spectre_and_meltdown_fixes_-_release_dates_for_linux_distros [23.01.2018 16:11] – [Microcode Update - Yes it's necessary too!] Pascal Suter | spectre_and_meltdown_fixes_-_release_dates_for_linux_distros [24.10.2018 21:40] (current) – [Performance Impact] Pascal Suter | ||
Line 1: | Line 1: | ||
====== Spectre and Meltdown fixes ====== | ====== Spectre and Meltdown fixes ====== | ||
- | This page should give you a short overview of what is currently available to update your Intel based server or Workstation to get as good as possible patched against Spectre (Variant 1 and 2) and Meltdown (Variant 3). | + | This page should give you a short overview of what is currently available to update your Intel based server or Workstation to get as good as possible patched against Spectre ( CVE 2017-5753 (Bounds Check Bypass / Variant 1) and CVE 2017-5715 (Branch Target Injection / Variant |
===== What's needed? ===== | ===== What's needed? ===== | ||
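Review bot: the CVE identifiers introduced on the right-hand side of this hunk are written with a space ("CVE 2017-5753", "CVE 2017-5715") instead of the canonical hyphen; they should read CVE-2017-5753 and CVE-2017-5715 so they match the published identifiers and can be cross-referenced reliably. The Meltdown identifier is cut off in this view and cannot be checked here.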
Line 27: | Line 27: | ||
===== Microcode Update - Yes it's necessary too! ===== | ===== Microcode Update - Yes it's necessary too! ===== | ||
- | |||
After you have installed the latest OS updates, your system should be protected against Variant 1 and 3, in order to protect against Variant 2, you also need to install a newer microcode (firmware of the CPU). | After you have installed the latest OS updates, your system should be protected against Variant 1 and 3, in order to protect against Variant 2, you also need to install a newer microcode (firmware of the CPU). | ||
- | Usually the microcode package is also a package in your distributions repository and is updated during a normal os upgrade. However, there where some [[https:// | ||
- | So now you have two options: 1.) wait until a stable | + | There are three ways to get to the latest microcode updates: |
+ | ==== 1: Wait for your linux distribution to include it ==== | ||
+ | Usually the microcode | ||
- | Here is, how you can download | + | after that, intel pulled |
- | The latest officially released Microcodes can be found on the intel downloadcenter page. currently [[https:// | + | ==== 2: Download |
+ | besides waiting for your distro to include the update for you, you can also manually | ||
- | It seems however, that this package does not include the latest | + | The latest |
- download the package of your choice to your System: < | - download the package of your choice to your System: < | ||
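Review bot: the new headings and sentences in this hunk are inconsistent in capitalization: "linux distribution", "intel pulled", "besides waiting for your distro" and "normal os upgrade" should read Linux, Intel, Besides and OS, and the step "download the package of your choice to your System" should not capitalize "System". Since this text is now the entry point for three alternative update paths, consistent naming of the vendor and the OS makes the options easier to scan.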
Line 52: | Line 53: | ||
you should now be up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerability. | you should now be up to date with the latest patches for all three Variants of the Spectre & Meltdown vulnerability. | ||
- | ==== Understanding the release notes ==== | + | ==== 3: Update your BIOS ==== |
- | Intel' | + | BIOS packages from the mainboard vendor should also include the latest microcode for the CPU upon release of the BIOS package. sometimes you can get microcode updates earlier through a BIOS update than you can get them through the intel microcode package download. However, if your mainboard producer supplies no mor BIOS updates or if they have a slow release cycle, the intel package might be the faster solution for you. Because Linux only loads the microcode from its own package when it's newer than the version loaded by the bios, a BOIS update that gets you the new Microcode will work even with old Linux Versions that might be out of maintenance. However, if you are using such a Distro, you probably aren't worried too much about security anyway and your system is hopefully only running in a well protected internal network with trusted users.. in that case, don't worry about Meltdown :) |
+ | |||
+ | If you do worry about meltdown and want to upgrade the microcode through a new bios, you can find a list of the latest BIOS releases that contain Variant 2 fixes in their included microcode on this [[https:// | ||
+ | |||
+ | ===== Understanding the microcode | ||
+ | Intel' | ||
-- Updates upon 20171117 release -- | -- Updates upon 20171117 release -- | ||
IVT C0 (06-3e-04: | IVT C0 (06-3e-04: | ||
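Review bot: the closing advice in the new "3: Update your BIOS" section ("don't worry about Meltdown") contradicts what the Line 27 hunk states, namely that Variant 3 (Meltdown) is fixed by OS updates while the microcode only addresses Variant 2; a BIOS-delivered microcode on an out-of-maintenance distro therefore still leaves Meltdown and Variant 1 unpatched, and the sentence should say so rather than reassure the reader. The same paragraph also carries two typos: "no mor BIOS updates" should be "no more BIOS updates" and "a BOIS update" should be "a BIOS update".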
Line 80: | Line 86: | ||
* '' | * '' | ||
grep -P "^(cpu family)|(model\s*: | grep -P "^(cpu family)|(model\s*: | ||
- | </ | + | </ |
* the last part '' | * the last part '' | ||
* by the way, '' | * by the way, '' | ||
+ | * rather than browsing through the entire history of the release notes you can also check the version of a specific microcode file using this command: '' | ||
+ | |||
===== Minimalistic Fix on CentOS 7.4 ===== | ===== Minimalistic Fix on CentOS 7.4 ===== | ||
Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your centos: | Should you, for some reason, not be able or willing to run a full update, I have here a minimalistic fix for your centos: | ||
Line 121: | Line 129: | ||
echo 0 > / | echo 0 > / | ||
echo 0 > / | echo 0 > / | ||
+ | echo 0 > / | ||
</ | </ | ||
by default all three fixes are enabled, if you want to disable them permanently (=on every boot) you can add these three options to your kernel command line: | by default all three fixes are enabled, if you want to disable them permanently (=on every boot) you can add these three options to your kernel command line: | ||
< | < | ||
- | noibrs noibpb nopti | + | noibrs noibpb nopti noretp spectre_v2=off |
</ | </ | ||
+ | the last '' |
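Review bot: the counts in the surrounding prose no longer match this hunk. The line "by default all three fixes are enabled" now sits above four `echo 0 > /...` toggles, and "you can add these three options to your kernel command line" precedes a line that lists five tokens (`noibrs noibpb nopti noretp spectre_v2=off`); reword both to "these options" or enumerate the new ones so the instructions stay consistent with the commands.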