Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against CPUs with speculative execution.

This document (7022512) is provided subject to the disclaimer at the end of this document.

Environment

Based on research from various groups and individuals a new family of side channel attacks against CPUs with speculative execution were identified that can be used by attackers to read content of otherwise inaccessible memory.

To help mitigating this hardware implementation related flaws on the software layer, SUSE as an operating system vendor has released and is continuing to work on mitigations for these side channel attacks in the Linux kernel and other packages.

For details on the vulnerability, please check :  https://meltdownattack.com/

Situation

The following five attacks have been identified :
  • CVE-2017-5753: variant 1 - bounds check bypass 
Local attackers could use speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of  passwords, cryptographic keys and other secrets.

This problem is mitigated by fencing speculative execution on affected code paths throughout the Linux kernel and needs to be addressed for all SUSE Linux Enterprise processor architectures.

Fixes for this variant are contained in the SUSE Linux Kernel updates.

AMD/Intel x86-64, ARM Arch64, IBM Power and IBM Z have received mitigations.

As these mitigations need to be added to a lot of different places throughout the Linux Kernel and potentially even also other packages, future updates could be necessary.

  • CVE-2017-5715: variant 2 - branch target injection
Local attackers could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak otherwise non-readable content in the same address space, an attack similar to CVE-2017-5753.

There are two different approaches to mitigate this issue, both complement each other :

Approach 1 : Selectively restricting the indirect branch predictor

This first method is done by restricting predictive branches, depending on CPU architecture either by firmware updates and/or mitigations in the user-kernel privilege boundaries.

Terminologies used :
- IBPB: Indirect branch prediction barrier. Previous learned branch prediction targets are forgotten at this barrier, used when switching to a different privilege context.

- IBRS: Indirect branch restricted speculation. If set, indirect branches will not use previous speculation data from lower privilege levels.

- STIBP: Single thread indirect branch predictors prevents indirect branch predictions from being controlled by the sibling Hyperthread.
Further reading in this white paper from Intel: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf

Fixes needed in / by CPU architecture :
Intel x86_64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
AMD x86_64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
IBM Z : Linux Kernel and CPU Microcode (Microcode delivered by IBM)
IBM Power : CPU Microcode (Microcode delivered by IBM)
ARM Arch64 : Linux Kernel and CPU Microcode (Microcode delivered by SUSE or vendor)
This mitigation has a performance impact, and as such, this will be made configurable via the kernel command line option "nospec" in later releases. Please note that disabling it will disable the mitigation for CVE-2017-5715 and should only be done on systems with trusted users executing only trusted code (!).

Note on Intel CPU Microcode :

As Intel reported increased system instabilities after applying the 20180108 Intel CPU Microcode updates, we have retracted those from our update servers. We are in close contact with Intel and will be  releasing new microcode updates once Intel releases them.

A detailed technical Intel Microcode guidance document was published on :
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf

During the initial disclosure of this security issues we shipped unstable microcode versions, which got retracted and reverted afterwards.

On March 16 we shipped the 20180312 version of the Intel CPU Microcode updates.
Further Microcode deliveries will be shipped by SUSE over the next weeks when they are officially released by Intel.

Approach 2 : Rebuilding the kernel without indirect jumps by using "retpolines"

SUSE has released system compiler updates including "retpoline" support and Linux kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" using the "retpoline" method on x86_64.

On Skylake chipsets the Intel CPU Microcode is still needed, as the "retpoline" mitigation is not sufficient.

If updated Intel CPU Microcode is available, some additional branch prediction mitigations for some scenarios are used, so while "retpoline" mitigates a large part of the vulnerabilities, IBPB is needed still for cross-process or cross-VM indirect branch control.

  • CVE-2017-5754: variant 3 - rogue data cache load
Local attackers could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753.

This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach described in the "KAISER" paper and called "Page Table Isolation" / "PTI".

We have released updates that implement this mitigation on the Intel x86_64, ARM and IBM Power architecture.

This problem does not affect the AMD x86_64 and IBM Z processor architecture. 

This mitigation can be enabled / disabled by the "pti=[on|off|auto]" or "nopti" command line options. More details can be found in the  "Additional information" section. Please note that disabling it will disable the mitigation for  this issue (!).

Resolution

  • SUSE has released kernel updates for all maintained SUSE products to mitigate the "Meltdown" attack.
  • SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 1" attack.
  • SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" attack, pending on availability of CPU Microcode updates.
  • SUSE has released CPU microcode updates for AMD Ryzen in the "ucode-amd" package on SLE 12 and "microcode_ctl" on SLE 11.
  • SUSE has released KVM and QEMU updates to allow passing through CPU flags and MSR registers to support controlling speculative branch handling.
  • SUSE has released system compiler updates including "retpoline" support.
  • SUSE has released kernel updates for all maintained SUSE products to mitigate the "Spectre Variant 2" using the "retpoline" method on x86_64.

Going forward :
  • SUSE will be releasing firmware updates for Intel x86_64 in the packages microcode_ctl on SUSE Linux Enterprise 11, ucode-intel on SUSE Linux Enterprise 12, once stable microcode updates from Intel are available.

The XEN Hypervisor also needs mitigations for the described problems, these are currently in development.
For further details on XEN, KVM and QEMU updates please review  TID 7022514.


Performance Impact

The performance impact of these patches is highly dependent on the actual workload, but also on CPU vendor and family. We recommend to always validate the performance impact prior to deploying these updates to production systems.

For more detail on the performance aspect, please read this SUSE blog here : https://www.suse.com/c/meltdown-spectre-performance/


SUSE has released the following updates :

SLES 12 SP3
  • kernel-default-4.4.120-94.17.1 released Friday, 23rd of March 2018
  • qemu-2.9.1-6.12.1 released Monday, 21st of March 2018
  • ucode-intel-20180312-13.17.1  released Friday, 16th of March 2018
  • kernel-default-4.4.114-94.14.1 released Tuesday, 20th of February 2018
  • kernel-default-4.4.114-94.11.3 released Wednesday, 7th of February 2018
  • kernel-default-4.4.103-94.6.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
  • kernel-default-4.4.103-6.38.1 released Thursday, 4th of January 2018
  • ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
  • (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
  • qemu-2.9.1-6.9.2 released Thursday, 4th of January 2018
SLES 12 SP3 Real Time
  • Original fixes were included in GA release. Future updates will be released via maintenance.
SLES 12 SP2
  • qemu-2.6.2-41.37.1 released Tuesday, 27th of March 2018
  • kernel-default-4.4.120-92.70.1, released Friday, 23rd of March 2018
  • ucode-intel-20180312-13.17.1 released Friday, 16th of March 2018
  • kernel-default-4.4.114-92.67.1 released Tuesday, 20th of February 2018
  • kernel-default-4.4.114-92.64.1 released Friday 9th of February 2018
  • kernel-default-4.4.103-92.59.1 (IBM Z Series ONLY) released Thursday, 11th of January 2018
  • kernel-default-4.4.103-92.56.1 released Thursday, 4th of January 2018
  • ucode-amd-20170530-21.16.1 released Thursday, 4th of January 2018
  • (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
SLES 12 SP2 Real Time
  • kernel-rt-4.4.114-27.1 released Monday, 19th of February 2018
  • kernel-rt-4.4.104-24.1 released Thursday, 25th of January 2018
SLES 12 SP1 - LTSS
  • kernel-default-3.12.74-60.64.85.1 released Thursday, 29th of March 2018
  • ucode-intel-20180312-13.17.1 released Friday, 16th of March 2018
  • kernel-default-3.12.74-60.64.82.1 released Thursday, 22nd of February 2018
  • kernel-default-3.12.74-60.64.72.1 (IBM Z Series ONLY) released Tuesday, 16th of January 2018
  • kernel-default-3.12.74-60.64.69.1 released Friday, 5th of January 2018
  • (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
  • qemu-2.3.1-33.6.1 released Tuesday, 9th of January 2018

[*SLE-12-SP1 ppc64le customers, please see  'note 2' below.]

SLES 12 - LTSS
  • kernel-default-3.12.61-52.125.1 released Monday, 28th of March 2018
  • ucode-intel-20180312-13.17.1 released Friday, 16th of March 2018
  • kernel-default-3.12.61-52.119.1 released Tuesday, 13th of February 2018
  • kernel-default-3.12.61-52.111.1 released Tuesday, 16th of January 2018
  • ucode-amd-20140807git-5.3.1 released Tuesday, 9th of January 2018
  • (**obsoleted**) ucode-intel-20180108-13.11.1 released Thursday,11th of January 2018
  • (**obsoleted**) ucode-intel-20170707-13.8.1 released Thursday, 4th of January 2018
SLES 11 SP4
  • microcode_ctl-1.17-102.83.15.1  released Friday, 16th of March 2018
  • kernel-default-3.0.101-108.35.1 released Tuesday, 27th of February 2018
  • kernel-default-3.0.101-108.24.1 (IBM Z Series ONLY) released Thursday, 18th of January 2018
  • kernel-default-3.0.101-108.21.1 released Thursday, 4th of January 2018
  • microcode_ctl-1.17-102.83.12.1 released Friday ,19th of January 2018
  • (**obsoleted**) microcode_ctl-1.17-102.83.9.1 released Thursday,11th of January 2018
  • (**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
SLES 11 SP4 Real Time
  • kernel-rt-3.0.101.rt130-69.21.1 released Thursday, 29th of March 2018
  • kernel-rt-3.0.101.rt130-69.14.1 released Thursday, 23th of January 2018
SLES 11 SP3 - LTSS
  • microcode_ctl-1.17-102.83.15.1  released Friday, 16th of March 2018
  • kernel-default-3.0.101-0.47.106.19.1 released Monday, 12nd of March 2018
  • kernel-default-3.0.101-0.47.106.14.1 released Monday, 22nd of January 2018
  • kernel-default-3.0.101-0.47.106.11.1 released Monday, 8th of January 2018
  • microcode_ctl-1.17-102.83.12.1 released Friday ,19th of January 2018
  • (**obsoleted**) microcode_ctl-1.17-102.83.9.1 released Thursday,11th of January 2018
  • (**obsoleted**) microcode_ctl-1.17-102.83.6.1 released Thursday, 4th of January 2018
SUSE CaaS Platform
  • qemu-2.9.1-6.12.1 released Monday, 21st of March 2018
  • kernel-default-4.4.114-94.11.3 released Wednesday, 7th of February 2018
  • ucode-amd-20170530-21.16.1  released Thursday, 4th of January 2018
  • qemu-2.9.1-6.9.2  released Thursday, 4th of January 2018


Note 1: Observing multiple microcode-ctl and/or ucode-intel releases for the same SLE version :
As firmware updates continue to become available for other CPU models, this will show as another new microcode-ctl and/or ucode-intel release with the date released.

The microcode listed as (**obsoleted**)where removed from our maintenance updates and SUSE patch finder location here due to quality issues reported by customers and community.
 
Note 2 : An LTSS channel for SLE-12-SP1 ppc64le does not exist.
The patches for Spectre & Meltdown are available in the SLES-12-SP1-SAP channel. This channel is supported until May 2018 (as per the SUSE Product Life Cycle page here).

Important note : A valid SLES for SAP subscriptions is required to access this repository.

Note 3 :  Continued Kernel updates.
As  Linux kernel updates will continuously be released by our maintenance team, to address new variants of these issues, other security vulnerabilities and/or improve system stability in general, please do consider the kernel versions listed in this TID as minimum kernel revisions required to mitigate the issues reported in this TID.

When newer and more recent kernel versions exist in our update repositories than are listed in this document here, it is recommended to update to the available kernel versions in these repositories.

Cause

CVE-2017-5753  (Spectre - variant 1) 
CVE-2017-5715  (Spectre - variant 2)
CVE-2017-5754  (Meltdown - variant 3)

Additional Information

Products running on top of SUSE Linux Enterprise Server, such as SUSE OpenStack Cloud, SUSE Enterprise Storage, SUSE Manager are not directly vulnerable. For these SUSE products, updating the the Host (running SUSE Linux Enterprise Server) with the updates detailed and listed here is sufficient.


Public Cloud:

SUSE has updated all (on-demand and BYOS) images that are actively maintained within the SUSE Public Cloud Image lifecycle guidelines. Image information can be retrieved with the "pint" tool.

All updated images have a timestamp of v20180104, i.e. January 4th 2018 or later.

For all running instances of SUSE images in production within public clouds, SUSE's advice to all customers is to apply all existing kernel updates available.


Enabling or Disabling Mitigations for Performance reasons

Mitigations that were applied can be selectively enabled or disabled.

SUSE Linux Enterprise chooses the default to be secure, meaning the mitigation's are enabled.

Spectre variant 2 kernel parameters :
For x86_64 architecture a new "spectre_v2" kernel commandline parameter has been added to control how the spectre variant 2 mitigations are enabled.
spectre_v2=<value>
<value> :
on     - unconditionally enable the mitigation
off   - unconditionally disable the mitigation
auto - kernel detects whether your CPU model is vulnerable
Selecting 'on' will, and 'auto' may, choose a mitigation method at run time according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler with which the kernel was built.
Specific mitigations can also be selected manually:
retpoline              - replace indirect branches
retpoline,generic - google's original retpoline
retpoline,amd       - AMD-specific minimal thunk
nospectre_v2 - this is the same as spectre_v2=off

Not specifying any option is equivalent to using : spectre_v2=auto.

For x86_64 we also support the option:
nospec
This option disables the CPU microcode based Spectre variant 2 mitigations.
The retpoline enablement is not controlled by this option.
For s390x architecture, the parameter is called "nobp", and has following values :
nobp=<value>
<value> :
on       - enable mitigation
off     - disable mitigation

PTI kernel parameter:

The default value for x86-64 is "auto", meaning enabled for processors deemed vulnerable or unknown, and disabled on those known to be unaffected (AMD). 
For ARM the default value is "off" for the time being as the "auto" trigger has not been implemented yet.
pti = auto
lets kernel decide, which means it turns PTI on when is's running on Intel and turns it off when running on AMD
pti = off
force-disable PTI even on Intel
pti = on
force-enables PTI even on AMD


Verifying if a system is protected :
Starting with our February kernel releases we also support the upstream reporting of the Meltdown and Spectre flaws using sysfs:
/sys/devices/system/cpu/vulnerabilities/meltdown
/sys/devices/system/cpu/vulnerabilities/spectre_v1
/sys/devices/system/cpu/vulnerabilities/spectre_v2
These files contain a one line description of the state of affectedness and if the mitigations are enabled.


Timeline for SUSE updates :

- Initial release of kernel, Qemu and CPU microcode updates (January 5th and following days) 
- Spectre v1 addressed using fences.
- Spectre v2 addressed by facilitating CPU microcode and branch prediction disablement.
- Meltdown address by PTI (Page Table Isolation) with help of PCID.
- Release of official Intel Microcode January release (January 11th)
- Retracted Intel January Microcode updates due to instability issues (January 19th)

- Second release of Linux kernel updates (beginning of February, ongoing)
- Spectre v1 mitigations enhanced performance wise by using upstream "array_index_mask_nospec" method.
- Spectre v2 mitigations now addressed by using "retpolines" method.
- Improved reporting of Meltdown and Spectre bug status using the same /sys/ values as used upstream.
- Release of March 2018 official Intel Microcode update (March 16th)


Related Security Vulnerability announcements :
  • TID 7022950 - Security Vulnerability : Spectre Variant 3a (Rogue Register Load) - CVE-2018-3640
  • TID 7022937 - Security Vulnerability : Spectre Variant 4 (Speculative Store Bypass) aka CVE-2018-3639
  • TID 7023076 - Security Vulnerability : Spectre side channel attack "Lazy FPU Save/Restore" aka CVE-2018-3665.
  • TID 7023075 - Security Vulnerability : Spectre side channel attack "Bounds Check Bypass Store" aka CVE-2018-3693.

Related Documentation :
  • TID 7022982 : Security Vulnerability: "Spectre V2" vulnerability re-introduced after installing kernel modules or drivers.

    p { margin-bottom: 0.1in; line-height: 115%; }a:link { }

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7022512
  • Creation Date: 03-Jan-2018
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center