Spectre still unfixed, unlike what Intel says
Written by https://twitter.com/never_released , reviewed and corrected by Alex Ionescu
On January 4th, 3 separate vulnerabilities were released, the two first ones being named Spectre (Variant 1 and 2) and the third one being Meltdown (Variant 3).
Intel CPUs are affected by all vulnerabilities, as are Apple A-series CPUs used on iOS devices, nVidia Tegra X2, the ARM Cortex-A75 and the Qualcomm Snapdragon 845 CPUs. CPUs with speculative execution from other manufacturers (other ARM "big" cores, AMD CPUs, PowerPC, ...) are affected by Spectre but not Meltdown.
In-order CPUs (such as ARM Cortex-A7 or ARM Cortex-A53, as are Atoms before 2013) are not affected by Meltdown and Spectre.
Meltdown (Variant 3) : CVE-2017-5754
Meltdown has been fixed on the Linux kernel through a patchset named KPTI, which affects performance differently depending on the workload. The effects are negligible for typical desktop usage, but some server workloads are heavily impacted.
Windows was patched in November for Insider (beta) builds, and January 2018 for everyone else. The hit when having a CPU without the INVPCID feature (pre-Haswell CPUs) is bigger than more modern CPUs for Meltdown, the TLB has to be flushed on each interrupt or context switch on older CPUs.
PCID as implemented in Ivy Bridge and earlier isn't enough to use the faster path instead of a TLB flush, INVPCID as present on Haswell and later is required for Windows. On Linux, a faster path is used even when INVPCID isn't available.
KPTI is only available for 64-bit operating systems. Some 32-bit operating systems such as Mac OS X are immune because they use separate memory maps for kernel and userspace, at does Linux with a 4GB/4GB memory split.
Spectre (Variant 2) : CVE-2017-5715
It's fixed on Windows on Intel and AMD systems with a microcode update delivered by the OEM, using IBPB and IBRS when available. If no microcode update is done, LFENCE is implemented on Windows as a mitigation for the kernel.
Spectre (Variant 2) is still unfixed on Linux at this time.
It'll be fixed with a mitigation called retpoline (with 5-10% performance impact in server use, should be negligible for customers) on Intel CPUs, which requires recompiling applications for full protection.
On Skylake and later, retpoline is only "98%" effective, aka probably workaroundable in the future.
IBRS, a patchset with a performance impact which also requires newer microcode to work exists for security-concerned users who want to protect applications one from the other without individual per-app fixes (IBRS=2 setting). IBRS is currently available through microcode updates for Haswell and later.
On AMD CPUs, retpoline isn't needed and usage of the LFENCE instruction is enough to protect against Variant 2 of Spectre for the kernel. IBPB is available as a part of a microcode update to protect applications without recompiling (microcode update not currently fully rolled out, and kernel code not included in the official Linux tree yet).
Spectre (Variant 1) : CVE-2017-5753
Spectre (Variant 1) is a bounds-checking exploit during branching. This issue is fixed with a kernel patch which isn't mainlined yet in the Linux kernel according to Red Hat. The flaw shouldn't exist on Windows, but can exist on third-party drivers used on the operating system. It'll have to be fixed for JITs such as web browsers too, it allows reading all the data of the current process otherwise.
Meltdown is currently patched for Linux & Windows. Spectre (Variant 2) is underway for Linux and not done yet for mainline.
Spectre (Variant 1) isn't currently patched on Linux, and the Windows kernel is immune unless one of the installed drivers is vulnerable. Applications interpreting/JITting untrusted code such as web browsers need updates regardless of OS updates for Spectre (Variant 1).
On Windows, Spectre (Variant 2) is patched for user-mode applications if Intel or AMD microcode updates are applied via a BIOS/UEFI update, ask your OEM/PC manufacturer for an firmware update that adds December/January 2018 microcode. Otherwise, application-specific updates are required, and only the kernel is protected (an app can snoop on another application, or even a browser tab on your passwords and such in theory).
Warning: For Windows systems, microcode updates have to be shipped via the BIOS/UEFI to protect against Spectre (Variant 2) across applications.
Warning 2: 32-bit Windows does not have Meltdown patches. Beware.
Warning 3: Windows XP/Vista and Windows Server 2003/2008 will never get Meltdown updates. Windows 8.0 is out of support, it'll not get Meltdown updates too.
This section doesn't apply yet, Linux isn't patched against Spectre. Vendor-specific kernels that have patches against those aren't properly validated and can result in data corruption. Some of them might not even boot on some machines. They're also not optimized and can cause large performance regressions.
The kernel is protected against Spectre (Variant 2) but application-specific patches are required except when IBPB=2 + STIBP, IBRS=1 + IBPB=1, or IBRS=2 are used.
Application-specific updates will be required to mitigate against Spectre (Variant 2) when IBRS=1 without IBPB, LFENCE, or retpoline mitigations are used kernel-side. Retpoline isn't fully effective for Skylake and later microarchitectures.
On Windows Server, KvaShadow (KPTI) and IBRS are disabled by default because of the performance impact, and have to be explicitly enabled by the administrator if he's concerned enough about security.
On Windows (client), the update is only downloaded if the antivirus vendor did set a registry key, for compatibility reasons.
macOS warning: The security flaw is not fixed in macOS 10.12 or 10.11, but only in High Sierra, Apple modified their support website to reflect this ( https://twitter.com/mikeymikey/status/949345240099377152 )
"The microcode is delivered through a firmware update. Consult with the device manufacturer about the firmware version that has the appropriate update for your CPU." infers that the microcode necessary for mitigating Spectre (Variant 2) cannot be applied by Windows, but requires OEM action.
On pre-Ryzen AMD CPUs, IBRS=2 and IBPB=1 is enabled by default on Red Hat to provide protection. On Ryzen, IBPB=2 is enabled instead.
ibpb=2 doesn’t protect the kernel against attacks based on simultaneous multi-threading (SMT, also known as hyperthreading); therefore, ibpb=2 provides less complete protection unless SMT is also disabled or STIBP is used. IBPB addresses Spectre (Scenario 2).
About the microcode update for Zen 1 CPUs being described as "disabling branch prediction", this is a mistake in the description of the update.
When Intel® OS Guard, also known as Supervisor-Mode Execution Prevention (SMEP), is enabled, the operating system will not be allowed to directly execute application code, even speculatively.