Wind River Security Vulnerability Notice: Meltdown and Spectre Side-Channel Attacks - (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) for Wind River Linux and Pulsar
Wind River® has been made aware of the Meltdown and Spectre exploits in modern processors. These security exploits potentially allow for the gathering of sensitive data improperly from computing devices. They could affect a variety of processors from different vendors.
There are 3 known CVEs related to this issue affecting different architectures.
Variant 1 CVE-2017-5753 is the bounds check bypass variant of Spectre.
Variant 2 CVE-2017-5715 is the branch target injection variant of Spectre.
Variant 3 CVE-2017-5754 is the rogue data cache load variant known as Meltdown.
New software features required to mitigate against Spectre and Meltdown are being developed in upstream Linux kernel and GCC source trees. Wind River is tracking these and will release updates when they are sufficiently stable to meet our customers' requirements for quality and stability.
RCPL updates newer then indicated above will include these migrations. See the Installation Notes below for details on enabling this mitigation.
Customer specific patches for various profiles of Wind River Linux 5 are available; please contact your customer support representative for details.
Patches for 32-bit Intel Architecture kernels to mitigate CVE 2017-5754 are not available and may not be feasible. We advise any customers who require this mitigation, and leverage a 64-bit capable CPU to run the 64-bit Linux kernel.
Please contact your silicon vendor to determine if your models are affected.
Changes to the kernel will be considered if other supported architectures are found to be vulnerable to Meltdown CVE 2017-5754.
The new "retpoline" feature changes the return sequence to isolate indirect branches from speculative execution.
There are two components to this:
New instructions would be introduced that would allow programmers to restrict speculative execution optimization for certain code segments.
These are changes to the Linux kernel that would remove susceptible code patterns. This would deter attacking programs from accessing kernel address spaces.
Updates will be considered for PowerPC and MIPS as CPU vendors announce affected products and software updates are available.
Updated OS loadable Intel Microcode (20180312) has been made available.
Please contact your vendor for information on if a microcode update may be necessary, and for CPU microcode updates.
Intel’s statement
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
Affected Intel-based platforms
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
ARM affected processor table
https://developer.arm.com/support/security-update
https://9to5mac.com/2018/01/02/intel-cpu-bug-fix-slowdown-for-macs/
The kernel patches of KPTI
https://lkml.org/lkml/2017/12/4/709
3/4/2019: Added information about status of CVE-2017-5753 and WRL 8.
5/21/2018: Revise advisory. Update LTS-17 Spectre/Meltdown status. Add Spectre/Meltdown RCPL information. Add note on 32-bit IA support.
5/14/2018: Update "Mitigations are available for" and "Mitigations are being developed for".
5/11/2018: WRL 7/6 Meltdown mitigation available.
5/7/2018: WRL 8 Meltdown mitigation patches set V2. Comparing V1, supplementing about 20 patches.
4/4/2018: WRL 8 Meltdown mitigation available. Revise text. Reference the OS Loadable microcode update.
3/27/2018: Fix typographic error
3/26/2018: Fixed missing attachment
3/20/2018: WRL 9 Meltdown and Spectre mitigation available
3/12/2018: The new version microcode-20180312.tgz has been uploaded in https://knowledge.windriver.com/Content_Lookup?id=K-511564
2/27/2018: WRL LTS-17 Meltdown mitigation available
2/2/2018: Fix grammatical error
1/24/2018: Revise description to give additional information about vulnerability and planned mitigations
1/11/2018: Move Intel microcode update patches to their own entry. https://knowledge.windriver.com/Content_Lookup?id=K-511474
1/11/2018: Add the patches for each WRLinux version to upgrade the Intel microcode
1/10/2018: Add reference of affected processor information of X86 and ARM
1/3/2018: Initial
Please update to the latest RCPL for all products.
1) Wind River Linux LTS-17
The patch is only valid with Wind River Linux LTS-17
RCPL 4.
Note: RCPL 5 and newer already contain this mitigation.
Due to the nature and size of this patch, the
linux-yocto-4.12 and yocto-kernel-cache repositories
have to be updated. This update will occur
automatically when you refresh, or install a new
project from Windshare. Any update after 2018-02-23
will include the necessary changes, however they are
not enabled without following the steps below.
update or create a project, using setup.sh:
$ wrlinux-x/setup.sh --machine ... ...
download the patch to enable the mitigation and
apply it using the following:
$ cd layers/wrlinux
$ git am --whitespace=nowarn WRLLTS17-CVE-2017-5754-x86-64-RCPL4.patch
Warning: If you re-run setup.sh after applying the
patch using the steps above, the patch will be
removed by the tools. In this case, you will have
to re-run the steps above to apply the
WRLLTS17-CVE-2017-5754-x86-64-RCPL4.patch.
To verify this patch is installed and the mitigation
is in place, the linux-yocto version being built
should now be 4.12.20. This can be verified from
the build logs, or on the target by inspecting the
kernel version, such as: 'cat /proc/version'
If an error occurs when configuring the linux-yocto,
or the linux-yocto version is reported to be
4.12.19, you may need to run setup.sh to update from
Windshare and reapply the patch file.
2) Wind River Linux 9
The patch is only valid with Wind River Linux 9 RCPL
14.
Note: RCPL 15 and newer already contain this mitigation.
Due to the nature and size of this patch, the
kernel-4.8.x and kernel-cache repositories have to
be updated. This update will occur automatically
when you refresh, or install a new project from
Windshare. Any update after 2018-03-19 will include
the necessary changes, however they are not enabled
without following the steps below.
To update or create a project, using setup.sh:
$ wrlinux-x/setup.sh --machine ... ...
Download the patch to enable the mitigation and
apply it using the following:
$ cd layers/wrlinux
$ git am --whitespace=nowarn WRL9-CVE-2017-5754-x86-64-RCPL14.patch
Warning: If you re-run setup.sh after applying the
patch using the steps above, the patch will be
removed by the tools. In this case, you will have to
re-run the steps above to apply the
WRL9-CVE-2017-5754-x86-64-RCPL14.patch.
To verify this patch is installed and the update is
in place, the linux-windiver version being built
should now be 4.8.28. This can be verified from the
build logs, or on the target by inspecting the
kernel version, such as: 'cat /proc/version'.
If an error occurs when configuring the linux-yocto,
or the linux-yocto version is reported to be 4.8.26,
you may need to run setup.sh to update from
Windshare and reapply the patch file.
3) Wind River Linux 8
The patch is only valid with Wind River Linux 8 RCPL
25.
Download the archive, WRL8-CVE-2017-5754-x86-64-RCPL25-patch-V2.tar.gz,
extract the archive to a temporary location, such as:
$ cd /tmp
$ mkdir WRL8
$ cd WRL8
$ tar xvfz .../WRL8-CVE-2017-5754-x86-64-RCPL25-patch-V2.tgz
In your configured Wind River Linux 8 project, do the
following:
$ make linux-windriver.patch
$ make kds
$ git am /tmp/WRL8/00*
$ exit
$ make bbs
$ bitbake -C configure linux-windriver
$ exit
Note: If you clean or otherwise reset the linux-windriver,
you will have to redo the steps above.
5) Wind River Linux 7
The patch is only valid with Wind River Linux 7 RCPL
28.
Download the archive, WRL7-CVE-2017-5754-x86-64-RCPL28-patch.tar.gz,
extract the archive to a temporary location, such as:
$ cd /tmp
$ mkdir WRL7
$ cd WRL7
$ tar xvfz .../WRL7-CVE-2017-5754-x86-64-RCPL28-patch.tgz
In your configured Wind River Linux 7 project, do the
following:
$ make linux-windriver.patch
$ make kds
$ git am /tmp/WRL7/00*
$ exit
$ make bbs
$ bitbake -C configure linux-windriver
$ exit
Note: If you clean or otherwise reset the linux-windriver,
you will have to redo the steps above.
6) Wind River Linux 6
The patch is only valid with Wind River Linux 6 RCPL
36.
Download the archive, WRL6-CVE-2017-5754-x86-64-RCPL36-patch.tar.gz,
extract the archive to a temporary location, such as:
$ cd /tmp
$ mkdir WRL6
$ cd WRL6
$ tar xvfz .../WRL6-CVE-2017-5754-x86-64-RCPL36-patch.tgz
In your configured Wind River Linux 6 project, do the
following:
$ make linux-windriver.patch
$ make kds
$ git am /tmp/WRL6/00*
$ exit
$ make bbs
$ bitbake -C configure linux-windriver
$ exit
Note: If you clean or otherwise reset the linux-windriver,
you will have to redo the steps above.
7) Wind River Linux 5
WRL5 is legacy product, please contact Wind River Support at +1-800-872-4977 or your local Wind River representative for the Wind River Linux 5 fix.