Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Overview

This article describes how to enable or disable the Meltdown and Spectre patches for Linux images.

 

Detail

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

Meltdown and Spectre are security vulnerabilities in Intel processor chips. They are caused by design flaws in the chip hardware and can lead to issues such as leakage of operating system kernel information and unauthorized access to kernel data by applications. For more information about the vulnerability numbers, visit the CVE website.

  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754

 

Alibaba Cloud released a Security Vulnerability Bulletin on January 20, 2018, containing the risk details and impact scope. This topic describes how to configure the security patches in the GuestOS image and how to configure the operating system accordingly. The default security policy is as follows.

  • To protect against the Meltdown vulnerability, PTI (Page Table Isolation) is enabled by default.
  • To protect against the Spectre vulnerability, IBRS (Indirect Branch Restricted Speculation) is disabled by default through the noibrs kernel parameter, and Retpoline and IBPB (Indirect Branch Prediction Barrier) are enabled.

 

How to enable or disable the Meltdown patch

The following public images have the Meltdown patch (PTI) enabled. The list changes as Alibaba Cloud public images are updated.

  • CentOS 7.5/7.6
  • Debian 9.6/8.10
  • Red Hat 7.5/7.6
  • SUSE Linux 15
  • Ubuntu 18.04
  • CoreOS 1911.3.0
  • FreeBSD 11.2
  • OpenSUSE 15

 

If you find that enabling PTI affects instance performance, or you have other protective measures in place, you can disable PTI by following the steps below.

Note: For information about how to add or modify kernel parameters, see the official website of each Linux distribution.

  1. Connect to the Linux instance.
  2. Perform one of the following operations, depending on your operating system.
    • CentOS, Debian, OpenSUSE, Red Hat, SUSE Linux, and Ubuntu: add the nopti kernel parameter.
    • CoreOS: add pti=off to the grub.cfg configuration file.
    • FreeBSD: edit /boot/loader.conf (for example, with vi) and add vm.pmap.pti=0 to the configuration file.
  3. Restart the instance so that the new kernel parameter takes effect.

 

How to enable or disable the Spectre patch

Alibaba Cloud currently supports IBRS and IBPB. By default, public images are protected against Spectre through Retpoline and IBPB (Indirect Branch Prediction Barrier), and IBRS is disabled through the noibrs kernel parameter. The following public images are involved. The list changes as Alibaba Cloud public images are updated.

  • CentOS 7.5/7.6
  • Debian 9.6/8.10
  • Red Hat 7.5/7.6
  • SUSE Linux 15
  • Ubuntu 18.04
  • CoreOS 1911.3.0
  • FreeBSD 11.2
  • OpenSUSE 15

 

If you need to restore the default settings of your operating system, if you find that the current settings affect instance performance, or if you have other protective measures in place, you can disable the Spectre patch by following the steps below.

Note: For information about how to add or modify kernel parameters, see the official website of each Linux distribution.

  1. Connect to the Linux instance.
  2. Perform one of the following operations, depending on your operating system.
    • CentOS and Red Hat
      - Restore the default settings of Alibaba Cloud images: add the noibrs kernel parameter.
      - Restore the default settings of the operating system: remove the noibrs kernel parameter.
      - Disable the Spectre patch: add the spectre_v2 kernel parameter and set it to off (spectre_v2=off).
    • CoreOS
      - Restore the default settings of Alibaba Cloud images: add the kernel parameter spectre_v2=off to the grub.cfg configuration file.
      - Restore the default settings of the operating system: remove the spectre_v2=off kernel parameter.
    • OpenSUSE
      - Restore the default settings of Alibaba Cloud images: add the spectre_v2 kernel parameter and set it to off (spectre_v2=off).
    • Debian and Ubuntu
      - Retpoline and IBPB are enabled by default. No modification is required.
    • SUSE Linux
      - Retpoline is enabled by default.
    • FreeBSD
      - Restore the default settings of Alibaba Cloud images: add the hw.ibrs_disable kernel parameter.
      - Restore the default settings of the operating system: remove the hw.ibrs_disable kernel parameter.
      - Disable the Spectre patch: add the hw.ibrs_disable kernel parameter.
    Note: The noibrs kernel parameter is invalid on OpenSUSE and CoreOS. On these systems, set spectre_v2=off instead and apply other protective measures.
  3. Restart the instance so that the new kernel parameter takes effect.

 

How to check whether the Meltdown or Spectre patch is enabled

  1. Connect to the Linux instance.
  2. Obtain the spectre-meltdown-checker.sh script from the spectre-meltdown-checker repository on GitHub.
  3. Run the following commands in sequence to add execution permissions and run the script:
    chmod +x spectre-meltdown-checker.sh
    sudo bash spectre-meltdown-checker.sh
  4. Determine whether the Meltdown or Spectre patch is enabled based on the script prompts.
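As an added example (not part of this article or of the spectre-meltdown-checker project), the following POSIX shell script reads the kernel's own view of the mitigations from /sys/devices/system/cpu/vulnerabilities and compares it with the boot parameters that the steps above add or remove (nopti, pti=off, noibrs, spectre_v2=off), so a parameter written to the boot configuration but not yet applied by a reboot shows up as a mismatch. The sysfs and /proc paths are standard Linux interfaces; the fallback values used when they are unreadable are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud article: compare the kernel's
# reported Meltdown/Spectre mitigation state with the boot parameters.

# mitigation_state <sysfs-line>: classify one line read from
# /sys/devices/system/cpu/vulnerabilities/<name>.
mitigation_state() {
    case "$1" in
        "Not affected") echo not_affected ;;
        Mitigation:*)   echo enabled ;;
        Vulnerable*)    echo disabled ;;
        *)              echo unknown ;;
    esac
}

# cmdline_flags <kernel-cmdline>: print, space separated, which of the
# mitigation-disabling parameters from the article appear in the cmdline.
cmdline_flags() {
    found=""
    for tok in $1; do
        case "$tok" in
            nopti|pti=off|noibrs|spectre_v2=off) found="$found $tok" ;;
        esac
    done
    echo "${found# }"
}

# expected_state <vuln> <kernel-cmdline>: the state the boot parameters imply.
# noibrs alone leaves Retpoline and IBPB active, so only spectre_v2=off
# counts as disabling the Spectre v2 mitigation.
expected_state() {
    flags=" $(cmdline_flags "$2") "
    case "$1" in
        meltdown)   case "$flags" in *" nopti "*|*" pti=off "*) echo disabled; return ;; esac ;;
        spectre_v2) case "$flags" in *" spectre_v2=off "*) echo disabled; return ;; esac ;;
    esac
    echo enabled
}

# check_host: use the live files on Linux; elsewhere fall back to
# constructed sample values so the script still runs for demonstration.
check_host() {
    dir=/sys/devices/system/cpu/vulnerabilities
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "BOOT_IMAGE=/vmlinuz root=/dev/vda1 nopti")
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then line=$(cat "$dir/$v"); else line="Mitigation: PTI"; fi
        actual=$(mitigation_state "$line"); expected=$(expected_state "$v" "$cmdline")
        verdict=ok
        [ "$actual" = "$expected" ] || [ "$actual" = not_affected ] || verdict="MISMATCH (reboot pending or parameter unsupported?)"
        printf '%-10s kernel=%-12s cmdline=%-8s %s\n' "$v" "$actual" "$expected" "$verdict"
    done
}
check_host
```

Run it as root on the instance after applying a parameter and again after the reboot; the verdict column should change from MISMATCH to ok once the running kernel reflects the boot configuration.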

 

Reference

For the following operating systems, you can go to their website for more information.

  • Red Hat
  • SUSE Linux
  • Ubuntu

 

Application scope

  • ECS