January saw the announcement of a series of critical vulnerabilities called Spectre and Meltdown. The nature of these issues meant the solutions were complex and required changes to delicate code. The initial fix for Meltdown on x86 was KPTI, which was available almost immediately. Developing mitigations for Spectre was more complex. Other architectures had to assess their vulnerability status as well, and get mitigations in where they were needed. Now that a bit of time has passed, what is the exposure on Fedora?

Meltdown and Spectre mitigation coverage

The mitigation coverage for Spectre and Meltdown is in a pretty good state. For the x86 architecture, KPTI mitigates the Meltdown vulnerability (CVE-2017-5754), and the retpoline fixes mitigate Spectre variant 2 (CVE-2017-5715). Spectre variant 1 (CVE-2017-5753) required patching specific vulnerable code paths, and the known problem areas have been mitigated upstream as well. Additionally, ARM coverage landed in the 4.15.4 kernel updates for Fedora. Power architectures have initial coverage in Fedora kernel version 4.14.15.

All of this coverage is still being fine-tuned. The initial rounds of mitigation development aimed to plug the holes as quickly as possible so that users were not exposed. Once that was done, developers could pay more attention to tuning the mitigations for performance.

With mitigation where it currently stands, the Fedora Kernel Team has closed the tracking bugs for these CVEs. It is still important that you keep your kernels updated as the initial mitigations are fine-tuned. Optimizations to the initial mitigations are still rolling in, and probably will be for the foreseeable future. As many of these mitigations depend on CPU microcode updates, it is a very good idea to keep firmware updated where possible.
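To answer "what is my exposure right now?" on a given machine, the kernel reports the state of each of the three CVEs above through sysfs. The script below is an added example, not part of the original article or of Fedora's kernel packaging: it reads the real /sys/devices/system/cpu/vulnerabilities/ files (present in 4.15 and later, and in the Fedora kernels that backported the mitigations), prints the running kernel version and the microcode revision from /proc/cpuinfo, and exits non-zero if any entry is vulnerable or not reported. The classify_status helper and its four categories are this example's own convention, and the file name check_speculation.sh is assumed.

```shell
#!/bin/sh
# check_speculation.sh: report Spectre/Meltdown mitigation status from sysfs.
# Added example, not from the original article. The sysfs paths and status
# strings are the kernel's own; the categories below are this script's.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "STATUS LINE"
# Maps a sysfs status line onto: not-affected, mitigated, vulnerable, unknown.
# The kernel prefixes lines with "Not affected", "Mitigation:" or "Vulnerable";
# anything else (including our own "missing" marker) is treated as unknown.
classify_status() {
    case "$1" in
        "Not affected"*) printf 'not-affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# read_status NAME
# Prints the raw sysfs line for meltdown/spectre_v1/spectre_v2, or "missing"
# when the kernel does not expose it (too old to report, or not Linux).
read_status() {
    if [ -r "$VULN_DIR/$1" ]; then
        cat "$VULN_DIR/$1"
    else
        printf 'missing\n'
    fi
}

# report
# One line per CVE plus kernel and microcode details. Returns 1 if any entry
# is vulnerable or unreported, so it can gate a config-management or CI check.
report() {
    rc=0
    for entry in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${entry%%:*}
        cve=${entry#*:}
        raw=$(read_status "$name")
        class=$(classify_status "$raw")
        printf '%-10s %-14s %-13s %s\n' "$name" "$cve" "$class" "$raw"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    printf 'kernel: %s\n' "$(uname -r)"
    # Microcode revision matters because several mitigations depend on it.
    grep -m1 '^microcode' /proc/cpuinfo 2>/dev/null || printf 'microcode: (not reported)\n'
    return $rc
}

# Only run the report when executed as the script itself, not when sourced.
case "$0" in
    *check_speculation.sh) report ;;
esac
```

Run it as `sh check_speculation.sh` after each kernel or microcode update; a "vulnerable" or "unknown" row means the running kernel has not yet picked up the mitigation for that CVE, which is exactly the case the article's advice to keep kernels updated is meant to close.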