Last week, a series of critical vulnerabilities called Spectre and Meltdown were announced. Because of the nature of these issues, the solutions are complex and requires fixing delicate code. The fixes for Meltdown are mostly underway. The Meltdown fix for x86 is KPTI. KPTI has been merged into the mainline Linux tree and many stable trees, including the ones Fedora uses. Fixes for other arches are close to being done and should be available soon. Fixing Spectre is more difficult and requires fixes across multiple areas.

Similarly to Meltdown, Spectre takes advantage of speculation done by CPUs. Part of the fix for Spectre is disallowing the CPU to speculate in particular vulnerable sequences. One solution developed by Google and others is to introduce “retpolines” which do not allow speculation. A sequence of code that might allow dangerous speculation is replaced with a “retpoline” which will not speculate. The difficult part of this solution is that the compiler needs to be aware of where to place a retpoline. This means a complete solution involves the compiler as well.

The first part of the work necessary for retpoline is now done. This should be completely merged in the next few days and available in Fedora stable releases shortly. These patches by themselves do provide a degree of protection against Spectre attacks but more work is needed to be a complete solution. The compiler support to provide further protection are still under review by upstream developers. Support for other arches is ongoing.

An alternative to the retpoline patches involves exposing some hardware features to more tightly control speculation. Some CPUs have a feature called Indirect Branch Restricted Speculation (IBRS). When this feature is enabled, userspace programs are further restricted in how they are able to speculatively execute instructions. Fully supporting this feature requires microcode updates, some of which are available now with others available shortly. IBRS provides a more complete solution without the need for compiler support but at a higher performance cost. The IBRS patches are still under review and should be merged eventually but will not be available in time for 4.15. When the IBRS patches are available, we will be backporting them to Fedora stable branches.

Both IBRS and retpoline cover the “variant 2” version of Spectre. The “variant 1” version of Spectre doesn’t have a solution with a quick and catchy name. The solution for variant 1 involves scanning the code for sequences that may be problematic. The method for scanning the code tends to produce many false positives (sequences that are not actually vulnerable) so upstream developers are trying to narrow down which parts of the code actually need fixing. Fixes for sequences which are known to be vulnerable have been merged.

Although Spectre is an important security issue, just as important is careful review of fixes to make sure the solution is maintainable. Rushing a fix could cause more problems in the future. The Fedora team is continually monitoring Spectre fixes to bring them to you when they are ready.