Patching Processes for Meltdown & Spectre
January 13, 2018
In order to mitigate against Meltdown, a CPU microcode update needs to be applied, which is delivered via a BIOS update. macOS updates do this through the standard update process. For Linux and Windows, BIOS updates need to be run in addition to the operating system patches. In our case, we were running 13th generation Dell servers (R630) and deployed BIOS version 2.7.0 (which has since been pulled by Dell). Update (1/13/18): 2.7.0 is once again available for download, but this time with a release date of January 12. When patching, I installed the Windows patch and staged the BIOS update, then set the registry key prior to rebooting so that the system only had to reboot once during the patching process. It doesn't have to be done that way, but that minimized downtime for our instances.
During our testing, we've determined that disabling the fixes in both Windows and Linux restores performance to previous levels. This makes the process safer to test, since the change can be quickly reverted, but reverting does require a reboot. The mitigations are enabled or disabled in Windows via a registry key and in Linux via kernel flags at boot.
Server patches for fixing Meltdown and known Spectre variants are available on Microsoft’s Meltdown & Spectre mitigation instructions under the “Recommended Actions” heading.
After the server is patched, the fixes must be manually enabled. Note: Windows desktop operating systems enable the mitigations by default once the patch is installed; only Windows Server requires the registry keys below.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
If the fix has previously been enabled and needs to be disabled, the following will turn off the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
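The same enable/disable toggle written as a PowerShell function, with a companion function that reads the two values back and decodes them. This is an added example, not code from the original post; the value semantics it encodes (bit 0 of FeatureSettingsOverride controls the branch target injection mitigation, bit 1 controls kernel VA shadowing, a set bit disables that mitigation, and FeatureSettingsOverrideMask says which bits Windows should honour) are Microsoft's documented meaning of the keys used above. The function and parameter names are mine.

```powershell
# Added example: toggle and inspect the Windows Server Meltdown/Spectre mitigation keys.
# Not from the original post. Requires an elevated PowerShell session and a reboot to take effect.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Set-SpeculativeMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$State
    )
    # 0 = enable both mitigations, 3 = disable both (bit 0 = BTI, bit 1 = KVA shadow).
    $override = if ($State -eq 'Enable') { 0 } else { 3 }
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, "FeatureSettingsOverride=$override, Mask=3")) {
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride -PropertyType DWord -Value $override -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
        if ($State -eq 'Enable') {
            # Hyper-V hosts: allow the mitigations to be exposed to guest VMs.
            New-ItemProperty -Path $VirtKey -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
        }
        Write-Warning 'Reboot required before the change takes effect.'
    }
}

function Get-SpeculativeMitigationSetting {
    param(
        # Windows Server leaves the mitigations off unless overridden; client SKUs turn them on.
        [ValidateSet('Server', 'Client')]
        [string]$Edition = 'Server'
    )
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = 0
    $mask     = 0
    if ($props -and $props.PSObject.Properties['FeatureSettingsOverride'])     { $override = [int]$props.FeatureSettingsOverride }
    if ($props -and $props.PSObject.Properties['FeatureSettingsOverrideMask']) { $mask     = [int]$props.FeatureSettingsOverrideMask }

    $default = if ($Edition -eq 'Server') { 'Disabled (default)' } else { 'Enabled (default)' }
    $decode = {
        param($bit)
        # A bit that is not covered by the mask falls back to the edition default.
        if (($mask -band $bit) -eq 0) { return $default }
        if (($override -band $bit) -ne 0) { 'Disabled' } else { 'Enabled' }
    }
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        BranchTargetInjection       = & $decode 1
        KernelVAShadow              = & $decode 2
    }
}

# Usage:
#   Set-SpeculativeMitigation -State Enable -WhatIf   # preview the registry writes
#   Set-SpeculativeMitigation -State Enable           # then reboot
#   Get-SpeculativeMitigationSetting                  # decode what is currently configured
```

Running the getter before and after a change is a quick sanity check that the values landed, but the registry only records intent: the SpeculationControl script in the verification section below is what confirms the mitigations are actually active after the reboot.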
Verifying the Installation
Run the following PowerShell script as an administrator:
Then run the following as a regular user account:
$OriginalExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Import-Module SpeculationControl
Get-SpeculationControlSettings
Set-ExecutionPolicy $OriginalExecutionPolicy -Scope CurrentUser
The resulting output should look like this:
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
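Reading the output by eye works for one server; for a fleet it helps to turn the result into a pass/fail. The script below is an added example, not the original post's code. It assumes the SpeculationControl module has already been installed as an administrator with Install-Module SpeculationControl (the module is published by Microsoft on the PowerShell Gallery), and it reads the property names the module's returned object exposes (BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled, KVAShadowPcidEnabled); check them against the module version you have installed. The function name is mine.

```powershell
# Added example: evaluate Get-SpeculationControlSettings as a pass/fail check.
# Not from the original post. Assumes 'Install-Module SpeculationControl' was run once as an administrator;
# this function itself can run as a regular user.
function Test-SpeculationControl {
    [CmdletBinding()]
    param()

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        throw 'SpeculationControl module not found. Run "Install-Module SpeculationControl" as an administrator first.'
    }

    $originalPolicy = Get-ExecutionPolicy -Scope CurrentUser
    try {
        # The module is script-based, so the CurrentUser policy must allow signed scripts to run.
        Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
        Import-Module SpeculationControl
        $s = Get-SpeculationControlSettings
    }
    finally {
        # Always restore the caller's policy, even if the module throws.
        Set-ExecutionPolicy $originalPolicy -Scope CurrentUser -Force
    }

    $failures = New-Object System.Collections.Generic.List[string]

    # Spectre variant 2 (branch target injection): needs microcode (BIOS), the OS patch and the registry enable.
    if (-not $s.BTIHardwarePresent)       { $failures.Add('BTI: no hardware (microcode) support - BIOS update missing?') }
    if (-not $s.BTIWindowsSupportPresent) { $failures.Add('BTI: OS support missing - Windows patch not installed') }
    if (-not $s.BTIWindowsSupportEnabled) { $failures.Add('BTI: OS support present but not enabled - check FeatureSettingsOverride') }

    # Meltdown (kernel VA shadow): only required on affected CPUs, so skip the checks when the hardware does not need it.
    if ($s.KVAShadowRequired) {
        if (-not $s.KVAShadowWindowsSupportPresent) { $failures.Add('KVA shadow: OS support missing - Windows patch not installed') }
        if (-not $s.KVAShadowWindowsSupportEnabled) { $failures.Add('KVA shadow: OS support present but not enabled - check FeatureSettingsOverride') }
        if ($s.KVAShadowWindowsSupportEnabled -and -not $s.KVAShadowPcidEnabled) {
            # Not a security failure, but worth knowing: without PCID the performance cost of KVA shadowing is higher.
            Write-Warning 'KVA shadow enabled without PCID optimization; expect a larger performance hit.'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Mitigated    = ($failures.Count -eq 0)
        Failures     = $failures.ToArray()
        Raw          = $s
    }
}

# Usage:
#   $r = Test-SpeculationControl
#   if (-not $r.Mitigated) { $r.Failures; exit 1 }
```

Wrapping the check in a function that returns an object rather than text makes it easy to run over many hosts with Invoke-Command and collect the ones where Mitigated is false, which is the list of machines still waiting on a BIOS update, the Windows patch, or the registry enable.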
Meltdown and Spectre software patches should be delivered in kernel updates via package managers (e.g. apt or yum) for Linux systems.
To check the running kernel version, run
CentOS 7 patches are present beginning in kernel version
Meltdown and Spectre mitigations are present in macOS 10.13.2 (released December 2017), with a supplemental update available January 8 to mitigate exploitation via Safari and WebKit. These can and should be installed via the App Store.
Sr Software Engineer at Elastic; previously SRE at Stack Overflow — go, performance, kubernetes, containers, databases