[ubuntu-hardened] 16.04 LTS (i386/x86): the lack of kernel hardening patches and config options? (Meltdown and Spectre attacks).
daniel curtis
sidetripping at gmail.com
Wed Jan 31 21:05:46 UTC 2018
Hello.
Recently, there were plenty of patches and updates to fix the Meltdown and
Spectre attacks (mostly in the 4.4, 4.9, and 4.14 kernels). In response to these
vulnerabilities, Google, among others, created a mitigation technique
called "Retpoline". In addition, the 'Kernel Page Table Isolation' (KPTI)
technique was implemented, and so on.
I'm sorry for this introduction, but I've talked with many people who are
running Linux and they are confused, just like me. I would like to ask
about the 16.04 LTS Release and the i386/x86 architecture. This Release is running
the Longterm Linux kernel v4.4. For example, LTS kernels should have the
"CONFIG_PAGE_TABLE_ISOLATION" build option to get complete protection,
right?
However, the latest Linux kernel version - v4.4.0-112-generic - does not
contain the above option (see below). What is the reason? (I mean the i386/x86
architecture.)
Also, the KPTI/KAISER patches should easily report via 'dmesg' when
the functionality is enabled/disabled (see below). An official v4.4.100
kernel contains, among others, two interesting commits regarding the above
information. The first one is about: "Make sure dmesg reports when KPTI is
enabled." (In my case there is no result; see below). The second one:
"This renames CONFIG_KAISER to CONFIG_PAGE_TABLE_ISOLATION." Again, there
is no "PAGE_TABLE_ISOLATION" config in the v4.4.0-112-generic kernel (arch.:
i386/x86).
For me, the strange thing is that the official Ubuntu Xenial-proposed list
for Linux v4.4.0-106.129 contains, for example: "[Config]:
CONFIG_KAISER=y", "KAISER: Kernel Address Isolation", "KPTI: Report when
enabled" etc.
For some time '/sys/devices/system/cpu/vulnerabilities/*' has been available.
Mr Greg Kroah-Hartman, on his website, has written that: "If your kernel
does not have that sysfs directory or files, then obviously there is a
problem and you need to upgrade your kernel!" But there is no such
directory in the latest 16.04 LTS Linux kernel - v4.4.0-112-generic. Will
this feature be backported?
$ cat /boot/config-4.4.0-112-generic |grep KAISER
$
$ cat /boot/config-4.4.0-112-generic |grep PAGE_TABLE_ISOLATION
$
$ sudo dmesg |grep "page tables"
$
The 'CONFIG_PAGE_TABLE_ISOLATION' build option should be enabled to get
complete protection, right? Why is it not available? It's about the i386/x86
architecture. Of course, all these descriptions are not all the information,
because that's not the point.
My friends and I would like to know: what about the i386/x86 architecture? Will
the same protection mechanisms be ported as for the amd64 architecture? I
apologize for such naive questions, but there is so much confusing
information on the web and we simply don't know what will happen with
the i386/x86 architecture. That's all.
By the way: what is happening to the v4.4 kernel in the 16.04 LTS Release? It's
still at the v4.4.98 level, while the latest v4.4 version released by Mr
Kroah-Hartman (released Wed. Jan. 31; that's today) is v4.4.114! So, the
difference between these two kernels is... 16. What is the reason? What's
happening? Honestly, I'm getting nervous. Maybe there could be some
Canonical statement about this situation?
Yes, I know that there are kernel security updates available in 16.04 LTS
and that's very good. But what about these 16 "big" updates?
I apologize for such a long e-mail, but we could not find some valuable
answers about Spectre/Meltdown hardening updates for i386/x86 architecture
etc.
So, what about i386/x86 architecture? Will there be available updates, just
like for x86_64?
Thanks, best regards.
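The three manual checks in the mail (grepping the kernel config for KAISER / PAGE_TABLE_ISOLATION and looking for the sysfs vulnerabilities directory) can be wrapped into one repeatable check. This is an added example written for this page, not part of the original mail or of any Ubuntu tooling; the config file path and the sysfs directory are parameters, and the sample files it builds under a temporary directory are constructed inputs, not output from a real 16.04 host.

```shell
#!/bin/sh
# kpti_config_status CONFIG_FILE
#   Prints "pti" when CONFIG_PAGE_TABLE_ISOLATION=y (new option name),
#   "kaiser" when only the older CONFIG_KAISER=y name is present,
#   and "none" when neither is set or the file is unreadable.
kpti_config_status() {
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1" 2>/dev/null; then
        echo pti
    elif grep -q '^CONFIG_KAISER=y' "$1" 2>/dev/null; then
        echo kaiser
    else
        echo none
    fi
}

# meltdown_sysfs_status VULN_DIR
#   Prints the kernel's own meltdown status line from VULN_DIR/meltdown,
#   or "missing" when the kernel predates the sysfs vulnerabilities
#   interface (the situation described for v4.4.0-112-generic above).
meltdown_sysfs_status() {
    if [ -r "$1/meltdown" ]; then
        cat "$1/meltdown"
    else
        echo missing
    fi
}

# Constructed sample inputs standing in for /boot/config-* files and for
# /sys/devices/system/cpu/vulnerabilities; the values are illustrative only.
demo_dir=$(mktemp -d)
printf 'CONFIG_X86_32=y\nCONFIG_KAISER=y\n' > "$demo_dir/config-kaiser"
printf 'CONFIG_X86_64=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$demo_dir/config-pti"
printf 'CONFIG_X86_32=y\n# CONFIG_PAGE_TABLE_ISOLATION is not set\n' \
    > "$demo_dir/config-none"
mkdir "$demo_dir/vulns"
printf 'Mitigation: PTI\n' > "$demo_dir/vulns/meltdown"

# Report for the constructed samples, then for the host this runs on.
for f in config-kaiser config-pti config-none; do
    echo "sample $f: $(kpti_config_status "$demo_dir/$f")"
done
echo "sample sysfs: $(meltdown_sysfs_status "$demo_dir/vulns")"
echo "host config: $(kpti_config_status "/boot/config-$(uname -r)")"
echo "host sysfs:  $(meltdown_sysfs_status /sys/devices/system/cpu/vulnerabilities)"
```

A result of "none" together with "missing" on a running kernel is exactly the combination the mail reports; either value alone is worth a second look, since the config name changed between KAISER and PAGE_TABLE_ISOLATION across 4.4 stable releases.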