OpenWRT and Meltdown patch

Are there any plans how to patch OpenWRT against these attacks?

https://meltdownattack.com/

Update
Kernel 4.14.11+ is patched against this attack. Turris Omnia now returns this version:

uname -romi 4.4.106-1e4a549d177ab3da12b2052fba6a4dd5-3 armv7l unknown n

Kernel 4.4.109 should contain a fix for Meltdown and I’m hoping (and guessing) that will be a part of the next release (which I’m also hoping will be released sooner rather than later).

omnia-nightly has .109 already.

It seems that this vulnerability affects only Intel processors (according to the paper). Turris Omnia has an ARMv7 processor and Turris 1.x has PowerPC.

UPDATE
There are 2 vulnerabilities:

  1. Meltdown CVE-2017-5754
  • Only Intel processors are affected
  • UPDATE: Some ARMs are also affected, but not the A9 used in Omnia
  2. Spectre CVE-2017-5753 and CVE-2017-5715
  • Some ARM processors are also affected (including the A9 in Omnia)
  • UPDATE: It is probable that PowerPC processors are also affected

It seems that Spectre vulnerability affects Turris Routers. We are investigating more details.

Anyway, the potential attacker needs to have local access to the system. That means:

  • Buggy software
  • Malware installed
  • SSH access
  • Applications, software and SSH access in LXC containers

So if you

  • have Updater enabled
  • have no third-party software installed
  • do not give SSH access to any user

you should be safe.


@RadoslavCap and @HomerSp, can you post any references to information about patched kernel versions please?

@RadoslavCap 4.4.11 was released in May 2016. I think that it cannot contain patches from December 2017.

@HomerSp I see that version 4.4.109 was released Jan 2nd 2018, so it should include these patches, but I cannot find them in the changelog.

Anyway, Meltdown does not affect Turris routers, and the introduced patches protect only against Meltdown. Spectre is not patched in the Linux kernel upstream yet, so we cannot do much more for it right now. This is a global problem.


Indeed, there was some confusion about what exactly these two vulnerabilities meant for us. As you say, the Turris won’t be affected by Meltdown since it is limited to x86 Intel processors.
Spectre is/will be a problem on the Omnia, yes, but as far as I know there have been no real (proof of concept) exploits yet - it’s all just documented, as actually taking advantage of it seems to be difficult. I don’t think there have been any patches released that will fix this latter exploit yet.

Not according to https://developer.arm.com/support/security-update: some ARM cores are also affected, like Cortex-A75, and A15, A57 and A72 by a variant of Meltdown.
The A9, which I believe the Omnia’s CPU is based on, is reported to be not affected by Meltdown though.


Yes, you are right. I have specified it in my previous reply.

Cross-ref: Critical security issues Meltdown and Spectre

@HomerSp FYI: kernel 4.4.110 was released today and it includes the KAISER/KPTI patch which “solves” the Meltdown problem.

We plan to ship this kernel version to RC next week, but this fix is not related to Omnia anyway (as I wrote above).


Just out of curiosity, probably a stupid question, but… the Meltdown software patch should decrease performance… Is this also valid for HW which is not affected but is using the updated upstream?

I’ve read this depends on the particular patch.

It should not. It is a kernel option which is forced only on x86 from Intel.

We will just deploy another kernel patch version as usual.
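As an added illustration of the two points made above (4.4.110 is the first 4.4.x release carrying KAISER/KPTI, and KPTI is an x86-only kernel option), here is a small POSIX sh check that is not code from the thread or from Turris OS. It assumes the Turris `uname -r` format shown earlier ("4.4.106-<hash>-3"), uses 4.4.110 as the threshold, and treats the `/sys/devices/system/cpu/vulnerabilities/meltdown` file as a newer-kernel interface that may be absent on 4.4.x; it says nothing about Spectre or about the ARM cores (A15/A57/A72/A75) that ARM lists as hit by a Meltdown variant.

```shell
#!/bin/sh
# Added example, not from the thread or from Turris OS: decide whether the
# Meltdown (KAISER/KPTI) kernel patch applies to this box and, if it does,
# whether the running kernel is new enough to carry it.
KPTI_KERNEL=4.4.110                     # first 4.4.x release with KPTI (per thread)
SYSFS_MELTDOWN=/sys/devices/system/cpu/vulnerabilities/meltdown   # newer kernels only

# "4.4.106-1e4a549d...-3" -> "4.4.106": keep only the leading digits-and-dots run.
kernel_base_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# Return 0 when kernel release $1 is at least release $2 (numeric, field by field).
version_ge() {
    have=$(kernel_base_version "$1"); want=$(kernel_base_version "$2")
    set -- $(printf '%s\n' "$have" | tr '.' ' '); h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $(printf '%s\n' "$want" | tr '.' ' '); w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    if [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ] && return 0; return 1; fi
    if [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ] && return 0; return 1; fi
    [ "$h3" -ge "$w3" ] && return 0; return 1
}

# KPTI is an x86 kernel option; on other architectures (armv7l on the Omnia,
# ppc on Turris 1.x) the kernel's Meltdown patch level does not change anything.
meltdown_status() {
    arch=$1; release=$2
    case "$arch" in
        x86_64|i?86)
            if version_ge "$release" "$KPTI_KERNEL"; then echo patched; else echo unpatched; fi ;;
        *) echo kpti-not-applicable ;;
    esac
}

# Newer kernels report the answer directly; map the sysfs text onto the same labels.
classify_sysfs() {
    case "$1" in
        "Not affected"*)    echo not-affected ;;
        "Mitigation: PTI"*) echo patched ;;
        "Vulnerable"*)      echo unpatched ;;
        *)                  echo unknown ;;
    esac
}

# Check the live system: prefer sysfs when present, else fall back to arch + version.
report_host() {
    if [ -r "$SYSFS_MELTDOWN" ]; then
        status=$(classify_sysfs "$(cat "$SYSFS_MELTDOWN")")
    else
        status=$(meltdown_status "$(uname -m)" "$(uname -r)")
    fi
    printf 'kernel %s on %s: meltdown %s\n' "$(uname -r)" "$(uname -m)" "$status"
}

report_host
```

On the Omnia output from the thread (4.4.106 on armv7l) the fallback path reports `kpti-not-applicable`; the same kernel string on an x86_64 box would report `unpatched` until 4.4.110 lands.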