This topic describes how Alibaba Cloud ECS responds to the Meltdown and Spectre vulnerabilities and how to protect ECS instances against these vulnerabilities.

Background information

Meltdown and Spectre are vulnerabilities in the speculative-execution design of modern CPUs (Intel processors in particular; Spectre also affects processors from other vendors). They are flaws at the chip hardware layer rather than operating system bugs, so the operating system can only mitigate them, not remove them. Exploitation lets an unprivileged application read memory it should not have access to, such as operating system kernel data. You can look up the vulnerability IDs on the CVE website.

On January 20, 2018, Alibaba Cloud released a vulnerability notice to describe the details and impacts of the vulnerabilities.

This topic lists the Alibaba Cloud public images that have been patched against these vulnerabilities and explains how to change the mitigation settings in the operating system. The default security policy of these images is as follows:

  • Meltdown: Page Table Isolation (PTI) is enabled.
  • Spectre (variant 2): Indirect Branch Restricted Speculation (IBRS) is turned off with the noibrs kernel parameter, and the kernel relies on Retpoline together with Indirect Branch Prediction Barriers (IBPB) instead.

How to enable or disable the Meltdown patch

The following public images have the Meltdown patch enabled (PTI On):

  • CentOS 7.5/7.6
  • Debian 9.6/8.10
  • Red Hat 7.5/7.6
  • SUSE Linux 15
  • Ubuntu 18.04
  • CoreOS 1911.3.0
  • FreeBSD 11.2
  • OpenSUSE 15

The preceding list is subject to change due to updates to Alibaba Cloud public images.

If you find that PTI noticeably affects the performance of your instances (it adds a cost to every system call and interrupt), or if you have other protective measures, you can disable it as follows. With PTI off, kernel memory is again readable through Meltdown by any local process on the instance, so do this only where that risk is acceptable:

  1. Connect to your instance.
  2. Perform one of the following operations based on your Linux distribution:
    • CentOS, Debian, OpenSUSE, Red Hat, SUSE Linux, and Ubuntu: Add the nopti kernel parameter to the kernel command line (GRUB_CMDLINE_LINUX in /etc/default/grub) and regenerate grub.cfg.
    • CoreOS: Run the vi /usr/share/oem/grub.cfg command and add pti=off to the kernel parameters in the GRUB configuration file.
    • FreeBSD: Run the vi /boot/loader.conf command and add the line vm.pmap.pti=0.
  3. Restart the instance.

How to enable or disable the Spectre patch

Alibaba Cloud currently allows you to configure Indirect Branch Restricted Speculation (IBRS) and IBPB. By default, public images are protected against the Spectre vulnerability through Retpoline and IBPB, with IBRS disabled by the noibrs kernel parameter. The following public images have the Spectre patch enabled:

  • CentOS 7.5/7.6
  • Debian 9.6/8.10
  • Red Hat 7.5/7.6
  • SUSE Linux 15
  • Ubuntu 18.04
  • CoreOS 1911.3.0
  • FreeBSD 11.2
  • OpenSUSE 15

The preceding list is subject to change due to updates to Alibaba Cloud public images.

If you want to restore the default settings of your operating system, find that the current setting affects the performance of your instances, or want to implement other protective measures, you can take the following steps to change or disable the Spectre mitigation:

  1. Connect to your instance.
  2. Perform one of the following operations based on your Linux distribution. For each distribution, the three settings are: how to restore the default settings of Alibaba Cloud images, how to restore the default settings of the operating system, and how to disable the Spectre patch.
    • CentOS and Red Hat: Restore the Alibaba Cloud image default by adding the noibrs kernel parameter. Restore the operating system default by removing the noibrs kernel parameter. Disable the Spectre patch by adding the spectre_v2 kernel parameter set to off (spectre_v2=off).
    • CoreOS: Run the vi /usr/share/oem/grub.cfg command and add spectre_v2=off to the kernel parameters in the GRUB configuration file; this is both the Alibaba Cloud image default and the way to disable the patch. Restore the operating system default by removing the spectre_v2=off parameter.
    • OpenSUSE: Add the spectre_v2=off kernel parameter; this is both the Alibaba Cloud image default and the way to disable the patch. Restore the operating system default by removing the spectre_v2 kernel parameter.
    • Debian and Ubuntu: Retpoline and IBPB are enabled by default. No modification is required.
    • SUSE Linux: Retpoline is enabled by default.
    • FreeBSD: Restore the Alibaba Cloud image default by adding hw.ibrs_disable=1 to /boot/loader.conf; this also disables the patch. Restore the operating system default by removing the hw.ibrs_disable setting.
    Note: The noibrs kernel parameter has no effect on OpenSUSE and CoreOS. You must set the spectre_v2 parameter to off for them. Be aware that spectre_v2=off turns off all Spectre variant 2 mitigation in the kernel, including Retpoline and IBPB, whereas noibrs only turns off IBRS.
  3. Restart the instance.
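Both procedures above (nopti for the Meltdown patch, noibrs or spectre_v2=off for the Spectre patch) come down to editing the kernel command line and regenerating the boot configuration. The following script is an added example, not Alibaba Cloud tooling: it adds or removes a kernel parameter in GRUB_CMDLINE_LINUX idempotently, so a provisioning script can be rerun without accumulating duplicate tokens, and then calls the distribution's regeneration command. It assumes a GRUB2 image that reads /etc/default/grub with a double-quoted GRUB_CMDLINE_LINUX value (CentOS, Red Hat, Debian, Ubuntu, SUSE, OpenSUSE); CoreOS and FreeBSD use the other files named above. The sample defaults file in demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud tooling): toggle the kernel parameters used
# on this page (nopti for Meltdown; noibrs or spectre_v2=off for Spectre) in
# GRUB_CMDLINE_LINUX of a grub defaults file, then regenerate grub.cfg.
# Assumes a GRUB2 image that reads /etc/default/grub (CentOS, Red Hat, Debian,
# Ubuntu, SUSE, OpenSUSE) and a double-quoted GRUB_CMDLINE_LINUX value.
# CoreOS (/usr/share/oem/grub.cfg) and FreeBSD (/boot/loader.conf) differ.

# Print the current GRUB_CMDLINE_LINUX value of the given file (empty if unset).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Rewrite GRUB_CMDLINE_LINUX via a temp file (a failed write never leaves a
# truncated defaults file); add the line if it is missing.
grub_set_cmdline() {
    file=$1; value=$2
    grep -q '^GRUB_CMDLINE_LINUX=' "$file" || echo 'GRUB_CMDLINE_LINUX=""' >> "$file"
    sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$value\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Add a parameter unless an identical token is already present (idempotent,
# so rerunning a provisioning script does not produce "nopti nopti").
grub_add_param() {
    current=$(grub_cmdline "$1")
    for tok in $current; do
        [ "$tok" = "$2" ] && return 0
    done
    grub_set_cmdline "$1" "${current:+$current }$2"
}

# Remove a parameter by exact token match ("pti" does not touch "nopti").
grub_remove_param() {
    kept=""
    for tok in $(grub_cmdline "$1"); do
        [ "$tok" = "$2" ] || kept="${kept:+$kept }$tok"
    done
    grub_set_cmdline "$1" "$kept"
}

# Regenerate the boot configuration so the change applies at the next reboot.
# BIOS-boot paths; on UEFI systems grub.cfg lives under /boot/efi/EFI/<distro>/.
grub_regenerate() {
    if command -v update-grub >/dev/null 2>&1; then
        update-grub                                # Debian, Ubuntu
    elif command -v grub2-mkconfig >/dev/null 2>&1; then
        grub2-mkconfig -o /boot/grub2/grub.cfg     # CentOS, Red Hat, SUSE, OpenSUSE
    else
        echo "no GRUB2 tooling found; regenerate grub.cfg manually" >&2
        return 1
    fi
}

# Demonstration on a constructed copy of a defaults file (not the live system).
demo() {
    f=$(mktemp)
    printf 'GRUB_TIMEOUT=1\nGRUB_CMDLINE_LINUX="console=ttyS0 crashkernel=auto"\n' > "$f"
    grub_add_param "$f" nopti           # disable PTI (Meltdown patch)
    grub_add_param "$f" noibrs          # Alibaba Cloud default for CentOS/Red Hat
    echo "after add:    $(grub_cmdline "$f")"
    grub_remove_param "$f" nopti        # re-enable PTI
    echo "after remove: $(grub_cmdline "$f")"
    rm -f "$f"
}

# Live use: sudo sh grub-param.sh add nopti   (then reboot the instance)
case "${1:-demo}" in
    add)    grub_add_param /etc/default/grub "$2" && grub_regenerate ;;
    remove) grub_remove_param /etc/default/grub "$2" && grub_regenerate ;;
    *)      demo ;;
esac
```

Run it with no arguments to see the add/remove behaviour on the constructed file; with add or remove it edits /etc/default/grub and regenerates grub.cfg, after which the instance still has to be restarted for the new command line to take effect. On CentOS and Red Hat, grubby --update-kernel=ALL --args="nopti" is an equivalent shortcut for the add step.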

How to check whether the Meltdown or Spectre patch is enabled

  1. Connect to your instance.
  2. Obtain the spectre-meltdown-checker.sh script from the spectre-meltdown-checker repository on GitHub (https://github.com/speed47/spectre-meltdown-checker).
  3. Run the following commands in your instance. The script must run as root because it reads CPU model-specific registers and kernel files that are not readable by normal users:
    chmod +x spectre-meltdown-checker.sh
    sudo bash spectre-meltdown-checker.sh
  4. Read the script output: each vulnerability is reported as vulnerable or not, together with the mitigation that is active (for example PTI for Meltdown, and Retpoline or IBRS with IBPB for Spectre variant 2), which tells you whether the corresponding patch is enabled.
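On Linux the checker script ultimately reads the kernel's own report in /sys/devices/system/cpu/vulnerabilities, which you can also query directly from an inventory or compliance job. The following script is an added example, not part of this page or of spectre-meltdown-checker: it classifies each entry, returns a non-zero exit status when anything is vulnerable, and lists which of the parameters from this page are present on the kernel command line. It assumes a kernel that exposes that sysfs directory (4.15 and later, and the patched kernels in the images listed above); it does not apply to FreeBSD. The sysfs contents in demo are constructed.

```shell
#!/bin/sh
# Added example (not from Alibaba Cloud or spectre-meltdown-checker): read the
# kernel's own mitigation report from sysfs and the live command line.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities
# (4.15+, and the patched kernels in the images listed above). Not for FreeBSD.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Classify one sysfs entry as mitigated / not-affected / vulnerable / unknown.
# Raw strings look like "Mitigation: PTI" (meltdown, PTI on),
# "Mitigation: Full generic retpoline, IBPB" (spectre_v2, this page's default),
# "Vulnerable" (what nopti or spectre_v2=off produces). A spectre_v2 line that
# mentions IBRS means the kernel is using IBRS rather than relying on Retpoline.
mitigation_state() {
    [ -r "$1/$2" ] || { echo unknown; return 0; }
    case "$(cat "$1/$2")" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print one line per entry; return 0 only if meltdown, spectre_v1 and spectre_v2
# are all mitigated or not affected, so the function can gate a compliance job.
check_all() {
    vdir=${1:-$VULN_DIR}
    rc=0
    for n in meltdown spectre_v1 spectre_v2; do
        s=$(mitigation_state "$vdir" "$n")
        echo "$n: $s"
        case "$s" in mitigated|not-affected) ;; *) rc=1 ;; esac
    done
    return $rc
}

# List the PTI / IBRS / spectre_v2 parameters present in a kernel command line
# (pass the contents of /proc/cmdline), so a nopti or spectre_v2=off left
# behind by an earlier tuning change is visible. pti=* and spectre_v2=* are
# matched broadly so that pti=on or spectre_v2=retpoline are reported too.
mitigation_params() {
    for tok in $1; do
        case "$tok" in
            nopti|pti=*|noibrs|spectre_v2=*) echo "$tok" ;;
        esac
    done
}

# Demonstration on a constructed sysfs directory (not the live system).
demo() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB\n' > "$d/spectre_v2"
    check_all "$d"
    echo "cmdline flags: $(mitigation_params 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 noibrs console=ttyS0' | tr '\n' ' ')"
    rm -rf "$d"
}

# Live use: sh check-mitigations.sh --live  (exit status 1 if anything is vulnerable)
if [ "${1:-}" = "--live" ]; then
    mitigation_params "$(cat /proc/cmdline)"
    check_all || exit 1
else
    demo
fi
```

After disabling PTI with nopti and rebooting, the meltdown entry switches from "Mitigation: PTI" to "Vulnerable", so a fleet-wide run of check_all is a quick way to find instances where a performance tweak has quietly removed the protection.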

References

For the following operating systems, you can go to their official websites for more details: