Differences
This shows you the differences between two versions of the page.
spectre_and_meltdown_fixes_-_release_dates_for_linux_distros [19.01.2018 17:51] – Pascal Suter | spectre_and_meltdown_fixes_-_release_dates_for_linux_distros [24.01.2018 18:19] – [Spectre and Meltdown fixes] Pascal Suter | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Spectre and Meltdown fixes ====== | ====== Spectre and Meltdown fixes ====== | ||
- | This page should give you a short overview of what is currently available to update your Intel based server or Workstation to get as good as possible patched against Spectre (Variant 1 and 2) and Meltdown (Variant 3). | + | This page should give you a short overview of what is currently available to update your Intel based server or Workstation to get as good as possible patched against Spectre ( CVE 2017-5753 (Bounds Check Bypass / Variant 1) and CVE 2017-5715 (Branch Target Injection / Variant |
===== What's needed? ===== | ===== What's needed? ===== | ||
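Review bot: The CVE identifiers in the new intro sentence are written with a space ("CVE 2017-5753", "CVE 2017-5715"); the canonical form is hyphenated (CVE-2017-5753, CVE-2017-5715), which is what readers will search for in distro advisories. There is also a stray space after the opening parenthesis in "Spectre ( CVE".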
Line 27: | Line 27: | ||
===== Microcode Update - Yes it's necessary too! ===== | ===== Microcode Update - Yes it's necessary too! ===== | ||
+ | Update 22.1.2017: ** [[https:// | ||
After you have installed the latest OS updates, your system should be protected against Variant 1 and 3, in order to protect against Variant 2, you also need to install a newer microcode (firmware of the CPU). | After you have installed the latest OS updates, your system should be protected against Variant 1 and 3, in order to protect against Variant 2, you also need to install a newer microcode (firmware of the CPU). | ||
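Review bot: The date in the added "Update 22.1.2017" line looks like a year typo: this revision is dated 24.01.2018 and the note added further down speaks of Intel changing its recommendation "as of Jan. 22", so 22.1.2018 is probably meant. The unchanged paragraph right below still tells readers to install a newer microcode for Variant 2 without pointing back to the update, so consider adding a short qualifier there.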
Line 33: | Line 34: | ||
So now you have two options: 1.) wait until a stable microcode update is available and stay vulnerable until then or 2.) install the currently available microcode update and risk having a less stable system. I have to mention, that intel says that only "some configurations" | So now you have two options: 1.) wait until a stable microcode update is available and stay vulnerable until then or 2.) install the currently available microcode update and risk having a less stable system. I have to mention, that intel says that only "some configurations" | ||
- | Here is, how you can download the microcode package (for all intel processors) | + | Here is, how you can download the microcode package (for all intel processors) and then insert this into your Linux installation for Linux to load the latest microcode. |
- | - go to [[https:// | + | |
- | - download | + | The latest officially released Microcodes can be found on the intel downloadcenter page. currently |
+ | |||
+ | **NOTE: see update above: Intel discurages the use of these microcodes as it seems that they can cause your system to be unstable. Intel in fact changed their recommendations as of Jan. 22 from "ask your vendor to get the latest microcote" | ||
+ | |||
+ | < | ||
+ | |||
+ | - download | ||
cd / | cd / | ||
- | wget < | + | wget <url> |
</ | </ | ||
- now move your existing microcode package to another location, so you can move it back in case you have these stability issues that some users had with the new ones. then unpack and load the new microcode: < | - now move your existing microcode package to another location, so you can move it back in case you have these stability issues that some users had with the new ones. then unpack and load the new microcode: < | ||
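Review bot: The added NOTE says Intel discourages these microcodes, yet the download and load steps that follow it are still presented as the way to proceed; state at the top of the steps that they are only for readers who accept the stability risk, and keep the "move your existing microcode package to another location" rollback step prominent there. The NOTE also has two typos: "discurages" (discourages) and "microcote" (microcode).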
Line 48: | Line 55: | ||
you should now be up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerability. | you should now be up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerability. | ||
+ | ==== Understanding the release notes ==== | ||
+ | Intel' | ||
+ | -- Updates upon 20171117 release -- | ||
+ | IVT C0 (06-3e-04: | ||
+ | SKL-U/Y D0 (06-4e-03: | ||
+ | BDW-U/Y E/ | ||
+ | HSW-ULT Cx/ | ||
+ | Crystalwell Cx (06-46-01: | ||
+ | BDW-H E/ | ||
+ | HSX-EX E0 (06-3f-04: | ||
+ | SKL-H/S R0 (06-5e-03: | ||
+ | HSW Cx/ | ||
+ | HSX C0 (06-3f-02: | ||
+ | BDX-DE V0/ | ||
+ | BDX-DE V2 (06-56-03: | ||
+ | KBL-U/Y H0 (06-8e-09: | ||
+ | KBL Y0 / CFL D0 (06-8e-0a: | ||
+ | KBL-H/S B0 (06-9e-09: | ||
+ | CFL U0 (06-9e-0a: | ||
+ | CFL B0 (06-9e-0b: | ||
+ | SKX H0 (06-55-04: | ||
+ | GLK B0 (06-7a-01: | ||
+ | </ | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | grep -P "^(cpu family)|(model\s*: | ||
+ | </ | ||
+ | * the last part '' | ||
+ | * by the way, '' | ||
===== Minimalistic Fix on CentOS 7.4 ===== | ===== Minimalistic Fix on CentOS 7.4 ===== | ||
Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your centos: | Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your centos: |
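Review bot: In the added grep line of the "Understanding the release notes" section, the pattern as far as it is visible, `^(cpu family)|(model\s*:`, anchors only the first alternative, because `|` binds more loosely than `^`, so the `model` branch can match anywhere in a line. Put the alternatives in one group after the anchor, in the form `^(cpu family|model)\s*:`, so that every field is matched at the start of its line.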