openSUSE Project’s Richard Brown has shared some insight into the work that the openSUSE Linux security team is doing to protect users against the Meltdown and Spectre security vulnerabilities.

openSUSE Leap and Tumbleweed users were among the first to receive the patches against the Meltdown and Spectre hardware bugs that put billions of devices at risk of attack. The first kernel updates were made available early this month for both openSUSE Leap 42.2 and 42.3, though the former reached end of life on January 26, 2018.

For openSUSE Tumbleweed, new kernels arrived in the first weeks of January as well, fully patching users against Meltdown attacks, which are easier to fix than Spectre because the Kernel Page Table Isolation (KPTI) kernel patches address them. Spectre has two variants and is harder to fix, but openSUSE Linux users are at least patched against the first one.

“The Spectre Variant 1 attack for the Linux kernel is mitigated with various speculative fences added throughout the kernel code. We might add more in case some places have been missed,” explains Richard Brown. “We released QEMU updates for passing through CPU flags for Variant 2 mitigations.”

Spectre variant 2 is partially fixed in openSUSE Leap and Tumbleweed

openSUSE Leap and Tumbleweed users also received updates for the Mozilla Firefox, Chromium, and WebKitGTK+ software, which have been patched upstream against the Meltdown and Spectre timing attacks by removing the JavaScript exploitation vector. However, the second variant of the Spectre flaw is only partially fixed at the moment.

Spectre variant 2 requires microcode firmware updates for Intel and AMD processors, but Intel borked the microcode update that was supposed to fix this hardware bug and urged the industry to revert to the pre-Spectre microcode version, which forced openSUSE developers to rely on the retpoline (return trampoline) patches instead.

The retpoline patches largely remove the need for firmware mitigations, says Richard Brown, who also noted that openSUSE Leap and Tumbleweed users have received the GCC 4.8 and the latest GCC 7 system compilers with retpoline support, and that the team is working on new Linux kernel updates built with retpoline.

These new kernel updates will most probably be based on the recently released Linux 4.15 kernel series and should mitigate Spectre variant 2. In addition, users will receive the latest Xen updates from upstream, which mitigate the Meltdown and Spectre security vulnerabilities, so make sure you keep your PCs up to date.
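Keeping a machine up to date is only half the job; an administrator also wants to confirm that the running kernel actually reports the mitigations the article describes (KPTI for Meltdown, speculative fences for Spectre v1, retpoline or microcode-based mitigation for Spectre v2). The script below is an added example, not code from the article or from the openSUSE project. It reads the `/sys/devices/system/cpu/vulnerabilities/` files that Linux 4.15 and later expose, which is a real interface; the sample status strings written by `make_sample_dir` are constructed here so the script can be exercised offline on any host, and the `VULN_DIR` variable and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): summarise Meltdown/Spectre mitigation
# status as reported by the kernel. Linux 4.15+ exposes one file per flaw under
# /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected",
# "Vulnerable..." or "Mitigation: ...". Run without arguments on a live host.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one sysfs status string to a short class:
# mitigated | vulnerable | not-affected | unknown
classify_status() {
  case "$1" in
    "Not affected")  echo not-affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Print one line per flaw; return 1 if any flaw is still vulnerable,
# 2 if the kernel does not expose the interface at all.
report_vulns() {
  dir="${1:-$VULN_DIR}"
  if [ ! -d "$dir" ]; then
    echo "no $dir: kernel predates the sysfs interface (Linux 4.15)" >&2
    return 2
  fi
  rc=0
  for name in meltdown spectre_v1 spectre_v2; do
    f="$dir/$name"
    [ -r "$f" ] || { echo "$name: not reported by this kernel"; continue; }
    status=$(cat "$f")
    class=$(classify_status "$status")
    echo "$name: $class ($status)"
    [ "$class" = vulnerable ] && rc=1
  done
  return $rc
}

# Build a constructed directory that mimics the sysfs layout, for offline use.
# $1 = directory, $2 = meltdown status, $3 = spectre_v1 status, $4 = spectre_v2 status
make_sample_dir() {
  mkdir -p "$1"
  printf '%s\n' "$2" > "$1/meltdown"
  printf '%s\n' "$3" > "$1/spectre_v1"
  printf '%s\n' "$4" > "$1/spectre_v2"
}

# Stand-alone demo on constructed data: KPTI and speculative fences present,
# but a kernel not yet built with a retpoline-capable compiler, so Spectre v2
# is still reported as vulnerable (the partially fixed state the article describes).
tmp=$(mktemp -d)
make_sample_dir "$tmp" \
  "Mitigation: PTI" \
  "Mitigation: __user pointer sanitization" \
  "Vulnerable: Minimal generic ASM retpoline"
report_vulns "$tmp"
echo "exit status: $?"
rm -rf "$tmp"
```

On a real openSUSE host run `report_vulns` with no argument; a non-zero exit status is a convenient hook for a configuration-management or monitoring check that flags machines still waiting for the retpoline kernel.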