Skip to content

rmeichsner/meltdownspectre-patches

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 

Repository files navigation

meltdownspectre-patches

Summary of the patch status for Meltdown / Spectre

What?

Meltdown and Spectre are hardware design vulnerabilities in all modern CPUs based on speculative execution. Background infos:

The bug is in the hardware, but mitigations in operating systems are possible and are getting shipped now. I'm collecting notes on the patch status in various software products. This will change rapidly and may contain errors. If you have better info please send pull requests.

Linux upstream kernel

Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.

minipli patches

minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available). minipli is based on the longterm kernel 4.9, which supports KPTI since 4.9.75, yet the patchset isn't ported yet.

Android

Windows

Apple

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. In the coming days they plan to release mitigations in Safari to help defend against Spectre. They continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

The security patch released on December 6, 2017 includes Meltdown mitigation also for Sierra and El Capitan

Linux distributions

FreeBSD

Virtualization

Browsers

Cloud Providers

Chip Manufacturers / HW Vendors

CERTs

CPU microcode

Latest Intel microcode update is 20171117. It is unclear whether microcode updates are needed and which version contains them. The microcode update does not contain any changelog.
If it will become necessary to update Intel (or AMD) microcode under Windows, before the release of official OS-level patches, this VMware Labs fling - though formally experimental - can serve the purpose, at least temporarily.

Update - Thu 4 Jan 2018, 15:30 UTC

It seems that the new Intel’s microcode archive (2017-12-15) provided with the latest Red Hat’s microcode_ctl update includes three new files: 06-3f-02, 06-4f-01, 06-55-04.

Based on what we know:

  1. it adds one new CPUID and two MSR for the variant of Spectre that uses indirect branches
  2. it forces LFENCE to terminate the execution of all previous instructions, thus having the desired effect for the variant of Spectre that uses conditional branches (out-of-bounds-bypass)

Those IDs belong to the following processor microarchitectures: Haswell, Broadwell, Skylake (official reference)

Update - Thu 4 Jan 2018, 16:30 UTC

Regarding AMD's microcode update: it seems to be only for EPYC (maybe Ryzen, not sure!) and it only adds one of the two MSRs (IA32_PRED_CMD). It uses a different bit than Intel's in the CPUID. It is also for Spectre with indirect branches. Previous microprocessors resolved it with a chicken bit. Please note that the same solution implemented at kernel level works for both Intel and AMD.

Antiviruses

Some Antiviruses do things that break when installing the Windows patches, therefore Microsoft doesn't automatically install the patches on those systems.

Vendor overview: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

RDBMS

Embedded Devices

Compilers

About

Summary of the patch status for Meltdown / Spectre

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published