Wind River Support Network

HomeSecurity NoticesWind River Security Vulnerability Notice: Meltdown and Spectre Side-Channel Attacks - (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) for Wind River Linux and Pulsar
Recommended

Wind River Security Vulnerability Notice: Meltdown and Spectre Side-Channel Attacks - (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) for Wind River Linux and Pulsar

Released: Jan 3, 2018     Updated: Aug 27, 2018

Summary

Wind River Security Vulnerability Notice: Meltdown and Spectre Side-Channel Attacks - (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) for Wind River Linux and Pulsar


Product Version

Wind River Linux LTS 17, Pulsar Linux 8, Wind River Linux 9, Wind River Linux 5, Wind River Linux 6, Wind River Linux 7, Wind River Linux 8

Downloads


Description

Wind River® has been made aware of the Meltdown and Spectre exploits in modern processors. These security exploits potentially allow for the gathering of sensitive data improperly from computing devices. They could affect a variety of processors from different vendors.

There are 3 known CVEs related to this issue affecting different architectures.

  • Variant 1 CVE-2017-5753 is the bounds check bypass variant of Spectre.

  • Variant 2 CVE-2017-5715 is the branch target injection variant of Spectre.

  • Variant 3 CVE-2017-5754 is the rogue data cache load variant known as Meltdown.

Current State


New software features required to mitigate against Spectre and Meltdown are being developed in upstream Linux kernel and GCC source trees. Wind River is tracking these and will release updates when they are sufficiently stable to meet our customers' requirements for quality and stability.

Updates

A. Meltdown CVE 2017-5754 (variant 3)

1. KPTI changes to address for Intel Architecture

Mitigations are available for:
  • Wind River Linux LTS-17 RCPL 4 on 64-bit Intel Architecture processors
  • Wind River Linux 9 RCPL 14 on 64-bit Intel Architecture processors
  • Wind River Linux 8 RCPL 25 on 64-bit Intel Architecture processors
  • Wind River Linux 7 RCPL 28 on 64-bit Intel Architecture processors
  • Wind River Linux 6 RCPL 36 on 64-bit Intel Architecture processors


RCPL updates newer then indicated above will include these migrations. See the Installation Notes below for details on enabling this mitigation.

Customer specific patches for various profiles of Wind River Linux 5 are available; please contact your customer support representative for details.

Patches for 32-bit Intel Architecture kernels to mitigate CVE 2017-5754 are not available and may not be feasible. We advise any customers who require this mitigation, and leverage a 64-bit capable CPU to run the 64-bit Linux kernel.

2. Meltdown mitigations for other architectures

Mitigations are available for:
  • Wind River Linux LTS-17 RCPL 7 and newer for certain 64-bit ARM processors


Please contact your silicon vendor to determine if your models are affected.

Changes to the kernel will be considered if other supported architectures are found to be vulnerable to Meltdown CVE 2017-5754.

B. Spectre variants 1 and 2 (CVE 2017-5753 and CVE 2017-5715)


1. Implementation of "Retpoline" for Intel Architecture for variant 2 (CVE 2017-5715)


The new "retpoline" feature changes the return sequence to isolate indirect branches from speculative execution.

There are two components to this:

  • changes to GCC to change the assembler produced during indirect branches and ability to generate a new indirect return function, known as a "thunk"
  • changes to the kernel to address indirect branches within the kernel

    Retpoline thunk for Intel Architecture in GCC is included in:
  • Wind River Linux LTS-17 RCPL 5 and newer

    2. Implementation of speculative execution barriers in GCC for Spectre variant 1 (CVE 2017-5753)


    New instructions would be introduced that would allow programmers to restrict speculative execution optimization for certain code segments.

    Use of the new speculative execution barriers is available in:
  • Wind River Linux LTS-17 RCPL 6 and newer on Intel Architecture
  • Wind River Linux LTS-17 RCPL 7 and newer for applicable ARM64 architectures

    3. Removal of Spectre gadgets for Spectre variants 1 and 2 (CVE 2017-5753 and CVE 2017-5715)


    These are changes to the Linux kernel that would remove susceptible code patterns. This would deter attacking programs from accessing kernel address spaces.

    Removal of the Spectre gadgets is available in:
  • Wind River Linux LTS-17 RCPL 6 and newer for 64-bit Intel Architecture processors
  • Wind River Linux LTS-17 RCPL 7 and newer for ARM64 Architecture Processors
    Mitigations are available for:
  • Wind River Linux 9 on 64-bit Intel Architecture processors

    Wind River will continue to prepare updates for:
  • Wind River Linux 9 on CPUs other than 64-bit Intel Architecture
  • Wind River Linux 8, 7, 6, and 5.

    4. Spectre mitigations for other architectures


    Updates will be considered for PowerPC and MIPS as CPU vendors announce affected products and software updates are available.

    5. CPU microcode updates


    Updated OS loadable Intel Microcode (20180312) has been made available.

    Please contact your vendor for information on if a microcode update may be necessary, and for CPU microcode updates.

Additional References


https://meltdownattack.com/

Intel’s statement

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Affected Intel-based platforms
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

ARM affected processor table
https://developer.arm.com/support/security-update

https://9to5mac.com/2018/01/02/intel-cpu-bug-fix-slowdown-for-macs/

The kernel patches of KPTI

https://lkml.org/lkml/2017/12/4/709


Changelog

5/21/2018: Revise advisory.  Update LTS-17 Spectre/Meltdown status.  Add Spectre/Meltdown RCPL information.  Add note on 32-bit IA support.

5/14/2018: Update "Mitigations are available for" and "Mitigations are being developed for".

5/11/2018: WRL 7/6 Meltdown mitigation available. 

5/7/2018: WRL 8 Meltdown mitigation patches set V2. Comparing V1, supplementing about 20 patches.

4/4/2018: WRL 8 Meltdown mitigation available.  Revise text.  Reference the OS Loadable microcode update.

3/27/2018: Fix typographic error

3/26/2018: Fixed missing attachment

3/20/2018: WRL 9 Meltdown and Spectre mitigation available

3/12/2018: The new version microcode-20180312.tgz has been uploaded in https://knowledge.windriver.com/Content_Lookup?id=K-511564

2/27/2018: WRL LTS-17 Meltdown mitigation available

2/2/2018: Fix grammatical error

1/24/2018: Revise description to give additional information about vulnerability and planned mitigations

1/11/2018: Move Intel microcode update patches to their own entry.  https://knowledge.windriver.com/Content_Lookup?id=K-511474

1/11/2018: Add the patches for each WRLinux version to upgrade the Intel microcode

1/10/2018: Add reference of affected processor information of X86 and ARM

1/3/2018: Initial

Installation Notes

Installation for WRL LTS-17/9/8/7/6/5

Please update to the latest RCPL for all products.

1) Wind River Linux LTS-17

The patch is only valid with Wind River Linux LTS-17
RCPL 4.

Note: RCPL 5 and newer already contain this mitigation.

Due to the nature and size of this patch, the 
linux-yocto-4.12 and yocto-kernel-cache repositories 
have to be updated.  This update will occur 
automatically when you refresh, or install a new 
project from Windshare.  Any update after 2018-02-23 
will include the necessary changes, however they are 
not enabled without following the steps below.

update or create a project, using setup.sh:
$ wrlinux-x/setup.sh --machine ... ...

download the patch to enable the mitigation and 
apply it using the following:
$ cd layers/wrlinux
$ git am --whitespace=nowarn WRLLTS17-CVE-2017-5754-x86-64-RCPL4.patch

Warning: If you re-run setup.sh after applying the 
patch using the steps above, the patch will be 
removed by the tools.  In this case, you will have 
to re-run the steps above to apply the 
WRLLTS17-CVE-2017-5754-x86-64-RCPL4.patch.

To verify this patch is installed and the mitigation 
is in place, the linux-yocto version being built 
should now be 4.12.20.  This can be verified from 
the build logs, or on the target by inspecting the 
kernel version, such as: 'cat /proc/version'

If an error occurs when configuring the linux-yocto, 
or the linux-yocto version is reported to be 
4.12.19, you may need to run setup.sh to update from 
Windshare and reapply the patch file. 


2) Wind River Linux 9

The patch is only valid with Wind River Linux 9 RCPL
14.

Note: RCPL 15 and newer already contain this mitigation.

Due to the nature and size of this patch, the
kernel-4.8.x and kernel-cache repositories have to
be updated.  This update will occur automatically
when you refresh, or install a new project from
Windshare.  Any update after 2018-03-19 will include
the necessary changes, however they are not enabled
without following the steps below.

To update or create a project, using setup.sh:

$ wrlinux-x/setup.sh --machine ... ...

Download the patch to enable the mitigation and
apply it using the following:

$ cd layers/wrlinux
$ git am --whitespace=nowarn WRL9-CVE-2017-5754-x86-64-RCPL14.patch

Warning: If you re-run setup.sh after applying the
patch using the steps above, the patch will be 
removed by the tools. In this case, you will have to 
re-run the steps above to apply the 
WRL9-CVE-2017-5754-x86-64-RCPL14.patch.

To verify this patch is installed and the update is 
in place, the linux-windiver version being built 
should now be 4.8.28. This can be verified from the 
build logs, or on the target by inspecting the 
kernel version, such as: 'cat /proc/version'.

If an error occurs when configuring the linux-yocto, 
or the linux-yocto version is reported to be 4.8.26, 
you may need to run setup.sh to update from 
Windshare and reapply the patch file.


3) Wind River Linux 8

The patch is only valid with Wind River Linux 8 RCPL
25.

Download the archive, WRL8-CVE-2017-5754-x86-64-RCPL25-patch-V2.tar.gz,
extract the archive to a temporary location, such as:

$ cd /tmp
$ mkdir WRL8
$ cd WRL8
$ tar xvfz .../WRL8-CVE-2017-5754-x86-64-RCPL25-patch-V2.tgz

In your configured Wind River Linux 8 project, do the
following:

$ make linux-windriver.patch
$ make kds
$ git am /tmp/WRL8/00*
$ exit
$ make bbs
$ bitbake -C configure linux-windriver
$ exit

Note: If you clean or otherwise reset the linux-windriver,
you will have to redo the steps above.


5) Wind River Linux 7

The patch is only valid with Wind River Linux 7 RCPL
28.

Download the archive, WRL7-CVE-2017-5754-x86-64-RCPL28-patch.tar.gz,
extract the archive to a temporary location, such as:

$ cd /tmp
$ mkdir WRL7
$ cd WRL7
$ tar xvfz .../WRL7-CVE-2017-5754-x86-64-RCPL28-patch.tgz

In your configured Wind River Linux 7 project, do the
following:

$ make linux-windriver.patch
$ make kds
$ git am /tmp/WRL7/00*
$ exit
$ make bbs
$ bitbake -C configure linux-windriver
$ exit

Note: If you clean or otherwise reset the linux-windriver,
you will have to redo the steps above.

6) Wind River Linux 6


The patch is only valid with Wind River Linux 6 RCPL
36.

Download the archive, WRL6-CVE-2017-5754-x86-64-RCPL36-patch.tar.gz,
extract the archive to a temporary location, such as:

$ cd /tmp
$ mkdir WRL6
$ cd WRL6
$ tar xvfz .../WRL6-CVE-2017-5754-x86-64-RCPL36-patch.tgz

In your configured Wind River Linux 6 project, do the
following:

$ make linux-windriver.patch
$ make kds
$ git am /tmp/WRL6/00*
$ exit
$ make bbs
$ bitbake -C configure linux-windriver
$ exit

Note: If you clean or otherwise reset the linux-windriver,
you will have to redo the steps above.

7) Wind River Linux 5

WRL5 is legacy product, please contact Wind River Support at +1-800-872-4977 or your local Wind River representative for the Wind River Linux 5 fix.

Live chat
Online