Update on spectre vulnerability?

security
beaglebone
docker
resinos

#1

Hi Resin team,

We have all been stunned by the Meltdown and Spectre publications. I like to start this thread to follow updates on this topic. As Raspberry Pi published their hardware is not compromised. The Beaglebone Black, the device we mostly use, is vulnerable to Spectre.

To patch this, if it would be patchable at all, at a lot of places the update needs land. If I would make a list, to come up with the following:

  • TI or ARM would need to make kernel patches.
  • Yocto needs to implement these patches.
  • The host-OS would need updating
  • The Docker base images need kernel patches?
  • The Supervisor would have to use an updated base-image
  • Not to forget our own application.

Anyway, just a topic to list updates. I didn’t look at which of all devices are vulnerable.

Thanks.


#2

Hi,

We are already looking into the Meltdown and Spectre vulnerabilities. We made a list of all our supported devices, and are trying to get patches into ResinOS as fast as we can.

One thing to keep in mind is that Meltdown and Spectre require code execution on the device, so these vulnerabilities can only be exploited once an attacker is already able to execute code on the device itself.

You are right the Raspberry Pi is not affected, but the Beaglebone Black using a Cortex-A8 processor is affected by Variant 1 and 2 of Spectre. https://developer.arm.com/support/security-update

We are looking into the kernel patches for KPTI (Kernel page-table isolation) and how we get this patches into ResinOS as fast as possible. ARM points to arm64 linux kernel patches for KPTI (Kernel page-table isolation) https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=kpti

The base images are not affected by Variant 2, because docker containers do not have their own kernel, but are just “namespaced” within the kernel of the host-OS.

Variant 1 becomes a problem when untrusted code is executed in a sand boxed environment. We are currently trying to find situations where this could be a problem in ResinOS. One example for this would also be the eBPF system in the kernel.

For devices that are affected by Variant 3 of Spectre (aka Meltdown) the same kernel patches (KPTI) will mitigate the problem.

Variant 3a which might leak information from privileged system registers, does not require any additional software mitigation.

For more technical details on how Spectre and Meltdown affect ARM devices and what software mitigation’s are available we can refer to the ARM Whitepaper https://developer.arm.com/support/security-update/download-the-whitepaper

We will open up issues for these in the device repositories of ResinOS https://github.com/resin-os/, where we will track the progress on these.

Cheers,
Andreas


#3

Thanks for the update Andreas!