Wind River Support Network

Summary

Wind River Security Vulnerability Notice: Special Register Buffer Data Sampling Advisory (CVE-2020-0543) for Wind River Linux

---

Affected Product Versions

Wind River Linux 6, Wind River Linux 7, Wind River Linux 8, Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 5, Wind River Linux 4

---

Downloads

---

Description

A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability. Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Affected Windriver Linux releases:

All releases including Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux 7, Wind River Linux 6, Wind River Linux 5, Wind River Linux 4

Affected software components:

Linux kernel. Please note, the one that mitigate this CVE issue is the new release microcode, not linux kernel. Linux kernel can only show you if this CVE issue effect on your system, the status of the mitigation, and a softawitch to let administrator to disable the mitigation in runtime system.

Affected hardware:

here is the full affect CPU list: https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model

Mitigation

Check this CPU list to see if it contains the CPU you are using. Contact your BIOS vendor to upgrade CPU microcode. The newset microcode can be accessed here.

With the new microcde, this CVE issue will be mitegated by default. If you want to disable it, contact your BIOS vendor to downgrade the microcode, or Integrate kernel source patch once available.

NOTE: Linux kernel can'r mitigate this CVE issue, it can only show you its status and give you a method to disable the mitigation in runtime.

Note: For the microcode upgrading, we will update our recipe to align with Intel. But to make a full mitigation, the new microcode should be loaded in BIOS. So please contact your BIOS vendor for it.

Additional References

CVE-2020-0543

SRBDS Whitepaper

Special Register Buffer Data Sampling Advisory

We will port all necessary kernel patches on all our supporting releases, at the same time, fetching and upgrading the microcode recipe. We will continue to update this web page and once we have any progress you can get it here.

For any questions or requirements, please contact your local WR support team, or mail to security-alert@windriver.com directly.

Changelog

• 6/11/2020: Add hot patch for LTS-1018
  
• 6/10/2020: Initial
  

---

Installation Notes

Please refer to your BIOS vendor to upgrade the microcode.

For linux kernel, we will fetch and integrate kernel patches once available.

LTS1019

1) Download the hotpatch locally and unpackage it:

# sha256sum LTS1019-x86_srbds_fixes.tar.bz2

f7cf3e3b6e4f67db330aea9f418bfcbb7cff3488c1b446096c02d1aa48ad95d3 LTS1019-x86_srbds_fixes.tar.bz2

# cd /PATH_2_hotpatches/

# tar jxvf LTS1019-x86_srbds_fixes.tar.bz2

2) Integrate them and rebuild the kernel image

# bitbake linux-yocto -c devshell

# git am /PATH_2_hotpatches/*patch

# make bzImage

...

---