Issue
Patches are available for the Spectre and Meltdown vulnerabilities that Cumulus Networks announced previously. They remedy the following vulnerabilities:
- CVE-2017-5753: Bounds check bypass (Spectre variant 1)
- CVE-2017-5715: Branch target injection (Spectre variant 2)
- CVE-2017-5754: Rogue data cache load (Meltdown)
Note: This issue was announced on the Cumulus Networks security announcement mailing list on April 3, 2019.
Verified Platforms
Cumulus Networks has verified that the patches are available for the following platforms:
- Dell Z9100-ON
- Dell Z9264F-ON
- Edgecore AS6712-32X
- Edgecore AS5712-54X
- HPE Altoline 6940
- HPE Altoline 6920
Resolution
The patches have been applied to the Cumulus Linux 3.7.4 kernel and later releases, but are disabled by default. They are disabled because, although we have done extensive testing, this fix includes a number of kernel changes and may impact switch performance. If you wish, you can leave this fix disabled.
You enable the patches by configuring some kernel command line options in GRUB configuration files, rebooting the switch, then updating your switch BIOS.
The command line option is in the /etc/default/grub.d/00-spectre-meltdown.cfg
file. If you installed Cumulus Linux 3.7.4 from the binary installation image, the command line option also appears in /etc/default/grub
.
To apply the patches, do the following:
- Edit the
/etc/default/grub.d/00-spectre-meltdown.cfg
file as follows:
cumulus@switch:~$ sed -i "s/GRUB_CMDLINE_LINUX_DEFAULT/#GRUB_CMDLINE_LINUX_DEFAULT/" /etc/default/grub.d/00-spectre-meltdown.cfg
- If you did a binary install of Cumulus Linux 3.7.4 or later, you also must edit
/etc/default/grub
as follows:
cumulus@switch:~$ sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet noibrs noibpb nolfence spectre_v2=off nopti"/#GRUB_CMDLINE_LINUX_DEFAULT="quiet noibrs noibpb nolfence spectre_v2=off nopti"\
GRUB_CMDLINE_LINUX_DEFAULT="quiet"/' /etc/default/grub - Run
update-grub
:
cumulus@switch:~$ update-grub
- Reboot the switch.
- Update the BIOS on your switch. For information on how to do this, contact your switch manufacturer.
- Verify that the GRUB option was successfully enabled, check
/proc/cmdline
to make sure the following does not exist:
cumulus@switch:~$ grep "noibrs noibpb nolfence spectre_v2=off nopti" /proc/cmdline
You can also verify that the GRUB option was successfully enabled by checking:
cumulus@switch:~$
cumulus@switch:~$ rgrep . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: lfence
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: IBRS IBPB
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cumulus@switch:~$
Comments