Security Vulnerability: "Spectre V2" vulnerability re-introduced after installing kernel modules or drivers.

This document (7022982) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)

Situation

To help mitigate the Spectre Variant 2 vulnerability, which is caused by the hardware implementation, SUSE as an operating system vendor has released and is continuing to work on mitigations for these side channel attacks in the Linux kernel and other packages.
 
One of the mitigations against the Spectre Variant 2 vulnerability is to compile code without use of indirect jumps. This method is known as "Retpoline". Many of the latest SUSE kernel updates have been built using the retpoline methods. For this mitigation to be fully effective, all running kernel object code, including loadable kernel modules, needs to be compiled using the retpoline methods. That requires all third party, externally delivered kernel modules to be built in a retpoline manner.
 
On SLE 12 SP2 and greater, when using the latest update kernels, a warning is shown when loading a module not flagged as being built with retpoline support:
[   19.503350] Spectre V2 : System may be vulnerable to spectre v2
 
Note this issue is also present on SLE 11 SP4 but will not show the warning message.
 
Seeing this message means that your system may once again be exposed to the Spectre Variant 2 vulnerability.
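The following script is an added example, not part of the original SUSE document. It lists loaded modules that are not flagged as retpoline builds, which is also useful on SLE 11 SP4 where no warning is logged. It assumes retpoline-built modules carry the upstream kernel's "retpoline: Y" modinfo tag; the MODINFO and MODULES_FILE variables and the function names are hypothetical names chosen for this example.

```sh
#!/bin/sh
# Added example: find loaded kernel modules not flagged as retpoline builds.
# Assumption: retpoline-built modules carry the modinfo tag "retpoline: Y"
# (upstream kernel convention). MODINFO and MODULES_FILE are hypothetical
# overrides so the logic can be run against constructed data.

MODINFO=${MODINFO:-modinfo}
MODULES_FILE=${MODULES_FILE:-/proc/modules}

# Print the name of every loaded module whose retpoline tag is not "Y".
# A module that modinfo cannot describe is reported too, because its
# build cannot be confirmed.
unflagged_modules() {
    while read -r name _rest; do
        [ -n "$name" ] || continue
        flag=$("$MODINFO" -F retpoline "$name" 2>/dev/null </dev/null) || flag=""
        [ "$flag" = "Y" ] || printf '%s\n' "$name"
    done < "$MODULES_FILE"
}

# Return 0 if the kernel log text on stdin contains the warning quoted above.
log_has_spectre_v2_warning() {
    grep -q 'Spectre V2 : System may be vulnerable to spectre v2'
}

# Run as "sh check_retpoline.sh --report" on the host being audited.
if [ "${1:-}" = "--report" ]; then
    echo "Loaded modules without a retpoline flag:"
    unflagged_modules
    if dmesg | log_has_spectre_v2_warning; then
        echo "Kernel log contains the Spectre V2 module warning."
    fi
fi
```

Any module the script prints should be replaced with a retpoline-built version from its vendor or rebuilt as described under Resolution.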

Resolution

The SUSE SolidDriver team will begin rolling out updates to the Installation Kits, Driver Kits and DUDs hosted on drivers.suse.com to provide retpoline built modules.  We will focus on OS versions that are currently shipping and in support, specifically SLE 12 SP3, SLE 12 SP2 and SLE 11 SP4.  We will systematically go through and re-build/re-post these kits and let corresponding partners know when they have been made available.
 
For partners who need to re-build their own retpoline ready kernel modules and drivers, instructions can be found on our SolidDriver website here:
 

Cause

CVE-2017-5715  (Spectre - variant 2)

Additional Information

For more information about SUSE’s approach to the Spectre and Meltdown issues, see the following:

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022982
  • Creation Date: 18-May-2018
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
