Summary

In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM, IBM, and MIPS. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue in Debian, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Debian Security Announcements and Debian LTS Announcements as they become available.

There are three separate vulnerabilities involved:

The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand.

This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

Current Status

Kernel updates have been shipped for Debian stable/stretch and later.

The gcc compiler toolchain was updated in Debian buster/unstable (gcc 7.3), stretch (gcc 6) through DSA-4121 and jessie (gcc 4.9) through DSA-4117. No archive rebuild is planned at this point so user-space fixes (particularly for Spectre v1) vary according to the affected binary package, as the fix is basically per-program. The compiler updates were still required to provide fixes for the Linux kernel.

Spectre Variant 2 can be exploited both locally (within the same OS) and through the virtualization guest boundary. Fixes require CPU microcode/firmware to activate. Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor. In particular, qemu and other hypervisors need to pass through certain CPU features to allow guest operating systems to correctly configuration mitigation mechanisms.

64-bit PC (amd64)

AMD processors are believed not to be affected by Meltdown, and no mitigation is applied to them by default.

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Jessie/oldstable

3.16

DSA-4187-1

DSA-4187-1, DLA-1422-1

DSA-4082-1

Stretch/stable

4.9

DSA-4120-1

DSA-4120-1

DSA-4078-1

Buster/testing/unstable

4.14+

4.15.4-1 and later

4.14.17-1 and later

4.14.13-1 and later

Caveats:

32-bit PC (i386)

The recommended mitigation for Meltdown for i386 users is to enable amd64 as an additional architecture (see Multiarch/HOWTO) and install a 64-bit kernel. Work is in progress to backport the meltdown patches to i386 to the kernel.

AMD processors are believed not to be affected by Meltdown.

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Jessie/oldstable

3.16

DSA-4187-1

DSA-4187-1, DLA-1422-1

not fixed

Stretch/stable

4.9

DSA-4120-1

DSA-4120-1

not fixed

Buster/testing/unstable

4.14+

4.15.4-1 and later

4.14.17-1 and later

not fixed

Caveats:

64-bit ARM (arm64)

A small number of ARM Cortex-A cores are known to be affected by Meltdown, as are Cavium ThunderX 2 and Qualcomm Falkor. All ARM Cortex-A, Cavium ThunderX and Qualcomm Falkor cores are affected by Spectre. It is not known whether other vendors' cores are affected by these issues.

Work is in progress to backport Meltdown patches to arm64.

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Stretch/stable

4.9

DSA-4120-1

not fixed

not fixed

Buster/testing/unstable

4.14+

4.15.4-1 and later

not fixed

4.16~rc5-1~exp1 and later

32-bit ARM (armel, armhf)

No 32-bit ARM Cortex-A cores are known to be affected by Meltdown. All ARM Cortex-A cores are affected by Spectre. It is not known whether Intel XScale or Marvell Sheeva cores are affected by these issues, but it seems unlikely.

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Jessie/oldstable

3.16

not fixed

not fixed

not affected

Stretch/stable

4.9

DSA-4120-1

not fixed

not affected

Buster/testing/unstable

4.14+

4.15.4-1 and later

4.18~rc3-1~exp1 and later

not affected

Caveats:

PowerPC (powerpc, ppc64el)

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Stretch/stable

4.9

DSA-4120-1

not fixed

DSA-4120-1

Buster/testing/unstable

4.14+

4.15.4-1 and later

not fixed

4.14.17-1 and later

Caveats:

System z (s390x)

Limited public information is available for this architecture.

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Stretch/stable

4.9

DSA-4120-1

4.9.110-1 and later

not affected

Buster/testing/unstable

4.14+

4.15.4-1 and later

4.17~rc7-1~exp1 and later

not affected

MIPS (mips, mipsel, mips64el)

MIPS Technology claims that none of their Debian-supported cores are affected by these issues. It is likely that Loongson cores are affected by some of these issues. It is not known whether other vendors' cores are affected by these issues.

Release

Linux version

Spectre 1

Spectre 2

Meltdown

Stretch/stable

4.9

DSA-4120-1

unknown

unknown

Buster/testing/unstable

4.14+

4.15.4-1 and later

unknown

unknown

Checking status

In stretch-backports, buster and sid there is a package spectre-meltdown-checker which can be used to help determine ones vulnerability status.

sudo apt install -t stretch-backports spectre-meltdown-checker
sudo spectre-meltdown-checker

Furthermore, kernel-level mitigation strategies are visible from userspace in the /sys/devices/system/cpu/vulnerabilities/ directory. For example, this is the output after a successful kernel update in Debian stretch:

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

Red Hat has released good information that describe the issue further. Most information in this article is applicable to Debian as well.

Xen project has made an advisory on how to handle these issues in a Xen virtualization environment.

Ubuntu has a similar page for those using that Debian derivative.