line 116: | ||
reboot | reboot | ||
</ | </ | ||
- | |||
- | ===== Microcode Update - Yes it's necessary too! ===== | ||
- | |||
- | Your system should now be patched against Variant 1 and 3, in order to protect against Variant 2, you also need to install a newer microcode. Keep in mind however, that there where some stability issues with the microcodes released until today (18.1.18) so that for example RedHat removed them from their repos. however, this step can be reverted should you have issues with the new microcode (sudden reboots where reported), so if you can afford a few crashes at worst, you should still give it a try and only revert when the system gets too unstable for you to work with: | ||
- | - go to [[https:// | ||
- | - < | ||
- | cd / | ||
- | wget <url copied from downloadcenter> | ||
- | </ | ||
- | - now move your existing microcode package to another location, so you can move it back in case you have these stability issues that some users had with the new ones. then unpack and load the new microcode: < | ||
- | cd / | ||
- | mv intel-ucode / | ||
- | tar xvf / | ||
- | echo 1 > / | ||
- | </ | ||
- | you can double check if your microcode was laded using < | ||
- | you should now up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerability. | ||
===== Test-Tools ===== | ===== Test-Tools ===== |
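Review bot: the removed section carried two concrete warnings that, as far as this view shows, the new "Microcode Update" section only partly keeps: the date-stamped note that the microcodes released until 18.1.18 were pulled from the RedHat repos over stability problems, and the symptom to watch for ("sudden reboots where reported"). The new step 2 text mentions "stability issues that some users had" but not the symptom; keep the sudden-reboot symptom in the new section so a reader can recognise a bad microcode quickly and fall back to the saved directory. Dropping the old "laded" and "you should now up to date" typos along with the section is fine.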